Friday, June 22, 2012

Integrate Linux with Active Directory using Samba, Winbind, and Kerberos


1.

Get your Linux box configured, with the relevant packages installed.

So, you've got your server/workstation up with your favorite flavor of Linux installed, and it's time to join the Windows domain. For this you'll need Samba (with winbind) and the Kerberos client libraries and tools. Most distros ship Samba, but grab a current version from your distro's repositories or from the Samba website; the winbind pieces are often a separate package. On Red Hat flavored systems that means samba, samba-winbind and krb5-workstation; on Debian flavored systems samba, winbind, libpam-winbind and krb5-user.
2.

Time synchronization...

AD is very picky about the time matching during authentication: Kerberos rejects anything more than five minutes off by default, so you'll need to point the ntpd process at a server on your network. A domain controller is a good choice, since that's the clock the KDC is using.
For a one-shot sync to get the clock close before you configure anything, run this (it works the same on Red Hat and Debian flavors; stop ntpd first, since the two fight over the clock):
ntpdate HOSTNAME
That only sets the time once; it doesn't make ntpd keep it in sync. For that, edit /etc/ntp.conf with your favorite text editor. You'll see a servers section; replace what's there with one or more NTP servers on your domain, like so:
server HOSTNAME iburst
Now, restart the NTP service like so:
service ntpd restart (Red Hat flavors) or service ntp restart (Debian flavors)
or
/etc/init.d/ntp restart
or
/etc/rc.d/init.d/ntp restart
depending on your particular brand of *nix.
Make sure it's working with the following command:
ntpq -p
You'll see some output that should include the NTP server you pointed it to, and some stats. A * in the first column marks the peer ntpd is actually syncing to; the offset column is in milliseconds, so if it's in the hundreds or more, wait for it to settle before going on.
3.

Edit /etc/hosts

If your DNS already resolves the domain controllers you can skip this; with security = ads, Samba and Kerberos find the KDCs through the _kerberos._tcp and _ldap._tcp SRV records in the AD zone, so working DNS is the real requirement. Otherwise add a line to /etc/hosts for each domain controller, fully qualified name first:
xxx.xxx.xxx.xxx adserver.yourdomain adserver
4.

Edit /etc/krb5.conf

Edit /etc/krb5.conf to look something like this (realm names are case-sensitive, and an AD realm is the DNS domain name in upper case; the DNS names themselves stay lower case):
[libdefaults]
    default_realm = YOURDOMAIN
    ticket_lifetime = 10h
    renew_lifetime = 7d
    dns_lookup_kdc = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    YOURDOMAIN = {
        kdc = adserver.yourdomain
        admin_server = adserver.yourdomain
        default_domain = yourdomain
    }
[domain_realm]
    .yourdomain = YOURDOMAIN
    yourdomain = YOURDOMAIN
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
A few notes. The enctypes matter: the des-cbc-crc and des3-hmac-sha1 lists you'll see in older howtos are a bad idea. Single DES is disabled by default on Windows 7 and Server 2008 R2 and later, and AD never offered des3 at all, so with those lines kinit either fails outright or negotiates down to a weak key. AES works with Server 2008 or later DCs (and the 2008 domain functional level); if you still have Server 2003 DCs, append rc4-hmac to each list rather than going back to DES. ticket_lifetime is a duration and a bare number means seconds, so the "600" you'll see in some examples gives you a ten-minute ticket; 10h matches the AD default. A [kdc] section pointing at /etc/krb5kdc/kdc.conf only applies to a machine running its own KDC, which this one isn't, so leave it out. The [logging] section is optional on a client, but the log files help when kinit misbehaves.
5.

Test kerberos authentication

Enter the following at the shell to test Kerberos authentication (the realm after the @ is upper case):
kinit username@YOURDOMAIN
It will prompt for a password, and if all is well, return you to the prompt with no output.
Use the command klist to verify you received a ticket; you should see a krbtgt/YOURDOMAIN@YOURDOMAIN entry with a sensible expiry. If you have a ticket, then you're doing great. If not, the usual suspects are the clock (step 2), the realm case, and a DC that neither the kdc line nor DNS can reach; double check your /etc/krb5.conf file. Run kdestroy when you're done so the test ticket doesn't sit around in the credential cache.
6.

Configure Samba and Winbind to be a domain member.

Almost done. Now we need to edit the /etc/samba/smb.conf file. I'll include the important parameters. Your smb.conf file should look something like this:
[global]
    workgroup = DOMAINNAME <<the short NetBIOS domain name, upper case
    realm = YOURDOMAIN <<the Kerberos realm from krb5.conf, upper case
    security = ads
    password server = * <<or the FQDN of one or more domain controllers; * lets Samba find them through DNS, which is what you want if DNS is right
    wins server = IP of wins server <<only if you still run WINS
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = false
    winbind offline logon = false
    winbind separator = + <<very important, as the default \ character does strange things in unix/linux.
    allow trusted domains = yes <<if you have them (this is the default; set it to no if you don't want users from trusting domains logging in here)
The idmap config * lines are how current Samba hands winbind a UID/GID range; older releases used idmap uid = 16777216-33554431 and idmap gid = 16777216-33554431 for the same thing, so if testparm complains about one form, use the other. Pick a range that can't collide with local accounts, and keep in mind that the tdb backend allocates IDs in the order it first sees users, so two machines set up this way will not agree on UIDs; if you need that (NFS home directories, say), look at the rid or ad backends. Those are the important bits, but you'll find that there are hundreds of valid parameters for the samba config file. Explore them; it's a very powerful program.
7.

Tell linux to allow winbind to handle authentication.

Edit your /etc/nsswitch.conf to look something like this:
passwd: compat winbind
shadow: compat
group: compat winbind
That lets the C library (and so getent, ls, ps and friends) look up domain users and groups through winbind. It doesn't, by itself, let anybody log in: authentication goes through PAM, so pam_winbind has to be in the PAM stack as well. On Red Hat flavors, authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update does that; on Debian flavors install libpam-winbind and run pam-auth-update. Leave root and your local admin accounts in the local files, and keep shadow on compat only, as shown, so winbind is never asked for password hashes.
8.

Moment of truth: Join the domain.

Once the /etc/samba/smb.conf file is properly edited, enter the following at the shell:
testparm
It gives you the rundown of your samba config file, and will let you know if something is wrong (unknown or deprecated parameters show up here, before they bite you). If all is well, it's time to start the smb and winbind services, like so: (depending on *nix flavor)
service smb restart
service winbind restart
or
/etc/init.d/smb restart
/etc/init.d/winbind restart
or
/etc/rc.d/init.d/smb restart
/etc/rc.d/init.d/winbind restart
(on Debian flavors the first one is called samba rather than smb.) If they both come back up fine, let's move to joining the domain, like so:
net ads join -U username
It asks for the password of the account doing the join, which needs the right to add computer accounts to the domain. You'll see net ads join -U username%password in a lot of howtos; don't do that, since the password ends up in your shell history and in ps output for anyone on the box while the join runs. The join creates a computer account for this machine in AD and stores the machine password in secrets.tdb in Samba's private directory (/var/lib/samba/private or /etc/samba, depending on the distro), so keep that file root-only. Then test the join using:
net ads testjoin
If it reports "Join is OK", restart winbind and then test it:
wbinfo -t <<checks the machine account trust secret against a DC
wbinfo -u <<lists all of your AD users
wbinfo -g <<lists all of your AD groups
getent passwd DOMAINNAME+username <<goes through nsswitch, so this proves step 7 as well
If it works, your linux box is now integrated into the AD domain.
9.

Lastly, configure the smb and winbind services to start automatically

Every distro has a different way of doing this, so I won't delve into too much detail. On Red Hat flavors it's chkconfig smb on and chkconfig winbind on; on Debian flavors update-rc.d samba defaults and update-rc.d winbind defaults; on systemd based systems systemctl enable winbind plus smb or smbd, whichever your distro calls it. If yours is different, have a google on it; there's a wealth of information out there.
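Here is the whole procedure strung together as one script. This is an added example, not code from the original post: it renders the krb5.conf and smb.conf from steps 4 and 6 out of a DNS domain name and a DC name, checks the clock skew from step 2 against the Kerberos tolerance before touching anything, and then does the join and the wbinfo/getent checks from step 8 without ever putting the password on the command line. It assumes MIT Kerberos, a Samba that understands the idmap config syntax, and ntpdate, testparm, net and wbinfo on the PATH; example.com, dc1.example.com and the account names are placeholders, and deriving the NetBIOS workgroup from the first DNS label is an assumption you should confirm with net ads info.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes MIT Kerberos, Samba
# with "idmap config" support, and ntpdate/testparm/net/wbinfo installed.
# All names are placeholders. Configs are rendered by functions so you can
# look at them before anything is written under /etc.

set -u

# Kerberos realm names are case-sensitive; AD uses the DNS domain upper-cased.
derive_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# The NetBIOS (workgroup) name is usually the first DNS label in upper case.
# That is an assumption; verify with `net ads info` or on a Windows box.
derive_workgroup() {
    derive_realm "${1%%.*}"
}

# Pull the offset (seconds) out of the first line of `ntpdate -q` output,
# which looks like: server 10.0.0.1, stratum 2, offset -0.004321, delay 0.02570
parse_ntpdate_offset() {
    sed -n 's/^server .*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# Kerberos tolerates 300 s of skew by default; past that the KDC answers
# KRB_AP_ERR_SKEW no matter what else is right.
offset_within_tolerance() {
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; if (o <= 300) exit 0; exit 1 }'
}

# $1 = DNS domain, $2 = DC fqdn. AES only: no DES, which AD disables by
# default on 2008 R2 and later. Append rc4-hmac to each list for 2003 DCs.
render_krb5_conf() {
    realm=$(derive_realm "$1")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    ticket_lifetime = 10h
    renew_lifetime = 7d
    dns_lookup_kdc = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    $realm = {
        kdc = $2
        admin_server = $2
        default_domain = $1
    }

[domain_realm]
    .$1 = $realm
    $1 = $realm
EOF
}

# $1 = DNS domain, $2 = workgroup. The idmap range sits far above local UIDs.
render_smb_conf() {
    realm=$(derive_realm "$1")
    cat <<EOF
[global]
    workgroup = $2
    realm = $realm
    security = ads
    winbind separator = +
    winbind use default domain = false
    winbind offline logon = false
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
EOF
}

# $1 = DNS domain, $2 = DC fqdn, $3 = account allowed to add computer objects.
join_domain() {
    dom=$1; dc=$2; admin=$3
    wg=$(derive_workgroup "$dom")
    off=$(ntpdate -q "$dc" | parse_ntpdate_offset)
    offset_within_tolerance "${off:-9999}" ||
        { echo "clock is ${off:-unknown}s off $dc; fix NTP first" >&2; return 1; }
    render_krb5_conf "$dom" "$dc" > /etc/krb5.conf
    render_smb_conf "$dom" "$wg" > /etc/samba/smb.conf
    testparm -s > /dev/null || return 1
    # No %password on the command line: net prompts on the tty, so the
    # secret never lands in shell history or in `ps` output.
    net ads join -U "$admin" || return 1
    service winbind restart
    net ads testjoin && wbinfo -t && getent passwd "${wg}+${admin}"
    echo "now add winbind to passwd/group in nsswitch.conf and pam_winbind to PAM"
}

case "${1:-}" in
    --run) join_domain "$2" "$3" "$4" ;;
esac
```

Run it as root with ./join.sh --run example.com dc1.example.com joiner once the rendered configs look right; without --run it only defines the functions, so you can source it and call render_krb5_conf by hand to see what it would write. The getent call at the end is the one that matters: wbinfo talks to winbind directly, while getent goes through nsswitch, which is the path every login and file listing will take.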
