How to join Debian 8 Jessie to Windows Server Active Directory

May 18, 2015 | By | Reply More

This tutorial is going to show you how to join Debian 8 “Jessie” to existing Windows Server Domain Controller (Active Directory). When Debian is connected and joined to a Domain Controller, we can use the domain users and password to log in to Debian Jessie. There are couple things to do here. Before we go through, I assume the Domain Controller is up and running to provide user login capability to the network. I am using Windows Server 2012 R2 with Domain Controller enabled.

On this tutorial, I use the following domain controller settings:

  • Domain Name: GAMBLISFX
  • Realm Name: GAMBLISFX.CO.ID
  • Password Server: WINSERVER.GAMBLISFX.CO.ID

A. Install Samba and additional packages

In order to join a domain, Debian needs the following packages to be installed: ntp, samba smbclient samba-common winbind. Open Terminal, login as root and install those packages.

su
apt-get install samba smbclient samba-common winbind ntp libpam-krb5 krb5-user

B. Configure Samba and other settings

First we need to check if the time is correct. You may also add your server address that provide time update. Edit the file /etc/netp.conf if necessary. In my case I leave this as default.

/etc/init.d/ntp start
date
ntp on debian

Check the hostname using “hostname -f” Make sure it returns fully qualified server host name. You can edit your host name on the /etc/hosts and /etc/hostname if needed.

check hostname

Also make sure you can ping the hostname from other computer using the hostname

ping hostname

Edit Kerberos file in /etc/krb5.conf. Fill it with minimal configuration as follow. Change GAMBLISFX.CO.ID with your own setup.

[libdefaults]
default_realm = GAMBLISFX.CO.ID
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
GAMBLISFX.CO.ID = {
kdc = WINSERVER.GAMBLISFX.CO.ID
admin_server = WINSERVER.GAMBLISFX.CO.ID
}
[domain_realm]
.gamblisfx.co.id = GAMBLISFX.CO.ID
gamblisfx.co.id = GAMBLISFX.CO.ID

Clear any cache that exist with the following commands

kdestroy
klist
kinit fitria@GAMBLISFX.CO.ID
klist

Now Debian can get ticket from the AD domain successfully. Now we need to configure and join Debian system to the domain. We need to configure /etc/samba/smb.conf file.

The following are the content of my smb.conf file

workgroup = GAMBLISFX
realm = GAMBLISFX.CO.ID
security = ADS
password server = WINSERVER.GAMBLISFX.CO.ID
os level = 0
local master = No
domain master = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config GAMBLISFX:range = 10000000-19000000
idmap config GAMBLISFX:backend = rid
idmap config *:range = 11000-20000
idmap config * : backend = tdb

Now stop and restart the services below:

/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Now try to join domain with the following command and test if all working.

net join -S winserver -U administrator
/etc/init.d/winbind restart
net ads testjoin
net ads info
wbinfo -u
wbinfo -g

debian join domain

Now we need to setup authentication so domain users can use their password to login to Debian. Edit /etc/nsswitch.conf and add winbind to it.

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference' and info’ packages installed, try:
# `info libc “Name Service Switch”‘ for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns
networks: files

Now check and make sure your domain users and group are listed with the following commands

getent passwd
getent group

debian join domain 2

If you cannot see your Domain users listed, you may need to install the following packages:

apt-get install libnss-winbind libpam-winbind

Now all should be working. Finally, create a home directory once a Domain user log in to Debian

nano /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Next, try to login to Debian using Domain user and password. Enjoy

debian join domain 3

 

Tags: , , , , , ,

Category: Debian, Server

Leave a Reply