Active Directory with Samba and Winbind

Confirm Connectivity
The first step to configuring a Gentoo client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on the network.

PING dc1.domain.local (192.168.1.250) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (192.168.1.250): icmp_seq=1 ttl=128 time=0.176ms

The ping output shows successful resolution of the FQDN to an IP address and confirms connectivity between the Gentoo client and the AD DC.

Time Settings
Ensure that the date is correct on the client, since Kerberos authentication fails when the client clock drifts too far from the domain controller's. A good practice is to install an NTP client and sync time with dc1 first. Emerge net-misc/ntp, edit /etc/conf.d/ntp-client and set the address to dc1.domain.local. After this the file should look like this:

Make sure to start the NTP client and verify that the date was synchronized properly with dc1:

* Setting clock via the NTP client 'ntpdate' ... [ ok ]

FQDN
A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that the Active Directory domain controllers are also running the Microsoft DNS server. Here, we edit the local hosts file on the Gentoo workstation to make sure that the workstation's own FQDN is resolvable.

The configuration may be tested by pinging the FQDN. The output should be similar to the ping output above from the connectivity test (of course, the FQDN will be our own, and the IP address will be 127.0.0.1). Or test with:

Set up Kerberos
The first step in setting up Kerberos is to install the appropriate client software.

Required Software
Kerberos needs the sys-auth/pam_krb5 and app-crypt/mit-krb5 packages from Portage.

Now edit the Kerberos configuration file according to the setup. Pay close attention to capitalization: realm names are case-sensitive, and a realm spelled in the wrong case will not work. The following can be used as a template:

Testing
Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, as shown. Any valid domain account may be used; it does not have to be Administrator. The realm may be omitted from the command if the "default_realm" directive is set correctly in /etc/krb5.conf. Make sure the exact same case (upper or lower) is used when testing with kinit!

Password for Administrator@DOMAIN.LOCAL: ******

Check that the ticket request succeeded using the klist command.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.LOCAL

Valid starting     Expires            Service principal
10/05/07 14:28:00  10/05/07 21:08:00  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

At this point, the Kerberos installation and configuration are working correctly. The test ticket can be destroyed by issuing the kdestroy command.
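Because kinit fails silently-looking ways when the realm case is wrong, it is worth checking /etc/krb5.conf before testing. The following is an added example, not part of the original page: it reads a krb5.conf (a constructed sample with a deliberate case mismatch is embedded) and reports whether default_realm is upper-case and has a matching [realms] entry.

```shell
#!/bin/sh
# Added example: sanity-check a MIT krb5.conf for the realm-case mistakes
# the text warns about. Assumes the usual [libdefaults]/[realms] layout.

# Constructed sample with one deliberate mistake: the [realms] entry is
# lower-case while default_realm is upper-case.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = true

[realms]
    domain.local = {
        kdc = dc1.domain.local
        admin_server = dc1.domain.local
    }
'

# Print the default_realm value from the krb5.conf on stdin.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print every realm name that opens a block inside [realms].
krb5_realm_names() {
    awk '
        /^\[/ { in_realms = ($0 ~ /^\[realms\]/); next }
        in_realms && /=[[:space:]]*[{]/ { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]*=.*/, ""); print }
    '
}

# Return 0 when the config is consistent: default_realm is set, is all
# upper-case, and a [realms] block is spelled exactly the same way.
krb5_conf_check() {
    conf="$1"
    realm=$(printf '%s' "$conf" | krb5_default_realm)
    [ -n "$realm" ] || { echo "no default_realm set" >&2; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "default_realm '$realm' is not upper-case" >&2; return 1; }
    if ! printf '%s' "$conf" | krb5_realm_names | grep -qxF "$realm"; then
        echo "no [realms] entry spelled exactly '$realm'" >&2
        return 1
    fi
    return 0
}

krb5_conf_check "$SAMPLE_KRB5_CONF" && echo "krb5.conf looks consistent" || echo "fix krb5.conf before kinit"
```

To check the live file, pass it in with `krb5_conf_check "$(cat /etc/krb5.conf)"`.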

Required Software
Install the net-fs/samba package. For this to work properly, Samba must be emerged with the ads and ldap USE flags enabled.

Joining the Domain
Edit the Samba configuration file, using the following as a template.

Edit the Samba init configuration file and insert the following so that winbind is started together with Samba:

A few more steps remain before starting Samba. First, a valid ticket needs to be created using kinit. If Kerberos authentication is working, no password will be required for the join. If not working as root, run sudo net ads join -U username and supply the password when prompted. Otherwise, the join is attempted as root@DOMAIN.LOCAL instead of as a valid account name.

Create a valid ticket:

Join the domain before starting Samba and winbind:

Using short domain name -- domain
Joined 'gentoobox' to realm 'domain.LOCAL'

Start Samba once the above steps have completed successfully. Optionally, Samba may be added to the default runlevel as well.

 * samba -> start: smbd ... [ ok ]
 * samba -> start: nmbd ... [ ok ]
 * samba -> start: winbind ... [ ok ]

 * samba added to runlevel default

Testing
You should get a list of the domain's users.

And a list of the groups.

nsswitch
Now edit /etc/nsswitch.conf and make the following changes:

Testing
Check the Winbind nsswitch module with getent.

Users from AD as well as from the local Gentoo box should be visible.

Same thing for groups.
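The nsswitch change is a good candidate for scripting, since a second run of a naive sed append leaves the passwd line reading "winbind winbind". The following is an added example, not part of the original page: it appends winbind to the passwd and group databases only when it is missing, working on text from stdin (a constructed sample is embedded) so the result can be reviewed before replacing /etc/nsswitch.conf, and it answers the same "does this database consult winbind" question that getent tests at runtime.

```shell
#!/bin/sh
# Added example: enable winbind lookups in an nsswitch.conf idempotently.
# Reads the config on stdin and writes the edited config to stdout.

# Constructed sample resembling a stock nsswitch.conf (only the databases that matter here).
SAMPLE_NSSWITCH='passwd:      compat
shadow:      compat
group:       compat
hosts:       files dns
'

# Append "winbind" to the line for database $1 (passwd or group) unless it is
# already listed; every other line passes through unchanged.
nsswitch_add_winbind() {
    awk -v db="$1" '
        $1 == db ":" {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "winbind") has = 1
            if (!has) $0 = $0 " winbind"
        }
        { print }
    '
}

# Apply the change to the two databases winbind serves.
nsswitch_enable_winbind() {
    nsswitch_add_winbind passwd | nsswitch_add_winbind group
}

# Exit 0 when database $1 in the config on stdin consults winbind, 1 otherwise.
nsswitch_uses_winbind() {
    awk -v db="$1" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Show the edited sample; on a real box redirect to a temporary file and diff it
# against /etc/nsswitch.conf before installing it.
printf '%s' "$SAMPLE_NSSWITCH" | nsswitch_enable_winbind
```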

User Profile Directories
Each domain needs a directory in /home/.

PAM Configuration
To enable changing the domain password with passwd, as well as logging in via SSH and so on, replace the system-auth file with the one provided with Samba.

You should now be able to log in using SSH, X11, and so on.

sudoers Config (Optional)
To allow domain users to use sudo, edit the /etc/sudoers file:

LDAP
In case Samba does not start up properly, the following solution may help. Mileage may vary. Feel free to further edit this.

Trouble joining the AD?
Make sure to use the net join command, and that Samba and winbind are not running when joining the domain.

If you receive an 'operation error', make sure that the first nameserver in /etc/resolv.conf is your Windows DNS master or PDC.