
Authenticating Windows Domain users on Linux systems

If you're running Linux servers in a Windows domain, it would be pretty cool if domain users could authenticate to your servers using their domain credentials and then sudo to root. But of course you'll want to prevent each and every user from having access to all your servers. Instead, you'll want to restrict access to members of a specific user group.

This howto shows the basic steps needed to allow members of the "admins" group to log in and get a shell.

  1. Perform a domain join.

  2. apt-get install libpam-winbind.

  3. Change in /etc/samba/smb.conf:

    winbind refresh tickets = yes
    template shell   = /bin/bash
    template homedir = /home/%D/%U

  4. Now run:

    pam-auth-update --force

     Choose Unix and Winbind.

  5. Configure authentication (the part that verifies users' passwords and makes sure they are who they claim to be). Add in /etc/pam.d/common-auth:

    # pam_winbind.so: authenticate via Kerberos, keep the ticket in a FILE credential cache,
    # allow cached logins when no domain controller is reachable, and reuse the password
    # already entered for an earlier module instead of prompting again
    auth    [success=1 default=ignore]  pam_winbind.so  krb5_auth  krb5_ccache_type=FILE  cached_login  try_first_pass

  6. Configure which users may actually start a shell session once they have authenticated. Add in /etc/pam.d/common-session:

    # always allow root: on success, skip the next line
    session [success=1 default=ignore] pam_succeed_if.so debug uid = 0
    # other users only if members of the admins group (resolved through winbind)
    session required pam_succeed_if.so debug user ingroup admins

  7. To allow these users to get a root shell using sudo, run visudo and paste in the following line:

    %admins ALL=(ALL:ALL) ALL
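Steps 5 to 7 are a few hand edits to files that decide who gets a shell, so it is worth having them scripted and checked before rolling out to more than one host. The script below is an added example, not part of the howto: it renders the session gate and the sudoers line for a configurable group name (assumed to default to "admins"), appends the gate to a PAM file only if it is not already there, and models the decision the two pam_succeed_if lines make so you can reason about it without logging in. The file path and the group name are parameters; the `preflight` helper is the one part that needs a joined host, because `%admins` in sudoers and `user ingroup admins` in PAM are both resolved through NSS and winbind.

```bash
#!/bin/bash
# Added example (not the howto's own code): manage the group gate from steps 6 and 7.
set -u

ADMIN_GROUP="${ADMIN_GROUP:-admins}"   # assumed default, matches the howto

# Render the two common-session lines from step 6 for the given group.
render_session_lines() {
    local group="$1"
    cat <<EOF
# always allow root: on success, skip the next line
session [success=1 default=ignore] pam_succeed_if.so debug uid = 0
# other users only if members of the $group group (resolved through winbind)
session required pam_succeed_if.so debug user ingroup $group
EOF
}

# Render the sudoers line from step 7 ('%' prefix means "group").
render_sudoers_line() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Return 0 if the PAM file ($1) already carries a 'required' group gate for $2.
# Comment and blank lines are skipped; a commented-out gate does not count.
has_group_gate() {
    local file="$1" group="$2"
    grep -Ev '^[[:space:]]*(#|$)' "$file" 2>/dev/null |
        grep -Eq "^session[[:space:]]+required[[:space:]]+pam_succeed_if\.so.*user[[:space:]]+ingroup[[:space:]]+${group}([[:space:]]|$)"
}

# Append the gate to the PAM file, idempotently: running twice adds it once.
ensure_group_gate() {
    local file="$1" group="$2"
    if has_group_gate "$file" "$group"; then
        return 0
    fi
    render_session_lines "$group" >> "$file"
}

# Model the decision the two session lines make: uid 0 always gets a session,
# anyone else only if the gate group is among their groups. Pass the user's
# groups one per argument (as from `id -Gn`), so names with spaces survive.
session_allowed() {
    local uid="$1" group="$2"
    shift 2
    [ "$uid" -eq 0 ] && return 0
    local g
    for g in "$@"; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Live preflight, only meaningful on a joined host: confirm NSS/winbind can
# resolve the group before the gate goes in. If it cannot, every non-root
# login will be refused once the gate is active.
preflight() {
    getent group "$1" >/dev/null 2>&1
}

# Usage: ./gate.sh apply   (appends the gate to the live common-session file)
if [ "${1:-}" = "apply" ]; then
    preflight "$ADMIN_GROUP" || { echo "group $ADMIN_GROUP not resolvable" >&2; exit 1; }
    ensure_group_gate /etc/pam.d/common-session "$ADMIN_GROUP"
    render_sudoers_line "$ADMIN_GROUP"
fi
```

Note that the gate fails closed: if winbindd is down or the group name is wrong, `pam_succeed_if.so` cannot match `user ingroup admins`, and because the line is `required`, every user except root is refused a session. That is the behaviour you want on a bastion, but it is also why `preflight` runs `getent group` before the gate is written, and why a root console login (which the `uid = 0` line exempts) should be kept available while testing.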