Linux Domain join howto

There are quite a few tutorials on how to join a Linux machine into a Windows Domain. Some of them are outdated and talk about old-style domains instead of Active Directory. Others require the Active Directory schema be extended. Most of them neglect configuring the system so that Kerberos can be used correctly. And almost none of 'em show how to configure stable user IDs that are reproducible across multiple systems, so using NFS and DRBD will actually work instead of completely breaking permissions.

So, here's my own howto which fixes all of this. It lays out the config I use in my home samba4 domain, LOCAL.LAN. (Yes, I do have an Active Directory domain at home. I like it, even. This is how crazy I am.)

  1. You'll want to make sure that your hostname (the one that the hostname command spits out) is not longer than 15 characters and does not consist of numbers only. (I once named a host 1319. This seemed to work at first but caused some very strange behaviour later on. Renaming the host 13-19 fixed that.)

  2. Make sure that hostname --fqdn actually spits out an FQDN and not just the hostname. Vice versa, make sure that hostname without --fqdn does not spit out an FQDN.

    You can do this by adjusting /etc/hostname and /etc/hosts. Make sure /etc/hosts contains a line such as this one for the hostname you set in /etc/hostname:

    # IP            FQDN               Hostname       hive.local.lan     hive

    Put the FQDN first, and the short hostname second. Do not omit either one. Do not put the FQDN in /etc/hostname.

  3. Install the samba daemons, winbind and the Kerberos utilities:

    apt-get install samba winbind libnss-winbind krb5-user

    It doesn't matter if you're using Samba 3 or Samba 4.

  4. Put the following into /etc/krb5.conf, replacing LOCAL.LAN with your domain name:

       default_realm = LOCAL.LAN
       default_keytab_name = /etc/krb5.keytab
       default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
       default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
       .local.lan = LOCAL.LAN
       local.lan = LOCAL.LAN

    Note that capitalization matters.

  5. Put this into /etc/samba/smb.conf, again adapting the netbios name, workgroup and realm to your environment:

       netbios name = HIVE
       workgroup    = LOCALLAN
       realm        = LOCAL.LAN
       security     = ADS
       encrypt passwords = yes
       # Load the acl_xattr module for Windows ACL support
       vfs objects = shadow_copy2 acl_xattr
       # Use an external keytab that can be used for other services (e.g. apache)
       kerberos method = dedicated keytab
       dedicated keytab file = /etc/krb5.keytab
       idmap config *:backend = tdb
       idmap config *:range   = 1000000-1999999
       # Make sure we have reproducible user IDs
       idmap config LOCALLAN:backend = rid
       idmap config LOCALLAN:range   = 10000-999999
       winbind nss info = rfc2307
       winbind trusted domains only = no
       winbind use default domain = yes
       # should "getent passwd" and "getent group" list *all* AD users/groups?
       winbind enum users  = yes
       winbind enum groups = yes
       # Default shell that users get (/bin/true = no login)
       template shell = /bin/true
  6. Just in case, rm -f /etc/krb5.keytab. It shouldn't be there, but now it definitely won't be.

  7. Authenticate as an administrator:

    kinit Administrator

    You will be prompted for your password. (See how to get rid of passwords)

  8. Once that worked, proceed to actually joining the domain:

    net ads -k join
    net ads -k keytab create
  9. If you want to provide authentication for other services via Kerberos, add the service principal names for those services to your newly-created machine account:

    net ads -k keytab add HTTP
    net ads -k keytab add HTTPS
    net ads -k keytab add NFS

    I'm not sure if you need one for SSH too, or if SSH just uses the default HOST principal, but you might as well add it just-in-case. By the way, this command also updates the machine account on the AD side, so no adsiedit and copying around keytab files necessary.

  10. Now you won't need the Kerberos ticket anymore:

  11. Let's see if the domain account is set up correctly and Kerberos authentication works. We do this by acquiring a Kerberos ticket for the machine account:

    kinit -k HOSTNAME$

    That $ sign at the end of the HOSTNAME is part of the command, so for hive, I'd have to run kinit -k HIVE$. HIVE$ is the name of the computer account created for the machine named HIVE, for which we want to get a ticket.

    Note that you may need to retry this command a few times until ADS set up everything. It should work after a couple of seconds though.

  12. Restart the samba services:

    service smbd restart
    service nmbd restart
    service winbind restart
  13. For users and groups to be resolvable in the system (e.g. for ls and friends), modify /etc/nsswitch.conf:

    passwd: compat winbind
    group:  compat winbind

    Verify using:

    # getent passwd Administrator
    # getent group "Domain Admins"
    domain admins:x:10512:svedrin,administrator

    Both commands should spit out something.

Congrats, you've joined an Active Directory domain!

Update: This guy appears to have been as frustrated with this stuff as I have, and he has some nice tips about what to do when the getent something parts fail.