Public Notes

# Linux Domain join howto

Origin: https://blog.svedr.in/posts/linux-domain-join-howto/

There are quite a few tutorials on how to join a Linux machine into a Windows Domain. Some of them are outdated and talk about old-style domains instead of Active Directory. Others require the Active Directory schema be extended. Most of them neglect configuring the system so that Kerberos can be used correctly. And almost none of 'em show how to configure stable user IDs that are reproducible across multiple systems, so using NFS and DRBD will actually work instead of completely breaking permissions.

So, here's my own howto which fixes all of this. It lays out the config I use in my home samba4 domain, LOCAL.LAN. (Yes, I do have an Active Directory domain at home. I like it, even. This is how crazy I am.)

1. You'll want to make sure that your hostname (the one that the hostname command spits out) is not longer than 15 characters and does not consist of numbers only. (I once named a host 1319. This seemed to work at first but caused some very strange behaviour later on. Renaming the host 13-19 fixed that.)

2. Make sure that hostname --fqdn actually spits out an FQDN and not just the hostname. Vice versa, make sure that hostname without --fqdn does not spit out an FQDN.

You can do this by adjusting */etc/hostname* and */etc/hosts* . Make sure */etc/hosts* contains a line such as this one for the hostname you set in */etc/hostname* :

```

# IP            FQDN               Hostname

127.0.1.1       hive.local.lan     hive

```

Put the FQDN first, and the short hostname second. Do not omit either one. Do not put the FQDN in /etc/hostname.

Install the samba daemons, winbind and the Kerberos utilities:

```

apt-get install samba winbind libnss-winbind krb5-user

```

4. Put the following into /etc/krb5.conf, replacing LOCAL.LAN with your domain name:

```

[libdefaults]

   default_realm = LOCAL.LAN

   default_keytab_name = /etc/krb5.keytab

   default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

   default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[domain_realm]

   .local.lan = LOCAL.LAN

   local.lan = LOCAL.LAN

```

Note that capitalization matters.

5. Put this into /etc/samba/smb.conf, again adapting the netbios name, workgroup and realm to your environment:

```

[global]

   netbios name = HIVE

   workgroup    = LOCALLAN

   realm        = LOCAL.LAN

   security     = ADS

   encrypt passwords = yes

   # Load the acl_xattr module for Windows ACL support

   vfs objects = shadow_copy2 acl_xattr

   # Use an external keytab that can be used for other services (e.g. apache)

   kerberos method = dedicated keytab

   dedicated keytab file = /etc/krb5.keytab

   idmap config *:backend = tdb

   idmap config *:range   = 1000000-1999999

   # Make sure we have reproducible user IDs

   idmap config LOCALLAN:backend = rid

   idmap config LOCALLAN:range   = 10000-999999

   winbind nss info = rfc2307

   winbind trusted domains only = no

   winbind use default domain = yes

   # should "getent passwd" and "getent group" list *all* AD users/groups?

   winbind enum users  = yes

   winbind enum groups = yes

   # Default shell that users get (/bin/true = no login)

   template shell = /bin/true

```

6. Just in case, rm -f /etc/krb5.keytab. It shouldn't be there, but now it definitely won't be.

7. Authenticate as an administrator:

```

kinit Administrator

```

You will be prompted for your password. (See how to get rid of passwords)

Once that worked, proceed to actually joining the domain:

```

net ads -k join

net ads -k keytab create

```

If you want to provide authentication for other services via Kerberos, add the service principal names for those services to your newly-created machine account:

```

net ads -k keytab add HTTP

net ads -k keytab add HTTPS

net ads -k keytab add NFS

```

I'm not sure if you need one for SSH too, or if SSH just uses the default HOST principal, but you might as well add it just-in-case. By the way, this command also updates the machine account on the AD side, so no adsiedit and copying around keytab files necessary.

Now you won't need the Kerberos ticket anymore:

```

kdestroy

```

Let's see if the domain account is set up correctly and Kerberos authentication works. We do this by acquiring a Kerberos ticket for the machine account:

```

kinit -k HOSTNAME$

```

That $ sign at the end of the HOSTNAME is part of the command, so for hive, I'd have to run kinit -k HIVE$. HIVE$ is the name of the computer account created for the machine named HIVE, for which we want to get a ticket.

Note that you may need to retry this command a few times until ADS set up everything. It should work after a couple of seconds though.

Restart the samba services:

```

service smbd restart

service nmbd restart

service winbind restart

```

For users and groups to be resolvable in the system (e.g. for ls and friends), modify /etc/nsswitch.conf:

```

passwd: compat winbind

group:  compat winbind

```

Verify using:

```

# getent passwd Administrator

administrator:*:10500:10513:Administrator:/home/LOCALLAN/administrator:/bin/true

# getent group "Domain Admins"

domain admins:x:10512:svedrin,administrator

```

Both commands should spit out something.

Congrats, you've joined an Active Directory domain!

Update: This guy appears to have been as frustrated with this stuff as I have, and he has some nice tips about what to do when the getent something parts fail.