11 Feb

Integrate Linux & Active Directory using Kerberos, WinBind, Samba

We can integrate Linux with Active Directory using Kerberos, Winbind and Samba. The prerequisites to join an Ubuntu server to a Windows Active Directory domain are:

  1. Your Ubuntu server must be able to reach the AD server.
  2. An Active Directory Domain Administrator account, an account in Active Directory's 'Domain Admins' group, or any account that has sufficient privileges to join your Ubuntu server to the Active Directory domain.

Configure Hosts

The first step of the Active Directory join is to edit the /etc/hosts file. Set your machine's IP address and hostname in the /etc/hosts file.

In the hosts file, enter the values below,

Example :-

Configure Local Resolver

Next, you need to set up /etc/resolv.conf with your name server entries and a search domain entry. Usually the AD server IP itself will be the name server IP, since the DNS role is commonly installed on the same server.

In the resolv.conf file, enter the values below

Example :-

Edit the resolv.conf file and enter the values below

Install the Utilities

Install the required packages,

During the Kerberos installation you will see a pink configuration screen. Enter your full domain name (the Kerberos realm) in CAPITAL LETTERS,

e.g. DOMAIN.COM

then select OK by pressing TAB.

You may leave it blank and press OK if you wish to configure Kerberos later.

Configure NTP Settings

The date and time of your Ubuntu server/host must be synchronized with the Active Directory server, because Kerberos rejects authentication when the clocks drift too far apart. Add your Active Directory server's NTP hostname to the /etc/ntp.conf file,

You can also keep Ubuntu's NTP servers, provided your Active Directory server's time and the Ubuntu NTP servers' time are in sync.

In that case, add the values below instead of the ones above,

Now sync the Ubuntu host's date and time with the NTP server and then start the NTP service,

If you are using your Active Directory's NTP service, execute the commands below,

or

or

Configure Kerberos Settings

Create a file named krb5.conf,

Enter the values below in the Kerberos config file,

Now try to obtain a valid Kerberos ticket for your Active Directory administrator account,

Configure NSSwitch

To configure the name service switch (NSS), edit the file /etc/nsswitch.conf

Now enter the values below into your configuration file.


Configure SAMBA Service

To configure the Samba service on your Ubuntu box, edit the Samba configuration file /etc/samba/smb.conf

To edit the file, execute the command,

Replace DOMAIN with your short domain name (without .com) and DOMAIN.COM with your complete domain name.
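As an added check that is not part of the original post, the following Python script lints the [global] section of an smb.conf for the mistakes most often made at this step: a realm that is not in upper case, a workgroup that does not match the realm, and overlapping idmap ranges (which make UID/GID mapping ambiguous). The embedded smb.conf is a constructed sample, not the author's configuration, and deliberately contains two such mistakes.

```python
import configparser
import re
from itertools import combinations

# Constructed sample smb.conf for a member of DOMAIN.COM (not the page's own config);
# it deliberately contains two mistakes the checker should report.
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
realm = domain.com
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 5000-99999
winbind use default domain = yes
template shell = /bin/bash
"""

RANGE_RE = re.compile(r"^idmap config (\S+) : range$", re.IGNORECASE)

def parse_global(text):
    """Return the [global] section as a dict, preserving key case (e.g. DOMAIN in idmap keys)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # do not lower-case option names
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp.items("global")}

def check_ad_member(conf):
    """Return findings for settings that would break 'net ads join' or winbind lookups."""
    findings = []
    realm, wg = conf.get("realm", ""), conf.get("workgroup", "")
    if conf.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an Active Directory member")
    if not realm or realm != realm.upper():
        findings.append(f"realm '{realm}' must be the Kerberos realm in upper case (e.g. DOMAIN.COM)")
    if not wg or (realm and wg.upper() != realm.split(".")[0].upper()):
        findings.append(f"workgroup '{wg}' should be the short domain name matching realm '{realm}'")
    # Collect every 'idmap config <domain> : range' and make sure no two ranges overlap.
    ranges = {}
    for key, val in conf.items():
        m = RANGE_RE.match(key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:
            findings.append(f"idmap ranges for '{a}' ({alo}-{ahi}) and '{b}' ({blo}-{bhi}) overlap")
    return findings
```

Run `check_ad_member(parse_global(open("/etc/samba/smb.conf").read()))` on the real file before the join; an empty list means none of these three problems is present.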

Restart the Samba & Winbind

To restart the Samba and Winbind services, execute the commands below,

or

or

Verify krb5.keytab

To list the contents of the /etc/krb5.keytab file, execute the command below,

To show the available Kerberos tickets, execute the command,

SUDOER Configuration

To grant a particular AD group admin privileges on the Ubuntu box, you need to edit the sudoers configuration, which is located at /etc/sudoers. Members of the AD groups added to sudoers can then run sudo.

To edit the sudoers file, execute,

Configure LightDM

To configure LightDM, create the LightDM configuration file /etc/lightdm/lightdm.conf.

Once the file is saved, restart the LightDM service by executing the command below,

Join the Ubuntu Host to Active Directory Domain

To join the Linux host to the Active Directory domain, execute the command below,

Verify the AD connectivity

To verify the Active Directory connectivity, execute the commands below.

To test the AD join, execute the command below,

If the result is 'Join is OK', then test winbind. To test the winbind service, execute the commands below.

To list the AD users,

To list the AD groups,

If it displays your AD group and user details, your Linux box is successfully integrated into the AD domain.

Now try a server reboot. Also try to log in to the server via SSH from another host with an AD account and perform sudo.
