Active Directory Authentication and NT Domain Integration


This procedure installs Samba and winbind and joins this computer to a Microsoft Windows domain, so that domain users and groups become visible to the local system.

Note: Samba 2.2 does not support SMB packet signing, which Windows 2003 domain controllers require by default. If this computer must use Windows 2003 domain controllers, then either run a Samba release that supports signing (3.0 or later) or disable SMB packet signing in the security policy that applies to the domain controllers. Understand what the second option costs: signing is what lets every client of those domain controllers detect a tampered or relayed SMB session, so scope the change to the domain controllers policy only and revert it once this computer no longer needs it.

Before starting: Create a winbind account in the domain and add it to the Domain Admins security group. Winbind presents this account's credentials when it connects to the domain controllers to look up and enumerate users and groups (step 11). Because the password is stored in clear on this computer once installed, give the account a long random password used nowhere else, and treat a compromise of this computer as a compromise of the domain.


  1. Login as the root user.
    [screenshot]

  2. Update the package list.

    # apt-get update

  3. Install Samba and Winbind.

    # apt-get install samba winbind
    [screenshot]

    If you used the bundled debian-etc.tar.gz file earlier, then this command should download packages from the us1.samba.org site.

    Answer the questions as follows:
    [screenshot] Configure smb.conf through debconf? Yes
    [screenshot] Workgroup/Domain Name? bfree.on.ca
    [screenshot] Use password encryption? Yes
    [screenshot] How do you want to run Samba? daemons
    [screenshot] Create samba password file? No

  4. Check the winbind version.

    # dpkg --status winbind
    [screenshot]

    The screenshot shows that version 2.2.8a-0.1 is installed on the example computer. The winbind version must be 2.2.6 or later because prior versions do not recognize the "winbind use default domain" configuration directive.

  5. Edit the /etc/samba/smb.conf file.

    # mcedit /etc/samba/smb.conf
    [screenshot]

    Add these lines to the [global] section of the file:

    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    password server = *
    template shell = /bin/bash
    security = domain
    

    Note: If your domain has more than 10,000 members, then increase the size of the "winbind uid" and "winbind gid" ranges. Whatever size you choose, the ranges must not overlap the uids and gids of local accounts in /etc/passwd and /etc/group, or a domain user could be mapped onto the identity of a local account.

    Note: Remember to disable SMB packet signing in the domain controller security policy if this computer must connect to Windows 2003 domain controllers.

    Caveat: The "password server = *" directive configures Samba to find a domain controller by NetBIOS name resolution of the domain name, which without a WINS server means a broadcast on the local segment. If this computer will be on a segment without a domain controller, then specify the fully qualified domain name of one or more domain controllers instead; listing more than one keeps the computer working when a single domain controller is down.
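
The step 5 configuration as a script, added here as an example rather than taken from the original page: it writes the same six directives into the [global] section of smb.conf without duplicating any that are already there, then checks the "winbind uid" range against the local password file before a domain user can be mapped into it. The sample smb.conf and passwd contents inside the block are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the step 5
# directives to the [global] section of smb.conf idempotently, then check
# the winbind ID ranges before any domain user is mapped. The sample
# smb.conf and passwd file at the bottom are constructed for this example.

# get_global_param FILE KEY -> prints the value of KEY in [global], if any
get_global_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# set_global_param FILE KEY VALUE
# Rewrite "KEY = ..." in [global] if present, else append it after the
# section's last non-blank line. Other sections pass through untouched and
# the file is overwritten in place, so its owner and mode survive.
# Assumes the file has a [global] section (debconf always writes one).
set_global_param() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        function flush(   i, j) {
            if (!found) {
                for (j = n; j > 1 && buf[j] ~ /^[ \t]*$/; j--) { }
                buf[j] = buf[j] "\n" key " = " value
            }
            for (i = 1; i <= n; i++) print buf[i]
            n = 0; in_global = 0
        }
        /^[ \t]*\[/ {
            if (in_global) flush()
            if (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) {
                in_global = 1; found = 0; n = 1; buf[1] = $0; next
            }
        }
        in_global {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (!found && tolower(k) == tolower(key)) {
                found = 1; match($0, /^[ \t]*/)
                $0 = substr($0, 1, RLENGTH) key " = " value
            }
            buf[++n] = $0; next
        }
        { print }
        END { if (in_global) flush() }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# The directives from step 5. The "security = user" left by debconf is
# replaced rather than duplicated.
apply_winbind_globals() {
    set_global_param "$1" "security" "domain" &&
    set_global_param "$1" "password server" "*" &&
    set_global_param "$1" "winbind uid" "10000-20000" &&
    set_global_param "$1" "winbind gid" "10000-20000" &&
    set_global_param "$1" "winbind use default domain" "yes" &&
    set_global_param "$1" "template shell" "/bin/bash"
}

# check_winbind_range PASSWD_FILE RANGE EXPECTED_COUNT
# Fails when RANGE cannot hold EXPECTED_COUNT domain members, or when a
# local account in PASSWD_FILE already owns an ID inside it: winbind
# would then hand a domain user the identity (and file access) of that
# local account.
check_winbind_range() {
    lo=${2%-*}; hi=${2#*-}
    case "$lo$hi" in *[!0-9]*|"") echo "bad range: $2" >&2; return 1 ;; esac
    [ "$hi" -ge "$lo" ] || { echo "bad range: $2" >&2; return 1; }
    if [ $((hi - lo + 1)) -lt "$3" ]; then
        echo "range $2 holds $((hi - lo + 1)) ids, domain has $3 members" >&2
        return 1
    fi
    awk -F: -v lo="$lo" -v hi="$hi" '
        $3 >= lo && $3 <= hi { print "local account " $1 " (uid " $3 ") is inside the winbind range"; bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1" >&2
}

# Constructed sample input for a stand-alone run.
demo=$(mktemp -d)
printf '[global]\n   workgroup = BFREE\n   security = user\n   encrypt passwords = yes\n\n[homes]\n   browseable = no\n' > "$demo/smb.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nsvcbackup:x:10500:10500::/var/backups:/bin/false\n' > "$demo/passwd"
apply_winbind_globals "$demo/smb.conf"
check_winbind_range "$demo/passwd" "$(get_global_param "$demo/smb.conf" 'winbind uid')" 10001 ||
    echo "fix /etc/passwd or move the winbind uid range before continuing" >&2
```

Run it against a copy of /etc/samba/smb.conf first. On the live file, rerunning it is harmless, because a directive that is already set is rewritten in place rather than appended a second time.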

  6. Verify that a domain controller can be contacted.

    # smbpasswd -r rigel.bfree.on.ca -S
    [screenshot]

    The domain SID will be printed if rigel.bfree.on.ca is a domain controller.

  7. Join this computer to the domain.

    # smbpasswd -r rigel.bfree.on.ca -j bfree.on.ca -U dajhorn
    [screenshot]

    The name given by the -U option must be an administrator in the domain given by the -j option. In this example, dajhorn is an administrator in the bfree.on.ca domain and rigel.bfree.on.ca is a domain controller.

  8. Restart the winbind daemon.

    # /etc/init.d/winbind restart
    [screenshot]

  9. Verify the computer trust account.

    # wbinfo -t
    [screenshot]
    [screenshot]

    This command may initially report "Secret is bad, 0xc000018b". That status is NT_STATUS_NO_TRUST_SAM_ACCOUNT: the domain controller that winbind picked does not yet know about the computer account created in step 7, usually because directory replication has not finished. Wait until this command reports "Secret is good" before proceeding to the next step. This usually happens within fifteen minutes of issuing the previous smbpasswd command, but it may take much longer in a busy domain.

  10. Test the domain credentials.

    # wbinfo -a winbind%ABC123
    [screenshot]

    In this example, winbind is a privileged user with password ABC123 in the bfree.on.ca domain.

  11. Install the domain credentials.

    # wbinfo -A winbind%ABC123
    [screenshot]

    Warning: The winbind user must be a domain administrator. A bug in Active Directory, present in both Windows 2000 and Windows 2003, will cause random intermittent failures if this account is not fully privileged. Note also that the password is now stored in clear in Samba's secrets database (readable by root only) and, because it was typed on the command line, in root's shell history; remove it from the history file.

  12. List all domain groups.

    # wbinfo -g

    This command should list all groups in the domain.

  13. List all domain users.

    # wbinfo -u

    This command should list all users in the domain.
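
Steps 6 through 13 as one script, added as an example that is not part of the original page. It uses the page's domain controller, domain and account names; the WINBIND_INIT and RUN_JOIN variables and the credential file /root/winbind.pass are assumptions of this example. The trust-secret check is polled with a timeout instead of a fixed wait, and the winbind password is read from a root-only file so that it does not end up in the shell history.

```shell
#!/bin/sh
# Added example, not code from the original page: steps 6 through 13 as
# shell functions that add the waiting and checks a scripted join needs.
# DC, domain and account names are the page's; WINBIND_INIT, RUN_JOIN and
# the credential file /root/winbind.pass are assumptions of this example.

# wait_for_trust_secret TIMEOUT INTERVAL (both in seconds)
# "wbinfo -t" exits non-zero and prints "Secret is bad, 0xc000018b"
# (NT_STATUS_NO_TRUST_SAM_ACCOUNT) until the DC that winbind picked has
# received the new computer account, so poll instead of guessing a delay.
wait_for_trust_secret() {
    elapsed=0
    while :; do
        if out=$(wbinfo -t 2>&1); then
            echo "$out"; return 0
        fi
        if [ "$elapsed" -ge "$1" ]; then
            echo "trust secret still rejected after ${1}s: $out" >&2; return 1
        fi
        sleep "$2"; elapsed=$((elapsed + $2))
    done
}

# join_domain DC DOMAIN ADMIN
# Step 6 first: if DC does not answer with a domain SID there is no point
# in sending the administrator's password to it.
join_domain() {
    smbpasswd -r "$1" -S || { echo "$1 returned no domain SID; not a DC?" >&2; return 1; }
    smbpasswd -r "$1" -j "$2" -U "$3" || { echo "join to $2 via $1 failed" >&2; return 1; }
    "${WINBIND_INIT:-/etc/init.d/winbind}" restart || return 1
    wait_for_trust_secret 1800 30      # the page's fifteen minutes, doubled
}

# install_winbind_credentials USER PASSFILE
# Reads the Domain Admins password from a root-only file rather than
# taking it on the command line, so it never lands in root's shell
# history. It still appears briefly in wbinfo's argument list; Samba 2.2's
# wbinfo offers no other way to pass it.
install_winbind_credentials() {
    perms=$(ls -l "$2" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$2 must be readable by root only (mode 0600)" >&2; return 1; }
    pass=$(head -n 1 "$2")
    wbinfo -a "$1%$pass" >/dev/null || { echo "domain rejected credentials for $1" >&2; return 1; }
    wbinfo -A "$1%$pass" >/dev/null || { echo "storing credentials for $1 failed" >&2; return 1; }
    unset pass
}

# verify_enumeration USER
# Steps 12 and 13 as a check: groups must enumerate and USER must appear
# in the user list (without a DOMAIN prefix, because of
# "winbind use default domain = yes").
verify_enumeration() {
    wbinfo -g >/dev/null || { echo "group enumeration failed" >&2; return 1; }
    wbinfo -u | grep -Fqx "$1" || { echo "$1 not found in domain user list" >&2; return 1; }
}

# Only touch the domain when asked, so the functions can be sourced and
# exercised with stand-in commands first:   RUN_JOIN=1 sh join.sh
if [ "${RUN_JOIN:-0}" = 1 ]; then
    join_domain rigel.bfree.on.ca bfree.on.ca dajhorn &&
    install_winbind_credentials winbind /root/winbind.pass &&
    verify_enumeration winbind
fi
```

Running it with RUN_JOIN=1 on the real host performs the join; without that variable the file only defines the functions, which is how it can be exercised beforehand with stand-in wbinfo and smbpasswd shell functions.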

  14. Edit the /etc/nsswitch.conf file.

    # mcedit /etc/nsswitch.conf
    [screenshot]

    Append winbind to the passwd and group lines, so that they read "passwd: compat winbind" and "group: compat winbind". Leave the shadow line alone; winbind does not serve shadow entries.

    The "compat winbind" stanza means "use local account information first, and use domain account information second", so a local account always takes precedence over a domain account of the same name.

  15. Verify that this computer is part of the domain.

    # id guest
    [screenshot]

    This command resolves the account named "guest" from the domain through winbind and prints its uid, gid and group membership; the uid falls inside the "winbind uid" range configured in step 5. Try this command with other account names.

  16. Populate init.d symlinks so that the winbind daemon will be started automatically by the system.

    # cd /etc/rc1.d; ln -s -v ../init.d/winbind K19winbind
    # cd /etc/rc2.d; ln -s -v ../init.d/winbind S20winbind
    # cd /etc/rc3.d; ln -s -v ../init.d/winbind S20winbind
    # cd /etc/rc4.d; ln -s -v ../init.d/winbind S20winbind
    # cd /etc/rc5.d; ln -s -v ../init.d/winbind S20winbind
    # cd /etc/rc6.d; ln -s -v ../init.d/winbind K19winbind

    [screenshot]

    Note: The winbind package should install these links, but it doesn't. This is a bug.
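
Steps 14 and 16 as reusable functions, added as an example and not taken from the page. Both take the file or root directory to change, so they can be run against a scratch directory and checked before they touch /etc; the nsswitch.conf contents in the block are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: steps 14 and 16 as
# functions that take the file or root directory to change, so the result
# can be verified in a scratch directory before it is applied to /etc.
# The nsswitch.conf content below is constructed for this example.

# nss_add_winbind FILE
# Append "winbind" to the passwd and group lines unless it is already
# listed. Order is the point: "compat winbind" consults the local files
# first, so a local account always shadows a domain account of the same
# name. The shadow line is left alone because winbind serves no shadow map.
nss_add_winbind() {
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*(passwd|group)[ \t]*:/ {
            rest = $0; sub(/^[^:]*:/, "", rest)
            n = split(rest, w, /[ \t]+/); have = 0
            for (i = 1; i <= n; i++) if (w[i] == "winbind") have = 1
            if (!have) { sub(/[ \t]+$/, ""); $0 = $0 " winbind" }
        }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# nss_sources FILE DATABASE -> prints the source list for DATABASE
nss_sources() {
    awk -v db="$2" '$0 ~ ("^[ \t]*" db "[ \t]*:") {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# install_winbind_rc_links ROOT
# The links from step 16, relative to ROOT (use "" for the live system;
# there "update-rc.d winbind defaults" is the packaged way to get
# equivalent links). Existing links are kept, so the function can be rerun.
install_winbind_rc_links() {
    for rl in 1 2 3 4 5 6; do
        case $rl in 1|6) link=K19winbind ;; *) link=S20winbind ;; esac
        dir="$1/etc/rc$rl.d"
        mkdir -p "$dir" || return 1
        if [ ! -L "$dir/$link" ]; then
            ln -s ../init.d/winbind "$dir/$link" || return 1
        fi
    done
}

# Stand-alone run against a scratch root with constructed input.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$demo/etc/nsswitch.conf"
nss_add_winbind "$demo/etc/nsswitch.conf"
install_winbind_rc_links "$demo"
echo "passwd sources: $(nss_sources "$demo/etc/nsswitch.conf" passwd)"
```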


This computer is now participating in the domain. Note, however, that each service on this computer must be individually configured (through its PAM stack) to use domain authentication. If you have followed these instructions precisely, then you will not be able to log in to this computer with a domain account.