How to configure a Linux box (here Ubuntu 8.04) to authenticate user logins and Samba users against a separate Active Directory server (tested here with Windows Server 2003). This is the process that was used to get an Ubuntu Samba box playing nicely with "adserver".


Note the assumption throughout that the DNS hostname of your Active Directory server is adserver.example.local and that it has a fixed IP address. So naturally, swap out whatever I'm calling things here for whatever you've actually got.

Also note that the upper-case names such as EXAMPLE.LOCAL are required: Kerberos realm names are case-sensitive, and an Active Directory realm is the upper-case form of its DNS domain name, so write it in caps wherever a realm is expected.


sudo apt-get install krb5-user winbind samba ntp

Edit Config Files


/etc/krb5.conf (for some reason the [logging] section does not actually produce a log file):

[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = EXAMPLE.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.LOCAL = {
                kdc = adserver.example.local
                admin_server = adserver.example.local
                default_domain = EXAMPLE.LOCAL
        }

[domain_realm]
        .adserver.example.local = EXAMPLE.LOCAL
        adserver.example.local = EXAMPLE.LOCAL
        .kerberos.server = EXAMPLE.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false


/etc/samba/smb.conf. Note that the workgroup is the leftmost label of the realm (EXAMPLE for EXAMPLE.LOCAL). The password server line was left empty on this page; with security = ADS you can simply omit it and let Samba locate the domain controllers itself (the default is password server = *). The share section header was lost from this page, so the share is assumed to be called [Storage] below:

[global]
        log file = /var/log/samba/log.%m
        max log size = 1000
        security = ADS
        realm = EXAMPLE.LOCAL
        password server =
        workgroup = EXAMPLE
        use kerberos keytab = true
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = true
        winbind use default domain = yes
        restrict anonymous = 2

;Communal Files
[Storage]
   comment = Shared Files Stuff
   path = /Storage/
   writable = yes

;Individual Files - sym link /home/%D to /Storage/

A Samba share of files\Storage is created. The directory has to exist and needs permissions assigned:

mkdir /Storage
chmod a+rwx /Storage

Note that chmod a+rwx makes /Storage world-writable, so any user can delete or rename anyone else's files. If that is not wanted, set the sticky bit instead (chmod 1777 /Storage), or make the directory group-owned by a domain group with chgrp and chmod 2770 so only members of that group can use it.


/etc/nsswitch.conf. passwd and group get winbind so that domain users and groups resolve; shadow deliberately stays on compat, since winbind authenticates through PAM rather than through shadow lookups:

passwd:         compat  winbind
group:          compat  winbind
shadow:         compat

hosts:          files mdns4_minimal dns mdns4 wins [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Set the time server to the Active Directory server: Kerberos rejects tickets from clients whose clocks differ from the KDC by more than five minutes (300 seconds by default), so install ntpd and point it at the domain controller in /etc/ntp.conf:

   server    adserver


The PAM changes go in the common-* files under /etc/pam.d. In each one winbind is tried first; sufficient means a successful winbind check is enough, while a local account still falls through to pam_unix.

/etc/pam.d/common-account:

account sufficient      pam_winbind.so
account required        pam_unix.so

/etc/pam.d/common-auth:

auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password:

password        required        pam_unix.so nullok obscure min=4 max=50 md5
password        optional        pam_smbpass.so nullok use_authtok use_first_pass missingok

/etc/pam.d/common-session:

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel


You may need to add the following line in order to get user home directory auto-creation working:

session    required     pam_mkhomedir.so        skel=/etc/skel/ umask=0022

I added this towards the bottom of /etc/pam.d/sshd, right before the last line, which is an "@include" statement.

Make User Home Dir

The directory name is the same as the workgroup, because %D in template homedir = /home/%D/%U expands to it:

mkdir /home/EXAMPLE

Work around potential DNS pitfalls

Edit /etc/hosts to contain the following, where <ad server ip> is the address of the domain controller (the addresses were lost from this page; 127.0.0.1 is the usual loopback entry):

<ad server ip>  adserver.example.local example.local adserver
127.0.0.1       <hostname>.example.local localhost <hostname>
<local ip>      <hostname>.example.local <hostname>

Restart key services

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start


To test Kerberos, get a ticket as a domain user:

kinit <your username>@EXAMPLE.LOCAL

Check that a ticket was issued: klist

Query the LDAP server: ldapsearch (this is in the ldap-utils package, which the apt-get line above does not install)

List all users to test the name service configuration: getent passwd (domain users only show up once the box has joined the domain and winbind has been restarted)

Make sure your time is correct: net time
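Most of the things that go wrong here are the ones the page has already warned about: the realm not in caps, the workgroup not matching the realm, winbind missing from nsswitch.conf, or the clock being off. The script below is an added example, not part of the original wiki page, that checks those four conditions. It runs on constructed sample snippets embedded in the script (the temporary files under $tmp are made up here); to check a real box point check_box at /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf, and feed clock_skew_ok the local epoch time and the domain controller's. The 300 second limit is the Kerberos default clock skew.

```shell
#!/bin/sh
# Added example (not from the original page): offline sanity checks for the
# settings the page asks you to get right. The config snippets below are
# constructed here for demonstration; see the prose above for live use.

# conf_value FILE KEY: print the value of the first uncommented "KEY = value"
# line in FILE (works for krb5.conf and smb.conf alike).
conf_value() {
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed -e 's/[[:space:]]*$//'
}

# realm_is_upper REALM: succeed when REALM is non-empty and entirely upper case
# (Kerberos realm names are case-sensitive).
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# workgroup_matches_realm WORKGROUP REALM: succeed when WORKGROUP is the
# leftmost DNS label of REALM (EXAMPLE for EXAMPLE.LOCAL).
workgroup_matches_realm() {
    [ -n "$1" ] && [ "$1" = "${2%%.*}" ]
}

# nss_has_winbind FILE DB: succeed when the "DB:" line in FILE lists winbind.
nss_has_winbind() {
    grep -E '^[[:space:]]*'"$2"':.*[[:space:]]winbind([[:space:]]|$)' "$1" >/dev/null
}

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH: succeed when the two clocks are within
# the Kerberos default of 300 seconds of each other.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - $d ))
    [ "$d" -lt 300 ]
}

# check_box KRB5CONF SMBCONF NSSWITCH: run the file-based checks, print one
# line per finding, and print the number of failures as the last line.
check_box() {
    fails=0
    realm=$(conf_value "$1" default_realm)
    smbrealm=$(conf_value "$2" realm)
    workgroup=$(conf_value "$2" workgroup)
    realm_is_upper "$realm" \
        || { echo "FAIL krb5.conf default_realm '$realm' is not upper case"; fails=$(( $fails + 1 )); }
    [ "$realm" = "$smbrealm" ] \
        || { echo "FAIL smb.conf realm '$smbrealm' differs from krb5.conf realm '$realm'"; fails=$(( $fails + 1 )); }
    workgroup_matches_realm "$workgroup" "$realm" \
        || { echo "FAIL workgroup '$workgroup' is not the first label of '$realm'"; fails=$(( $fails + 1 )); }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" \
            || { echo "FAIL nsswitch.conf $db: does not list winbind"; fails=$(( $fails + 1 )); }
    done
    nss_has_winbind "$3" shadow \
        && { echo "FAIL nsswitch.conf shadow: should not list winbind"; fails=$(( $fails + 1 )); }
    echo "$fails"
}

# Constructed sample files: a correct set matching the page, plus a deliberately
# broken smb.conf (lower-case realm, workgroup not the realm's first label).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.LOCAL
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
        security = ADS
        realm = EXAMPLE.LOCAL
        workgroup = EXAMPLE
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:         compat  winbind
group:          compat  winbind
shadow:         compat
EOF
cat > "$tmp/smb-bad.conf" <<'EOF'
[global]
        security = ADS
        realm = example.local
        workgroup = EXAMPLES
EOF

check_box "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/nsswitch.conf"       # last line: 0
check_box "$tmp/krb5.conf" "$tmp/smb-bad.conf" "$tmp/nsswitch.conf"   # last line: 2
```

On a live box, clock_skew_ok "$(date +%s)" <kdc epoch> compares against whatever the domain controller reports (net time prints the server's clock); anything at or over 300 seconds will make kinit fail before any of the Samba settings matter.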

Join the Active Directory Domain

net ads join -U administrator@EXAMPLE.LOCAL

Note that any domain administrator account could be used instead of administrator. If it does not work, remove @EXAMPLE.LOCAL. If problems persist, add -d5 for extra debugging output.

Restart ssh and test login

/etc/init.d/ssh restart

ssh <your username>@<smb server>

Allowing sudo for some users

One approach is to add the Active Directory group of the users who may sudo to the /etc/sudoers file (of course, you may have to create said group first). Group names containing spaces must be quoted, and since the %group syntax resolves membership through NSS, these lines only take effect once winbind is working.

Example /etc/sudoers:

%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL


Largely derived from: this page

More reading: Winbind Howto

What's next

Once this is working, Apache2 user authentication via Active Directory can quite easily be added on. Check out the page here.


ADAuthentication (last edited 2009-07-21 15:38:19 by dawning)