
After struggling to fully join a Linux box to the AD domain at work, I’ve now successfully managed it.
This was done in Fedora Core 8, but there’s no reason why this shouldn’t work regardless of distro.
Going to give it a go on Ubuntu next!!  (Note that the Active Directory domain in this example is RC.local and the AD/DNS/Kerberos server is RCSRV01 – replace these entries with your own details…)
Here’s a checklist to follow:

1 – Ensure that the AD domain is correctly configured (DNS, DHCP, etc.)

2 – Add the AD domain controller as the first DNS server on the linux box
(and check using /etc/resolv.conf)

3 – Ensure the kerberos and samba packages are installed on the linux box

4 – Set the hostname on your linux box in /etc/sysconfig/network

5 – Ensure you have the correct hostname (using your FQDN) in /etc/hosts. Mine looks like:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 RCFedora rcfedora.rc.local localhost
::1 localhost6.localdomain6 localhost6

6 – Ensure your linux box is set to use the Windows Domain controller as an NTP server
and that your time zone is correct (this caught me out – the time zone was incorrectly set
and it wouldn’t allow me to join the domain!)

7 – Edit /etc/krb.conf to include the following on the FIRST 2 LINES!!

RC.LOCAL rcsrv01.rc.local:88
RC.LOCAL rcsrv01.rc.local:749 admin server

8 – Next I added the file /etc/krb.realms, and added the following line

.rc.local RC.LOCAL

9 – In /etc/krb5.conf, check that the following options are there and correct:

[libdefaults]
default_realm = RC.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
RC.LOCAL = {
kdc = rcsrv01.rc.local:88
admin_server = rcsrv01.rc.local:749
kpasswd_server = rcsrv01.rc.local:464
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.rc.local = RC.LOCAL
rc.local = RC.LOCAL

10 – Next check /etc/nsswitch.conf for the following entries:

passwd: compat winbind
group: compat winbind
hosts: files dns winbind

11 – Check /etc/pam.d/system-auth for the following in the session section

session required pam_mkhomedir.so skel=/etc/skel umask=0022

12 – Under the global settings in the /etc/samba/smb.conf you should have the following

unix charset = LOCALE
workgroup = RC
netbios name = RCFEDORA
password server = RCSRV01
realm = RC.LOCAL
server string = Fedora8
security = ads
allow trusted domains = No
idmap backend = idmap_rid:RC=16777216-33554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
printcap name = cups
printing = cups

and under HOMES you should have

comment = Home Directories
browseable = no
writable = yes
; valid users = %D%U
; valid users = MYDOMAIN%S

13 – Finally stop the Winbind and Samba services, and run the following commands:

rm -f /etc/samba/*tdb
rm -f /var/cache/samba/*tdb
rm -f /var/cache/samba/*dat
net ads join -U Administrator

then start the winbind and samba services again and reboot!

You should then be able to log on with domain credentials!
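As an added check (my own script, not part of the original post), here is a small POSIX sh lint for the kind of slips that silently break step 13: a stray space or lower-case letter in default_realm, a [domain_realm] entry left over from another domain, or an smb.conf whose realm/workgroup/security disagree with krb5.conf. The file paths, the rc.local domain and the sample config files it writes under a temp directory are assumptions/constructed.

```shell
#!/bin/sh
# Added lint for the krb5.conf/smb.conf values in the checklist above; not part
# of the original post. Paths, the rc.local domain and the sample files written
# under $tmp are assumptions/constructed.

# First "KEY = value" line in FILE, value with surrounding whitespace trimmed.
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Realm must be upper case with no embedded whitespace, and [domain_realm] must
# map the DNS domain (".rc.local") onto it, not a leftover from another site.
check_krb5() {  # check_krb5 KRB5CONF DNSDOMAIN
    realm=$(conf_get "$1" default_realm)
    if [ -z "$realm" ] || printf '%s\n' "$realm" | grep -q '[[:space:][:lower:]]'; then
        echo "krb5: bad default_realm '$realm'"; return 1
    fi
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -q "^[[:space:]]*\.$dom[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$1" || {
        echo "krb5: no '.$2 = $realm' line in [domain_realm]"; return 1; }
}

# smb.conf must use security = ads, the same realm as krb5.conf, and the
# NetBIOS workgroup (first label of the realm) that the DC expects.
check_smb() {  # check_smb SMBCONF REALM
    [ "$(conf_get "$1" security)" = ads ] || { echo "smb: security must be ads"; return 1; }
    [ "$(conf_get "$1" realm)" = "$2" ] || { echo "smb: realm differs from krb5"; return 1; }
    [ "$(conf_get "$1" workgroup)" = "${2%%.*}" ] || { echo "smb: workgroup should be ${2%%.*}"; return 1; }
}

lint_join_config() {  # lint_join_config KRB5CONF SMBCONF DNSDOMAIN
    check_krb5 "$1" "$3" && check_smb "$2" "$(conf_get "$1" default_realm)"
}

# Constructed samples: one krb5.conf with a space in the realm and a stale
# [domain_realm] entry, one corrected, plus a matching smb.conf [global].
tmp=$(mktemp -d)
printf '[libdefaults]\ndefault_realm = RC .LOCAL\n[domain_realm]\n.addomain.local = RC.LOCAL\n' > "$tmp/krb5.bad"
printf '[libdefaults]\ndefault_realm = RC.LOCAL\n[domain_realm]\n.rc.local = RC.LOCAL\n' > "$tmp/krb5.good"
printf '[global]\nworkgroup = RC\nrealm = RC.LOCAL\nsecurity = ads\n' > "$tmp/smb.conf"
lint_join_config "$tmp/krb5.bad"  "$tmp/smb.conf" rc.local || echo "bad config rejected (expected)"
lint_join_config "$tmp/krb5.good" "$tmp/smb.conf" rc.local && echo "good config passes"
```

Run it against the real /etc/krb5.conf and /etc/samba/smb.conf before wiping the tdb files and joining, so a typo is caught by the lint rather than by a failed net ads join.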

2 Comments

  1. Well, it’s stupid o’clock in the morning and we appear to have a CentOS distro on our network. Looks like we needed one extra bit of info. In /etc/samba/smb.conf we had a section called Standalone Server Options. After deactivating the ‘security’ and ‘passdb backend’ settings in there it successfully joined the realm. Yay! Apart from that we followed your instructions to the letter (well with a little change to paths that didn’t seem to follow with the other settings in the conf files). Just missing the network printers at the mo, but that might change! Cheers Mr Roach,

    Pete
    premiercomputerservices.co.uk

  2. Nicely done sir :)

    Depending on whether it’s supported for your distro and whether your printers are HP, give the HPLIP project a go… might make things a little easier on the printer front (particularly if you have any multi-function devices on your LAN :)

