# [SOLVED] User Authentication with Active Directory - HOWTO

## dgooding

I work in a very Windows-centric environment.  I am attempting to set up a few Gentoo machines.  One of my requirements is that users can log in with their existing Windows accounts and passwords.  Is there a step-by-step howto on getting a Linux machine to authenticate its login attempts with a Windows Active Directory server?

Note:  I do not have administrative rights on the AD server, but I do on the Linux machines.

After a simple Samba install, I am able to browse network shares using my AD account credentials (LinNeighborhood), but I'm still doing that from a local user account.

Any advice or links?

----------

## TheRoachKiller

This should help get the ball rolling

http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

----------

## Comatose51

I have the same issue.  The guide is a good starting point but I need a way to use AD to authenticate the user to allow them to log into the workstation.

----------

## dgooding

I just got it working.

I'll see if I can get a quick howto up soon.  Probably have to wait til tomorrow (it's 5 o'clock somewhere).

----------

## dgooding

My goal was to set up a Linux box in my corporate Windows domain, and have the ability to log into my Linux box using the same username/password found on the Windows side.  A single sign-on, if you will.  I didn't want to fake it by creating local Linux accounts that mirrored my Windows accounts.  I didn't want to set up a Samba mirror of the Active Directory accounts and authenticate against Samba.  I wanted to authenticate directly against my Active Directory server.

Here's how I (think) I did it.  If I missed some steps feel free to let me know and I'll edit the post.  This was a sort of Holy Grail for me and I was trying everything I could to get it to work.  Using 'history' and vague recollections, here's what I did to make it happen.

First, because of how things are done, the time on your Linux box has to be in sync with the time on your Active Directory server.  If not, tickets won't be sent and authentication will fail.  Use ntp.

Next, install Samba.  Be careful though, not just any install of Samba will work.  Specific USE keywords are needed for it to work correctly.  I used the following USE keywords to emerge Samba.

```
samba winbind kerberos ldap
```

Now, this should emerge Samba, MIT-KRB5, and OpenLDAP.

Let's get Kerberos functioning correctly.  Edit /etc/krb5.conf.  Case is important.

```
# Kerberos realm names are case-sensitive: the realm is UPPER-CASE,
# DNS host and domain names are lower-case.
[libdefaults]
        ticket_lifetime = 600
        default_realm = SUBDOMAIN.DOMAIN.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        SUBDOMAIN.DOMAIN.COM = {
                kdc = ad-server.subdomain.domain.com
                default_domain = subdomain.domain.com
        }

[domain_realm]
        .subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
        subdomain.domain.com = SUBDOMAIN.DOMAIN.COM

# [kdc] and the kdc/admin_server log entries only matter for a KDC
# running on this host; a domain member that just uses kinit ignores them.
[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
```

In case DNS decides to stop functioning, add an entry into /etc/hosts

```
1.2.3.4      ad-server ad-server.subdomain.domain.com
```

Let's make sure Kerberos works.  This should prompt you for a password and return you to a prompt, that's it.

```
# kinit username@SUBDOMAIN.DOMAIN.COM
```

Now let's work on configuring Samba.  Here's my /etc/samba/smb.conf

```
[global]
workgroup = SUBDOMAIN
netbios name = hostname
server string = this is my linux box

# Kerberos/AD domain membership
security = ADS
realm = SUBDOMAIN.DOMAIN.COM
password server = ad-server.subdomain.domain.com
encrypt passwords = yes

log file = /var/log/smb/samba.%m
max log size = 50

# Do not compete with the domain controllers for browse master / WINS
local master = no
preferred master = no
dns proxy = no
wins proxy = no

# Range of Unix ids winbind may hand out to domain users and groups
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind gid = 10000-20000
# older synonym for idmap gid
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
```

Let's run a quick check to make sure smb.conf has the right syntax.

```
# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = SUBDOMAIN
        realm = SUBDOMAIN.DOMAIN.COM
        server string = this is my linux box
        security = ADS
        password server = ad-server.subdomain.domain.com
        log file = /var/log/smb/samba.%m
        max log size = 50
        preferred master = No
        local master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
```

Now, before we authenticate, we should at least be nice enough to join the domain we're authenticating against.  Start winbindd.  Make sure smbd and nmbd are not running.  Now, with a domain account that has the ability to join machines to the domain:

```
# net ads join -U username
```

Almost there, now let's edit a few more files and run a few more tests.  In /etc/nsswitch.conf, edit the top section to look like this.

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

To confirm that winbind is actually talking to the Active Directory server run:

```
# wbinfo -u
# wbinfo -g
```

Now let's make sure that the conversion of Windows Active Directory accounts to Linux accounts is working.

```
# getent passwd
# getent group
```

Edit /etc/conf.d/samba (the daemon names are smbd, nmbd and winbind; a typo here means the init script silently starts nothing):

```
daemon_list="smbd nmbd winbind"
```

Make some links

```
# ln -s /usr/lib/libnss_winbind.so /lib/libnss_winbind.so
# ln -s /usr/lib/libnss_winbind.so.2 /lib/libnss_winbind.so.2
```

Make a backup of your /etc/pam.d folder

```
# cp -r /etc/pam.d /etc/pam.d.backup
```

Edit /etc/pam.d/login

```
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
# use_first_pass: reuse the password pam_winbind already prompted for
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
```

Now, at last:

```
# /etc/init.d/samba start
# rc-update add samba default
```

That's it, I think.  Here were the three primary sources of my information:

http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

http://www.google.com
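
The smb.conf and krb5.conf from the steps above, run through an added sanity checker.  This is example code written for this page, not part of the original post or of Samba; the sample configs are embedded as constructed text copied from the howto, and the check names, severities and the list of deprecated enctypes are the example's own choices.  It flags the two things a reviewer would raise before joining such a box to a corporate domain: `winbind enum users/groups = yes` hands the whole directory to anyone with a local shell, and the DES enctype lists are obsolete.

```python
"""Sanity checks for a Samba/winbind AD domain-member configuration.

Added example, not part of the original HOWTO. It parses the smb.conf and
krb5.conf from the post (embedded below as constructed sample text) and
flags what a reviewer would question before joining the box to a corporate
domain. Check names, severities and the enctype list are this example's own.
"""
import configparser
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, message)

SMB_CONF = """\
[global]
workgroup = SUBDOMAIN
netbios name = hostname
security = ADS
realm = SUBDOMAIN.DOMAIN.COM
password server = ad-server.subdomain.domain.com
log file = /var/log/smb/samba.%m
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
encrypt passwords = yes
"""

# The same file with directory enumeration switched off.
SMB_CONF_HARDENED = (SMB_CONF.replace("enum users = yes", "enum users = no")
                             .replace("enum groups = yes", "enum groups = no"))

KRB5_CONF = """\
[libdefaults]
        ticket_lifetime = 600
        default_realm = SUBDOMAIN.DOMAIN.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""

# Single DES is broken; 3DES and RC4 are deprecated for Kerberos by RFC 8429.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-hmac-sha1",
                       "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Return the [global] section as a lower-cased option -> value dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # %m, %U are Samba macros
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp["global"].items()}


def parse_range(value: str) -> Tuple[int, int]:
    low, high = value.split("-", 1)
    return int(low), int(high)


def check_smb(opts: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    if opts.get("security", "").lower() != "ads":
        out.append(("error", "security must be ADS for Kerberos domain membership"))
    realm = opts.get("realm", "")
    if not realm:
        out.append(("error", "realm is not set"))
    elif realm != realm.upper():
        out.append(("error", f"realm {realm!r} is not upper-case; Kerberos realms are case-sensitive"))
    if opts.get("encrypt passwords", "yes").lower() not in ("yes", "true", "1"):
        out.append(("error", "encrypt passwords = no would send plaintext credentials"))
    for key in ("idmap uid", "idmap gid"):
        if key not in opts:
            out.append(("error", f"{key} is missing; winbind cannot allocate ids"))
            continue
        low, high = parse_range(opts[key])
        if low < 1000:
            out.append(("error", f"{key} starts at {low} and overlaps system accounts"))
        if high <= low:
            out.append(("error", f"{key} range {low}-{high} is empty"))
    for key in ("winbind enum users", "winbind enum groups"):
        if opts.get(key, "no").lower() == "yes":
            out.append(("warn", f"{key} = yes lets any local shell user list the whole domain "
                                "and is slow on large directories; set it to no unless needed"))
    if "password server" in opts:
        out.append(("info", "password server pins one DC; DNS-based DC discovery survives DC outages"))
    return out


def check_krb5(text: str) -> List[Finding]:
    out: List[Finding] = []
    pattern = re.compile(r"^\s*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)"
                         r"\s*=\s*(.+?)\s*$", re.M)
    for key, value in pattern.findall(text):
        bad = sorted(set(value.split()) & DEPRECATED_ENCTYPES)
        if bad:
            out.append(("warn", f"{key} allows deprecated enctypes {', '.join(bad)}; "
                                "prefer aes256-cts-hmac-sha1-96 and let the KDC negotiate"))
    return out
```

Running `check_smb(parse_smb_conf(SMB_CONF)) + check_krb5(KRB5_CONF)` yields two warnings for the enumeration switches, one informational note about the pinned `password server`, and two warnings for the DES enctype lists; the hardened variant produces only the informational note.  Run it against the real files before `net ads join`, since a wrong realm case or an idmap range that overlaps local accounts is far cheaper to catch here than after the first domain user owns a system uid.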

----------

## humbletech99

Your pam.d/login appears to have a mistake, because I copied it exactly and replaced my login (after a backup, of course) and now when logging in it gives me the password request twice and then fails. Local root seems to be OK, though...

----------

## dgooding

I don't know what to tell you.  I just re-went-through these steps on another machine and they worked just fine.

But now I've run into another problem.  These steps work for logging into vt1-vt6, but not into xdm/kdm/gdm.

----------

## humbletech99

I sorted it out eventually after much time spent RTFM-ing.

Time well spent; I'm much more comfortable with this now, although it's not that easy/obvious to learn.

You have set this in the wrong place. Usually system-auth is a better bet, but it depends on your situation.

If you are using Gentoo, then system-auth would be the right place. Mine works everywhere: locally, ssh, excellent.

----------

## dgooding

You're right.  Today at work I slipped winbind into system-auth and everything works well.  I'll edit my post tomorrow.

So far, most everything is working for my Linux box in my Windows domain.  NTFS File Shares, Exchange, Active Directory, MS SQL Server, MS Office Documents.  I'm fairly pleased.  Hopefully after this one-man pilot program proves successful, Linux will be a valid alternative for the company.  (My only outstanding issues are ActiveX and Entrust PKI.)

----------

## Shedoks

Hi. I've got a headache because of this. I'm trying to make this work but it won't. I used your /etc/krb5.conf, but when I reach the kinit part I get this error:

```
kinit(v5): KRB5 error code 68 while getting initial credentials
```

what should i do?

Also, when I try to start MIT Kerberos I get:

```
# /etc/init.d/mit-krb5kadmind start
 * Starting MIT Kerberos 5 KDC ...
krb5kdc: cannot initialize realm SUBDOMAIN.DOMAIN.COM - see log file for details
 * Error starting MIT Kerberos 5 KDC                                      [ !! ]
 * ERROR:  Problem starting needed services.
 *         "mit-krb5kadmind" was not started.

# /etc/init.d/mit-krb5kdc start
 * Starting MIT Kerberos 5 KDC ...
krb5kdc: cannot initialize realm SUBDOMAIN.DOMAIN.COM - see log file for details
 * Error starting MIT Kerberos 5 KDC
```

Last edited by Shedoks on Thu Mar 30, 2006 6:25 am; edited 1 time in total

----------

## humbletech99

First off, check your spelling!!!!!! I know you're from Serbia so English isn't your first language, but "headick" is bordering on an insult (you're free to insult yourself but it's not necessary here...)

Secondly, make sure you're not literally using SUBDOMAIN.DOMAIN.COM in the file.

Thirdly, you'd be better off learning what to do rather than copying, otherwise you're more likely to fall down and not know how to fix it, like now...

To dgooding:

Please let me know how you are getting on with accessing stuff from your linux box - I'm especially curious about accessing the windows shares, I've found that I can't mount them as a regular user and if I su to be able to mount, then I can't use my domain credentials any more as I'm running as root! Catch-22?

----------

## Shedoks

I fixed it. I used copy/paste because it didn't work with my configuration, so I tried this one.

And about head... I think I'll never remember how to spell it correctly :) I was too lazy to look into a dictionary.

Thanks for the reference :)

I'll check this share stuff and I'll let you know :)

----------

## humbletech99

correct spelling "headache" (not an obvious spelling).

I've found I can mount as ordinary user using smbmount instead of mount -t smbfs but I still can't use my domain creds properly, even with krb it apparently only works against other samba servers....

----------

## Shedoks

I can't mount as user.

----------

## humbletech99

of course not, you'd have to mount in your home dir... and use smbmount not mount -t smbfs...

----------

## DumbAss

Thanks. This howto worked perfect. But I have one question:

My users have to login to the share (via a windows machine): by entering:

DOMAIN\user

password

But I want them to only enter the username and that samba uses the standard domain for DOMAIN. Is this possible?

----------

## humbletech99

yes, it's an option in smb.conf, can't remember which though, but I just enter my username from the default domain and then the password. explore smb.conf, it's there.

----------

## DumbAss

*humbletech99 wrote:*

> yes, it's an option in smb.conf, can't remember which though, but I just enter my username from the default domain and then the password. explore smb.conf, it's there.

Hi, I tried

```
winbind use default domain = yes
```

but that didn't work.

Then I get this kind of errors:

```
[2006/05/15 17:44:35, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TIMONLINE\marien
[2006/05/15 17:44:35, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TIMONLINE\marien!
```

And TIMONLINE is the right domain! That's the weird stuff.

----------

## humbletech99

it looks like the user auth is failing, can your users log in with either DOMAINNAME\user or just user? If you can't log in with either then the problem is your domain auth isn't set up properly.

Setting the default domain should work, check the docs again, I've found that the docs on this stuff are good enough to get you through and this worked for me.

----------

## DumbAss

*humbletech99 wrote:*

> it looks like the user auth is failing, can your users log in with either DOMAINNAME\user or just user? If you can't log in with either then the problem is your domain auth isn't set up properly.
>
> Setting the default domain should work, check the docs again, I've found that the docs on this stuff are good enough to get you through and this worked for me.

My users can log in with DOMAINNAME\user but not with user.

But now it works suddenly. I was just editing the PAM files. Could this have been it?

Weird stuff :S

I have another question. If it's not too much :)

I have this in PAM:

```
auth    sufficient      pam_winbind.so
auth    sufficient      pam_unix.so nullok_secure
```

But then, when I want to log in with a user account that only exists locally (for example root), I have to type my password twice. How can I prevent this from happening?

----------

## humbletech99

```
auth    sufficient      pam_unix.so nullok_secure use_first_pass
```

will do it. :)
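
Why the password is asked for twice, and why `use_first_pass` fixes it, in a toy model of the Linux-PAM auth stack.  This is an added example written for this page, not code from either poster or from Linux-PAM itself; the credential stores and the behaviour of the `pam_winbind`/`pam_unix` stand-ins are constructed for the demo, and the control flags follow the documented Linux-PAM semantics for `required`, `requisite` and `sufficient` (the `[value=action]` syntax and other corner cases are left out).  Besides the double prompt it checks the two things worth knowing before you close the console and lock yourself out: that local root still gets in when winbindd is unreachable, and that a stack whose only `required` line always passes (as `pam_securetty` does for non-root users) authenticates anyone unless it ends in a `required` deny.

```python
"""Toy model of Linux-PAM auth-stack evaluation (added example, not from the thread).

Module behaviour and credential stores are constructed for the demo; control-flag
handling follows the documented Linux-PAM semantics for required/requisite/sufficient
and omits the [value=action] syntax.
"""
from dataclasses import dataclass
from functools import partial
from typing import Callable, List, Optional, Tuple

SUCCESS, AUTH_ERR, USER_UNKNOWN, AUTHINFO_UNAVAIL = range(4)

# Constructed credential stores: what each module can vouch for.
LOCAL_USERS = {"root": "local-r00t"}                     # /etc/shadow
DOMAIN_USERS = {"SUBDOMAIN\\dgooding": "Winter2006!"}    # Active Directory via winbindd


@dataclass
class Conversation:
    """The login program's conversation function plus the shared PAM_AUTHTOK item."""
    password: str
    prompts: int = 0
    authtok: Optional[str] = None

    def prompt(self) -> str:
        self.prompts += 1
        self.authtok = self.password
        return self.authtok


@dataclass
class Module:
    name: str
    control: str                              # required | requisite | sufficient
    check: Callable[[str, Optional[str]], int]
    options: Tuple[str, ...] = ()
    needs_token: bool = True

    def run(self, user: str, conv: Conversation) -> int:
        token = None
        if self.needs_token:
            if "use_first_pass" in self.options:
                if conv.authtok is None:
                    return AUTH_ERR           # nothing to reuse: fail, never prompt
                token = conv.authtok
            else:
                token = conv.prompt()         # every module without it asks again
        return self.check(user, token)


def winbind_check(user: str, token: Optional[str], winbindd_up: bool = True) -> int:
    if not winbindd_up:
        return AUTHINFO_UNAVAIL
    if user not in DOMAIN_USERS:
        return USER_UNKNOWN
    return SUCCESS if DOMAIN_USERS[user] == token else AUTH_ERR


def unix_check(user: str, token: Optional[str]) -> int:
    if user not in LOCAL_USERS:
        return USER_UNKNOWN
    return SUCCESS if LOCAL_USERS[user] == token else AUTH_ERR


def authenticate(stack: List[Module], user: str, password: str) -> Tuple[bool, int]:
    """Return (authenticated, number of password prompts shown)."""
    conv = Conversation(password)
    positive = failed_required = False
    for mod in stack:
        ok = mod.run(user, conv) == SUCCESS
        if mod.control == "requisite":
            if not ok:
                return False, conv.prompts
            positive = True
        elif mod.control == "required":
            positive |= ok                    # a failure is remembered, but the stack runs on
            failed_required |= not ok
        elif mod.control == "sufficient" and ok and not failed_required:
            return True, conv.prompts         # failures of a sufficient module are ignored
    return positive and not failed_required, conv.prompts


def login_stack(unix_options=(), with_deny=True, winbindd_up=True) -> List[Module]:
    """An auth section in the shape of the thread's examples."""
    stack = [
        # pam_securetty only restricts root on unlisted ttys; it passes everyone else
        Module("pam_securetty.so", "required", lambda u, t: SUCCESS, needs_token=False),
        Module("pam_winbind.so", "sufficient", partial(winbind_check, winbindd_up=winbindd_up)),
        Module("pam_unix.so", "sufficient", unix_check, tuple(unix_options)),
    ]
    if with_deny:
        stack.append(Module("pam_deny.so", "required", lambda u, t: AUTH_ERR, needs_token=False))
    return stack
```

`authenticate(login_stack(), "root", "local-r00t")` returns `(True, 2)`: `pam_winbind` prompts, reports the user unknown, and `pam_unix` prompts again.  With `("use_first_pass",)` it returns `(True, 1)`.  With `with_deny=False`, an unknown user with a wrong password gets `(True, 1)`, because the only `required` module passed and the `sufficient` failures were ignored; that is why a real `system-auth` ends in `auth required pam_deny.so`.  With `winbindd_up=False`, root still authenticates locally while domain users are refused, which is the degraded mode you want when the DC is unreachable.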

----------

## DumbAss

*humbletech99 wrote:*

> ```
> auth    sufficient      pam_unix.so nullok_secure use_first_pass
> ```
> ...

Thanks man! I started today with editing the PAM files and I already learned a lot. Locked myself out already once :)

I still don't know what the problem was with the samba-logins, but it works.

I installed PAM support for ssh too, and it creates the home directory when someone wants to log on. But I have another problem. If the user logs on via ssh, he is thrown out. And I think it has something to do with the shell he gets by default:

```
linuxbak:~# getent passwd |grep leon
leon:x:10000:10000:Leon Bogaert:/home/TIMONLINE/leon:/bin/false
linuxbak:~#
```

Can I overwrite the /bin/false somewhere? I tried it in /etc/samba/smb.conf with:

```
template shell = /bin/bash
```

but that apparently doesn't work.

Thanks in advance!

----------

## humbletech99

are you restarting samba each time you make a change?

this should work, I can see you've been good enough to read the docs and this is what I did and it worked.

If you didn't restart samba then, put the template shell line in smb.conf, restart samba and try again.

----------

## DumbAss

*humbletech99 wrote:*

> are you restarting samba each time you make a change?
>
> this should work, I can see you've been good enough to read the docs and this is what I did and it worked.
>
> If you didn't restart samba then, put the template shell line in smb.conf, restart samba and try again.

Damn, you're right. I was too lazy to restart samba each time and I hammered myself on the fingers.

I did:

```
/etc/init.d/samba stop && /etc/init.d/winbind stop
/etc/init.d/samba start && /etc/init.d/winbind start
```

and it worked:

```
linuxbak:~# getent passwd |grep leon
leon:x:10000:10000:Leon Bogaert:/home/TIMONLINE/leon:/bin/bash
linuxbak:~#
```

Now I can go ahead with my windows/linux integration project.

----------

## humbletech99

well, if you're grateful for the help, please post what other things you're doing regarding linux and in a domain environment, I'm also doing this and am wondering what kinds of things other people are doing around these topics, I've got the auth and share things working, but I'm not sure if there's more I could do....

----------

## DumbAss

*humbletech99 wrote:*

> well, if you're grateful for the help, please post what other things you're doing regarding linux and in a domain environment, I'm also doing this and am wondering what kinds of things other people are doing around these topics, I've got the auth and share things working, but I'm not sure if there's more I could do....

Well, I could write a howto when everything's working. My next big project will be setting up a PDC with Linux. This is already possible, right?

----------

## Henning Rogge

I have a problem with the guide; every time I try to enter the domain, the following error happens:

```
net ads join -U administrator
administrator's password:
[2006/05/18 10:25:14, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Interrupted system call
```

what could be wrong ?

----------

## mamac

Hi,

*dgooding wrote:*

> ...So far, most everything is working for my Linux box in my Windows domain.  NTFS File Shares, Exchange...

Which client do you use to connect to Exchange server?

----------

## dgooding

Well, actually, I gave up on Exchange integration.  I'm now using Thunderbird w/ IMAP to send and receive email (both unencrypted and encrypted).  I happen to use Sunbird for my calendaring needs (but only because KOrganizer was giving me fits).

I had been using Evolution with the Exchange connector.  It worked decently well for email, but was having issues with the calendaring support (hence my giving up).

----------

## humbletech99

The authentication doesn't seem to be the biggest trouble here, but does anyone know how to map UIDs so that they are the same across all the linux machines that are authenticating against the Active Directory?

I want the UID for user "Joe" to be the same whatever linux box he logs on to...
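
The question above is the one the `idmap uid = 10000-20000` setting cannot answer by itself: winbind's default allocating backend hands ids out of that range in order of first sight, so the same domain user ends up with a different uid on every member.  Samba's `idmap_rid` backend avoids this by deriving the id arithmetically from the account's RID (the last component of its SID) with the documented formula `id = RID - base_rid + low_range_id`, refusing anything outside the range.  The following is an added example written for this page, not code from the thread or from Samba; the domain SID, the account list and the second "outsider" domain are constructed, the range is the thread's own, and `base_rid = 0` is the `idmap_rid` default.

```python
"""Deterministic SID -> Unix id mapping in the style of Samba's idmap_rid.

Added example, not from the thread. Domain SID, range and accounts are constructed.
Formula as documented for idmap_rid: id = RID - base_rid + low_range_id, rejected
when the result falls outside the configured range.
"""
import re
from typing import Dict, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
RANGE_LOW, RANGE_HIGH = 10000, 20000                         # the thread's idmap range
BASE_RID = 0                                                 # idmap_rid default

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Constructed sAMAccountName -> objectSid; RIDs 500 and 513 are the real well-known values.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "Joe": DOMAIN_SID + "-1105",
    "dgooding": DOMAIN_SID + "-1512",
    "Administrator": DOMAIN_SID + "-500",
    "Domain Users": DOMAIN_SID + "-513",
    "outsider": "S-1-5-21-9-9-9-1105",   # same RID in another domain: must not collide
}


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID, low: int = RANGE_LOW,
              high: int = RANGE_HIGH, base_rid: int = BASE_RID) -> Optional[int]:
    """idmap_rid forward mapping; None means winbind would refuse the mapping."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None              # other domains need their own idmap config block and range
    uid = rid - base_rid + low
    if not low <= uid <= high:
        return None              # RID too large for the range: fail, never wrap or reuse
    return uid


def id_to_rid(uid: int, low: int = RANGE_LOW, high: int = RANGE_HIGH,
              base_rid: int = BASE_RID) -> int:
    """Reverse mapping, as winbind needs for getpwuid() and `ls -l`."""
    if not low <= uid <= high:
        raise ValueError(f"{uid} is outside the idmap range")
    return uid - low + base_rid


def allocating_backend(first_seen_order) -> Dict[str, int]:
    """Toy model of the default tdb backend: ids depend on who was seen first."""
    return {name: RANGE_LOW + i for i, name in enumerate(first_seen_order)}


def rid_backend(accounts: Dict[str, str]) -> Dict[str, Optional[int]]:
    """Same mapping on every member, whatever the login order."""
    return {name: rid_to_id(sid) for name, sid in accounts.items()}
```

`allocating_backend(["Joe", "dgooding"])` gives Joe 10000 while `allocating_backend(["dgooding", "Joe"])` gives him 10001; `rid_backend(SAMPLE_ACCOUNTS)` gives Joe 11105 on every box, "Domain Users" 10513, and `None` for the outsider, whose domain would need its own range.  Every member must be configured with the same range and it must not overlap local accounts; in current Samba the equivalent settings are `idmap config SUBDOMAIN : backend = rid` and `idmap config SUBDOMAIN : range = 10000-20000` (the Samba 3.0-era syntax differs, so check the idmap_rid man page for the installed version).  The `ad` backend, which reads uidNumber/gidNumber attributes from the directory, is the other deterministic option when you control the schema.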

----------

