# Seems fixed: Join Active Directory domain using Samba/Winbind

## keet

Does anyone here have experience joining Gentoo to a Windows Active Directory domain?  I have a home server running Windows Server 2012, acting as the domain controller.  Let's say that the domain is called GREYCAT.LOCAL.  I am trying the Samba/Winbind method.

It seems to be partly working:

```
sudo net ads join -U myusername
Password: 
Ignoring unknown parameter "winbind offline login"
Enter myusername's password:
Using short domain name -- GREYCAT
Joined 'LAPTOP' to dns domain 'greycat.local'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!
```

'wbinfo -u' shows a list of domain users.

However, no one can log into my Linux laptop using domain credentials.  It is working fine on the Windows computers (or on the same laptop if I reboot into Windows).

Does anyone here know how to make it work properly?

/etc/krb5.conf

```
[libdefaults]
   default_realm = GREYCAT.LOCAL
   dns_lookup_realm = false
   # no SRV-record discovery: the KDC below is used as pinned, so a DC change needs an edit here
   dns_lookup_kdc = false
   forwardable = true
#   kdc_timesync = 1
#   ccache_type = 4
#   proxiable = true
#   fcc-mit-ticketflags = true
#   default_keytab_name = FILE:/etc/krb5.keytab
#   default_tkt_enctypes = aes256-cts-hmac-sha1-96

[realms]
   GREYCAT.LOCAL = {
      kdc = ipaddressofdomaincontroller
      admin_server = ipaddressofdomaincontroller
      default_domain = GREYCAT.LOCAL
   }

[domain_realm]
   .greycat.local = GREYCAT.LOCAL
   greycat.local = GREYCAT.LOCAL

#[login]
#   krb4_convert = true
#   krb4_get_tickets = false

[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log
```

/etc/samba/smb.conf (and smb2.conf)

```
[global]
   workgroup = GREYCAT
   password server = ipaddressofdomaincontroller
   realm = GREYCAT.LOCAL
   security = ads
   # with no backend given, the "*" domain uses Samba's tdb allocator, so the UID/GID a
   # domain user receives is local to this host (the rid backend gives IDs that are the
   # same on every member)
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   # the parameter is "winbind offline logon"; spelled "login" it is unknown to Samba and
   # ignored, which is the warning printed by net ads join above
   winbind offline logon = true
   kerberos method = secrets and keytab
   winbind refresh tickets = true
   server string = dd Samba Server Version %v
   netbios name = LAPTOP
   log file = /var/log/samba/log.%m
   max log size = 50
   passdb backend = tdbsam
   encrypt passwords = yes
#   winbind enum groups = yes
#   winbind enum users = yes

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
```

/etc/security/pam_winbind.conf

```
(censored)
krb5_auth = yes
krb5_ccache_type = FILE
(censored)
```

/etc/pam.d/system-auth

```
#%PAM-1.0
# $Id$
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_winbind.so
account     required      pam_unix.so
password    required      pam_cracklib.so retry=3
# md5 is the weakest hash pam_unix offers; sha512 is the usual choice for local accounts
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
# umask=0022 creates each new home directory mode 0755 (readable by everyone);
# umask=0077 would make it private to its owner
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
```

/etc/pam.d/samba

```
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
#    (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth       required     pam_smbpass.so nodelay
account    include      system-auth
session    include      system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

Edit:  I might have fixed it.  I set this laptop to use the same hostname in Windows and in Linux.  I had also not configured /etc/hosts properly, I think; I had '127.0.0.1 localhost...', so I changed my hostname to 'laptop_gentoo' and in /etc/hosts '127.0.0.1 laptop_gentoo.greycat laptop_gentoo'.  Now, it seems to be working properly; I can log into my Linux laptop using accounts that I made on my Windows domain controller.

----------
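The fix in the post above (making the hostname and /etc/hosts agree) and the "Ignoring unknown parameter" line in the `net ads join` output both come down to configuration consistency that can be checked before joining. The script below is an added example, not code from the original posts or from Samba: it runs three offline checks over constructed sample files (the hostname `laptop_gentoo`, the address `192.168.1.50` and the file contents are invented for the example) and then lists the live commands to run on the joined host. It assumes the AD DNS domain is the realm lowercased and that the canonical name for the host in /etc/hosts should be `<hostname>.<dns domain>`.

```shell
#!/bin/sh
# Added example, not from the original post. Offline pre-join checks for a
# Samba/Winbind AD member: (1) the short hostname maps in the hosts file to
# <host>.<AD DNS domain>; (2) smb.conf "realm" equals krb5.conf "default_realm";
# (3) smb.conf uses "winbind offline logon", not the ignored "login" spelling.
# Every file written below is a constructed sample.
set -u

# Print the canonical (first) name of the first hosts-file line that lists $2
# as canonical name or alias (case-insensitive); comments and blanks skipped.
hosts_canonical_name() {
    awk -v short="$2" '
        BEGIN { short = tolower(short) }
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) { f = tolower($i)
              if (f == short || index(f, short ".") == 1) { print $2; exit } } }
    ' "$1"
}

# Succeed when hosts file $1 maps short name $2 to "$2.$3" (case-insensitive).
check_hosts_fqdn() {
    short=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    fqdn=$(hosts_canonical_name "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$fqdn" = "$short.$dom" ]
}

# Print the value of "key = value" from an smb.conf/krb5.conf-style file
# (first match, key compared case-insensitively, "#" and ";" comments skipped).
conf_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*[#;]/ { next }
        /=/ { k = $0; sub(/=.*/, "", k); sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
              if (tolower(k) == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                                       sub(/[[:space:]]+$/, "", v); print v; exit } }
    ' "$1"
}

# Count smb.conf lines using the misspelled parameter "winbind offline login".
count_misspelled_offline_logon() {
    grep -ci '^[[:space:]]*winbind[[:space:]]*offline[[:space:]]*login[[:space:]]*=' "$1" || true
}

# Succeed when smb.conf $1 "realm" equals krb5.conf $2 "default_realm".
check_realm_match() {
    r1=$(conf_value "$1" realm | tr 'a-z' 'A-Z')
    r2=$(conf_value "$2" default_realm | tr 'a-z' 'A-Z')
    [ -n "$r1" ] && [ "$r1" = "$r2" ]
}

# precheck <hosts> <smb.conf> <krb5.conf> <short hostname>: one PASS/FAIL line
# per check, exit status 1 if any check failed.
precheck() {
    hosts=$1; smb=$2; krb=$3; short=$4; fail=0
    dns_domain=$(conf_value "$smb" realm | tr 'A-Z' 'a-z')
    if check_hosts_fqdn "$hosts" "$short" "$dns_domain"; then echo "PASS hosts: $short -> $short.$dns_domain"
    else echo "FAIL hosts: $short must map to $short.$dns_domain in $hosts"; fail=1; fi
    if check_realm_match "$smb" "$krb"; then echo "PASS realm: smb.conf and krb5.conf agree"
    else echo "FAIL realm: smb.conf realm differs from krb5.conf default_realm"; fail=1; fi
    n=$(count_misspelled_offline_logon "$smb")
    if [ "$n" -eq 0 ]; then echo "PASS smb.conf: no 'winbind offline login' typo"
    else echo "FAIL smb.conf: $n line(s) say 'winbind offline login'; Samba expects 'logon'"; fail=1; fi
    return $fail
}

# live_checks <domain user>: run on the real host after "net ads join"
# (skipped when the Samba tools are absent, so this script also runs offline).
live_checks() {
    command -v net >/dev/null 2>&1 || { echo "SKIP live checks: Samba tools not installed"; return 0; }
    net ads testjoin       # machine account still valid on the DC?
    wbinfo -t              # winbindd can use the machine trust secret?
    getent passwd "$1"     # NSS side: a domain user must resolve here before PAM can log it in
}

# --- constructed sample files (invented names, address and contents) ---
WORK=$(mktemp -d)
printf '127.0.0.1     localhost\n192.168.1.50  laptop_gentoo.greycat.local laptop_gentoo\n' > "$WORK/hosts"
printf '[global]\n   workgroup = GREYCAT\n   realm = GREYCAT.LOCAL\n   security = ads\n   winbind offline login = true\n' > "$WORK/smb.conf"
printf '[libdefaults]\n   default_realm = GREYCAT.LOCAL\n' > "$WORK/krb5.conf"
# the same smb.conf with the parameter spelled as Samba expects
sed 's/winbind offline login/winbind offline logon/' "$WORK/smb.conf" > "$WORK/smb-fixed.conf"

if precheck "$WORK/hosts" "$WORK/smb.conf" "$WORK/krb5.conf" laptop_gentoo; then echo "ready to join"
else echo "fix the FAIL lines before running net ads join"; fi
echo "--- after correcting the parameter name ---"
if precheck "$WORK/hosts" "$WORK/smb-fixed.conf" "$WORK/krb5.conf" laptop_gentoo; then echo "ready to join"
else echo "fix the FAIL lines before running net ads join"; fi
```

The first `precheck` run reports the `winbind offline login` typo as a FAIL and the second passes; on a real host, point the four arguments at `/etc/hosts`, `/etc/samba/smb.conf`, `/etc/krb5.conf` and the output of `hostname`, then call `live_checks` with a domain user name once `net ads join` has succeeded.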

## keet

It is working more or less well.  When users log in, their home directories are readable by all and owned by 'users:domain users' by default.  I needed to add 'auth sufficient pam_winbind.so' to /etc/pam.d/lightdm for lightdm to work with domain credentials.

----------

