Ubuntu and Active Directory
This Howto describes how to join an Ubuntu machine to an Active Directory domain and
authenticate its users against AD.
Used terms

Term                        Definition
AD                          Active Directory
DC                          Domain Controller
lab.example.com             AD domain
win2k3.lab.example.com      DC FQDN
10.0.0.1                    DC IP
LAB.EXAMPLE.COM             Kerberos realm
linuxwork                   computer name of the Ubuntu workstation
linuxwork.lab.example.com   FQDN of the Ubuntu workstation
ntp.example.com             time server (NTP)
Kerberos
The first step in joining an Active Directory domain is to install and configure Kerberos. See
Samba/Kerberos below.
Kerberos Introduction
Kerberos is an authentication protocol using secret-key cryptography. There are several
implementations of the Kerberos protocol used in both commercial and open-source software.
This guide covers configuring the Samba server and clients to utilize Kerberos authentication
services.
Active Directory
Detailed instructions for integrating Samba with Active Directory are available on the Samba
wiki.
The linked page gives the location of the PAM configuration files for Red Hat; in Ubuntu, the
PAM configuration files are located in the /etc/pam.d/ directory. The auth, account, and
password stanzas are split into three files in Ubuntu: /etc/pam.d/common-auth for auth
stanzas, /etc/pam.d/common-account for account stanzas, and /etc/pam.d/common-password
for password stanzas.
Ubuntu 9.04 (Jaunty Jackalope) and newer update the PAM configuration files automatically
using the pam-auth-update utility. In earlier releases, the configuration files must be edited
manually.
MIT Kerberos
Instructions for installing and configuring MIT Kerberos are available on its wiki page.
Samba is just another service to Kerberos, so to allow Samba to authenticate users via
Kerberos, simply generate a principal for the Samba server, place the service key in a keytab,
and configure Samba to use it.
1. Launch the kadmin utility as the realm administrator or as a user authorized to add
principals:

    $ kadmin -p admin/admin
Make sure to include the encryption type. The default encryption type is not compatible
with the Samba client utilities.
4. Securely copy the keytab to /etc/krb5.keytab on the server that will be running Samba.
5. Make sure only the root user can access the keytab:
    ...
    security = ADS
    realm = KERBEROS_REALM
    encrypt passwords = yes
    use kerberos keytab = yes
    # optional
    password server = kdc.fqdn
    ...
The password server option is only required if you intend to use a password server other than
the one configured in /etc/krb5.conf.
7. Restart Samba:
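As an added example (not part of the wiki page), a small POSIX shell script that checks the results of steps 5 and 6 above on copies of the files: it reads the [global] values out of smb.conf and verifies that the keytab grants no access to group or other. The file paths, function names and the constructed sample smb.conf are assumptions; ownership by root is not checked because the demo files belong to whoever runs the script.

```shell
#!/bin/sh
# Added example, not from the Ubuntu wiki. Checks the smb.conf [global]
# settings for AD membership and the keytab permissions on files passed in.

# smb_global_value FILE KEY: print the value of KEY from the [global] section.
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = (tolower($0) ~ /\[global\]/); next }
        !insect || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_smb_conf FILE: succeed only if security = ADS, a realm is set in
# upper case (Kerberos realms are case-sensitive), and the keytab is used.
check_smb_conf() {
    [ "$(smb_global_value "$1" security | tr '[:lower:]' '[:upper:]')" = "ADS" ] || return 1
    realm=$(smb_global_value "$1" realm)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    [ "$(smb_global_value "$1" 'use kerberos keytab')" = "yes" ]
}

# check_keytab_perms FILE: group/other bits (columns 5-10 of ls -l) must be empty.
check_keytab_perms() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_demo_dir: constructed smb.conf (values from the terms table) plus an
# empty keytab in a temp dir; prints the directory name.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
    security = ADS
    realm = LAB.EXAMPLE.COM
    use kerberos keytab = yes
    # password server = win2k3.lab.example.com
EOF
    : > "$d/krb5.keytab"
    chmod 600 "$d/krb5.keytab"
    printf '%s\n' "$d"
}
```

Run the checks against the real files with `check_smb_conf /etc/samba/smb.conf && check_keytab_perms /etc/krb5.keytab`.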
User Administration
Add users to the Kerberos database using the kadmin interface:
You will be prompted to enter a password for the user. Once a user is added you should be
able to acquire Ticket-Granting Tickets with kinit from any system that is configured to
authenticate using your Kerberos domain. See the Kerberos page for more details.
Note that Samba maps authenticated users to system users. This means that if you add a
user to the Kerberos database who does not exist as a system user, you will not be able to
authenticate with your Kerberos credentials until a system user of the same name is added.
See AddUsersHowto for details on adding users. Other options, such as pulling user
information from LDAP, are possible but outside the scope of this guide.
To check whether a matching system user exists:

    $ id <username>
Testing
Obtain a ticket-granting ticket for the Kerberos user, then use it (smbclient -k) to list the
shares on the server:

    $ kinit <Kerberos username>
    $ smbclient -k -L //server/