Connecting to Active Directory (possibly with winbind)
Undo all of your changes and delete the computer account from AD. Remove the winbind package.
Install a suitable selection of packages. On Debian-based systems you can use:
apt-get install samba smbclient sssd realmd dnsutils policykit-1 packagekit sssd-tools sssd libnss-sss libpam-sss adcli
Don't worry at this point if sssd fails to start. It needs to be configured with the realm command, which we're going to address in a moment.
Make sure your local Linux-based system has your DC as its DNS server. Do not add any additional DNS server unless it is part of your Active Directory environment. If you simply edit /etc/resolv.conf and ignore the "do not edit this file" warning, your changes will probably get overwritten. At that point your system will fail to authenticate anyone and may even eventually fall off the domain. (Users tend to get unhappy at this point.)
Make sure your local time matches the time in Active Directory, since Kerberos won't work with a skew of greater than about 5 minutes (300 seconds).
For your local domain contoso.com, run these three commands as root:
domain=contoso.com # The FQDN itself. Not machine.FQDN
realm discover "$domain" # If this fails, stop and recheck everything
realm join "$domain" # [--user <ad_username>] [--computer-ou <ou>]
If you need to provide an AD account name for the realm join, do so with realm join --user <ad_username> "$domain", where <ad_username> represents an unqualified sAMAccountName. Your own AD account should work for a minimum of ten clients even if it is not a domain administrator, although administrator is a useful choice if you know its password. The --computer-ou option allows you to specify the initial OU for the account. Leave this blank unless you know its correct value (don't guess it).
Fix up the sssd.conf file. The ad_hostname is necessary for some versions to work around a bug. The LDAP group nesting level allows sssd to handle membership of nested groups.
# Insert ad_hostname directly after the ad_domain line (GNU sed; $domain is still set from the join step above)
sed -i "/^ad_domain /s/$/\nad_hostname = $(hostname).$domain/" /etc/sssd/sssd.conf
# Append the nested-group options, then restart sssd so it picks up both changes
( echo; echo 'ldap_group_nesting_level = 5'; echo 'ldap_use_tokengroups = false' ) >>/etc/sssd/sssd.conf
service sssd restart
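The answer above lists the pre-flight conditions (DNS must point at a DC, clock skew under 300 seconds) as prose and then the join and sssd.conf fix-up as separate commands. The script below is an added example, not the answer's own code, that puts the checks in front of the join and applies the same sssd.conf edit as a reviewable function. The function names are hypothetical; it assumes dig (from dnsutils), Samba's `net time -S`, and GNU date/sed/awk, as found on the Debian-based system the answer targets, and the testable helpers (check_skew, kdc_from_srv, patch_sssd_conf) run offline on constructed input.

```shell
#!/bin/sh
# Added example: realm/sssd join with the answer's pre-flight checks scripted.
# Hypothetical helper names; assumes dig (dnsutils), Samba's `net time`,
# GNU date and GNU sed/awk, as on the Debian-based system the answer targets.

MAX_SKEW=300   # Kerberos default clockskew, in seconds

# check_skew LOCAL_EPOCH DC_EPOCH: succeed if the two clocks differ by <= MAX_SKEW.
check_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# kdc_from_srv: read `dig +short SRV _kerberos._tcp.<domain>` lines on stdin
# ("priority weight port target.") and print the lowest-priority KDC name.
# Empty output means the resolver is not pointing at a DC.
kdc_from_srv() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

# patch_sssd_conf DOMAIN SHORTHOST: apply the answer's sssd.conf fix-up to a
# config read on stdin: ad_hostname right after the ad_domain line, then the
# nesting options appended. Prints the new file. Run it once; it does not
# check whether the lines are already present.
patch_sssd_conf() {
    awk -v fqdn="$2.$1" '
        { print }
        /^ad_domain / { print "ad_hostname = " fqdn }
        END {
            print ""
            print "ldap_group_nesting_level = 5"
            print "ldap_use_tokengroups = false"
        }'
}

# do_join DOMAIN [AD_USER]: the live procedure from the answer, run as root.
do_join() {
    domain=$1; ad_user=${2:-}
    srv=$(dig +short SRV "_kerberos._tcp.$domain")
    if [ -z "$srv" ]; then
        echo "no _kerberos._tcp SRV record for $domain: resolv.conf is not using a DC" >&2
        return 1
    fi
    kdc=$(printf '%s\n' "$srv" | kdc_from_srv)
    # Samba's `net time -S` prints the DC's clock; GNU date parses that text (assumption).
    dc_epoch=$(date -d "$(net time -S "$kdc")" +%s)
    if ! check_skew "$(date +%s)" "$dc_epoch"; then
        echo "clock skew against $kdc exceeds ${MAX_SKEW}s; fix NTP before joining" >&2
        return 1
    fi
    realm discover "$domain" || return 1
    if [ -n "$ad_user" ]; then
        realm join --user "$ad_user" "$domain" || return 1
    else
        realm join "$domain" || return 1
    fi
    patch_sssd_conf "$domain" "$(hostname -s)" </etc/sssd/sssd.conf >/etc/sssd/sssd.conf.new
    mv /etc/sssd/sssd.conf.new /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf   # sssd refuses a config that others can read
    service sssd restart
}

# Usage: sh join-ad.sh join contoso.com [ad_username]
if [ "${1:-}" = "join" ]; then
    do_join "$2" "${3:-}"
fi
```

The join itself is only attempted once the SRV lookup and the skew check pass, which turns the two most common "users cannot log in after the join" causes from the answer into a refusal before the computer account is ever created. Using `hostname -s` rather than `hostname` avoids doubling the domain when the host is already configured with its FQDN.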
owcred601
Updated on September 18, 2022

Comments
-
owcred601 over 1 year
I'm trying to figure out how to integrate a Linux environment's authentication system with Windows Server 2012, and I found a way using winbind. I've searched Google and there are several pages that introduce how to do it, from synchronizing the time to configuring some config files.
I set the hostname and hosts in Linux as follows.
[/etc/hosts]
192.168.XXX.XX1 test1.example.com example ## Windows IP
192.168.XXX.XX2 test1 ## Linux IP
[/etc/hostname]
test1
I set up an Active Directory which has the following properties, and there are two accounts.
Computer name : TEST1
Domain : example.com
Account1 : Administrator
Account2 : tester1
So, I set the Linux environment's DNS to the AD's IP address. You can check the info in resolv.conf.
[root ~]# nslookup example.com
Server: 192.168.xxx.xx1
Address: 192.168.xxx.xx1#53
Name: example.com
Address: 192.168.xxx.xxx
In nsswitch.conf, I added only the word 'winbind', next to 'files'.
passwd: files winbind
shadow: files sss winbind
group: files winbind
In krb5.conf, I changed the lookup part and the default realm.
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = EXAMPLE.COM
[realms]
DOMAIN.COM = {
  kdc = example.com
  admin_server = example.com
}
[domain_realm]
.domain.com = EXAMPLE.COM
domain.com = EXAMPLE.COM
And finally, I set up smb.conf. However, there are lots of different ways to set this up, so I'm not sure; I just selected one of the Google pages. When I tried to connect to Windows Server with the "administrator" id, it shows the following error:
[root ~]# net ads join -U Administrator
gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Message stream modified](2529638953)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/test1.example.com with user[Administrator] realm[EXAMPLE.COM]: The attempted logon is invalid. This is either due to a bad username or authentication information.
Failed to join domain: failed to connect to AD: The attempted logon is invalid. This is either due to a bad username or authentication information.
I'm stuck at this step, and I can't find a way to solve it on Google. Do I need to edit some files in /etc/pam.d? After using the tool 'testparm' on smb.conf, I finally can't find any problems, but now it shows the following message when I use "net ads testjoin":
ads_connect: No logon servers are currently available to service the logon request.
-
Michael Mrozek almost 6 years
Conversation has been moved to chat.