Debian active directory authentication

Ensure the debian server date and the AD server do have the same date and time. If needed install ntpd or ntpdate.

Install the kerberos things. The AD domain is UNKNOWN.

aptitude install krb5-user libpam-krb5

Edit file /etc/krb5.conf

        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        default_realm = UNKNOWN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

        UNKNOWN.LOCAL = {
                kdc = carotte
                admin_server = carotte

        .unknown = UNKNOWN
        UNKNOWN.LOCAL = unkown.local

        krb4_convert = true
        krb4_get_tickets = false

Check it works and you can authenticate a windows AD user from the debian server:

kinit administrator

You will be prompted the administrator passowrd:

Password for administrator@UNKNOWN.LOCAL:

No message is a good thing. Check you have been granted a kerberos ticket:


You should have the ticket:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@UNKNOWN.LOCAL

Valid starting       Expires              Service principal
10/15/2015 13:51:07  10/15/2015 23:51:07  krbtgt/UNKNOWN.LOCAL@UNKNOWN.LOCAL
        renew until 10/22/2015 13:51:03

Now integrate the debian server in the AD domain

apt-get install samba winbind

Change file /etc/samba.conf


        workgroup = UNKNOWN
        security = ads
        realm = UNKNOWN.LOCAL
        password server = carotte
        domain logons = no
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        prefered master = no
        os level = 0
        idmap config *:backend = tdb
        idmap config *:range = 11000-20000
        idmap config UNKNOWN:backend = rid
        idmap config UNKNOWN:range = 10000000-1900000000

Restart services:

/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Now join the domain:

net ads join -U administrator

Give administrator password:

Enter administrateur's password:
Using short domain name -- UNKNOWN
Joined '
kikinou' to dns domain 'unknown.local'

Greetings, linux kikinou server joined the domain « UNKNOWN »
You are now able to view AD users and groups from the linux server:

wbinfo -u
wbinfo -g

Edit /etc/nsswitch.conf to add winbind for looking up passwords and groups.
Add windbind at the end of these two lines:

          passwd:         compat winbind
          group:          compat winbind

Make a test by getting AD users and groups

getent passwd

You should get a view of passwd file with also AD users informations.

getent group

The same as above but showing group with AD groups.
In case getent does not return anything else than local information (no AD info), check you have the library that connects winbind to nss. If not install it:

apt-get install libnss-winbind

Edit file /etc/pam.d/common-session and add the two last lines (for debian):

session [default=1]           
session requisite             
session required              
session required
session required umask=0022 skel=/etc/skel

That’s it, you can now log on your debian server with a windows AD user.