Debian active directory authentication

Ensure the Debian server and the AD server have the same date and time: Kerberos rejects authentication when the clocks differ by more than a few minutes (5 minutes by default). If needed install ntpd or ntpdate.

Install the Kerberos packages. In this example the AD domain is UNKNOWN (Kerberos realm UNKNOWN.LOCAL) and the domain controller is the host carotte.

aptitude install krb5-user libpam-krb5

Edit file /etc/krb5.conf

[logging]
        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = UNKNOWN.LOCAL
        # the KDC is named explicitly in [realms] below, so no DNS SRV lookups
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

[realms]
        UNKNOWN.LOCAL = {
                kdc = carotte
                admin_server = carotte
        }

[domain_realm]
        # DNS domain (left) to Kerberos realm (right); the realm is upper case
        .unknown.local = UNKNOWN.LOCAL
        unknown.local = UNKNOWN.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

Check that it works and that you can authenticate a Windows AD user from the Debian server:

kinit administrator

You will be prompted for the administrator password:

Password for administrator@UNKNOWN.LOCAL:

No message is a good thing. Check that you have been granted a Kerberos ticket:

klist

You should have the ticket:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@UNKNOWN.LOCAL

Valid starting       Expires              Service principal
10/15/2015 13:51:07  10/15/2015 23:51:07  krbtgt/UNKNOWN.LOCAL@UNKNOWN.LOCAL
        renew until 10/22/2015 13:51:03

Now join the Debian server to the AD domain.

apt-get install samba winbind

Change file /etc/samba/smb.conf, in the [global] section:


[global]
        workgroup = UNKNOWN
        security = ads
        realm = UNKNOWN.LOCAL
        password server = carotte
        domain logons = no
        # home directory and shell given to AD users (%D = domain, %U = user)
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind enum groups = yes
        winbind enum users = yes
        # AD users log in as "user" instead of "UNKNOWN\user"
        winbind use default domain = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        restrict anonymous = 2
        # this server is not a browse master
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        # uid/gid mapping: tdb for the default domain, rid for UNKNOWN
        idmap config *:backend = tdb
        idmap config *:range = 11000-20000
        idmap config UNKNOWN:backend = rid
        idmap config UNKNOWN:range = 10000000-1900000000

Restart services:

/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Now join the domain:

net ads join -U administrator

Give administrator password:

Enter administrateur's password:
Using short domain name -- UNKNOWN
Joined 'kikinou' to dns domain 'unknown.local'

The Linux server kikinou has joined the domain « UNKNOWN ».
You are now able to view AD users and groups from the linux server:

wbinfo -u
wbinfo -g

Edit /etc/nsswitch.conf so that winbind is used for looking up users and groups.
Add winbind at the end of these two lines:

          passwd:         compat winbind
          group:          compat winbind

Test it by listing the AD users and groups:

getent passwd

You should see the contents of the local passwd file followed by the AD user entries.

getent group

The same as above, with the AD groups after the local groups.
If getent returns only local information (no AD entries), check that the library connecting winbind to NSS is installed. If not, install it:

apt-get install libnss-winbind

Edit file /etc/pam.d/common-session and add the two last lines (for Debian). The first four lines are Debian's stock entries; pam_winbind.so is provided by the libpam-winbind package, and pam_mkhomedir.so creates the home directory of an AD user at first login:

session [default=1]           pam_permit.so
session requisite             pam_deny.so
session required              pam_permit.so
session required              pam_unix.so
session required              pam_winbind.so
session required              pam_mkhomedir.so umask=0022 skel=/etc/skel

That's it: you can now log on to your Debian server as a Windows AD user.
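As an added check for the join procedure above (example code, not from the original page): it verifies, on constructed copies of nsswitch.conf, krb5.conf and smb.conf, that winbind is on both NSS lines, that the realm in smb.conf equals default_realm in krb5.conf, and that password server and kdc name the same host. The sample files, the temporary directory and the function names are assumptions; point the functions at the real files under /etc to check a live server.

```shell
#!/bin/sh
# Added sanity check for the Kerberos + winbind setup above (not part of the
# original page). File paths are parameters so it runs here against constructed
# sample files instead of /etc.

# First "key = value" for key $2 inside ini section $1 of file $3, so that the
# kdc in [realms] is not confused with the kdc log file in [logging].
ini_value() {
    awk -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            split($0, kv, "="); gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
        }' "$3"
}

# Both nsswitch lines must name winbind, otherwise getent shows only local users.
nsswitch_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# realm in smb.conf must equal default_realm in krb5.conf exactly: Kerberos
# realm names are case-sensitive and written in upper case.
realms_match() {
    k=$(ini_value libdefaults default_realm "$1"); s=$(ini_value global realm "$2")
    [ -n "$k" ] && [ "$k" = "$s" ]
}

# The host winbind talks to (password server) should be the KDC Kerberos uses.
kdc_matches() {
    k=$(ini_value realms kdc "$1"); s=$(ini_value global "password server" "$2")
    [ -n "$k" ] && [ "$k" = "$s" ]
}

# Constructed sample files mirroring the configuration above.
tmp=$(mktemp -d)
printf 'passwd:\tcompat winbind\ngroup:\tcompat winbind\nshadow:\tcompat\n' > "$tmp/nsswitch.conf"
printf 'passwd:\tcompat\ngroup:\tcompat winbind\n' > "$tmp/nsswitch-bad.conf"
printf '[logging]\n kdc = FILE:/var/log/krb5kdc.log\n[libdefaults]\n default_realm = UNKNOWN.LOCAL\n[realms]\n UNKNOWN.LOCAL = {\n  kdc = carotte\n }\n' > "$tmp/krb5.conf"
printf '[global]\n realm = UNKNOWN.LOCAL\n password server = carotte\n' > "$tmp/smb.conf"

nsswitch_has_winbind "$tmp/nsswitch.conf" && echo "nsswitch.conf: winbind on passwd and group"
realms_match "$tmp/krb5.conf" "$tmp/smb.conf" && echo "krb5.conf/smb.conf: realms match"
kdc_matches "$tmp/krb5.conf" "$tmp/smb.conf" && echo "krb5.conf/smb.conf: same KDC"
```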

SSL certificates with letsencrypt

Get it

cd /opt
git clone
cd letsencrypt

Generate certificates

./letsencrypt-auto certonly --webroot -w /var/www/ -d -d

Result, certificates are here:


Configure the web server (nginx syntax):

ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

Restart the web server.
Add a cron task to automate certificate renewal:

00 00 1 * * /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /var/www/ -d -d >> /var/log/

Cisco NAT range ports

This article describes how to forward a range of ports from the outside to an inside server.

fa0/0 is the public interface (configured with ip nat outside)
Public interface has IP address
fa0/1 is the LAN interface (configured with ip nat inside)
LAN network is

Create an extended acl

R1(config)#ip access-list extended NAT_SERVER1
R1(config-ext-nacl)#permit tcp host range 40000 60000 any
R1(config-ext-nacl)#permit udp host range 40000 60000 any

Associate the ACL with a route-map:

R1(config)#route-map NAT_SERVER1_RULES permit 10
R1(config-route-map)#match ip address NAT_SERVER1

Finally, create the static NAT entry with the route-map:

R1(config)#ip nat inside source static route-map NAT_SERVER1_RULES