Joining a Debian Server to Active Directory

To prepare my mail server for user authentication and authorization against Active Directory, I wanted to join the mail server to the directory as well. My example systems are the domain controller "ad.example.com" and my Linux mail server "mail.example.com".

First I installed and configured only the Kerberos packages. That was enough to get NTLM authentication in Dovecot to work, but in order to join your Linux machine to the domain you need more than just Kerberos. The packages needed are: samba, ntpdate, smbclient, winbind, krb5-config and krb5-user. After the installation make sure that the domain controller and your Linux machine have the same time:

ntpdate ad.example.com

This is necessary for Kerberos: tickets will not be accepted if the time difference between the two machines is too large.

The next step is configuring Kerberos. I changed the following settings in the config file /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    # the AD domain controller acts as KDC and admin server for the realm
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
        default_domain = example.com
    }
[domain_realm]
    # map the DNS domain to the realm defined in [realms] above; the realm name
    # must match that entry exactly, or Kerberos has no KDC for these hosts
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

After making those changes I was able to authenticate AD users with the kinit command.
The command is used like this:

kinit username

It will ask for a password. If it succeeds, it drops the user back to the normal command line; if not, it prints an error.
After a successful kinit I used the klist command to verify that Kerberos had a valid ticket. The klist command lists all Kerberos tickets the computer knows about. The output of klist told me that there was indeed one valid ticket for my domain.

With Kerberos working I needed to set up Samba correctly before I could join the domain. The Samba configuration can be found at “/etc/samba/smb.conf”. This is how my config looks:

[global]
    # NetBIOS domain name and Kerberos realm of the AD domain
    workgroup = EXAMPLE
    server string = %h server
    wins support = no
    # "ads" makes Samba a domain member that authenticates via Kerberos/AD
    security = ads
    realm = EXAMPLE.COM
    encrypt passwords = yes
    obey pam restrictions = yes
    # let users log in as "user" instead of "EXAMPLE\user"
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    # UID/GID range allocated to domain users and groups
    # (newer Samba releases spell this "idmap config * : range = 10000-20000")
    idmap uid = 10000-20000
    idmap gid = 10000-20000

Now that Samba knew about my domain, I had to tell Linux to look up users in the domain. This is done in the file /etc/nsswitch.conf. I had to add winbind to the lines “passwd” and “group”. After this I added the passwd_compat and group_compat lines and gave them winbind as their value. The four lines looked like this:

passwd: compat winbind
passwd_compat: winbind
group: compat winbind
group_compat: winbind

With all the preparations done it was time to restart winbind and Samba. After the restart I could finally join the domain with the following command:

net ads join -U administrator

Instead of administrator you can use any domain account with the right to add new computers to the domain. After issuing the command I got a message along the lines of: “Joined mail.example.com to realm example.com”. That message also told me that there were problems updating the DNS records for the new machine. If that happens, the DNS entries for the server have to be set manually.

I used wbinfo -t to test whether everything worked, and it told me that there were RPC errors. A restart of winbind fixed the issue. Now your Linux server has a computer account in Active Directory and your AD users can log on to the Linux server.
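As an added example that is not part of the original post, the script below checks the three files edited above for the consistency the join depends on: every [domain_realm] mapping in krb5.conf must point at a realm that has a [realms] block, the smb.conf realm must equal the krb5 default_realm, and nsswitch.conf must consult winbind for passwd and group. The sample files it writes are constructed here; on a real host point the functions at /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf.

```sh
#!/bin/sh
# Added example, not part of the original post: offline consistency checks on
# the files edited before "net ads join". Sample files are constructed below.
set -eu

# Read "key = value" from an ini-style file (first match), whitespace trimmed.
ini_value() {   # ini_value FILE KEY
    awk -v k="$2" -F= '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

# Print every realm named in [domain_realm] that has no block under [realms];
# such a mapping leaves Kerberos with no KDC for hosts in that DNS domain.
krb5_unresolved_realms() {
    awk '/^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }
        sect == "realms" && /=[ \t]*[{]/ { r = $0; sub(/[ \t]*=.*/, "", r)
            sub(/^[ \t]+/, "", r); defined[r] = 1 }
        sect == "domain_realm" && /=/ { t = $0; sub(/^[^=]*=[ \t]*/, "", t)
            sub(/[ \t]+$/, "", t); mapped[t] = 1 }
        END { for (t in mapped) if (!(t in defined)) print t }' "$1"
}

# Print the nsswitch databases (passwd, group) whose lookup list lacks winbind.
nss_missing_winbind() {
    awk '/^(passwd|group):/ && $0 !~ /winbind/ { sub(/:.*/, ""); print }' "$1"
}

# Return 0 when all three files agree, 1 otherwise, listing each finding.
check_join_prereqs() {   # check_join_prereqs KRB5 SMB NSS
    rc=0
    for bad in $(krb5_unresolved_realms "$1"); do
        echo "krb5.conf: domain_realm maps to undefined realm $bad"; rc=1; done
    if [ "$(ini_value "$1" default_realm)" != "$(ini_value "$2" realm)" ]; then
        echo "realm mismatch: krb5 default_realm vs smb.conf realm"; rc=1; fi
    for db in $(nss_missing_winbind "$3"); do
        echo "nsswitch.conf: $db does not consult winbind"; rc=1; done
    return $rc
}

# Constructed samples: a krb5.conf whose domain_realm points at AD.EXAMPLE.COM
# (no [realms] entry for it) and a consistent version mapping to EXAMPLE.COM.
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n kdc = ad.example.com\n }\n[domain_realm]\n .example.com = AD.EXAMPLE.COM\n' > "$T/krb5.bad"
sed 's/= AD.EXAMPLE.COM/= EXAMPLE.COM/' "$T/krb5.bad" > "$T/krb5.good"
printf '[global]\n workgroup = EXAMPLE\n security = ads\n realm = EXAMPLE.COM\n' > "$T/smb.conf"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$T/nsswitch.conf"
check_join_prereqs "$T/krb5.bad" "$T/smb.conf" "$T/nsswitch.conf" || echo "fix before net ads join"
check_join_prereqs "$T/krb5.good" "$T/smb.conf" "$T/nsswitch.conf" && echo "ready for net ads join"
```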

2 thoughts on “Joining a Debian Server to Active Directory”

  1. That worked nicely for joining a Debian Linux VM to another VM running Zentyal 4.2 (Ubuntu 14) running as an AD.

    ntpdate I couldn’t get to work – not sure if that’s related to both nodes being VMs but in any case, they were close enough on time that it didn’t make any difference, so I ignored that step and all worked fine.

    Thanks.
