To prepare my Mail Server for user authentication and authorization over the AD I wanted to join my Mail Server to the Directory as well. My example systems are the Domain Controller "ad.example.com" and my Linux Mail Server "mail.example.com".
First I installed and configured only the Kerberos packages. That was enough to get NTLM authentication in Dovecot to work. But in order to join your Linux Machine to the Domain you will need more than just Kerberos. Here is a list of the packages necessary: samba, ntpdate, smbclient, winbind, krb5-config and krb5-user.
After the installation you should make sure that the domain controller and your Linux Machine have the same time:
ntpdate ad.example.com
This is necessary for Kerberos: tickets will not be accepted if the time difference between the two Machines is too big.
The next step is configuring Kerberos. I changed the following settings in the config file /etc/krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
        default_domain = example.com
    }

[domain_realm]
    # these mappings must name the realm defined above
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
After making those changes I was able to authenticate AD users with the kinit command.
The command is used like this:
kinit username
It will ask for a password. If it is successful it will drop the user back to the normal command line; if not, it will output an error.
After a successful kinit, I used the klist command to verify that Kerberos had a valid ticket. The klist command lists all Kerberos tickets the computer knows about. The output of klist told me that there was indeed one valid Ticket for my Domain.
With Kerberos working I needed to set up Samba correctly before I could join the Domain. The Samba configuration can be found at "/etc/samba/smb.conf". This is what my config looks like:
[global]
    workgroup = EXAMPLE
    server string = %h server
    wins support = no
    security = ads
    realm = EXAMPLE.COM
    encrypt passwords = yes
    obey pam restrictions = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    idmap uid = 10000-20000
    idmap gid = 10000-20000
Now that Samba knew about my Domain, I had to tell Linux to look up users in the Domain. This is done in the file /etc/nsswitch.conf. I had to add winbind to the lines "passwd" and "group". After this I added the passwd_compat and group_compat lines and gave them winbind as value. The four lines looked like this:
passwd:         compat winbind
passwd_compat:  winbind
group:          compat winbind
group_compat:   winbind
With all the preparations done it was time to restart winbind and Samba. After the restart I could finally join the Domain with the following command:
net ads join -U administrator
Instead of administrator you could use any Domain Account with the right to add new computers to the Domain. After issuing the command I got a message along the lines of: "Joined mail.example.com to realm example.com". That message also told me that there were problems with updating the DNS records for the new machine. If that happens, the DNS entries for the Server have to be set manually.
To test if everything worked I ran:
wbinfo -t
It told me that there were RPC errors. A restart of winbind fixed the issue. Now your Linux Server has a computer account in the Active Directory and your AD users can log on to the Linux server.
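Three of the steps above fail in confusing ways when they are slightly wrong: a clock that drifts past the Kerberos skew limit, a krb5.conf whose [domain_realm] entries name a realm other than default_realm (so host-to-realm lookups end up at a realm with no configured KDC), and an nsswitch.conf that still lacks winbind on the passwd and group lines (the join succeeds, but no AD user ever resolves to a Unix account). The following POSIX shell script is an added example, not code from the original post, that checks each of these before you run net ads join. It assumes 300 seconds as the Kerberos default clock-skew tolerance; the function names and the sample config files it creates under a temporary directory are constructed for the demonstration and mirror the settings shown above.

```sh
#!/bin/sh
# Pre-join sanity checks for the AD join procedure (added example, not from the
# original post). Assumption: 300 s is the Kerberos default clock-skew tolerance.
# The sample config files below are constructed here so the script runs offline.

# Kerberos rejects tickets when the two clocks differ by more than the skew limit.
# Arguments: local epoch seconds, DC epoch seconds, optional limit in seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# krb5.conf: default_realm must be present and upper case, and every mapping in
# [domain_realm] must point at that same realm name.
krb5_realm_consistent() {
    realm=$(awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
    [ -n "$realm" ] || return 1
    case $realm in *[a-z]*) return 1 ;; esac
    awk -v realm="$realm" '
        /^\[/ { sec = $0; next }
        sec == "[domain_realm]" && /=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            if (kv[2] != realm) bad = 1
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# nsswitch.conf: both the passwd and the group database must list winbind.
nsswitch_has_winbind() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Constructed sample files mirroring the settings from the post. The "bad" krb5.conf
# maps example.com to AD.EXAMPLE.COM while default_realm stays EXAMPLE.COM; the
# "bad" nsswitch.conf has no winbind entries at all.
SAMPLE_DIR=$(mktemp -d)
GOOD_KRB5="$SAMPLE_DIR/krb5.conf"
BAD_KRB5="$SAMPLE_DIR/krb5-bad.conf"
GOOD_NSS="$SAMPLE_DIR/nsswitch.conf"
BAD_NSS="$SAMPLE_DIR/nsswitch-bad.conf"

cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = ad.example.com
        admin_server = ad.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF
sed '/\[domain_realm\]/,$ s/EXAMPLE\.COM/AD.EXAMPLE.COM/' "$GOOD_KRB5" > "$BAD_KRB5"

printf 'passwd:         compat winbind\npasswd_compat:  winbind\ngroup:          compat winbind\ngroup_compat:   winbind\n' > "$GOOD_NSS"
printf 'passwd:         compat\ngroup:          compat\n' > "$BAD_NSS"

# Report each check without aborting, so the script is usable as a checklist.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report clock_skew_ok 1700000000 1700000120
report krb5_realm_consistent "$GOOD_KRB5"
report krb5_realm_consistent "$BAD_KRB5"
report nsswitch_has_winbind "$GOOD_NSS"
report nsswitch_has_winbind "$BAD_NSS"
```

On a real host you would point the functions at /etc/krb5.conf and /etc/nsswitch.conf and feed clock_skew_ok the output of `date +%s` next to the controller's time (for instance from `ntpdate -q ad.example.com`); the check on the skew limit is the one that explains most "ticket not accepted" surprises.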
That worked nicely for joining a Debian Linux VM to another VM running Zentyal 4.2 (Ubuntu 14) running as an AD.
ntpdate I couldn’t get to work – not sure if that’s related to both nodes being VMs but in any case, they were close enough on time that it didn’t make any difference, so I ignored that step and all worked fine.
Thanks.