Active Directory Integration

From ArchWiki
Revision as of 16:36, 15 December 2006 by Moo-Crumpus (talk | contribs) (Login testing)

HowTo Arch Linux as Active Directory Member

This guide explains how to join an Arch Linux machine to an existing Windows Active Directory domain.


Having backups of all modified files is recommended, as is testing login before any reboot. In the worst case, login will be broken for all users, including root - so be warned. Use at your own risk!


  • What you get:
    • Windows AD users and Arch Linux users are both accepted as users of the Arch Linux box, at the console or in GDM.
    • Windows AD users can use Samba shares like Windows shares.
  • What you won't get:
    • Windows users are simply users on your machine. Possibly you can make Windows AD admins Linux admins too, but this is not worked out so far in this HowTo.
    • Several other apps use authentication, e.g. sudo. As far as they use PAM, it should be possible to let them check against AD user accounts too. But this is not worked out so far.


  • Be a Windows Admin.
  • Be root.
  • Be able to work with linux without X.
  • Be able to edit files.
  • Note: There is no need to extend the AD schema with Linux attributes; winbind allocates the UIDs and GIDs itself (see the smb.conf section).

Preparation of the Windows AD Policy

This HowTo requires disabling the policy "Microsoft network server: Digitally sign communications (always)" in the group policy that applies to the domain controllers. Dive into

'Local Policies'
'Security Options'
'Microsoft network server: Digitally sign communications (always)'

  • activate "Define this policy setting" and
  • use the "Disabled" radio button

A caveat before you do this: that policy is what forces SMB signing on every session with those servers, and disabling it removes the integrity protection against tampering with and relaying of SMB sessions for all clients, not just this machine. Samba 3 can negotiate SMB signing itself (smb.conf parameters "client signing" and "server signing"), so first check whether your Samba version works with the policy left enabled, and if you do have to disable it, scope the change to the servers that actually need it.

This is all you have to do on the Windows side. Let's go on with Arch Linux.


These packages are needed on the Archlinux machine:

  • Samba
  • Heimdal
  • NTP

Most of the packages can be installed by using pacman:

pacman -Sy samba ntp heimdal

pam_krb5 is not available through pacman. To install it, download pam_krb5-1.60.1-css1_linux.tar.Z (the RedHat / Linux build) from its download site, untar it, move into the extracted folder and run:


Now pam_krb5.so is installed into /lib/security/cssi/, with a symlink into /lib/security.


Samba / Winbindd Startup

The current samba package of Arch Linux does include winbindd. While samba can be started as a daemon - /etc/rc.d/samba start - that only covers smbd and nmbd; winbindd is not started. As there already is a feature request with a solution, I follow that way to have smbd, nmbd and winbindd started at once: /etc/conf.d/samba lists the parts /etc/rc.d/samba should start, and a small change in /etc/rc.d/samba sources /etc/conf.d/samba, so winbindd is started together with smbd and nmbd.

Create /etc/conf.d/samba:

##### /etc/conf.d/samba #####
# Configuration for the samba init script

# space separated list of daemons to launch
#DAEMONS=(smbd nmbd)
DAEMONS=(smbd nmbd winbindd)

Change /etc/rc.d/samba:

#!/bin/bash
##### /etc/rc.d/samba #####

. /etc/rc.conf
. /etc/rc.d/functions
[ -f /etc/conf.d/samba ] && . /etc/conf.d/samba

# keep the old behaviour (smbd and nmbd only) when /etc/conf.d/samba is absent
[ -z "$DAEMONS" ] && DAEMONS=(smbd nmbd)

case "$1" in
  start)
    stat_busy "Starting Samba Server"
    rc=0
    for d in ${DAEMONS[@]}; do
      PID=`pidof -o %PPID /usr/sbin/$d`
      # only start daemons that are not already running
      if [ -z "$PID" ]; then
        /usr/sbin/$d -D || rc=1
      fi
    done
    if [ $rc -gt 0 ]; then
      stat_fail
    else
      add_daemon samba
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping Samba Server"
    rc=0
    for d in ${DAEMONS[@]}; do
      PID=`pidof -o %PPID /usr/sbin/$d`
      if [ -n "$PID" ]; then
        kill $PID &> /dev/null || rc=1
      fi
      # each daemon leaves its pid file in /var/run/samba
      rm -f /var/run/samba/$d.pid &> /dev/null
    done
    if [ $rc -gt 0 ]; then
      stat_fail
    else
      rm_daemon samba
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
exit 0

Heimdal / Kerberos - /etc/krb5.conf

Let's assume that your AD realm is PARADISE.COM (DNS domain paradise.com). Let's further assume your AD is ruled by two domain controllers, the primary and secondary one, which are named adam and eve (adam.paradise.com and eve.paradise.com respectively). The configuration below refers to them by these DNS names; their IP addresses work just as well.

##### /etc/krb5.conf ####
[libdefaults]
        default_realm   = PARADISE.COM
        # maximum clock difference (seconds) Kerberos tolerates; keep the clocks in sync (see below)
        clockskew       = 300
        ticket_lifetime = 1d

[realms]
        PARADISE.COM = {
                kdc            = adam.paradise.com
                kdc            = eve.paradise.com
                default_domain = PARADISE.COM
        }

[domain_realm]
        .paradise.com   = PARADISE.COM
        paradise.com    = PARADISE.COM
        paradise        = PARADISE.COM

[appdefaults]
        # options read by pam_krb5
        pam = {
                ticket_lifetime    = 1d
                renew_lifetime     = 1d
                forwardable        = true
                proxiable          = false
                retain_after_close = false
                # 0 lets every account, root included, be authenticated against AD;
                # raising it to your first ordinary user id keeps root and system accounts local-only
                minimum_uid        = 0
                debug              = false
        }

[logging]
        kdc = FILE:/var/log/kdc.log

Inside an AD it is important that all machines run the same system time; Kerberos rejects tickets whose timestamps differ by more than the clockskew configured above. To synchronize the time, run:


Now you can ask the AD domain controllers for a ticket with the following commands (the realm name must be uppercase):


You'll now be asked for the password. If it matches, you'll be returned to the console without any error message.

PAM Configuration for Login

Now we have to change /etc/pam.d/login so that it sends its requests to the AD controllers. For logins, PAM should first ask for AD accounts, and fall back to local accounts if no matching AD account was found. Therefore we add the Kerberos PAM module installed above to the authentication stack, marked sufficient so that a successful AD login ends the stack, with the local module after it. Furthermore we include a session module that creates the home directory: if an AD user logs in, /home/paradise/user will be created automatically.

#### /etc/pam.d/login ####
auth     sufficient
auth     required use_first_pass use_authtok
auth     required
auth     required
auth     required
account  sufficient
account  sufficient use_first_pass use_authtok
password required
password sufficient
password sufficient use_first_pass use_authtok
session  required skel=/etc/skel/ umask=0022
session  sufficient
session  sufficient use_first_pass use_authtok
session  required

If you want to allow AD users to log in through GDM, you have to do the same for /etc/pam.d/gdm. You may try to change other /etc/pam.d/ rules for other apps, to allow them to authenticate AD users.
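A complete login stack that matches the description above, as an added example (it is not the page's own listing, whose module names did not survive): the module names, their order and the tighter umask are my assumptions, taken from the standard Linux-PAM modules plus the pam_krb5 installed earlier. The script backs up the existing file first, as the warning at the top of the page demands, and only writes when given a target path, so you can try it on a copy before touching /etc/pam.d/login.

```shell
#!/bin/bash
# install-login-stack.sh -- back up /etc/pam.d/login and write a stack that
# tries the AD account first and falls back to a local account.
# Added example for this HowTo, not the page's own listing; the module names,
# their order and the umask are assumptions.

# backup_file PATH: keep a timestamped copy, as the warning at the top demands.
backup_file() {
    [ -f "$1" ] || return 0
    cp -p "$1" "$1.bak-$(date +%Y%m%d%H%M%S)"
}

# write_login_stack DEST: write the PAM stack to DEST.
write_login_stack() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# auth: Kerberos first; "sufficient" ends the stack on success, so local
# accounts are only consulted when AD does not know the user. use_first_pass
# makes the local module reuse the password already typed instead of asking twice.
auth     required   pam_securetty.so
auth     requisite  pam_nologin.so
auth     sufficient pam_krb5.so
auth     required   pam_unix.so use_first_pass
# account: AD users are checked by Kerberos, everyone else by the local files
account  sufficient pam_krb5.so
account  required   pam_unix.so
# password: change the AD password for an AD user, the local one otherwise
password sufficient pam_krb5.so
password required   pam_unix.so
# session: create /home/<user> on first login (0077 keeps it private; the
# page uses 0022), set up the Kerberos credential cache if there is one,
# then the usual session setup. "optional" so pam_limits runs for everybody.
session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  optional   pam_krb5.so
session  required   pam_unix.so
session  required   pam_limits.so
EOF
}

# module_count MODULE FILE: how many lines of FILE reference MODULE; a quick
# sanity check of what was written before you log out of your root session.
module_count() {
    grep -c "$1" "$2"
}

main() {
    local dest=$1
    backup_file "$dest"
    write_login_stack "$dest"
    echo "wrote $dest ($(module_count pam_krb5.so "$dest") Kerberos lines); test a login on another console before rebooting"
}
[ $# -eq 1 ] && main "$1"
```

Run it as `./install-login-stack.sh /etc/pam.d/login` from a root shell you keep open, then log in on another console. Two caveats that follow from this stack: because pam_krb5 is sufficient, a correct AD password alone satisfies the auth step, so check your pam_krb5's documentation for verifying the obtained TGT against the host's keytab (without that verification a host that can impersonate the KDC on the network can satisfy the auth step); and keep minimum_uid in krb5.conf high enough that root and system accounts are never looked up in AD at all.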

Samba Configuration for Shares

Samba is highly configurable. Take this example only as a rough idea, hardly polished. Here is what my /etc/samba/smb.conf looks like:

#### /etc/samba/smb.conf ####
[global]
   netbios name = archlinux
   workgroup = PARADISE
   # security = ads needs the Kerberos realm from krb5.conf
   realm = PARADISE.COM
   server string = archlinux
   map to guest = Bad User
   # winbind allocates UIDs/GIDs for AD accounts from these ranges; they must
   # not overlap with local accounts in /etc/passwd and /etc/group
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind gid = 10000-20000
   winbind use default domain = Yes
   winbind separator = +
   os level = 20

   # There's no shell defined for users in AD, so I define a default shell to use
   # Not sure if it's even possible to define a shell in AD
   template shell = /bin/bash
   encrypt passwords = yes
   security = ads
   # the domain controllers (DNS names or IP addresses)
   password server = adam.paradise.com eve.paradise.com
   preferred master = no
   dns proxy = no
   wins server = adam.paradise.com
   wins proxy = no

   # "admin users" perform all file operations as root on every share: keep this list short
   admin users = @"PARADISE+domain admins"
   # forces the group of every file written through any share; move it into a
   # share definition if only that share needs it
   force group = "PARADISE+domain admins"
   inherit acls = Yes
   map acl inherit = Yes
   acl group control = yes

   load printers = no
   debug level = 3
   use sendfile = no

[homes]
   comment = User's homedirs
   # must be the directory the PAM session module creates for the user
   path = /home/%U
   valid users = %S PARADISE+%S
   browseable = no
   read only = no

[data]
   comment = Data
   valid users = %S PARADISE+%S
   path = /data
   read only = no
   browseable = yes

[backup]
   comment = Backup filer
   path = /backup
   read only = no
   browseable = yes
   valid users = @"PARADISE+Domain Admins"

After editing, run testparm to syntax-check the file before restarting Samba. We shall now tell Samba to use the domain controllers' database for authentication queries. Again we use winbindd, which is part of the samba package. Winbind maps the users and groups of the AD to UIDs and GIDs on our Linux machine. It uses a Unix implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let Windows AD users log in and be granted permissions on the Linux machine. The best part of winbindd is that you don't have to define the mapping yourself, but only a range of UIDs and GIDs; that is what we defined in smb.conf. To include winbindd in NSS lookups, edit /etc/nsswitch.conf and add winbind to the lines as shown here:

#### /etc/nsswitch.conf ####
passwd:            files winbind
shadow:            files winbind
group:             files winbind
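The idmap ranges are the one place where an AD account can collide with a local one: if a local user or group already has an id inside the range, winbind can allocate that same id to an AD account, which then owns the local account's files. This added example (my script, not code from the page) checks an smb.conf against passwd- and group-style files and rejects the ranges on overlap; the 1000 floor for system accounts is an assumption, and the file paths are given on the command line so it can be tried on copies.

```shell
#!/bin/bash
# audit-idmap.sh -- check that the idmap uid/gid ranges in smb.conf cannot
# collide with local accounts before winbind is plugged into nsswitch.conf.
# Added example for this HowTo, not part of the original page.
# usage: ./audit-idmap.sh /etc/samba/smb.conf /etc/passwd /etc/group

# range_of KEY FILE: print "LOW HIGH" for a line "KEY = LOW-HIGH" in an smb.conf.
range_of() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p" "$2" | head -n 1
}

# local_ids_in_range FILE LOW HIGH: print "name:id" for every entry of a
# passwd- or group-style file whose numeric id (third field) lies in [LOW,HIGH].
local_ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 <= hi { print $1 ":" $3 }' "$1"
}

# audit SMBCONF PASSWD GROUP: exit 0 when both ranges are well formed and free
# of local collisions, 1 otherwise; findings are printed.
audit() {
    local smb=$1 passwd=$2 group=$3 key file range lo hi hits status=0
    for key in "idmap uid" "idmap gid"; do
        range=$(range_of "$key" "$smb")
        lo=${range% *}; hi=${range#* }
        if [ -z "$range" ] || [ "$lo" -ge "$hi" ]; then
            echo "BAD: '$key' missing or not of the form LOW-HIGH"; status=1; continue
        fi
        # ids below 1000 are system accounts on most distributions (root is 0)
        if [ "$lo" -lt 1000 ]; then
            echo "BAD: '$key' starts below 1000 and could map AD accounts onto system accounts"; status=1
        fi
        [ "$key" = "idmap uid" ] && file=$passwd || file=$group
        hits=$(local_ids_in_range "$file" "$lo" "$hi")
        if [ -n "$hits" ]; then
            echo "BAD: local entries inside the '$key' range: $(echo "$hits" | tr '\n' ' ')"; status=1
        fi
    done
    [ $status -eq 0 ] && echo "OK: idmap ranges are free of local collisions"
    return $status
}

[ $# -eq 3 ] && audit "$@"
```

Run it before the nsswitch.conf change and again whenever you add local users; an existing local account inside the range should be moved, not the range shrunk around it.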

Starting and Testing things

Hopefully you have not rebooted yet. Fine. If you are in an X session, quit it, so you can test logging in on another console while you are still logged in.

Start Samba (including smbd, nmbd and winbindd):

/etc/rc.d/samba restart

Winbind testing

Let's check whether winbind is able to query the AD. The following command should return a list of AD users (if it returns nothing, the machine probably has not joined the domain yet, see the last section; the join is what gives winbind the machine credentials it needs):

wbinfo -u

We can do the same for AD groups:

wbinfo -g

Login testing

Now start a new console session and try to log in with an AD account. As we told winbind to use the default domain (winbind use default domain = Yes), it should not be necessary to prefix the AD name. Let's assume there is an AD user named kain. Try to log in as kain and as PARADISE+kain:


Both should work. You should notice that /home/paradise/kain is created. Log into another session using a Linux account. Check that you are still able to log in as root - but keep in mind to stay logged in as root in at least one session!

Samba testing

Try out some net commands to see if samba can address the AD:

net ads info
net ads lookup
net ads status

The commands return various pieces of AD-related information (server names, realm, LDAP bind path and the time offset to the DC).

Archlinux becomes an AD member

You need an AD administrator account to do this. Let's assume it is named Administrator. The command is 'net ads join':

# net ads join -U Administrator
Administrator's password: xxx
Using short domain name -- PARADISE
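The checks from the Kerberos, winbind, login and Samba testing sections above, collected into one script to run from a second console after the join and before rebooting. This is an added example, not part of the original page: it assumes the realm PARADISE.COM, the idmap range from the page's smb.conf and that `net ads info` prints a "Server time offset:" line; the AD test user is passed on the command line (the page's example is kain).

```shell
#!/bin/bash
# ad-preflight.sh -- run as root from a second console after 'net ads join'
# and BEFORE rebooting: every check must pass or logins may break.
# Added example for this HowTo, not part of the original page.
# usage: ./ad-preflight.sh kain

REALM=${REALM:-PARADISE.COM}
SMBCONF=${SMBCONF:-/etc/samba/smb.conf}
MAX_SKEW=300   # must not exceed 'clockskew' in krb5.conf

# server_offset NET_ADS_INFO_OUTPUT: extract the "Server time offset: N" value
# (seconds the DC is ahead of us) from the output of 'net ads info'.
server_offset() {
    printf '%s\n' "$1" | sed -n 's/^Server time offset:[[:space:]]*\(-*[0-9]*\).*/\1/p'
}

# skew_ok OFFSET MAX: succeed when |OFFSET| <= MAX, i.e. the KDC will accept us.
skew_ok() {
    local off=${1#-}
    [ -n "$off" ] && [ "$off" -le "$2" ]
}

# uid_source UID SMBCONF: "winbind" if UID lies in the 'idmap uid' range,
# "local" otherwise, so you can tell which backend answered getent.
uid_source() {
    local range lo hi
    range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1)
    lo=${range%-*}; hi=${range#*-}
    if [ -n "$range" ] && [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
        echo winbind
    else
        echo local
    fi
}

# check LABEL CMD...: run CMD (stdout hidden, errors shown), report PASS/FAIL.
fails=0
check() {
    local label=$1; shift
    if "$@" > /dev/null; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"; fails=$((fails+1))
    fi
}

main() {
    local user=${1:?usage: $0 AD_USER}
    local info uid
    info=$(net ads info 2>/dev/null)
    check "clock skew within ${MAX_SKEW}s of the DC" skew_ok "$(server_offset "$info")" "$MAX_SKEW"
    check "machine account secret is valid (wbinfo -t)" wbinfo -t
    check "winbind can list AD users (wbinfo -u)" wbinfo -u
    check "join is still valid (net ads testjoin)" net ads testjoin
    check "NSS resolves $user (getent passwd)" getent passwd "$user"
    uid=$(getent passwd "$user" | cut -d: -f3)
    check "$user's uid ${uid:-?} comes from the idmap range" [ "$(uid_source "${uid:-0}" "$SMBCONF")" = winbind ]
    check "root is still a local account" [ "$(uid_source 0 "$SMBCONF")" = local ]
    # interactive: asks for the AD password, shows the TGT, then drops it again
    check "kinit $user@$REALM" kinit "$user@$REALM"
    klist; kdestroy 2>/dev/null
    echo "$fails check(s) failed"
    [ $fails -eq 0 ]
}
[ $# -gt 0 ] && main "$@"
```

Only when every line says PASS and a console login as kain and as root both still work should you reboot; a failing clock-skew check is fixed by synchronizing time against a domain controller, a failing uid check means nsswitch.conf or the idmap range is wrong, and a failing wbinfo -t or testjoin means the machine account is broken and the join has to be repeated.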

More info:

Everything there is to know about Samba

Please feel free to comment on this article - but if you edit it - PLEASE LET ME KNOW