Integrating Linux machines into a Windows Active Directory (AD) domain enables centralized authentication and access to domain resources. The most common solution involves using Samba and Kerberos for authentication against the AD domain controller.
```shell
# Required packages for Debian/Ubuntu
sudo apt-get install samba krb5-user winbind libpam-winbind libnss-winbind
# For RHEL/CentOS
sudo yum install samba samba-client samba-common-tools krb5-workstation oddjob oddjob-mkhomedir
```
Edit /etc/krb5.conf with your domain information:
```ini
[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
YOURDOMAIN.COM = {
    kdc = dc1.yourdomain.com
    admin_server = dc1.yourdomain.com
}
```
Configure /etc/samba/smb.conf with these essential parameters:
```ini
[global]
workgroup = YOURDOMAIN
realm = YOURDOMAIN.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-99999
winbind use default domain = yes
winbind offline logon = false
```
Execute these commands to join the domain (replace with your admin credentials):
```shell
sudo net ads join -U Administrator
sudo systemctl enable --now winbind
sudo pam-auth-update
```
Test your setup with these commands:
```shell
wbinfo -u       # List domain users
wbinfo -g       # List domain groups
getent passwd   # Verify user resolution
```
For automatic home directory creation, add to /etc/pam.d/common-session:
```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
- Time synchronization is critical - use NTP to sync with domain controllers
- Verify DNS resolution of domain controllers
- Check firewall rules for Kerberos (TCP/UDP 88) and LDAP (TCP 389) ports
For modern systems, consider using SSSD instead of winbind:
```shell
sudo apt-get install sssd-ad sssd-tools
```
Configure /etc/sssd/sssd.conf:
```ini
[domain/ad.example.com]
id_provider = ad
access_provider = ad
```
Integrating Linux machines with Windows Active Directory (AD) domains is a common requirement in mixed-OS environments. This allows Linux users to authenticate against AD, access domain resources, and maintain centralized user management.
- A Linux machine with network connectivity to the AD domain controller
- Proper DNS configuration pointing to AD DNS servers
- AD administrator credentials
- One of these packages: realmd, sssd, or winbind
The modern approach uses realmd and sssd for simplified domain joining:
```shell
# Install required packages
sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss samba-common-bin
# Discover the domain
sudo realm discover yourdomain.com
# Join the domain with administrator credentials
sudo realm join --user=admin yourdomain.com
# Verify the join
sudo realm list
```
After joining, configure /etc/sssd/sssd.conf:
```ini
[sssd]
domains = yourdomain.com
config_file_version = 2
services = nss, pam

[domain/yourdomain.com]
ad_domain = yourdomain.com
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
```
If authentication fails:
```shell
# Check Kerberos tickets
klist
# Get new ticket
kinit username@YOURDOMAIN.COM
# Verify DNS resolution
host -t SRV _ldap._tcp.yourdomain.com
# Check SSSD logs
journalctl -u sssd -f
```
For sudo integration with AD groups:
```shell
# Create sudoers.d file
sudo visudo -f /etc/sudoers.d/domain_admins
# Add line for AD admin group
%DOMAIN\\Domain\ Admins ALL=(ALL:ALL) ALL
```
For older systems or special requirements:
```shell
# Install packages
sudo apt install winbind samba smbclient
```
Configure /etc/samba/smb.conf:
```ini
[global]
workgroup = YOURDOMAIN
realm = YOURDOMAIN.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config YOURDOMAIN : backend = rid
idmap config YOURDOMAIN : range = 1000-9999
winbind use default domain = yes
winbind offline logon = yes
```
Join the domain:
```shell
net ads join -U admin
```
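As an added check (example code, not from the original page or from Samba), this Python script parses the idmap lines of an smb.conf like the one above and flags ranges that overlap each other or the local UID range. The local range 1000-60000 is an assumed default taken from Debian's /etc/login.defs UID_MIN/UID_MAX, and the sample config is constructed from the block above.

```python
import re

# Constructed sample: the winbind [global] idmap lines from the smb.conf above.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config YOURDOMAIN : backend = rid
idmap config YOURDOMAIN : range = 1000-9999
"""

# Assumed local account range (UID_MIN/UID_MAX defaults in Debian's /etc/login.defs).
LOCAL_UID_RANGE = (1000, 60000)

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Group 'idmap config <domain> : <key> = <value>' lines by domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def lint_idmap(conf, local=LOCAL_UID_RANGE):
    """Flag domains missing backend/range and ranges overlapping each other or local UIDs."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(conf).items():
        if "backend" not in opts or "range" not in opts:
            findings.append(f"{dom}: missing backend or range")
            continue
        ranges[dom] = parse_range(opts["range"])
        if overlaps(ranges[dom], local):  # domain and local accounts could share a UID
            findings.append(f"{dom}: range {opts['range']} overlaps local UIDs {local[0]}-{local[1]}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"{a} and {b}: idmap ranges overlap")
    return findings
```

Run `lint_idmap(SMB_CONF)` to see that both ranges in the sample collide with the local UID range; moving them above UID_MAX (for example 100000-199999 and 200000-299999) clears the findings.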