0

I want local users to be able to log in to a Linux server using their Windows domain (AD) passwords. (All local accounts have a matching userid in AD.)

I've installed libpam-krb5, and the main settings in /etc/krb5.conf seem ok:

default_realm = FOO.COMPANY.COM
kdc = controller.foo.company.com

These settings work fine on another Linux box (Ubuntu); everything should be ok in the AD server.

As I don't know/remember, my question is, what else needs to be tweaked on the Linux server to get AD passwords to work when users try to log in?

The server is running Debian 5.0.3.

Jonik

2 Answers

3

Right, got it working with some help from a colleague. The only additional configuration file that needed tweaking was /etc/pam.d/common-auth.

The original configuration was:

auth    required    pam_unix.so nullok_secure

We changed it to:

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

AD passwords now work fine when logging on to the server.

Jonik
  • This page looks like a useful resource btw: http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication (It also covers handling all account management in AD, unlike in our case.) – Jonik Dec 15 '09 at 12:54
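
The control flow of the four-line stack in the answer above, as an added example (not part of the original post): a simplified Python model of the `[success=N default=ignore]`, `requisite` and `required` controls, showing which modules run and that the stack fails closed. The function names and the boolean inputs `ad_ok` and `local_ok` are assumptions made for illustration.

```python
"""Simplified model of how Linux-PAM walks the auth stack from the answer."""

# The four lines from /etc/pam.d/common-auth, as (control, module) pairs.
STACK = [
    ("[success=2 default=ignore]", "pam_krb5.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
MINIMUM_UID = 1000  # minimum_uid=1000 on the pam_krb5 line


def module_result(module, uid, ad_ok, local_ok):
    """Return True if the module reports success for this login attempt."""
    if module == "pam_krb5.so":
        # Below minimum_uid the module does not attempt Kerberos at all.
        return uid >= MINIMUM_UID and ad_ok
    if module == "pam_unix.so":
        return local_ok
    return module == "pam_permit.so"  # pam_deny.so never succeeds


def authenticate(uid, ad_ok, local_ok, stack=STACK):
    """Walk the stack; return (granted, list of modules actually run)."""
    granted, trace, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ok = module_result(module, uid, ad_ok, local_ok)
        trace.append(module)
        if control.startswith("[success="):
            # success=N: skip the next N lines. default=ignore: any other
            # result leaves the outcome untouched and falls to the next line.
            if ok:
                i += int(control.split("=")[1].split()[0])
        elif control == "requisite":
            if not ok:
                return False, trace  # fail immediately, nothing else runs
            granted = True if granted is None else granted
        elif control == "required":
            granted = ok if granted is None else (granted and ok)
        i += 1
    return bool(granted), trace


if __name__ == "__main__":
    # Constructed cases: (uid, AD password correct, local password correct)
    for case in [(1001, True, False), (1001, False, True),
                 (1001, False, False), (0, True, False)]:
        print(case, authenticate(*case))
```

The last case shows the effect of `minimum_uid=1000`: an account with a UID below 1000, such as root, is never authenticated against AD and can only log in with its local password.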
-3

Use Google.

http://www.ccs.neu.edu/home/battista/documentation/winbind/index.html
http://www.alethe.com/brad/2005/08/active-directory-authentication/
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://blog.scottlowe.org/2007/01/15/active-directory-integration-index/

Sergei
  • The point of ServerFault is to consolidate knowledge relevant to this field. Eventually "Use Google" should be replaced by "Use ServerFault." – sh-beta Dec 15 '09 at 12:20
  • @sh-beta: What about when Google takes you to ServerFault? – chris Dec 15 '09 at 13:41