I’m making this tutorial because I had to set up Ubuntu to authenticate on my company’s NT Domain, so now that it’s working I thought I could share my experience.
Any comments, ideas, and even some questions are welcome. There are several tutorials regarding this, but this one is made specifically for Ubuntu.

First of all, I’m assuming that you are comfortable editing text files and have a basic understanding of a Linux system, including booting in recovery mode and restoring file backups. Although this procedure is not “dangerous”, it could render the authentication system unusable if you make any mistake. So please, be careful and make backups of all the files changed.

To authenticate on an NT Domain, you need the following extra packages:

  • samba
  • winbind

If I remember correctly, the samba package comes with Ubuntu, but you have to download winbind separately from the universe repository.

Ok, now this is a list of the files we are touching, please make backups:

Code:
/etc/login.defs
/etc/nsswitch.conf
/etc/samba/smb.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/sudo

Now, the first thing we are doing is setting up samba/winbind to work with the domain, so do a nano /etc/samba/smb.conf and insert the following lines:

Code:
# these settings belong in the [global] section of smb.conf
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind separator = +
security = domain
password server = *
winbind use default domain = yes

Remember that this is just an example; you should/can change the values according to your needs.

After that we need to make the system use winbind. First edit /etc/nsswitch.conf and replace:

Code:
passwd:	compat
group:	compat

with

Code:
passwd:	compat winbind
group:	compat winbind

Now go to /etc/pam.d and edit the following files:

common-account:

Code:
# Commented out for winbind to work
#account	required	pam_unix.so
account	required	pam_winbind.so

common-auth:

Code:
# try the domain first; if winbind does not accept the login, fall back to a local account with the same password
auth	sufficient	pam_winbind.so
auth	required	pam_unix.so nullok_secure use_first_pass

common-session:

Code:
session	required	pam_unix.so
session	required	pam_mkhomedir.so umask=0022 skel=/etc/skel/

sudo:

Code:
auth	sufficient	pam_winbind.so
auth	required	pam_unix.so use_first_pass

And this is an extra, not really required, but as I think the default max password length of 8 chars sucks (I like to use passphrases), and as we are using md5, I changed it:

/etc/login.defs:

Code:
PASS_MAX_LEN	50

/etc/pam.d/common-password:

Code:
password	required	pam_unix.so nullok obscure min=4 max=50 md5

Finally, there are only a few things left to do:

Join the domain:

Code:
net rpc join -D MYDOMAIN -U administrator

Test it with:

Code:
wbinfo -u
wbinfo -g

Make the domain home dir (users’ home dirs will be inside this one, but this can be configured in smb.conf):

Code:
mkdir /home/MYDOMAIN

Reboot, and that’s it, you should now have domain authentication working in Ubuntu.

Just a few extra comments:

  • Remember that if you need one user to have administration permissions, you need to include him in the /etc/sudoers list. Use the visudo command to do this. And there’s no need to prepend MYDOMAIN+ to the username, since smb.conf sets winbind use default domain = yes.
  • If anything goes wrong and you cannot login to the system, you have to reboot in recovery mode (press ESC when grub is starting) and replace the changed files from /etc/pam.d with the backups.
  • I use NT4 domains, I don’t think a W2k domain in native mode will work. You surely have to make some changes.
  • This tutorial is just an example of how things worked for me. It’s obviously not the only (or best) way to do things.
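Because the steps above can lock you out if a single PAM line is mistyped, here is a pre-flight script to run before rebooting, and a backup/restore pair for the recovery-mode case mentioned in the comments. This is an added example, not part of the original tutorial; the function names, the scratch-directory layout, and the sample file contents written by make_sample_tree are assumptions made here for illustration. It only reads the files it checks and makes no attempt to contact the domain; run wbinfo as the tutorial says for that.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: a pre-flight check for the
# winbind/PAM set-up above, to run BEFORE rebooting so a typo in /etc/pam.d or
# /etc/nsswitch.conf is caught while you still have a shell. Every function
# takes an explicit root directory, so the checks also work on a copy of /etc.
AUTH_FILES="etc/login.defs etc/nsswitch.conf etc/samba/smb.conf
etc/pam.d/common-account etc/pam.d/common-auth etc/pam.d/common-password
etc/pam.d/common-session etc/pam.d/sudo"   # the files the tutorial edits
# backup_auth_files ROOT DEST: copy each file, keeping relative path and
# permissions, e.g. backup_auth_files / /root/auth-backup
backup_auth_files() {
    local root="$1" dest="$2" f
    for f in $AUTH_FILES; do
        [ -f "$root/$f" ] || continue
        mkdir -p "$dest/$(dirname "$f")" && cp -p "$root/$f" "$dest/$f"
    done
}
# restore_auth_files SRC ROOT: the reverse, i.e. what you run from recovery
# mode if the new PAM stack locks you out.
restore_auth_files() {
    local src="$1" root="$2" f
    for f in $AUTH_FILES; do
        if [ -f "$src/$f" ]; then cp -p "$src/$f" "$root/$f"; fi
    done
}
# check_pam_file FILE: every non-comment line must be "<type> <control> <module>
# [args]" or "@include <file>" with a type PAM knows. A line such as
# "account-required pam_unix.so" is rejected: PAM cannot parse it, and that can make every login fail.
check_pam_file() {
    local file="$1" line rc=0
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -f; set -- $line; set +f     # split into fields without globbing
        [ $# -eq 0 ] && continue
        case "$1" in
            auth|account|password|session|-auth|-account|-password|-session)
                [ $# -ge 3 ] || { echo "$file: incomplete line: $line" >&2; rc=1; } ;;
            @include) ;;
            *) echo "$file: unknown module type in: $line" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
# check_auth_stack FILE: pam_winbind.so tried first, pam_unix.so still required
# with use_first_pass, so local accounts (root included) keep working when the
# domain controller cannot be reached.
check_auth_stack() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$1" &&
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_unix\.so.*use_first_pass' "$1"
}
# check_nsswitch FILE: passwd and group must list winbind, or domain users are
# never resolved to a uid/gid even when PAM accepts their password.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}
# check_smb_conf FILE: the smb.conf settings the domain logon relies on.
check_smb_conf() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*domain' "$1" &&
    grep -Eiq '^[[:space:]]*workgroup[[:space:]]*=' "$1" &&
    grep -Eiq '^[[:space:]]*idmap uid[[:space:]]*=' "$1"
}
# check_auth_config ROOT: run every check; returns 0 only if all of them pass.
check_auth_config() {
    local root="${1:-/}" f rc=0
    for f in common-account common-auth common-password common-session sudo; do
        check_pam_file "$root/etc/pam.d/$f" || rc=1
    done
    check_auth_stack "$root/etc/pam.d/common-auth" ||
        { echo "common-auth: winbind sufficient + pam_unix required use_first_pass expected" >&2; rc=1; }
    check_nsswitch "$root/etc/nsswitch.conf" ||
        { echo "nsswitch.conf: winbind missing from passwd/group" >&2; rc=1; }
    check_smb_conf "$root/etc/samba/smb.conf" ||
        { echo "smb.conf: security = domain, workgroup or idmap uid missing" >&2; rc=1; }
    return $rc
}
# make_sample_tree DIR: constructed scratch copy of the tutorial's files (sample data, not from a real system).
make_sample_tree() {
    local d="$1" p="$1/etc/pam.d"
    mkdir -p "$p" "$d/etc/samba"
    printf '%s\n' 'workgroup = MYDOMAIN' 'idmap uid = 10000-20000' \
        'idmap gid = 10000-20000' 'security = domain' > "$d/etc/samba/smb.conf"
    printf '%s\n' 'passwd: compat winbind' 'group:  compat winbind' > "$d/etc/nsswitch.conf"
    printf '%s\n' '#account required pam_unix.so' 'account required pam_winbind.so' > "$p/common-account"
    printf '%s\n' 'auth sufficient pam_winbind.so' \
        'auth required pam_unix.so nullok_secure use_first_pass' > "$p/common-auth"
    printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=50 md5' > "$p/common-password"
    printf '%s\n' 'session required pam_unix.so' \
        'session required pam_mkhomedir.so umask=0022 skel=/etc/skel/' > "$p/common-session"
    printf '%s\n' 'auth sufficient pam_winbind.so' 'auth required pam_unix.so use_first_pass' > "$p/sudo"
    printf '%s\n' 'PASS_MAX_LEN 50' > "$d/etc/login.defs"
}
# Demo (bash preflight.sh --demo): the scratch tree passes, then a one-character
# typo in common-account is caught. On a real machine: check_auth_config /
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_tree "$tmp"; check_auth_config "$tmp" && echo "sample config OK"
    printf '%s\n' 'account-required pam_unix.so' > "$tmp/etc/pam.d/common-account"
    check_auth_config "$tmp" || echo "typo caught"; rm -rf "$tmp"
fi
```

Typical use is to source the file, run backup_auth_files / /root/auth-backup before editing, and run check_auth_config / after editing; a non-zero exit with a message on stderr means fix the named file before rebooting. If you do end up in recovery mode, restore_auth_files /root/auth-backup / puts the original files back, which is the same thing the recovery-mode comment above describes doing by hand.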