First, let's install the necessary packages (do not insert a line break):
apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
Windows 2000 and later use Kerberos as their default authentication method. Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner (source: Wikipedia). Now open /etc/krb5.conf in your favorite text editor (for example sudo nano /etc/krb5.conf) to configure the Kerberos settings. Append to the [libdefaults] section:
default_realm = YOUR.DOMAIN.COM
ticket_lifetime = 24000
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes
Append to the [realms] section:
YOUR.DOMAIN.COM = {
    kdc = your.domain.com:88
    default_domain = your.domain.com
}
Append to the [domain_realm] section:
.your.domain.com = YOUR.DOMAIN.COM
your.domain.com = YOUR.DOMAIN.COM
Append the following sections:
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Try to get a ticket as the AD administrator:
kinit Administrator@YOUR.DOMAIN.COM
Enter the admin password when prompted. Next, edit /etc/samba/smb.conf:
netbios name = COMPUTER_HOSTNAME
workgroup = YOUR
security = ADS
realm = YOUR.DOMAIN.COM
encrypt passwords = yes
idmap config *:backend = rid
idmap config *:range = 5000-100000
winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
client ntlmv2 auth = yes
template shell = /bin/bash
wins server = WINS_SERVER_IP
name resolve order = lmhosts host wins bcast
I have a DFS that uses WINS, so I add the WINS server address here. You can omit that if you don't need WINS. Remove the default workgroup line that you just replaced from the file.
Edit the following lines in /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
hosts: files wins mdns4_minimal [NOTFOUND=return] dns
Join the computer to the domain:
net ads join -k
service winbind restart
service nmbd restart
service smbd restart
pam-auth-update
If you want home directories to be created automatically for new users, add the following line at the end of /etc/pam.d/common-account:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
This gives users full access to their own home directories, but no access to anyone else's. You also need to allow manual login so that users can log in with their AD credentials. Add the following line in /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf:
greeter-show-manual-login=true
Now restart Ubuntu and try to log in with any AD account.
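Before restarting, it is worth checking that the two files you just edited agree with each other. The script below is an added example, not part of the original post: it audits the krb5.conf and smb.conf settings the steps above produce (realm spelling, security = ADS, a sane idmap range) and flags the RC4 and DES enctypes the [libdefaults] block allows, which are deprecated Kerberos ciphers. The sample files and the function names are constructed for this example; on a real host point audit_ad_config at /etc/krb5.conf and /etc/samba/smb.conf.

```sh
# Added example, not from the original post: audit the krb5.conf/smb.conf
# pair produced by this how-to. Sample files are constructed with the
# post's values; audit_ad_config is a hypothetical helper name.
write_samples() {           # constructed samples, values taken from the post
    cat > "$1" <<'EOF'
[libdefaults]
default_realm = YOUR.DOMAIN.COM
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
EOF
    cat > "$2" <<'EOF'
[global]
security = ADS
realm = YOUR.DOMAIN.COM
idmap config *:range = 5000-100000
EOF
}

# Print the value of "key = value" in file $1 for key $2 (first match only).
conf_get() {
    awk -v k="$2" -F'=' '{ key=$1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

# Check krb5.conf ($1) against smb.conf ($2); prints one line per finding
# and returns the number of findings (0 means the join settings look sane).
audit_ad_config() {
    n=0; realm=$(conf_get "$1" default_realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "krb5.conf: default_realm missing or not upper case: '$realm'"; n=$((n+1)); }
    [ "$(conf_get "$2" security)" = "ADS" ] || { echo "smb.conf: security must be ADS"; n=$((n+1)); }
    [ "$(conf_get "$2" realm)" = "$realm" ] || { echo "smb.conf: realm differs from krb5.conf"; n=$((n+1)); }
    range=$(conf_get "$2" 'idmap config *:range')
    case $range in
        [0-9]*-[0-9]*) [ "${range%-*}" -ge 1000 ] ||
            { echo "smb.conf: idmap range $range overlaps local UIDs"; n=$((n+1)); } ;;
        *) echo "smb.conf: idmap config *:range missing"; n=$((n+1)) ;;
    esac
    # RC4 and single DES are deprecated Kerberos enctypes; flag them if allowed.
    weak=$(grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=' "$1" |
           grep -Eo 'des-cbc-(crc|md4|md5)|rc4-hmac|arcfour-hmac' | sort -u | tr '\n' ' ')
    [ -z "$weak" ] || { echo "krb5.conf: weak enctypes allowed: $weak"; n=$((n+1)); }
    return $n
}

tmp=$(mktemp -d)
write_samples "$tmp/krb5.conf" "$tmp/smb.conf"
audit_ad_config "$tmp/krb5.conf" "$tmp/smb.conf"; echo "findings: $?"
```

Run against the post's own values it reports exactly one finding, the weak enctypes; switching those to aes256-cts-hmac-sha1-96 brings it to zero.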