Authenticating Ubuntu Client to Windows Active Directory

I got the chance to configure one of my friend's old systems, running Windows 2000 and Ubuntu 7 (yes, that is not a typo), and he wanted to authenticate some of his old Ubuntu PCs against Windows AD. Here is the tutorial for adding an Ubuntu box to an Active Directory domain and authenticating its users against AD.

Needed software:
Windows 2000 Advanced Server (function as Domain Controller, AD)
Linux (Ubuntu 6, 7)

Terms used below (substitute the values for your own environment): AD domain, DC IP address, Kerberos realm, NTP server.

Step1: Confirm Connectivity
Confirm network connectivity and name resolution for the Active Directory domain controller by pinging the fully-qualified domain name (FQDN) of the AD DC on your network.


If that is not successful, it is most likely a DNS issue: point the client at the right DNS server, or add the DC's name and IP address to /etc/hosts.

Step2: Set the time settings
Time is important for Kerberos, which is used for authentication in Active Directory networks: by default a Kerberos request is rejected when the client and DC clocks differ by more than five minutes, so synchronise the client against the NTP server before going further.


Step3: Setup Kerberos

Install the appropriate client software. This process assumes that you have enabled the Breezy main and security sources as well as the Universe repository in /etc/apt/sources.list.
Install the necessary Kerberos packages with the following apt-get command:

$ sudo apt-get install krb5-user libpam-krb5
Modify /etc/krb5.conf as follows (the blank values are your realm, KDC, admin server and domain):

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm =
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms] = {
kdc =
admin_server =
default_domain =

[domain_realm] = =

profile = /var/kerberos/krb5kdc/kdc.conf

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
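The krb5.conf above pins the client to single-DES enctypes, which MIT Kerberos has since deprecated and removed; the following added check (my example, not part of the original post) scans a krb5.conf for enctype settings that list only DES types. The sample file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): flag DES-only enctype settings
# in a krb5.conf like the one in Step 3. Single-DES enctypes are deprecated
# in MIT Kerberos and removed from recent releases, so a client that insists
# on them will fail against a modern KDC or negotiate weak crypto.

# Single-DES enctype names as MIT Kerberos spells them.
WEAK_ENCTYPES="des-cbc-crc des-cbc-md5 des-cbc-md4 des-hmac-sha1"

# check_enctypes FILE: returns 0 if every enctype setting in FILE lists at
# least one non-DES type, 1 if any setting is DES-only (those lines are printed).
check_enctypes() {
    awk -v weak="$WEAK_ENCTYPES" '
    BEGIN {
        bad = 0
        n = split(weak, w, " ")
        for (i = 1; i <= n; i++) isweak[w[i]] = 1
    }
    # Keys that pin the enctypes a client will request or accept.
    /^[ \t]*(default_etypes|default_etypes_des|default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
        eq = index($0, "=")
        m = split(substr($0, eq + 1), types, " ")
        strong = 0
        for (i = 1; i <= m; i++) if (!(types[i] in isweak)) strong = 1
        if (!strong) { print "DES-only: " $0; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Constructed sample mirroring the post, plus one corrected line for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.LOCAL
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
EOF

if check_enctypes "$sample"; then
    echo "OK: no DES-only enctype settings"
else
    echo "WARNING: DES-only enctype settings found (see above)"
fi
rm -f "$sample"
```

Run it as `check_enctypes /etc/krb5.conf` on the real file; a Windows 2000 DC only offers DES and RC4, so the warning is expected there and documents the risk you are accepting.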

Step4: Testing

Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, then check that the ticket was issued with the klist command.

Sample output:

root@ubuntu:~# kinit
Password for
root@ubuntu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting Expires Service principal
06/21/19 14:52:09 06/22/19 00:56:06 krbtgt/
renew until 06/22/19 14:52:09

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

At this point, your Kerberos installation and configuration are operating correctly.


Step5: Join AD domain
Install winbind and samba:

apt-get install winbind samba

Then edit /etc/samba/smb.conf (the blank values are your password server and realm):

workgroup = AD
hosts allow = 10.201.0. 10.200.0. 127.
password server =
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
realm =

Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file:

root@ubuntu:~# /etc/init.d/winbind stop
root@ubuntu:~# /etc/init.d/samba restart
root@ubuntu:~# /etc/init.d/winbind start


Join the domain:
net ads join -U
Using short domain name -- AD
Joined 'ubuntu' to realm ''

Step6: Testing the AD join

wbinfo -u

You should get a list of the users of the domain. Likewise, for the groups:

wbinfo -g

Step7: Setup the Authentication

Modify /etc/nsswitch.conf

passwd: files winbind
group: files winbind
shadow: files compat winbind
hosts: files dns wins winbind
networks: files
protocols: db files winbind
services: db files winbind
ethers: db files
rpc: db files
netgroup: nis files winbind

Step8: Testing winbind nsswitch

Check the Winbind nsswitch module with getent; domain users and groups should now be listed alongside the local ones:
getent passwd
getent group
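Once domain users show up in getent, it is worth confirming that the idmap settings from smb.conf actually took effect. The following added check (my example, not part of the original post) reads passwd-format lines and verifies that every uid in the winbind range has the templated home directory and shell; it assumes the values from the smb.conf above (winbind uid = 10000-20000, workgroup AD, template homedir = /home/%D/%U, template shell = /bin/bash), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check getent passwd
# output after the winbind join. Assumes the smb.conf values above:
# winbind uid = 10000-20000, template homedir = /home/%D/%U with a
# workgroup of AD, and template shell = /bin/bash.
WINBIND_UID_MIN=10000
WINBIND_UID_MAX=20000
WINBIND_HOME_PREFIX=/home/AD/
WINBIND_SHELL=/bin/bash

# check_winbind_accounts: reads passwd(5)-format lines on stdin. Every entry
# whose uid falls in the winbind range must have a home directory under
# WINBIND_HOME_PREFIX and the template shell; returns 0 if all do and at
# least one such entry exists, 1 otherwise (mismatches are printed).
check_winbind_accounts() {
    awk -F: -v lo="$WINBIND_UID_MIN" -v hi="$WINBIND_UID_MAX" \
        -v pfx="$WINBIND_HOME_PREFIX" -v sh="$WINBIND_SHELL" '
    BEGIN { bad = 0; seen = 0 }
    NF >= 7 && ($3 + 0) >= lo && ($3 + 0) <= hi {
        seen++
        if (index($6, pfx) != 1 || $7 != sh) {
            print "mismatch: " $1 " uid=" $3 " home=" $6 " shell=" $7
            bad = 1
        } else {
            print "winbind: " $1 " uid=" $3
        }
    }
    END {
        if (seen == 0) { print "no accounts in the winbind uid range"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: one local user, one correctly mapped domain user and one
# domain-range uid whose home/shell do not match the templates.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice:/home/AD/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/sh'

if printf '%s\n' "$SAMPLE_PASSWD" | check_winbind_accounts; then
    echo "OK: winbind accounts match the smb.conf templates"
else
    echo "WARNING: winbind mapping inconsistent; re-check smb.conf and nsswitch.conf"
fi
```

On the real box, run `getent passwd | check_winbind_accounts`; a mismatch usually means the idmap or template settings were changed without restarting winbind.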

Step9: Modify PAM
Go to /etc/pam.d and edit the PAM configuration files as follows:


account sufficient
account sufficient minimum_uid=1000
account required nullok_secure
account [default=bad success=ok user_unknown=ignore service_err=ignore system_er


auth sufficient
auth sufficient minimum_uid=1000 use_first_pass
auth required
auth sufficient use_first_pass


session required
session optional
session optional
session required umask=0022 skel=/etc/skel


auth sufficient
auth sufficient use_first_pass
auth required
@include common-account


@include common-auth
@include common-account
@include common-session
@include common-password


password required nullok obscure min=4 max=8 md5
password required nullok obscure min=4 max=50 md5

Step10: Create the domain directory in /home

#mkdir /home/AD

Easy steps for the configuration files

All config files can be fetched with wget from
nsswitch.conf, krb5.conf and smb.conf are located in the script folder.
The pam.d config files are located in script/pam.
#cd /etc/

#cd /etc/samba

You can also add a start-up script, called from /etc/rc.local, that restarts the services:
vi /root/

/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Save and exit.

Make the script executable

#chmod +x /root/script

Then append a line to /etc/rc.local that calls the script, so it runs during start-up.


About the author

Free Linux