Configure and test Kerberos – Using Debian in an Active Directory environment

Now that Samba knows what domain it's part of, and we have a basic config for it, we need to get the authentication part working. Kerberos is the software that communicates with your Active Directory domain to authenticate users. The time on your server must be synced to that of your Active Directory Domain Controller, because Kerberos rejects authentication when the clocks differ too much.

Sync the time:

ntpdate ((domain controller))

Edit the Kerberos configuration file to point Kerberos towards the right Domain Controllers.

nano /etc/krb5.conf

Configure the domain in /etc/krb5.conf. The important parts:

[libdefaults]
default_realm = ((DOMAIN)).COM
[realms]
((DOMAIN)).COM = {
        kdc = ((domain controller))
        kdc = ((backup DC))
        admin_server = ((domain controller))
}
[domain_realm]
# the right-hand side is the realm name, not a host name
        .((domain)).com = ((DOMAIN)).COM

You can test Kerberos’ ability to check a user password by typing:

kinit ((username))

Then type:

klist

If you get output that looks like this, you are ready to go.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: (username)@(domain).COM

Valid starting     Expires            Service principal
04/27/09 13:54:23  04/27/09 23:54:26  krbtgt/(domain).COM@(domain).COM
        renew until 04/27/09 23:54:23
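
If kinit fails instead of producing a ticket, the krb5.conf edits are the first thing to check. The script below is an added example, not part of the original series: it lints the file for a missing default_realm, a realm block without a kdc, and a [domain_realm] mapping that names something other than a defined realm. The function names, the EXAMPLE.COM realm and the dc1/dc2 host names are constructed for illustration, and the upper-case check assumes the upper-case realm convention used in the template above.

```shell
# Lint a krb5.conf (file argument or stdin); exit status 1 when a problem is found.
check_krb5_conf() {
    awk '
    /^[ \t]*([#;].*)?$/ { next }                    # blank lines and comments
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
    {
        eq = index($0, "=")
        if (eq == 0) { realm = ""; next }           # a lone "}" closes a realm block
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    sec == "libdefaults" && key == "default_realm" { def = val }
    sec == "realms" && val == "{" { realm = key; defined[realm] = 1; next }
    sec == "realms" && key == "kdc" && realm != "" { kdcs[realm]++ }
    sec == "domain_realm" { map[key] = val }
    END {
        if (def == "") { print "no default_realm in [libdefaults]"; bad = 1 }
        else if (!(def in defined)) { print "no [realms] block for " def; bad = 1 }
        else if (!(def in kdcs)) { print "realm " def " lists no kdc"; bad = 1 }
        if (def != toupper(def)) { print "default_realm " def " is not upper-case"; bad = 1 }
        for (d in map) if (!(map[d] in defined)) {
            print "[domain_realm] " d " -> " map[d] " is not a realm defined in [realms]"
            bad = 1
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample config; $1 is the realm that [domain_realm] maps .example.com to.
sample_conf() {
    cat <<EOF
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
}
[domain_realm]
        .example.com = $1
EOF
}

# Demo: a sound file, then one whose mapping names a host instead of a realm.
sample_conf EXAMPLE.COM | check_krb5_conf && echo "sample 1: ok"
sample_conf dc1.example.COM | check_krb5_conf || echo "sample 2: fix before running kinit"
```

On a real server, run it as check_krb5_conf /etc/krb5.conf before trying kinit.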

This page is part of a series named “Using Debian in an Active Directory environment”. It is meant to be followed in that context.

  1. January 28th, 2010
 
