Debian: Samba with AD Authentication


This tutorial is a mix-up of other tutorials I found on the net. You’ll find the other sites in the source list at the bottom of this post.


Just change ICT-FREAK.LOCAL to your own domain and Debian5srv1 to the name of your Debian server.

Step 1:  Update / Upgrade your Debain setup

apt-get update && apt-get upgrade

Step 2: Install the following packages:

apt-get install krb5-config krb5-user libkrb53 libpam-krb5
samba-common samba winbind smbclient

Step 3:  Create a backup of the krb5.conf file.

mv /etc/krb5.conf /etc/

edit the /etc/krb5.conf file with you favorite editor (nano or vi /etc/krb5.conf):


default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log


default_realm = ICT-FREAK.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes


kdc = dc01.ICT-FREAK.LOCAL
admin_server = dc01.ICT-FREAK.LOCAL
default_domain = ICT-FREAK.LOCAL

Step 4: Check if you can Authenticate a user against the Active Directory

debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL:

Step 5: Create a backup of the krb5.conf file.

mv /etc/samba/smb.conf /etc/samba/

edit the /etc/samba/smb.conf file with you favorite editor (nano or vi /etc/samba/smb.conf):


workgroup = ICT-FREAK
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = <ip-address from your DC>
encrypt passwords = yes
security = ADS
netbios name = debian5srv1
client signing = Yes
dns proxy = No
wins server = <ip-address from your DC>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
auth methods = winbind

Step 6: Start Winbind and test the connection

/etc/init.d/winbind start

You can query the AD with the command wbinfo. The –u parameter returns all users. The –g parameter returns all groups.

debian5srv1:~# wbinfo -u

debian5srv1:~# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dhcp users
dhcp administrators
wins users

Step 7: Add the Debian box to the Windows domain

debian5srv1:~# kinit administrator
Password for administrator@ICT-FREAK.LOCAL

debian5srv1:~# net ads join -U administrator
Joined ‘debian5srv1’ to realm ‘ICT-FREAK.LOCAL’

Step 8: Now tell PAM that samba requires authentication and account from winbind. Add the following lines to /etc/pam.d/samba

auth required /lib/security/
account required /lib/security/

We also need to edit the /etc/nsswitch.conf file so it will look like this:

passwd: compat winbind
group: compat winbind
shadow: compat

Test the new settings with: getent passwd If everything is configured as it should be, you’ll see the AD users.

Step 9: Create a share. First we need to create a folder

mkdir –p /data/share

Change the permissions so the folder is writable

chmod 777 /data/share

Open the /etc/samba/smb.conf file and paste the following lines:

comment = Test Share
read only = no
path = /data/share
valid users = @"ICT-FREAK+domain users"

Restart the Samba service via:

/etc/init.d/samba restart

Step 10: Test the new share. Go to your Windows box and browse to the Debian box via \\debian5srv1 

If everything is configured as it should be, you will see the following screen:





3 thoughts on “Debian: Samba with AD Authentication

  1. PardusLynx

    Thanks for this nice tutorial! At the end of the article you explained how to allow access to a group. What if we want to allow access to a specific user?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s