Windows Domain Authentication on Debian

Debian can be configured to get information about and/or authenticate against a Windows domain. First, get the necessary packages:

# apt-get install samba winbind

/etc/resolv.conf:

search domain.example.com example.com
nameserver 10.0.0.1
nameserver 10.0.0.2

/etc/samba/smb.conf:

[global]
workgroup = DOMAIN
netbios name = MYHOSTNAME
security = ADS
preferred master = no
# printcap name = cups
disable spoolss = Yes
show add printer wizard = No
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = Yes
template shell = /bin/bash
use sendfile = Yes
# printing = cups
realm = domain.example.com

/etc/nsswitch.conf: (note: this block only includes lines that need to be changed)

passwd:         files winbind
group:          files winbind
shadow:         files winbind

hosts:          files dns winbind

Join the computer to the domain:

# /etc/init.d/winbind stop
# /etc/init.d/samba stop
# /etc/init.d/samba start
# /etc/init.d/winbind start
# net join -U Administrator -S DOMAINCONTROLLER
Administrator's password: 
Using short domain name -- DOMAIN
Joined 'MYHOSTNAME' to realm 'DOMAIN.EXAMPLE.COM'

At this point, you can now get information about domain users. Behold:

# finger joeuser
Login: joeuser                          Name: Joe User
Directory: /home/DOMAIN/joeuser         Shell: /bin/bash
On since Wed Dec 21 14:13 (PST) on pts/2 from 10.0.0.64
   3 hours 54 minutes idle
On since Wed Dec 21 18:49 (PST) on pts/3 from 10.0.0.64
Last login Wed Dec 21 19:16 (PST) on pts/5 from 10.0.0.64
No mail.
No Plan.
# id joeuser
uid=15065(joeuser) gid=15000(domain users) groups=15000(domain users),15024(allsubscribers1234abcd)

Also any shares you set up in Samba can be accessed by domain users, such as this example:

[backup]
comment = backup directory
guest ok = no
read only = No
browseable = Yes
path = /backup

Now, if you want to allow users to authenticate against the box itself (IE SSH), you must modify some PAM configs. /etc/pam.d/common-auth:

auth    sufficient      pam_winbind.so
auth    required        pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-account:

account sufficient      pam_winbind.so
account required        pam_unix.so

/etc/pam.d/common-password:

password   sufficient pam_winbind.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

/etc/pam.d/common-session:

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required        pam_unix.so

This will allow users to SSH in, and will automatically create home directories for them when needed.