
Arch Linux Install Active Directory Integration

Instruction Order

Warning

These instructions are incomplete and are kept here for reference. In particular, the Kerberos client configuration (/etc/krb5.conf) and clock synchronization with the domain controllers, which "security = ADS" and "net ads join" depend on, are not covered.

  1. Samba
  2. PAM
  3. Sudo

Samba

  1. Install the samba package. Use "-S" (or a full "-Syu") rather than "-Sy": refreshing the package database and installing one package without upgrading the rest of the system is a partial upgrade, which Arch does not support.
    # pacman -S samba
    
  2. Modify Samba configuration.
    # nano /etc/samba/smb.conf
    
    [global]
    # Networking: listen only on the interface in 192.168.0.0/24; adjust to the
    # local subnet. With "bind interfaces only = yes" Samba answers on no other
    # interface (the smb.conf man page also recommends listing "lo" so that
    # local Samba tools keep working).
    interfaces = 192.168.0.0/255.255.255.0
    bind interfaces only = yes
    
    # Domain config: "workgroup" is the NetBIOS (short) domain name, "realm" the
    # Kerberos realm; both must match the target domain exactly.
    # "security = ADS" makes this host an AD domain member that authenticates
    # via Kerberos, so a working Kerberos client configuration and time
    # synchronization with the DCs are prerequisites (not covered on this page).
    workgroup = AD
    realm = AD.EXAMPLE.COM
    server string = %h ArchLinux
    security = ADS
    # Samba has defaulted to encrypted passwords for a long time; this line is
    # redundant but harmless.
    encrypt passwords = yes
    
    # IDMAP config used for BUILTIN and local accounts/groups.
    # This default ("*") range and the per-domain range below must not overlap.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    
    # IDMAP config for AD.EXAMPLE.COM. The "rid" backend derives each UID/GID
    # deterministically from the object's RID within this range, so keep the
    # same range on every joined host if IDs must agree across machines
    # (e.g. for NFS).
    idmap config AD : backend = rid
    idmap config AD : range = 20000-90000000
    
    # winbind config: shell and home directory come from the "template *"
    # settings below rather than from AD attributes. "winbind offline logon"
    # lets winbind cache credentials so domain users can log in while no DC is
    # reachable; that cache is kept on this host, so enable it only where it is
    # needed (e.g. laptops). "winbind use default domain" is NOT set, so domain
    # accounts appear to NSS as AD\user and AD\group; the sudoers rules on this
    # page rely on that form.
    winbind nss info = template
    winbind offline logon = yes
    
    template shell = /bin/bash
    template homedir = /home/%D/%U
    
    # Store NT ACLs and DOS attributes in extended attributes; the filesystem
    # holding any shares must support user xattrs.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    
    # One log file per client at low verbosity. Raise "log level" only while
    # debugging, since higher levels can record sensitive detail.
    timestamp logs = yes
    log level = 1
    log file = /var/log/samba/%m.log  
    
  3. Modify NSS configuration file.
    # nano /etc/nsswitch.conf
    
    # Domain users and groups resolve through winbind after the local files.
    passwd:     files   winbind
    group:      files   winbind
    # winbind serves the passwd and group maps only; "winbind" on the shadow
    # line is harmless but has no effect (local accounts still use /etc/shadow).
    shadow:     files   winbind
    
    publickey:  files
    
    # NOTE(review): "wins" makes host lookups fall back to NetBIOS name
    # resolution whenever DNS cannot answer (including for a mistyped name).
    # NetBIOS name queries are unauthenticated and trivially spoofable on the
    # local network; drop "wins" unless legacy NetBIOS name resolution is
    # actually required.
    hosts:      files   dns     wins    myhostname 
    networks:   files
    
    protocols:  db      files
    services:   db      files
    ethers:     db      files
    rpc:        db      files
    
    netgroup:   nis     files
    
  4. Enable the "smbd", "nmbd", and "winbindd" services. nmbd only provides NetBIOS name registration and browsing; it is generally not needed for winbind-based domain membership and can be left disabled (together with the "wins" entry in nsswitch.conf) where NetBIOS name resolution is not required. On current Arch the units may be named smb.service, nmb.service and winbind.service; check with "systemctl list-unit-files | grep -E 'smb|nmb|winbind'".
    # systemctl enable smbd.service nmbd.service winbindd.service
    
  5. Start "smbd", "nmbd", and "winbindd" services.
    # systemctl start smbd.service nmbd.service winbindd.service
    
  6. Join the computer to the domain. "net ads join" needs the credentials of an account that is allowed to join computers to the domain; pass them with "-U". Confirm the join with "net ads testjoin" and check that domain accounts resolve (for example "getent passwd 'AD\someuser'") before relying on the PAM and sudo configuration below.
    # net ads join -U <domain-join-account>
    

PAM

Make changes to the following files:

  1. Edit PAM Winbind configuration file.
    # nano /etc/security/pam_winbind.conf
    
    [global]
       # Allow logon with cached domain credentials; pairs with
       # "winbind offline logon = yes" in smb.conf. Enable only where offline
       # logins are genuinely needed, since the cached material lives on the host.
       cached_login = yes
       # Authenticate against the KDC and keep the resulting TGT in a file
       # credential cache, giving domain users single sign-on to Kerberos-aware
       # services.
       krb5_ccache_type = FILE
       krb5_auth = yes
       # Create the home directory on first login. The system-auth stack also
       # runs pam_mkhomedir; the two are redundant but harmless together.
       mkhomedir = yes
       # Reuse a password already collected by an earlier module before prompting.
       try_first_pass = yes
    
  2. Edit system authentication settings.
    # nano /etc/pam.d/system-auth
    
    #%PAM-1.0
    # Local accounts (present in /etc/passwd) authenticate through pam_unix,
    # all other accounts through winbind. pam_localuser only tests membership
    # in /etc/passwd; its "success=N" result skips the N modules that do not
    # apply to that kind of user.
    
    # Local user: skip pam_winbind and continue with pam_unix.
    auth        [success=1 default=ignore]  pam_localuser.so
    # Domain user: on success skip pam_unix and pam_deny; on failure stop here.
    auth        [success=2 default=die]     pam_winbind.so
    # NOTE(review): "nullok" lets local accounts with an empty password field
    # log in without a password; remove it unless that is intended.
    auth        [success=1 default=die]     pam_unix.so nullok
    auth        requisite                   pam_deny.so
    auth        optional                    pam_permit.so
    auth        required                    pam_env.so
    
    # Account checks run through pam_unix for everyone and additionally through
    # winbind for domain users; pam_time enforces /etc/security/time.conf.
    account     required                    pam_unix.so
    account     [success=1 default=ignore]  pam_localuser.so
    account     required                    pam_winbind.so
    account     optional                    pam_permit.so
    account     required                    pam_time.so
    
    # Password changes: local users via pam_unix (SHA-512 hashes in
    # /etc/shadow), domain users via winbind against the DC.
    password    [success=1 default=ignore]  pam_localuser.so
    password    [success=2 default=die]     pam_winbind.so
    password    [success=1 default=die]     pam_unix.so sha512 shadow
    password    requisite                   pam_deny.so
    password    optional                    pam_permit.so
    
    session     required                    pam_limits.so
    # NOTE(review): umask=0022 creates home directories readable by every user
    # on the host (mode 0755); use umask=0077 unless world-readable homes are
    # wanted. "mkhomedir = yes" in pam_winbind.conf does the same job for
    # domain users, so the two are redundant but harmless.
    session     required                    pam_mkhomedir.so    skel=/etc/skel/ umask=0022
    session     required                    pam_unix.so
    session     [success=1 default=ignore]  pam_localuser.so
    session     required                    pam_winbind.so
    session     optional                    pam_permit.so
    
  3. Edit super user settings.

    # nano /etc/pam.d/su
    
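    #%PAM-1.0
    # Let root switch to any user without being asked for a password.
    auth        sufficient  pam_rootok.so
    
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth       sufficient  pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    # NOTE(review): once domain users can log in, every AD account can attempt
    # "su" to root; restricting su to "wheel" confines password guessing
    # against the root account to that group.
    #auth       required    pam_wheel.so use_uid
    
    # Delegate authentication, account and session handling to the shared
    # system-auth stack (local users via pam_unix, domain users via winbind).
    # Include it exactly once: listing these three lines twice runs every
    # module in the stack twice and can prompt for the password twice.
    auth      include   system-auth
    account   include   system-auth
    session   include   system-auth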
    

Sudo

Use "visudo" to create a drop-in file under /etc/sudoers.d/; visudo syntax-checks the file before saving, so a typo cannot break sudo for every user on the host.

# visudo -f /etc/sudoers.d/domain
# Permit members of the AD groups "sudoers", "localadmins" and "Domain Admins"
# to run any command as any user, i.e. unrestricted root. Notes:
# - "\\" is the sudoers escape for the "\" winbind separator and "\ " escapes
#   the space in "domain admins". The names must match what NSS returns
#   (verify with: getent group 'AD\domain admins'); if "winbind use default
#   domain" is ever enabled in smb.conf, the "AD\\" prefix must be dropped.
# - sudo resolves these groups through winbind, so the rules only take effect
#   while winbindd is running and can resolve the group membership.
# - Granting "Domain Admins" root on every joined host widens the blast radius
#   of a domain-admin compromise; consider a dedicated, smaller AD group for
#   Linux administration instead.
%AD\\sudoers ALL=(ALL) ALL
%AD\\localadmins ALL=(ALL) ALL
%AD\\domain\ admins ALL=(ALL) ALL