
Arch Linux Install Active Directory Integration

Instruction Order


These instructions are incomplete and are here for reference.

  1. Samba
  2. PAM
  3. Sudo


  1. Install samba package.
    # pacman -Sy samba
  2. Modify Samba configuration.
    # nano /etc/samba/smb.conf
    #networking config
    interfaces =
    bind interfaces only = yes
    #Domain config
    workgroup = AD
    realm = AD.EXAMPLE.COM
    server string = %h ArchLinux
    security = ADS
    encrypt passwords = yes
    #IDMAP config to be used for BUILTIN and local accounts/groups
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    #IDMAP config for AD.EXAMPLE.COM
    idmap config AD : backend = rid
    idmap config AD : range = 20000-90000000
    #winbind config
    winbind nss info = template
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    timestamp logs = yes
    log level = 1
    log file = /var/log/samba/%m.log  
  3. Modify NSS configuration file.
    # nano /etc/nsswitch.conf
    passwd:     files   winbind
    group:      files   winbind
    shadow:     files   winbind
    publickey:  files
    hosts:      files   dns     wins    myhostname 
    networks:   files
    protocols:  db      files
    services:   db      files
    ethers:     db      files
    rpc:        db      files
    netgroup:   nis     files
  4. Enable "smbd", "nmbd", and "winbindd" services.
    # systemctl enable smbd.service nmbd.service winbindd.service
  5. Start "smbd", "nmbd", and "winbindd" services.
    # systemctl start smbd.service nmbd.service winbindd.service
  6. Join the computer to the domain.
    # net ads join


Make changes to the following files:

  1. Edit the PAM Winbind configuration file (the settings below belong in its `[global]` section).
    # nano /etc/security/pam_winbind.conf
       cached_login = yes
       krb5_ccache_type = FILE
       krb5_auth = yes
       mkhomedir = yes
       try_first_pass = yes
  2. Edit the system authentication settings. The module name of each line in the listing below was lost in this copy, so every line must be completed with the module it applies to before the file is usable; note that `nullok` on the third auth line accepts accounts with an empty password, so leave it out unless that is intended.
    # nano /etc/pam.d/system-auth
    auth        [success=1 default=ignore]
    auth        [success=2 default=die]
    auth        [success=1 default=die] nullok
    auth        requisite         
    auth        optional          
    auth        required          
    account     required          
    account     [success=1 default=ignore]
    account     required          
    account     optional          
    account     required          
    password    [success=1 default=ignore]
    password    [success=2 default=die]
    password    [success=1 default=die] sha512 shadow
    password    requisite         
    password    optional          
    session     required          
    session     required              skel=/etc/skel/ umask=0022
    session     required          
    session     [success=1 default=ignore]
    session     required          
    session     optional          
  3. Edit the super user (su) settings. As in the previous step, the module column of the `auth` lines below is missing from this copy, and the three `include system-auth` lines are listed twice but are needed only once.

    # nano /etc/pam.d/su
    auth        sufficient
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth       sufficient trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth       required use_uid
    auth      include   system-auth
    account   include   system-auth
    session   include   system-auth
    auth      include   system-auth
    account   include   system-auth
    session   include   system-auth


Use "visudo" to create a new sudoers drop-in file, so the syntax is checked before the file is saved.

# visudo -f /etc/sudoers.d/domain
# permit members of the AD groups "sudoers", "localadmins" and "domain admins" to run any command as any user
%AD\\sudoers ALL=(ALL) ALL
%AD\\localadmins ALL=(ALL) ALL
%AD\\domain\ admins ALL=(ALL) ALL