
How to Join an AD Domain with your Raspberry Pi in 10 minutes

Joining an Active Directory domain from a Raspberry Pi, or a Linux computer in general, is not always easy
And I’m working in a company with Linux users and servers on an Active Directory domain, so I know what I’m talking about 🙂
In this tutorial, I’ll show you how to do this in less than 10 minutes, with a step-by-step procedure

How to Join an Active Directory Domain with your Raspberry Pi?
There is no built-in feature that allows you to join a domain from your Raspberry Pi
You firstly need to install software like Kerberos, Samba and WinBind
Then you have to configure them manually to join your Active Directory domain

It’s probably not straightforward for you, but don’t worry, I will show you exactly how to do this
And basically, you just need to copy/paste and edit what I give you

Before starting

What will you get?

In this tutorial I’ll show you how to join an AD domain from your Raspberry Pi
That is to say, you’ll have your Raspberry Pi in the Computers OU in your Active Directory

From here, you can start to add other features, like creating a share for AD users (I’ll show you how) or logging in with your AD user name and password

I think this is mainly for educational purposes, to learn how to do this for a Linux server
But maybe you have concrete applications in mind

Prerequisites

You don’t need a lot of prerequisites, but I recommend preparing this:

  • Your Domain controller name and IP address
  • A domain administrator login and password
  • Raspbian (Lite or Desktop) installed on your Raspberry Pi (check my guide here)
  • SSH access, to copy and paste the commands and configuration files I’ll give you

My configuration

I’ll give you a lot of my configuration lines in this tutorial, with my own network configuration
So, to avoid any confusion, here is my configuration:

  • My domain controller IP: 192.168.1.25
  • My domain controller name: adserver
  • My domain name: rpitips.local
  • My Raspberry Pi IP: 192.168.1.17
  • My Raspberry Pi runs on Raspbian Lite 9.6

In any configuration files and commands you’ll see after, you need to replace these values by your own

Raspberry Pi Configuration

There are a lot of configurations to do on the Raspberry Pi before joining the domain
But as I’m going to give you everything, it’ll be easy

Time configuration

In order to connect your Raspberry Pi to a domain, you need to set up a time synchronization between the Raspberry Pi and the domain controller
To do this, you need to install and start the NTP service

  • Install the NTP package
    sudo apt install ntp
  • After a few minutes, check that the current time is close to what you have on the domain controller:
    date

If I remember correctly, Kerberos doesn’t allow AD connections if there is more than a 5 minutes difference between the Raspberry Pi and the domain controller
Maybe it’s configurable but anyway, this was an important step to complete

DNS configuration

The second thing to do, is to configure the Raspberry Pi to use the domain controller as DNS server

To do this, you have three choices:

  • Use the domain controller as DHCP server and have it hand out itself as the DNS server
  • Change the DNS server on your current DHCP server to use the domain controller
  • Change the DNS server for the Raspberry Pi only (not the easiest way, but you have the procedure below)

If you just want to try it, without breaking anything on your network, you need to change the DNS server on the Raspberry Pi only, so that it uses the domain controller

To do this, you need to edit the /etc/resolv.conf file
But the DHCP client overwrites this file on boot
So, you must follow this procedure:

  • Open the /etc/dhcpcd.conf file with nano:
    sudo nano /etc/dhcpcd.conf
  • Add this line:
    static domain_name_servers=192.168.1.25

    This is the IP address of my domain controller, replace by yours

  • Save and exit (CTRL+O, CTRL+X)
  • Reboot your Raspberry Pi
    sudo reboot
  • Check that your DNS is working
    ping raspberrytips.com

Packages installation

Before going further, there are a few packages we need to install:

  • Kerberos: This package will manage the authentication process with the domain controller
  • Samba: Well-known for sharing folders, Samba is also useful for Windows compatibility on Linux systems
  • WinBind: This one is the gateway between Linux and Windows. It will make your domain accounts visible on Linux

To install all these packages, use the command below:

sudo apt install samba smbclient krb5-config krb5-user krb5-clients winbind libnss-winbind libpam-winbind

During the installation, Kerberos will ask you for the realm to configure
Give your domain name, but it’s not mandatory as we will edit the configuration file later

After a few minutes, everything you need is now installed on your Raspberry Pi
Let’s move to the configuration part

Kerberos configuration

As I promised you, to do all of this in less than 10 minutes, I’ll give you the entire configuration file for each package
I recommend starting by doing a backup of each original configuration

The configuration file for Kerberos is /etc/krb5.conf

  • Backup the configuration file
    sudo mv /etc/krb5.conf /etc/krb5.conf.orig
  • Create a new file
    sudo nano /etc/krb5.conf
  • Paste these lines inside
    [libdefaults]
            default_realm = RPITIPS.LOCAL
            dns_lookup_realm = false
            dns_lookup_kdc = false
            ticket_lifetime = 24h
            renew_lifetime = 7d
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
            fcc-mit-ticketflags = true
    [realms]
            RPITIPS.LOCAL = {
                    kdc = 192.168.1.25:88
                    admin_server = 192.168.1.25
                    default_domain = RPITIPS.LOCAL
            }
    [domain_realm]
            .RPITIPS.LOCAL = RPITIPS.LOCAL
            RPITIPS.LOCAL = RPITIPS.LOCAL
    

    Replace all IP addresses and domain names with your own network configuration

    I think I had some issues with my DNS server configuration on the test VM I created for this tutorial
    So I put IP address in the Kerberos configuration
    If you can, it’s better to replace them by the host name, that way if you change the DC IP address, you don’t need to come back here

That’s all you need to do for the Kerberos configuration

Samba configuration

For the samba configuration, it’s a similar procedure
The configuration file is /etc/samba/smb.conf

  • Create a backup of the original file
    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.ori
  • Create a new file
    sudo nano /etc/samba/smb.conf
  • Paste these lines inside
    [global]
    workgroup = rpitips
    security = ads
    realm = rpitips.local
    password server = adserver.rpitips.local
    domain logons = no
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    idmap config *:backend = tdb
    idmap config *:range = 11000-20000
    idmap config RPITIPS:backend = rid
    idmap config RPITIPS:range = 10000000-19000000

    Same thing, search and replace all rpitips, RPITIPS and rpitips.local by your domain name
    adserver is the computer name of my DC, replace it by your DC name
    Note that the two “idmap config” lines for the domain are keyed by the short (NetBIOS) domain name, the same value as workgroup, not by the DNS name: with the DNS name there, winbind silently falls back to the generic tdb backend
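Because both files above are copied by hand and must agree on the realm, the workgroup and the DC name, here is an added example (written for this page, not code from the original post or from the Kerberos or Samba projects) that renders the same two configuration files from the DNS domain and the DC host name. It follows the author’s advice to reference the DC by host name rather than IP address, and it assumes the NetBIOS workgroup is the first DNS label in upper case, which is the usual convention but should be confirmed against your AD.

```sh
#!/bin/sh
# Added example, not from the original post: render krb5.conf and smb.conf from
# two values so the realm, workgroup and DC name stay consistent across files.
# Assumption: the NetBIOS workgroup is the first DNS label in upper case
# (usually true, but confirm it against your AD before relying on it).
set -eu

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Kerberos realm = DNS domain in upper case (realm names are case-sensitive)
realm_of() { upper "$1"; }
# NetBIOS workgroup = first DNS label in upper case (assumption, see above)
workgroup_of() { upper "$(printf '%s' "$1" | cut -d. -f1)"; }

# $1 = DNS domain (e.g. rpitips.local), $2 = DC short host name (e.g. adserver)
# The DC is referenced by FQDN, as the post recommends, not by IP address.
render_krb5_conf() {
    domain=$(lower "$1"); dc="$2.$domain"; realm=$(realm_of "$1")
    cat <<EOF
[libdefaults]
        default_realm = $realm
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        $realm = {
                kdc = $dc:88
                admin_server = $dc
                default_domain = $domain
        }
[domain_realm]
        .$domain = $realm
        $domain = $realm
EOF
}

render_smb_conf() {
    domain=$(lower "$1"); dc="$2.$domain"; realm=$(realm_of "$1"); wg=$(workgroup_of "$1")
    cat <<EOF
[global]
workgroup = $wg
security = ads
realm = $realm
password server = $dc
domain logons = no
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
domain master = no
local master = no
preferred master = no
os level = 0
idmap config * : backend = tdb
idmap config * : range = 11000-20000
; per-domain idmap settings are keyed by the short (NetBIOS) domain name
idmap config $wg : backend = rid
idmap config $wg : range = 10000000-19000000
EOF
}

# With two arguments, print both files to stdout for review; copy them to
# /etc/krb5.conf and /etc/samba/smb.conf yourself after backing up the originals.
if [ $# -eq 2 ]; then
    render_krb5_conf "$1" "$2"
    printf '\n'
    render_smb_conf "$1" "$2"
fi
```

Run it as `sh render-ad-config.sh rpitips.local adserver` and read the output before copying anything into /etc; the script deliberately never writes to the system itself.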

Nsswitch configuration

The last thing to do is to configure nsswitch to use the domain
It allows you to see the AD users and groups on the system

  • Open the configuration file
    sudo nano /etc/nsswitch.conf
  • Add “winbind” at the end of the two first lines (passwd and group)
  • It should look like this
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis

All the configuration is almost ready, you now need to join the domain

Join the Active Directory domain

Join the domain

To join an AD domain on Linux, there are two steps: obtain a Kerberos ticket and then join the domain

Kerberos initialization

So the first thing is to check the Kerberos configuration and obtain a temporary ticket we’ll use later

Use this command:

kinit Administrator

Then enter the password of the domain administrator (you can use another account with administrative privileges if you want)
After a few seconds, the command ends without error (if not, there is an issue in your Kerberos or DNS configuration)

You can use klist to see the existing tickets:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@RPITIPS.LOCAL

Valid starting     Expires            Service principal
03/02/19 15:55:00  04/02/19 01:55:00  krbtgt/RPITIPS.LOCAL@RPITIPS.LOCAL
        renew until 10/02/19 15:54:57

Please note, Kerberos deletes tickets when restarting the Raspberry Pi
If you restart before the end of the installation, redo this command first

Join the domain

You can now really join the domain with:

net join -U Administrator

Again, it will ask for your password and add your Raspberry Pi into the Active Directory computers list


If it doesn’t work, check the /var/log/syslog file or any error message you have in the terminal

The last thing to do is to reboot your Raspberry Pi to apply changes:

sudo reboot

Checks

After the reboot, you should be able to see the domain users and groups with these commands:

wbinfo -u
wbinfo -g
getent passwd
getent group

The wbinfo command displays what winbind has found in the Active Directory
If it’s not working, you have connection issues with the LDAP directory
Make sure that samba and winbind services are running

The getent command depends on nsswitch
If you don’t have the domain users and groups displayed at the end of the output, check your nsswitch.conf file
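The checks described in this section and in the time configuration step can be scripted. The block below is an added example written for this page, not code from the original post: its functions parse a constructed sample of `getent passwd` output and a throw-away nsswitch.conf, so it runs offline, and only the `--live` mode touches the real system. The idmap range 10000000-19000000 comes from the smb.conf shown above; with the rid backend a domain user’s UID is the range start plus the account’s RID, so Administrator (RID 500) becomes 10000500.

```sh
#!/bin/sh
# Added example, not from the original post: post-join sanity checks for a
# Raspberry Pi configured with the krb5.conf, smb.conf and nsswitch.conf above.
set -eu

# Kerberos rejects clients whose clock differs from the KDC by 5 minutes (300 s)
# or more. $1 = local epoch seconds, $2 = DC epoch seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -lt 300 ]
}

# $1 = path to an nsswitch.conf; succeeds only if both the passwd and the group
# line list the winbind source (the change made in the nsswitch step above).
nsswitch_has_winbind() {
    awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { exit !(p && g) }
    ' "$1"
}

# Reads passwd-format lines (what getent passwd prints) on stdin and counts the
# entries whose UID lies in the domain idmap range $1..$2, i.e. AD users that
# winbind has mapped. Local accounts (root, pi) fall outside the range.
count_idmapped_users() {
    awk -F: -v lo="$1" -v hi="$2" \
        '{ uid = $3 + 0; if (uid >= lo + 0 && uid <= hi + 0) n++ } END { print n + 0 }'
}

# Constructed sample of getent passwd output after a successful join
# (rid backend: UID = 10000000 + RID; Administrator is RID 500, Domain Users RID 513).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
administrator:*:10000500:10000513::/home/RPITIPS/administrator:/bin/bash
alice:*:10001104:10000513::/home/RPITIPS/alice:/bin/bash'

# Only meaningful on the joined Pi; not executed unless --live is given.
live_checks() {
    nsswitch_has_winbind /etc/nsswitch.conf \
        || echo "nsswitch.conf: winbind is missing on the passwd or group line"
    n=$(getent passwd | count_idmapped_users 10000000 19000000)
    [ "$n" -gt 0 ] \
        || echo "getent passwd shows no AD users: check winbind and nsswitch.conf"
    wbinfo -u >/dev/null 2>&1 \
        || echo "wbinfo -u failed: is winbind running and the join still valid?"
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Running `sh post-join-checks.sh --live` after the reboot prints one line per failed check and nothing when everything is in order, which makes it easy to tell a winbind problem (wbinfo fails) from an nsswitch problem (wbinfo works but getent shows no domain users).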

Create a share

Once the Raspberry Pi is well connected with the Active Directory domain, you can start to use the domain users in any project.
For example, you can create a share on the Raspberry Pi, accessible for the AD users

  • Create a new folder to share
    sudo mkdir /media/share
  • Edit the samba configuration file
    sudo nano /etc/samba/smb.conf
  • Paste these lines at the end
    [share]
    path = /media/share/
    read only = no

    The name between brackets is the share name clients will see (“share” is just a placeholder here, pick your own)
  • Then adjust the permissions on the new share folder (a directory needs the execute bit to be entered, so use 770 rather than 660)
    sudo chmod 770 /media/share
    sudo chown Administrator /media/share

    As you can see, it’s now possible to use the AD user “Administrator” directly in the chown command
    And you can use any user or group from the domain

  • Restart samba to apply all changes
    sudo service smbd restart
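Giving the folder to a single AD user is fine for a test, but for a real share you usually want access limited to one domain group, with the files group-owned so that every member can work on them. The block below is an added example written for this page, not code from the original post: it renders such a share stanza and prints the matching directory commands. It assumes `winbind use default domain = yes` from the smb.conf above, which is why the group can be written as `Domain Users` without the domain prefix; `Domain Users` itself is a placeholder, use the group you actually want.

```sh
#!/bin/sh
# Added example, not from the original post: a Samba share restricted to one
# AD group, rendered from parameters so the stanza and the directory agree.
set -eu

# $1 = share name, $2 = path on the Pi, $3 = AD group name
# (assumes "winbind use default domain = yes", otherwise prefix the group
#  with the workgroup, e.g. RPITIPS\Domain Users)
render_share_stanza() {
    cat <<EOF
[$1]
path = $2
read only = no
browseable = yes
; only members of the group may connect; everybody else is refused
valid users = @"$3"
; files created through the share belong to the group, not to whoever wrote them
force group = "$3"
create mask = 0660
directory mask = 2770
EOF
}

# Commands for the directory: group-owned, group-writable, setgid so new files
# inherit the group. They are printed rather than executed, so the script is
# safe to run anywhere; run the output as root on the Pi.
dir_setup_commands() {
    printf 'mkdir -p %s\n' "$1"
    printf 'chgrp "%s" %s\n' "$2" "$1"
    printf 'chmod 2770 %s\n' "$1"
}

if [ $# -eq 3 ]; then
    render_share_stanza "$1" "$2" "$3"
    printf '\n'
    dir_setup_commands "$2" "$3"
fi
```

`sh share-stanza.sh share /media/share "Domain Users"` prints the stanza to append to /etc/samba/smb.conf followed by the three commands to run; restart smbd afterwards as in the step above.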

To access this new share use your file explorer and browse to the Raspberry Pi
For example, \\<IP> on Windows or if your computer is also in the domain, you can use \\RASPBERRYPI

When your system asks for a login and password, use DOMAIN\Administrator and the domain password

Related questions

How to change the Raspberry Pi host name? If you need to add several Raspberry Pi to a domain, you will have an issue with duplicate host names. To change the Raspberry Pi name, you need to edit the /etc/hostname file and change the value inside. Obviously, you need to do this before starting this procedure 🙂

Is there a way to leave the domain? Yes, you can use the command “net leave -U Administrator” to leave the domain. After that, your Raspberry Pi will be removed from the Active Directory domain and you can uninstall all the packages (Kerberos, Samba, …)

Conclusion

That’s it, you now know how to add your Raspberry Pi into an Active Directory domain

If you’re working on a network with an Active Directory, this tutorial was probably the first step
Let me know what kind of projects you’re working on

And if the goal is to create a share for the AD users, this guide on how to turn your Raspberry Pi into a file server can probably help you
