These past few days at work I have been working out how to join Ubuntu to an AD domain. Drawing on several documents, and on the errors that came up while configuring, I have put together a fairly complete set of steps.
Following the configuration below gets you a working domain join and offline login with AD domain accounts.
## Environment

- Domain DNS server: 10.20.3.244
- Domain name: EXAMPLEAD.NET
- Domain controller: DC1.EXAMPLEAD.NET
## Configure NTP and DNS

Kerberos requires the client clock to be close to the domain controller's, so synchronise time against the DC first, then point DNS at it:

```
sudo apt-get install ntpdate
sudo ntpdate 10.20.3.244
sudo vim /etc/network/interfaces
```

Add the domain DNS server to the interface stanza:

```
dns-nameserver 10.20.3.244
```

Save and reboot.
## Install the required packages

```
sudo apt-get install winbind samba
sudo apt-get install libnss-winbind libpam-winbind
sudo apt-get install krb5-user
```

When the krb5-user installer asks for the realm details, use these values:

- Default realm: EXAMPLEAD.NET
- Kerberos servers for realm: DC1.EXAMPLEAD.NET
- Administrative server for your Kerberos realm: DC1.EXAMPLEAD.NET
## Configure the server

- Edit /etc/krb5.conf

```
[libdefaults]
    default_realm = EXAMPLEAD.NET
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    EXAMPLEAD.NET = {
        kdc = DC1.EXAMPLEAD.NET
        admin_server = DC1.EXAMPLEAD.NET
    }

[domain_realm]
    .examplead.net = EXAMPLEAD.NET
    examplead.net = EXAMPLEAD.NET
```
- Edit /etc/samba/smb.conf

```
[global]
    workgroup = EXAMPLEAD
    security = ads
    # change this value for each client
    netbios name = MLSZLAP031
    realm = EXAMPLEAD.NET
    password server = DC1.EXAMPLEAD.NET
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind separator = +
    idmap backend = tdb
    passdb backend = tdbsam
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true
```
- Edit /etc/nsswitch.conf

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference and info packages installed, try:
# info libc "Name Service Switch" for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
- Edit /etc/pam.d/common-account

```
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account sufficient pam_winbind.so
account required pam_unix.so
```

- Edit /etc/pam.d/common-auth

```
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
```

The `cached_login` option here, together with `winbind offline logon = true` in smb.conf, is what lets a domain user log in while the DC is unreachable.

- Edit /etc/pam.d/common-password

```
password required pam_unix.so nullok obscure min=4 max=50 md5
```

- Edit /etc/pam.d/common-session

```
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
```
## Initialize Kerberos

```
sudo kinit administrator@EXAMPLEAD.NET
sudo klist
```

Expected output:

```
malongit@MLSZLAP031:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLEAD.NET

Valid starting       Expires              Service principal
2017-09-01T10:17:22  2017-09-01T20:17:22  krbtgt/EXAMPLEAD.NET@EXAMPLEAD.NET
	renew until 2017-09-02T10:17:12
```
## Join the domain

```
sudo net ads join -U administrator@EXAMPLEAD.NET
sudo reboot
```
## Configure sudo

Edit /etc/sudoers and grant sudo to the AD group that should have it (replace `Group` with the group name):

```
%Group ALL=(ALL) ALL
```
## Show information about users and groups

Show users:

```
wbinfo -u
getent passwd
```

Show groups:

```
wbinfo -g
getent group
```
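The join depends on a few things that are easy to get wrong and that fail with unhelpful Kerberos errors: the client clock must be within the KDC's clock-skew tolerance (300 seconds by default), the realm must be written in upper case everywhere (Kerberos realm names are case-sensitive), and `default_realm` in krb5.conf must agree with `realm` and `workgroup` in smb.conf. The script below is an added example and not part of the original post; it implements those checks as plain shell functions over values and files passed in as arguments, and its `demo` function exercises them against constructed config excerpts rather than a real host's files. The function names (`check_realm_case`, `check_time_skew`, `ini_get`, `check_realm_config`, `demo`) are my own.

```shell
#!/bin/sh
# Pre-join sanity checks for the krb5/winbind setup described above.
# Added example (not from the original post). Every check is a pure
# function over its arguments so it can be run against constructed data.

# Kerberos realm names are case-sensitive and conventionally upper-case.
# A principal such as administrator@EXAMPLEAD.net names a different realm
# than EXAMPLEAD.NET and will not match the KDC's realm.
check_realm_case() {
    realm="$1"
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$upper" ]
}

# The KDC rejects requests when client and DC clocks differ by more than
# its clockskew setting (300 s by default); this is why ntpdate runs first.
# Arguments: client epoch seconds, DC epoch seconds, optional tolerance.
check_time_skew() {
    client_ts="$1"
    dc_ts="$2"
    tol="${3:-300}"
    skew=$((client_ts - dc_ts))
    if [ "$skew" -lt 0 ]; then
        skew=$((0 - skew))
    fi
    [ "$skew" -le "$tol" ]
}

# Read the first "key = value" for KEY from an ini-style file (krb5.conf,
# smb.conf), skipping '#' and ';' comment lines and trimming whitespace.
ini_get() {
    file="$1"
    key="$2"
    sed -n -e '/^[[:space:]]*[#;]/d' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | head -n 1 | sed -e 's/[[:space:]]*$//'
}

# krb5.conf default_realm, smb.conf realm and smb.conf workgroup (the
# NetBIOS domain name, by convention the first DNS label of the realm)
# must agree, or "net ads join" authenticates against the wrong realm.
check_realm_config() {
    krb5_conf="$1"
    smb_conf="$2"
    default_realm=$(ini_get "$krb5_conf" default_realm)
    smb_realm=$(ini_get "$smb_conf" realm)
    workgroup=$(ini_get "$smb_conf" workgroup)

    if ! check_realm_case "$default_realm"; then
        echo "krb5.conf default_realm '$default_realm' is missing or not upper-case" >&2
        return 1
    fi
    if [ "$default_realm" != "$smb_realm" ]; then
        echo "realm mismatch: krb5.conf '$default_realm' vs smb.conf '$smb_realm'" >&2
        return 1
    fi
    if [ "$workgroup" != "${smb_realm%%.*}" ]; then
        echo "workgroup '$workgroup' does not match realm prefix '${smb_realm%%.*}'" >&2
        return 1
    fi
    return 0
}

# Runs the checks against constructed config excerpts written to a temp
# directory (constructed sample data, not files from a real host).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLEAD.NET
EOF
    cat > "$dir/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLEAD
    security = ads
    # realm must match default_realm in krb5.conf
    realm = EXAMPLEAD.NET
EOF
    check_realm_config "$dir/krb5.conf" "$dir/smb.conf" \
        && echo "realm configuration: OK" \
        || echo "realm configuration: FAIL"
    # 120 s of skew is within the default 300 s tolerance; 600 s is not.
    check_time_skew 1504233442 1504233322 && echo "skew 120s: OK"
    check_time_skew 1504233442 1504234042 || echo "skew 600s: FAIL (resync with ntpdate)"
    rm -rf "$dir"
}

demo
```

To use it against a real client, call `check_realm_config /etc/krb5.conf /etc/samba/smb.conf` and feed `check_time_skew` the client's `date +%s` and the DC's time before running `net ads join`. Note that `winbind offline logon = true` together with `cached_login` keeps credential material cached on the client so that domain users can log in without reaching the DC; on a laptop that cache is worth protecting with full-disk encryption.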
## Manual user login in LightDM

Edit /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf:
```
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
```