Adding Your RADIUS Server to an Active Directory Domain
Step 1: Update the Hosts File and System
Add the domain controller's IP address to the server's /etc/hosts file so that the DC's name resolves even before Winbind and Kerberos are configured:
ip-address-of-dc01 dc01.YOUR-DOMAIN.edu.gh dc01
Also ensure that the server's operating system is up to date by running the appropriate system update command. For example, on a Debian-based system, you can use the command:
sudo apt update && sudo apt upgrade
Step 2: Install the Prerequisites
Install the necessary packages to perform domain enrollment by executing the following command:
sudo apt-get install samba winbind libnss-winbind krb5-user
- samba is the main package, providing the Samba daemons (smbd, nmbd) and the net tool used below for the domain join.
- winbind is a part of Samba that allows integration with Windows domains, providing features like authentication and name resolution.
- libnss-winbind is a library that enables Windows domain users and groups to be used as valid system users and groups on Linux systems.
- krb5-user installs the Kerberos client programs, which are used for authentication and secure communication in the Kerberos realm.
Step 3: Configure Samba
After the installation, we need to configure the Samba server. Make a backup of the "/etc/samba/smb.conf" file and replace its contents with the following configuration:
[global]
# NetBIOS (short) domain name: the second- or third-level label of your domain, e.g. GARNET for garnet.edu.gh
workgroup = GARNET
security = ads
winbind use default domain = yes
realm = YOUR-DOMAIN.edu.gh
password server = dc01.YOUR-DOMAIN.edu.gh
# Keep NTLMv1 disabled; MS-CHAPv2 (as used by EAP) and NTLMv2 are still accepted
ntlm auth = mschapv2-and-ntlmv2-only
Step 4: Configure Kerberos
Make a backup of the Kerberos config file "/etc/krb5.conf" and replace its contents with the following configuration:
[libdefaults]
# Must be the same realm as "realm =" in smb.conf, written in upper case
default_realm = YOUR-DOMAIN.EDU.GH
dns_lookup_realm = true
dns_lookup_kdc = true
# The KDC and admin server are the domain controller added to /etc/hosts in Step 1
[realms]
YOUR-DOMAIN.EDU.GH = {
kdc = dc01.your-domain.edu.gh
admin_server = dc01.your-domain.edu.gh
default_domain = your-domain.edu.gh
}
[domain_realm]
.your-domain.edu.gh = YOUR-DOMAIN.EDU.GH
your-domain.edu.gh = YOUR-DOMAIN.EDU.GH
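Before attempting the join in Step 5, it helps to confirm that the three files edited so far agree with each other: the realm in smb.conf must name the same realm (upper-cased) as default_realm in krb5.conf, that realm needs a [realms] block, and the password server named in smb.conf must be resolvable, here through the /etc/hosts entry from Step 1. The POSIX shell script below is an added example written for this guide, not part of the original page or of Samba; the script name check-ad-config.sh and its function names are my own, and it accepts optional file paths so it can be run against copies of the files.

```shell
#!/bin/sh
# check-ad-config.sh: pre-join consistency check for the files from Steps 1-4.
# Added example, not part of the original guide. Paths default to the system
# files and can be overridden to test against copies.

# Print the value of "key = value" for KEY in FILE (first match; comment lines
# starting with '#' or ';' are ignored). Works for both smb.conf and krb5.conf.
conf_value() {
    awk -F'=' -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Kerberos realm names are upper-case; Samba accepts any case in "realm =".
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# 0 if the Samba realm and the Kerberos default_realm name the same realm.
realms_consistent() {
    smb_realm=$(upper "$(conf_value "$1" realm)")
    krb_realm=$(upper "$(conf_value "$2" default_realm)")
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# 0 if krb5.conf has a "[realms]" block for its default_realm: the line
# "REALM = {" is seen by conf_value as key REALM with value "{".
realm_defined() {
    realm=$(conf_value "$1" default_realm)
    [ -n "$realm" ] && [ "$(conf_value "$1" "$realm")" = "{" ]
}

# 0 if HOSTNAME appears on a non-comment line of a hosts file (default
# /etc/hosts), i.e. the "ip-address-of-dc01 dc01.YOUR-DOMAIN.edu.gh dc01"
# entry from Step 1. Hostnames are compared case-insensitively.
hosts_entry() {
    awk -v h="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# Run every check, print a report, and return the number of failures.
check_all() {
    smb="${1:-/etc/samba/smb.conf}"; krb="${2:-/etc/krb5.conf}"; hosts="${3:-/etc/hosts}"
    fails=0
    realms_consistent "$smb" "$krb" && echo "ok: smb.conf realm matches krb5.conf default_realm" \
        || { echo "FAIL: realm in $smb differs from default_realm in $krb"; fails=$((fails+1)); }
    realm_defined "$krb" && echo "ok: default_realm has a [realms] entry" \
        || { echo "FAIL: no [realms] block for default_realm in $krb"; fails=$((fails+1)); }
    dc=$(conf_value "$smb" "password server")
    hosts_entry "$dc" "$hosts" && echo "ok: $dc has an entry in $hosts" \
        || { echo "FAIL: password server '$dc' has no entry in $hosts"; fails=$((fails+1)); }
    return "$fails"
}

# usage: sh check-ad-config.sh run [smb.conf] [krb5.conf] [hosts]
case "${1:-}" in
    run) check_all "$2" "$3" "$4" ;;
esac
```

Run it as sh check-ad-config.sh run on the RADIUS server; a non-zero exit means at least one of the three checks failed and the join in Step 5 is unlikely to succeed until it is fixed. The realm comparison is the one that catches the most common mistake, a default_realm that does not match the Samba realm.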
Step 5: Add Server to the Domain
Now that Samba and Kerberos are installed and configured, we need to join the server to the Active Directory domain. Before joining, make sure you have an account with the right to join computers to the domain, such as the "administrator" account. Follow these steps on Ubuntu:
- Run the command kinit admin-account to obtain and cache a Kerberos ticket-granting ticket. When prompted, enter the password for the admin account:
  Password for AD-ADMIN-ACCOUNT@YOUR-DOMAIN.EDU.GH:
- Next, run the command net ads join -S dc01.YOUR-DOMAIN.edu.gh -U admin-account to add the server to the domain. After a successful join you will see the message:
  Joined 'ServerName' to dns domain 'YOUR-DOMAIN.edu.gh'
Restart the Samba and Winbind services so they pick up the new machine account:
- service smbd restart
- service nmbd restart
- service winbind restart
Now that your server has joined your domain, we can test whether New Technology LAN Manager (NTLM) authentication works. FreeRADIUS uses the "ntlm_auth" tool to reach Winbind's NTLM authentication function for MS-CHAPv2 requests. Run the following command to confirm that NTLM authentication works on your RADIUS server (omit --password to be prompted for it instead of leaving it in your shell history):
ntlm_auth --request-nt-key --domain=YOUR-DOMAIN.edu.gh --username=admin-account --password=admin-password
If the authentication is successful, you should see the following output:
NT_STATUS_OK: The operation completed successfully. (0x0)
Step 6: Easy Management of Adding a Server to the Domain
To recover automatically if the server loses its membership in the domain, two systemd units have been created: a service that joins the server to the domain, and a timer that runs that service every hour to confirm the membership.
The first file is join-ad.service:
[Unit]
Description=Join Ubuntu server to Active Directory
[Service]
# The service already runs as root, so no sudo is needed; net reads the password from stdin.
# Exit non-zero on failure so the run shows up as failed in systemctl status / journalctl.
ExecStart=/bin/bash -c "echo 'admin-password' | net ads join -S dc01.YOUR-DOMAIN.edu.gh -U admin-account && echo 'Joined to Active Directory successfully.' || { echo 'Failed to join Active Directory.'; exit 1; }"
Type=oneshot
[Install]
WantedBy=multi-user.target
The second file is join-ad.timer:
[Unit]
Description=Run Join Active Directory Service every hour
[Timer]
# "hourly" is equivalent to *-*-* *:00:00; the original "*:0/1" would have fired every minute
OnCalendar=hourly
Unit=join-ad.service
[Install]
WantedBy=timers.target
Place both files in the "/etc/systemd/system/" folder. Because join-ad.service contains the admin account's password, make it readable by root only (chmod 600 /etc/systemd/system/join-ad.service). Note that the service must not set RemainAfterExit=yes: a oneshot unit that stays "active" after its first run is never started again by the timer. Then run these commands to enable and start them:
systemctl daemon-reload
systemctl enable join-ad.service
systemctl enable join-ad.timer
systemctl start join-ad.service
systemctl start join-ad.timer
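The unit above re-joins the domain on every run, with the admin password embedded in the unit file. The script below is an alternative ExecStart target, added here as an example and not part of the original guide or of Samba: it first asks Samba whether the existing machine account still works (net ads testjoin) and only re-joins when that check fails, reads the join account's password from a root-only file instead of the unit (the path /etc/join-ad.secret and the script name join-ad-check.sh are assumptions), and exits non-zero on failure so the timer's runs show up as failed in journalctl. It also wraps the ntlm_auth test from Step 5 so the password is read from stdin rather than typed on the command line.

```shell
#!/bin/sh
# join-ad-check.sh: ExecStart target for join-ad.service. Added example, not
# part of the original guide. Verifies the machine-account trust with
# "net ads testjoin" and only re-joins when that fails. Names default to the
# ones used in the guide; JOIN_PASS_FILE is a hypothetical root-only
# (chmod 600) file holding the join account's password.
DC="${DC:-dc01.YOUR-DOMAIN.edu.gh}"
DOMAIN="${DOMAIN:-YOUR-DOMAIN.edu.gh}"
JOIN_USER="${JOIN_USER:-admin-account}"
JOIN_PASS_FILE="${JOIN_PASS_FILE:-/etc/join-ad.secret}"

# 0 when the machine account can still authenticate to the domain.
joined() {
    net ads testjoin >/dev/null 2>&1
}

# Re-join the domain. With no terminal attached (as under systemd) net reads
# the password from stdin, which is how the guide's unit file feeds it too.
rejoin() {
    if [ ! -r "$JOIN_PASS_FILE" ]; then
        echo "cannot read $JOIN_PASS_FILE" >&2
        return 2
    fi
    net ads join -S "$DC" -U "$JOIN_USER" < "$JOIN_PASS_FILE"
}

# The guide's ntlm_auth test for user $1, password taken from stdin so it is
# not left in shell history (it is still passed to ntlm_auth via --password).
# Returns 0 when Winbind answers NT_STATUS_OK.
ntlm_ok() {
    ntlm_auth --request-nt-key --domain="$DOMAIN" --username="$1" --password="$(cat)" 2>&1 \
        | grep -q '^NT_STATUS_OK'
}

# Prints a one-line status; returns 0 if the server ends up joined, 1 if not.
ensure_joined() {
    if joined; then
        echo "join OK: machine account for $DOMAIN is valid"
        return 0
    fi
    echo "join test failed, re-joining via $DC as $JOIN_USER"
    if rejoin && joined; then
        echo "Joined to Active Directory successfully."
        return 0
    fi
    echo "Failed to join Active Directory." >&2
    return 1
}

# usage: join-ad-check.sh run
#        printf '%s\n' "$PASSWORD" | join-ad-check.sh ntlm some-user
case "${1:-}" in
    run)  ensure_joined ;;
    ntlm) ntlm_ok "$2" ;;
esac
```

Install it as /usr/local/sbin/join-ad-check.sh (mode 700) and set ExecStart=/usr/local/sbin/join-ad-check.sh run in join-ad.service; the timer from Step 6 is unchanged. Because the script only calls net ads join when testjoin fails, the hourly run normally touches nothing and leaves a single "join OK" line in the journal.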