Ledhed at 02:42, 4 December 2020

2020-12-04T02:42:31Z

Ledhed at 02:42, 4 December 2020

2020-12-04T02:42:05Z

Ledhed: Created page with "== Overview == If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individ..."

2020-12-04T02:39:55Z

Created page with "== Overview == If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individ..."

New page

== Overview ==
If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individual local accounts.

== Assumptions ==
* You already have Active Directory configured and have an account with permission to join the domain.
* You already have a Linux computer setup and connected to the network, and have root access.
* DNS is configured and the Linux computer can ping the Domain Controller.
* This tutorial will be geared towards a Debian based distro, this will work with RedHat based distros also, but the package names and file locations may vary.
* '''You already have backups!'''

== Prerequisites ==
sudo apt install sssd heimdal-clients msktutil

== Kerberos ==
/etc/krb5.conf
[libdefaults]
default_realm = YOURDOMAIN.TLD
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
NOTS.LOCAL = {
kdc = dc-001.yourdomain.tld
admin_server = dc-001.yourdomain.tld
}

Generate the KeyTab file:
kinit administrator
klist
msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box.yourdomain.tld -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only
kdestroy
You will be prompted to login, this is where you authenticate with a domain account that can join the domain. You might be expecting some type of confirmation that the login succeeded, but you'd be wrong. If you get nothing then you're authentication worked, you should only be concerned if you get an error messsage. <br>
You can change ''CN=COMPUTERS'' to the OU or container you want the computer object created in.
''Yes the 'msktutil' lines look almost identical, we run it twice once with the FQDN and once with the NetBIOS name. You can omit the 2nd 'msktutil' command if you've disabled NetBIOS.'' <br>

== SSSD ==
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = nots.local

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/nots.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ubuntu-desktop.nots.local
ad_server = winserver19.nots.local
ad_domain = nots.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = UBUNTU-DESKTOP$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

Set permissions on sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf

== PAM ==
Open the PAM common-session file and find ''pam_unix.so'' and insert ''pam_mkdomedir.so'' after it <br>
/etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077

Resetart the sssd service:
sudo service sssd restart
or for you SystemD types:
sudo systemctl restart sssd

== Sudo (Optional) ==
If you want a particular account to have sudo rights then add them to the sudo group:
sudo adduser <AD-USERNAME> sudo
Where <AD-USERNAME> is the name of an Active Directory user account.

== Reference ==
https://www.youtube.com/watch?v=BvqdU6FZblw&feature=emb_logo

https://nerdonthestreet.com/wiki?find=Authenticate+Ubuntu+19.04+against+Active+Directory

[[Category:Linux]]

@@ Line 38: / Line 38: @@
 You can change ''CN=COMPUTERS'' to the OU or container you want the computer object created in.
 ''Yes the 'msktutil' lines look almost identical, we run it twice once with the FQDN and once with the NetBIOS name. You can omit the 2nd 'msktutil' command if you've disabled NetBIOS.'' <br>
 == SSSD ==

@@ Line 44: / Line 44: @@
   services = nss, pam
   config_file_version = 2
-  domains = nots.local
+  domains = yourdomain.tld
   [nss]
@@ Line 61: / Line 61: @@
   access_provider = ad
   dyndns_update = false
-  ad_hostname = ubuntu-desktop.nots.local
+  ad_hostname = linux-box.yourdomain.tld
-  ad_server = winserver19.nots.local
+  ad_server = dc-001.yourdomain.tld
-  ad_domain = nots.local
+  ad_domain = yourdomain.tld
   ldap_schema = ad
   ldap_id_mapping = true
@@ Line 69: / Line 69: @@
   default_shell = /bin/bash
   ldap_sasl_mech = gssapi
-  ldap_sasl_authid = UBUNTU-DESKTOP$
+  ldap_sasl_authid = LINUX-BOX$
-  krb5_keytab = /etc/sssd/my-keytab.keytab
+  krb5_keytab = /etc/sssd/linux-box.keytab
   ldap_krb5_init_creds = true

User Authentication with Active Directory - Linux - Revision history

Ledhed at 02:42, 4 December 2020

Ledhed at 02:42, 4 December 2020

Ledhed: Created page with "== Overview == If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individ..."