(Created page with "== Overview == If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individ...") |
|||
Line 44: | Line 44: | ||
services = nss, pam | services = nss, pam | ||
config_file_version = 2 | config_file_version = 2 | ||
− | domains = | + | domains = yourdomain.tld |
[nss] | [nss] | ||
Line 61: | Line 61: | ||
access_provider = ad | access_provider = ad | ||
dyndns_update = false | dyndns_update = false | ||
− | ad_hostname = | + | ad_hostname = linux-box.yourdomain.tld |
− | ad_server = | + | ad_server = dc-001.yourdomain.tld |
− | ad_domain = | + | ad_domain = yourdomain.tld |
ldap_schema = ad | ldap_schema = ad | ||
ldap_id_mapping = true | ldap_id_mapping = true | ||
Line 69: | Line 69: | ||
default_shell = /bin/bash | default_shell = /bin/bash | ||
ldap_sasl_mech = gssapi | ldap_sasl_mech = gssapi | ||
− | ldap_sasl_authid = | + | ldap_sasl_authid = LINUX-BOX$ |
− | krb5_keytab = /etc/sssd/ | + | krb5_keytab = /etc/sssd/linux-box.keytab |
ldap_krb5_init_creds = true | ldap_krb5_init_creds = true | ||
Revision as of 02:42, 4 December 2020
Contents
Overview
If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individual local accounts.
Assumptions
- You already have Active Directory configured and have an account with permission to join the domain.
- You already have a Linux computer setup and connected to the network, and have root access.
- DNS is configured and the Linux computer can ping the Domain Controller.
- This tutorial will be geared towards a Debian based distro, this will work with RedHat based distros also, but the package names and file locations may vary.
- You already have backups!
Prerequisites
sudo apt install sssd heimdal-clients msktutil
Kerberos
/etc/krb5.conf
[libdefaults] default_realm = YOURDOMAIN.TLD rdns = no dns_lookup_kdc = true dns_lookup_realm = true [realms] NOTS.LOCAL = { kdc = dc-001.yourdomain.tld admin_server = dc-001.yourdomain.tld }
Generate the KeyTab file:
kinit administrator klist msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box.yourdomain.tld -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only kdestroy
You will be prompted to login, this is where you authenticate with a domain account that can join the domain. You might be expecting some type of confirmation that the login succeeded, but you'd be wrong. If you get nothing then you're authentication worked, you should only be concerned if you get an error messsage.
You can change CN=COMPUTERS to the OU or container you want the computer object created in.
Yes the 'msktutil' lines look almost identical, we run it twice once with the FQDN and once with the NetBIOS name. You can omit the 2nd 'msktutil' command if you've disabled NetBIOS.
SSSD
/etc/sssd/sssd.conf
[sssd] services = nss, pam config_file_version = 2 domains = yourdomain.tld [nss] entry_negative_timeout = 0 #debug_level = 5 [pam] #debug_level = 5 [domain/nots.local] #debug_level = 10 enumerate = false id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad dyndns_update = false ad_hostname = linux-box.yourdomain.tld ad_server = dc-001.yourdomain.tld ad_domain = yourdomain.tld ldap_schema = ad ldap_id_mapping = true fallback_homedir = /home/%u default_shell = /bin/bash ldap_sasl_mech = gssapi ldap_sasl_authid = LINUX-BOX$ krb5_keytab = /etc/sssd/linux-box.keytab ldap_krb5_init_creds = true
Set permissions on sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf
PAM
Open the PAM common-session file and find pam_unix.so and insert pam_mkdomedir.so after it
/etc/pam.d/common-session
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0077
Resetart the sssd service:
sudo service sssd restart
or for you SystemD types:
sudo systemctl restart sssd
Sudo (Optional)
If you want a particular account to have sudo rights then add them to the sudo group:
sudo adduser <AD-USERNAME> sudo
Where <AD-USERNAME> is the name of an Active Directory user account.
Reference
https://www.youtube.com/watch?v=BvqdU6FZblw&feature=emb_logo
https://nerdonthestreet.com/wiki?find=Authenticate+Ubuntu+19.04+against+Active+Directory