From LedHed's Wiki
Jump to: navigation, search
(Created page with "== Overview == If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individ...")
(No difference)

Revision as of 02:39, 4 December 2020

Overview

If you already have an established Active Directory environment, it might make sense to have your Linux computers authenticate to it instead of managing individual local accounts.

Assumptions

  • You already have Active Directory configured and have an account with permission to join the domain.
  • You already have a Linux computer setup and connected to the network, and have root access.
  • DNS is configured and the Linux computer can ping the Domain Controller.
  • This tutorial will be geared towards a Debian based distro, this will work with RedHat based distros also, but the package names and file locations may vary.
  • You already have backups!


Prerequisites

sudo apt install sssd heimdal-clients msktutil


Kerberos

/etc/krb5.conf

[libdefaults]
default_realm = YOURDOMAIN.TLD
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
NOTS.LOCAL = {
kdc = dc-001.yourdomain.tld
admin_server = dc-001.yourdomain.tld
}

Generate the KeyTab file:

kinit administrator
klist
msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box.yourdomain.tld -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s LINUX-BOX/linux-box -k /etc/sssd/linux-box.keytab --computer-name LINUX-BOX --upn LINUX-BOX$ --server dc-001.yourdomain.tld --user-creds-only
kdestroy

You will be prompted to login, this is where you authenticate with a domain account that can join the domain. You might be expecting some type of confirmation that the login succeeded, but you'd be wrong. If you get nothing then you're authentication worked, you should only be concerned if you get an error messsage.
You can change CN=COMPUTERS to the OU or container you want the computer object created in. Yes the 'msktutil' lines look almost identical, we run it twice once with the FQDN and once with the NetBIOS name. You can omit the 2nd 'msktutil' command if you've disabled NetBIOS.

SSSD

/etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = nots.local

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/nots.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ubuntu-desktop.nots.local
ad_server = winserver19.nots.local
ad_domain = nots.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = UBUNTU-DESKTOP$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

Set permissions on sssd.conf

sudo chmod 0600 /etc/sssd/sssd.conf


PAM

Open the PAM common-session file and find pam_unix.so and insert pam_mkdomedir.so after it
/etc/pam.d/common-session

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0077


Resetart the sssd service:

sudo service sssd restart

or for you SystemD types:

sudo systemctl restart sssd


Sudo (Optional)

If you want a particular account to have sudo rights then add them to the sudo group:

sudo adduser <AD-USERNAME> sudo

Where <AD-USERNAME> is the name of an Active Directory user account.


Reference

https://www.youtube.com/watch?v=BvqdU6FZblw&feature=emb_logo

https://nerdonthestreet.com/wiki?find=Authenticate+Ubuntu+19.04+against+Active+Directory