general:linux:joining_linux_to_ad
Install samba-common-bin and krb5-user for Kerberos usage.
In /etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
realm = WORKGROUP.DOM
kerberos method = system keytab
security = ADS
Then do: net ads join -U adminuser
After this you will have a /etc/krb5.keytab with the current AD Kerberos keys for the machine account.
In /etc/ssh/sshd_config:

# GSSAPI options
GSSAPIAuthentication yes
Check if /etc/ssh/sshd_config contains "AllowUsers" and, if so, add the user to the list:
AllowUsers admin user1 user2
Or use AllowGroups in sshd_config. Example:
AllowGroups admin linux_admins
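As an added example (not from this wiki page), the POSIX shell helpers below check an sshd_config for the settings above: whether GSSAPIAuthentication is effectively "yes", and whether a given user passes the AllowUsers / AllowGroups filter. sshd honours the first occurrence of a keyword, so a stray "GSSAPIAuthentication no" higher in the file silently wins over your edit; the helper reads the first occurrence for that reason. The sample config is constructed inline; Match blocks, DenyUsers/DenyGroups and user@host patterns are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes POSIX sh plus awk.

# sshd_first_value FILE KEYWORD
# Prints the argument of the FIRST occurrence of KEYWORD (sshd ignores later
# ones). Keywords are case-insensitive; comments and blank lines are skipped;
# reading stops at the first "Match" line. Only the "Keyword value" form is
# handled, not "Keyword=value".
sshd_first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# gssapi_enabled FILE -> exit 0 if GSSAPIAuthentication is effectively yes
gssapi_enabled() {
    [ "$(sshd_first_value "$1" GSSAPIAuthentication | tr 'A-Z' 'a-z')" = "yes" ]
}

# in_list WORD ITEM... -> exit 0 if WORD equals one of the ITEMs
in_list() {
    w=$1; shift
    for i in "$@"; do [ "$i" = "$w" ] && return 0; done
    return 1
}

# sshd_user_allowed FILE USER [GROUP...]
# Mirrors sshd's allow logic: if AllowUsers is set the user must be listed;
# if AllowGroups is set at least one of the user's groups must be listed;
# both filters apply when both are set. Deny* directives are not evaluated.
sshd_user_allowed() {
    conf=$1; user=$2; shift 2
    allow_users=$(sshd_first_value "$conf" AllowUsers)
    allow_groups=$(sshd_first_value "$conf" AllowGroups)
    if [ -n "$allow_users" ]; then
        # word-splitting of $allow_users is intended
        in_list "$user" $allow_users || return 1
    fi
    if [ -n "$allow_groups" ]; then
        found=1
        for g in "$@"; do
            in_list "$g" $allow_groups && { found=0; break; }
        done
        [ "$found" -eq 0 ] || return 1
    fi
    return 0
}

# Constructed sample sshd_config (not a real host's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# GSSAPI options
GSSAPIAuthentication yes
AllowUsers admin user1 user2
AllowGroups admin linux_admins
EOF

if gssapi_enabled "$demo_conf"; then
    echo "GSSAPIAuthentication: yes"
else
    echo "GSSAPIAuthentication: NOT enabled (check for an earlier 'no')"
fi
for u in user1 user3; do
    if sshd_user_allowed "$demo_conf" "$u" linux_admins; then
        echo "$u: allowed"
    else
        echo "$u: denied"
    fi
done
rm -f "$demo_conf"
```

On a real host run it against the live file with the account's actual groups, e.g. `sshd_user_allowed /etc/ssh/sshd_config "$USER" $(id -Gn)`; a "denied" before you restart sshd saves a lockout.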
#aptitude install sssd krb5-user
#adcli join --host-fqdn=$( hostname -f ) --login-user=<username> --domain=example.dom
Example that will add the HTTP service principal in addition to host (need to check whether the SPN records are handled by adcli as well, or whether they have to be added manually with the setspn.exe command):
#adcli join --host-fqdn=$( hostname -f ) --login-user=<username> --domain=example.dom -V host -V HTTP
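Added example (not part of this page): after `net ads join` or `adcli join`, the quickest local check that the host and HTTP principals actually landed in /etc/krb5.keytab is to parse `klist -k`. The helpers below take that output, list the principals, and report which expected `service/fqdn@REALM` entries are missing. The klist output here is a constructed sample, and hostnames and realm are placeholders; whether the matching servicePrincipalName attribute exists on the AD computer object still has to be checked on the AD side (setspn, as noted above).

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes POSIX sh, awk, grep.

# keytab_principals: reads `klist -k` output on stdin and prints one principal
# per line. Header lines are skipped by keeping only rows whose first field is
# a numeric KVNO.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }'
}

# keytab_missing_spns PRINCIPALS REALM FQDN SERVICE...
# PRINCIPALS is the newline-separated list from keytab_principals. Prints each
# expected SERVICE/FQDN@REALM that is absent; exit 0 if none are missing.
keytab_missing_spns() {
    princs=$1; realm=$2; fqdn=$3; shift 3
    rc=0
    for svc in "$@"; do
        want="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$princs" | grep -qxF -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `klist -k /etc/krb5.keytab` output (placeholder host
# and realm, not a real keytab).
sample_klist='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/linuxbox.example.dom@EXAMPLE.DOM
   3 host/LINUXBOX@EXAMPLE.DOM
   3 LINUXBOX$@EXAMPLE.DOM'

princs=$(printf '%s\n' "$sample_klist" | keytab_principals)
echo "principals in keytab:"
echo "$princs"
if missing=$(keytab_missing_spns "$princs" EXAMPLE.DOM linuxbox.example.dom host HTTP); then
    echo "all expected SPNs present"
else
    echo "missing from keytab:"
    echo "$missing"
fi
```

On a joined host replace the sample with the live output: `princs=$(klist -k /etc/krb5.keytab | keytab_principals)` and pass `$(hostname -f)` as the FQDN. A missing HTTP entry after `adcli join ... -V HTTP` means the service principal was not written to the keytab, regardless of what the AD object says.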
Edit /etc/sssd/sssd.conf (based on /usr/share/doc/sssd-common/examples/sssd-example.conf):

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = EXAMPLE.DOM

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

[domain/EXAMPLE.DOM]
id_provider = ad
access_provider = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_hostname = <hostname>.example.dom
general/linux/joining_linux_to_ad.txt · Last modified: 2020/11/17 19:40 by sunkan