This section is for Joining Debian 8 to Active Directory
Use apt to install the following required packages
root # apt-get install sudo realmd adcli sssd ntp libsss-sudo samba-common-bin sssd-tools
Run the following as root:
mkdir -p /var/lib/samba/private
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session
echo "%domain\ admins@$DOMAIN ALL=(ALL) ALL" | tee -a /etc/sudoers.d/domain_admins
(`$DOMAIN` must already hold the AD domain name in this shell, otherwise the sudoers rule is written with an empty domain; both `tee -a` lines append, so run them only once.)
vim /etc/sssd/sssd.conf
Modify the line to be: use_fully_qualified_names = False
The following command, `realm discover YOURDOMAIN.lan` (the same check used in the CentOS section below), can be executed to verify that the server can find the YOURDOMAIN.lan domain.
The output should be similar to the one below:
yourdomain.lan
  type: kerberos
  realm-name: yourdomain.LAN
  domain-name: yourdomain.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
realm join --user=administrator yourdomain.lan  # Enter the administrator password (the domain one)
systemctl enable sssd
systemctl start sssd
The following can be written as an executable script and run in one shot (note that `realm join` still prompts interactively for the administrator password):
aptitude install ntp sudo
aptitude install realmd adcli sssd
mkdir -p /var/lib/samba/private
realm join --user=administrator yourdomain.lan
if [ $? -ne 0 ]; then
  echo "AD join failed. Please run 'journalctl -xn' to determine why."
  exit 1
fi
systemctl enable sssd
systemctl start sssd
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
aptitude install libsss-sudo
echo "%domain\ admins@$DOMAIN ALL=(ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
(`$DOMAIN` must be set in the environment before the script runs, otherwise the sudoers rule is written with an empty domain; the two `tee -a` lines append, so a second run duplicates them. Check the drop-in afterwards with `visudo -c`, since a syntax error in /etc/sudoers.d disables sudo entirely.)
This should be the contents of /etc/sssd/sssd.conf:
[sssd]
domains = yourdomain.lan
config_file_version = 2
services = nss, pam

[domain/yourdomain.lan]
ad_domain =yourdomain.lan
krb5_realm =yourdomain.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
Restart sssd whenever sssd.conf is modified. The file must stay owned by root with mode 0600, otherwise sssd refuses to start.
This section is for Joining Debian 7 (and lower) to Active Directory
Use apt to install the following required packages
[libdefaults]
default_realm = yourdomain.LAN
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = true
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab
ticket_lifetime = "10h 0m 0s"
renew_lifetime = "7d 0h 0m 0s"

[realms]
yourdomain.LAN = {
    kdc = dc1-ma.yourdomain.lan
    # multiple kdc lines can be added if desired to include other domain controllers
    admin_server = dc1-ma.yourdomain.lan
    default_domain = yourdomain.LAN
}

[domain_realm]
.yourdomain.lan = yourdomain.LAN
yourdomain.lan = yourdomain.LAN

[login]
krb4_convert = true
krb4_get_tickets = false

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
vi /etc/samba/smb.conf
[global]
workgroup = yourdomain
security = ads
realm = yourdomain.lan
password server = dc1-ma.yourdomain.lan
domain logons = no
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
domain master = no
local master = no
prefered master = no
os level = 0
idmap config *:backend = tdb
idmap config *:range = 11000-20000
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000000-19000000

Then in /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat

And in the PAM session configuration (/etc/pam.d/common-session):
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

You should now be able to log in to the system using a domain username/password combination, and a home folder will be created automatically on first logon.
This section is for Joining CentOS 7 to Active Directory
root # yum install adcli realmd oddjob oddjob-mkhomedir sssd samba-common-tools ipa-python -y
root # realm discover YOURDOMAIN.COM
yourdomain.com
  type: kerberos
  realm-name: YOURDOMAIN.COM
  domain-name: yourdomain.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
root # realm join --user=administrator YOURDOMAIN.COM
vim /etc/sssd/sssd.conf
Modify the line to be: use_fully_qualified_names = False
Then enable and start (or restart) the service:
root # systemctl enable sssd
root # systemctl start sssd
root # systemctl restart sssd
root # echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Change the sudoers file to add the line below:
root # visudo
# Allow members of group internal-it to execute any command
%internal-it ALL=(ALL:ALL) ALL
Change the smb.conf file to use the following workgroup:
root :~ cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
    workgroup = YOURDOMAIN
    security = user
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw