linux:ad_integration:sssd, revision 2021/03/29 14:11 (current), created by external edit
====== Ubuntu 20.04 and Samba integration with Active Directory using SSSD ======
===== Join Ubuntu to Active Directory =====
<code bash>
# install the required packages: realmd and adcli perform the join, sssd provides identity
# and authentication, libnss-sss/libpam-sss hook it into NSS and PAM, oddjob-mkhomedir
# creates home directories on first login
su@fs:~$ sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

# configure the network to use the AD domain controller as DNS server and the domain name
# as the default search domain (discovery and the join look up the AD SRV records, so the
# resolver must be a DC or a DNS server that forwards to one)
su@fs:~$ sudo vim /
network:
  ethernets:
    eth0:
      addresses:
        - 192.168.2.251/
      gateway4: 192.168.2.1
      nameservers:
        addresses:
          - 192.168.2.2
        search:
          - example.com
  version: 2

# apply the configuration
su@fs:~$ sudo netplan apply

# test whether the domain can be discovered (this also proves DNS points at the DC)
su@fs:~$ realm discover example.com
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name:
  configured: no
  ...

# join the domain; the account used must be allowed to create the computer object in AD
su@fs:~$ sudo realm join -U administrator example.com
Password for administrator:

# test whether domain users resolve through NSS
su@fs:~$ id user@example.com
uid=687821651(user@example.com) gid=687800512(user@example.com) groups=687800512(domain users@example.com)

# additional SSSD configuration, in the [domain/example.com] section of sssd.conf
su@fs:~$ sudo vim /
# set use_fully_qualified_names to False if you want to log in with the bare username - otherwise you must use user@example.com
# change fallback_homedir to choose the home directory layout - I prefer /home/%d/%u
# restart sssd (sudo systemctl restart sssd) for the change to take effect

# enable automatic creation of home directories at first login
su@fs:~$ sudo pam-auth-update --enable mkhomedir

# add a single domain user to the sudo group
su@fs:~$ sudo usermod -aG sudo user@example.com
# or grant a domain group sudo rights (preferable: membership is then managed in AD)
su@fs:~$ sudo visudo
# append a line for the desired group (spaces in sudoers names must be backslash-escaped)
%Domain\ admins

# log in as the domain user; the home directory is created on first login
su@fs:~$ su - user@example.com
Creating directory '/
To run a command as administrator (user "
See "man sudo_root"

user@example.com@fs:
logout
su@fs:~$

# additionally, restrict which domain users may log in to this host;
# after the join every domain user is permitted until you deny them
su@fs:~$ sudo realm deny --all
su@fs:~$ sudo realm permit user@example.com user2@example.com
su@fs:~$ sudo realm permit -g '
</code>
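The two sssd.conf edits and the sudoers line above are easy to get wrong by hand (a duplicated key, an unescaped space), so here is an added helper script that applies them idempotently. It is not part of the original page: the functions sssd_set, sudoers_rule and install_sudoers_rule are my own, the sssd.conf it rewrites is a constructed copy modelled on what realmd writes, and the drop-in name /etc/sudoers.d/domain-group is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): apply the post-join SSSD and sudoers
# settings idempotently. Assumes "key = value" lines under a [domain/<realm>]
# section in sssd.conf (realmd's layout) and sudoers drop-ins in /etc/sudoers.d.
set -eu

# sssd_set FILE SECTION KEY VALUE
# Replace KEY inside [SECTION] if present (dropping duplicates), otherwise append it
# to that section, creating the section if missing. Running it twice changes nothing.
sssd_set() {
  file=$1 section=$2 key=$3 value=$4
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    BEGIN { insec = 0; done = 0 }
    /^\[/ {
      if (insec && !done) { print key " = " val; done = 1 }
      insec = ($0 == sec)
    }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { if (!done) { print key " = " val; done = 1 }; next }
    }
    { print }
    END { if (!done) { if (!insec) print sec; print key " = " val } }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sudoers_rule GROUP
# Emit a sudoers line giving full sudo to GROUP. Spaces must be backslash-escaped
# in sudoers, and the name must be exactly what "getent group" returns (qualified
# with @domain unless use_fully_qualified_names was set to False).
sudoers_rule() {
  escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
  printf '%%%s ALL=(ALL:ALL) ALL\n' "$escaped"
}

# install_sudoers_rule GROUP [DIR]
# Write the rule to DIR/domain-group (assumed name), validating it with visudo -c
# first when visudo is available. The ".tmp" file is ignored by sudo while it is
# being checked, because sudoers.d skips names containing a dot.
install_sudoers_rule() {
  dir=${2:-/etc/sudoers.d}
  target="$dir/domain-group"
  sudoers_rule "$1" > "$target.tmp"
  chmod 0440 "$target.tmp"
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$target.tmp" >/dev/null; then
    rm -f "$target.tmp"
    echo "invalid sudoers rule for '$1', not installed" >&2
    return 1
  fi
  mv "$target.tmp" "$target"
}

# Demo on a constructed sssd.conf (not a real machine's file).
demo() {
  work=$(mktemp -d)
  cat > "$work/sssd.conf" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
id_provider = ad
ad_domain = example.com
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
EOF
  sssd_set "$work/sssd.conf" domain/example.com use_fully_qualified_names False
  sssd_set "$work/sssd.conf" domain/example.com fallback_homedir /home/%d/%u
  cat "$work/sssd.conf"
  sudoers_rule 'domain admins@example.com'   # %domain\ admins@example.com ALL=(ALL:ALL) ALL
  rm -rf "$work"
}
demo
```

On a real host run `sssd_set /etc/sssd/sssd.conf domain/example.com use_fully_qualified_names False` as root and restart sssd; install_sudoers_rule refuses to install anything visudo rejects, so a typo cannot lock you out of sudo.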
===== Kerberos =====
Because SSSD's AD provider authenticates the user against the domain KDC, a password login already leaves a Kerberos TGT in the user's credential cache; installing krb5-user only adds the client tools (klist, kinit, kdestroy) needed to inspect and renew it. Kerberos-aware clients such as smbclient then use that ticket instead of prompting for a password.
<code bash>
su@fs:~$ su -l user@example.com
Password:
# show the credential cache (klist output): the TGT was obtained at login
user@example.com@fs:
Ticket cache: FILE:/
Default principal: user@EXAMPLE.COM

Valid starting
03/29/2021 08:
        renew until 03/30/2021 08:57:32
# list the shares on the file server (share listing as printed by smbclient -L)
user@example.com@fs:
user@example.com@fs:

        Sharename          Type      Comment
        ---------          ----      -------
        ADMIN$
        C$                 Disk      Default share
        CertEnroll
        ContentBuilderSCUM Disk
        D$                 Disk      Default share
        E$                 Disk      Default share
        IPC$               IPC
        NETLOGON
        Share              Disk
        ShareSSD
        SYSVOL
SMB1 disabled -- no workgroup available
# the cache now also holds the service ticket obtained for that SMB connection
user@example.com@fs:
Ticket cache: FILE:/
Default principal: user@EXAMPLE.COM

Valid starting
03/29/2021 08:
        renew until 03/30/2021 08:59:11
03/29/2021 08:
user@example.com@fs:
</code>
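The transcript above shows the TGT and, after the SMB connection, a service ticket. The added helper below, which is not part of the original page, reads a klist listing and decides whether a live ticket exists before a Kerberos-only tool is run, so a stale cache fails fast instead of silently falling back to a password prompt. The functions ticket_expiry, ts_key, ticket_valid and smb_list_with_tgt are mine; the klist text is constructed to match the format above, and the host name fs.example.com in it is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): check an MIT klist listing for a
# valid TGT or service ticket. Assumes the klist column layout shown above
# (MM/DD/YYYY HH:MM:SS  MM/DD/YYYY HH:MM:SS  principal).
set -eu

# ticket_expiry KLIST_TEXT PRINCIPAL_PREFIX
# Print the "Expires" timestamp of the first ticket whose service principal starts
# with PREFIX (e.g. krbtgt/ or cifs/fs.example.com); print nothing if there is none.
ticket_expiry() {
  printf '%s\n' "$1" | awk -v pfx="$2" '
    $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/ && index($NF, pfx) == 1 {
      print $3 " " $4; exit
    }'
}

# ts_key "MM/DD/YYYY HH:MM:SS" -> YYYYMMDDHHMMSS, so two timestamps compare numerically
ts_key() {
  printf '%s\n' "$1" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# ticket_valid KLIST_TEXT PRINCIPAL_PREFIX NOW
# Exit 0 if a ticket for PREFIX exists and expires strictly after NOW, 1 otherwise.
ticket_valid() {
  expires=$(ticket_expiry "$1" "$2")
  [ -n "$expires" ] || return 1
  awk -v a="$(ts_key "$expires")" -v b="$(ts_key "$3")" 'BEGIN { exit !(a + 0 > b + 0) }'
}

# smb_list_with_tgt SERVER
# Real-world wrapper: only call smbclient with Kerberos when the TGT is still live.
# (-k is the Samba 4.11 spelling; newer releases use --use-kerberos=required.)
smb_list_with_tgt() {
  cache=$(klist 2>/dev/null || true)
  now=$(date '+%m/%d/%Y %H:%M:%S')
  if ticket_valid "$cache" krbtgt/ "$now"; then
    smbclient -k -L "$1"
  else
    echo "no valid TGT in the cache: run kinit or log in again" >&2
    return 1
  fi
}

# Constructed klist output modelled on the transcript above (not a captured cache).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_687821651_abc123
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
03/29/2021 08:57:32  03/29/2021 18:57:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/30/2021 08:57:32
03/29/2021 08:59:11  03/29/2021 18:57:32  cifs/fs.example.com@EXAMPLE.COM
        renew until 03/30/2021 08:57:32'

ticket_expiry "$SAMPLE_KLIST" krbtgt/                                        # 03/29/2021 18:57:32
if ticket_valid "$SAMPLE_KLIST" krbtgt/ "03/29/2021 09:00:00"; then echo "TGT valid"; fi
if ! ticket_valid "$SAMPLE_KLIST" krbtgt/ "03/29/2021 19:00:00"; then echo "TGT expired"; fi
if ticket_valid "$SAMPLE_KLIST" cifs/fs.example.com "03/29/2021 09:00:00"; then echo "cifs ticket cached"; fi
```

In a cron job or deployment script, `smb_list_with_tgt fs.example.com` gives a clear error when the session's TGT has expired (the default AD lifetime is 10 hours, as the Expires column shows) instead of a hang on a password prompt.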
===== SAMBA integration =====
This part needs review since it is broken on recent versions.
<code bash>
su@fs:~$ sudo apt install samba cifs-utils libwbclient-sssd
# edit the Samba configuration
su@fs:~$ sudo vim /
[global]

   realm = EXAMPLE.COM

#
   # machine-local range for BUILTIN and other well-known SIDs
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   # domain users and groups are mapped by SSSD, so this range must contain every ID
   # SSSD assigns. SSSD's defaults are ldap_idmap_range_min = 200000 and
   # ldap_idmap_range_max = 2000200000; the original 1000000-19999999 did not contain
   # uid 687821651 from the "id" output above, leaving such users unmappable
   idmap config EXAMPLE : backend = sss
   idmap config EXAMPLE : range = 200000-2000200000
   # rangesize is an idmap_autorid option; idmap_sss does not use it
   #idmap config EXAMPLE : rangesize = 1000000


#
#


   log file = /
   max log size = 1000

   panic action = /

#
   obey pam restrictions = yes
   unix password sync = yes


   pam password change = yes
   map to guest = bad user

   max protocol = SMB3
   # NT1 is SMB1: do not re-enable it on a domain member (the smbclient output above
   # already reports "SMB1 disabled"); SMB2 is the floor
   min protocol = SMB2
[public]
   comment = Public share
   path = /
   read only = no
   guest ok = no
   browsable = yes
   writable = yes
   #admin users =
   # group names go in double quotes with an @ (or +) prefix; backslashes are not an
   # escape in smb.conf, and a bare name is treated as a user. Use the name exactly as
   # "getent group" shows it (qualified with @example.com unless you disabled
   # use_fully_qualified_names in sssd.conf)
   valid users = @"domain users@example.com"
   #invalid users =
   #read list =
   write list = @"domain users@example.com"
   create mask = 0770
   directory mask = 0770
   force create mode = 0770
   force directory mode = 0770


# get your domain SID from PowerShell on a DC with Get-ADDomain example.com (the DomainSID property)
su@fs:~$ sudo net setdomainsid S-1-5-21-111111111-2222222222-33333333
su@fs:~$ sudo systemctl restart smbd nmbd
</code>
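The two things most likely to make this setup "broken" are an idmap range that does not contain the IDs SSSD hands out and share ACL entries that Samba tokenises differently from what was intended. The added script below, which is not part of the original page, checks both against a configuration file. The functions idmap_range, uid_in_range, acl_tokens, acl_problems, check_member_conf and mk_conf are mine; the smb.conf fragments are constructed inline (one with the page's original range and ACL, one with the corrected values), and uid 687821651 is the value `id` returned in the join section above. On a real host point check_member_conf at /etc/samba/smb.conf and the output of `id -u user@example.com`.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check a Samba domain member
# whose ID mapping is delegated to SSSD. Assumes smb.conf "key = value" syntax and
# Samba's list rules: names separated by commas or whitespace, double quotes group a
# name containing spaces, backslashes are ordinary characters.
set -eu

# idmap_range SMB_CONF DOMAIN -> print "low-high" from "idmap config DOMAIN : range"
idmap_range() {
  awk -F= -v want="idmap config $2 : range" '
    NF >= 2 {
      k = $1; gsub(/[ \t]+/, " ", k); gsub(/^ | $/, "", k)
      if (tolower(k) == tolower(want)) { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    }' "$1"
}

# uid_in_range UID "low-high" -> exit 0 if low <= UID <= high, 2 if the range is unset
uid_in_range() {
  [ -n "$2" ] || return 2
  awk -v u="$1" -v r="$2" 'BEGIN { split(r, b, "-"); exit !(u + 0 >= b[1] + 0 && u + 0 <= b[2] + 0) }'
}

# acl_tokens SMB_CONF KEY -> one name per line, split the way Samba splits a list
acl_tokens() {
  awk -F= -v want="$2" '
    NF >= 2 {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != want) next
      v = substr($0, index($0, "=") + 1)
      cur = ""; inq = 0
      for (j = 1; j <= length(v); j++) {
        c = substr(v, j, 1)
        if (c == "\"") { inq = !inq; cur = cur c }
        else if (!inq && (c == "," || c == " " || c == "\t")) { if (cur != "") { print cur; cur = "" } }
        else cur = cur c
      }
      if (cur != "") print cur
    }' "$1"
}

# acl_problems SMB_CONF KEY -> tokens containing a backslash: Samba will look for a
# user literally named e.g. "Domain\" instead of the group the admin meant
acl_problems() {
  acl_tokens "$1" "$2" | grep '\\' || true
}

# check_member_conf SMB_CONF DOMAIN UID -> 0 when UID maps and the share ACLs parse cleanly
check_member_conf() {
  range=$(idmap_range "$1" "$2")
  if ! uid_in_range "$3" "$range"; then
    echo "uid $3 is outside idmap range '${range:-<unset>}' for $2" >&2
    return 1
  fi
  bad=$(acl_problems "$1" "valid users"; acl_problems "$1" "write list")
  if [ -n "$bad" ]; then
    printf 'ACL entries Samba will misparse:\n%s\n' "$bad" >&2
    return 1
  fi
}

# mk_conf FILE RANGE ACL -> write a constructed minimal smb.conf (not a real config)
mk_conf() {
  cat > "$1" <<EOF
[global]
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   idmap config EXAMPLE : backend = sss
   idmap config EXAMPLE : range = $2
[public]
   path = /srv/public
   valid users = $3
   write list = $3
EOF
}

SSSD_UID=687821651   # uid SSSD reported for user@example.com in the join section
work=$(mktemp -d)
mk_conf "$work/broken.conf" 1000000-19999999 'Domain\ users\@example.com'
mk_conf "$work/fixed.conf" 200000-2000200000 '@"domain users@example.com"'
check_member_conf "$work/broken.conf" EXAMPLE "$SSSD_UID" || echo "broken.conf: FAIL"
check_member_conf "$work/fixed.conf" EXAMPLE "$SSSD_UID" && echo "fixed.conf: OK"
rm -rf "$work"
```

Run the checks after every smb.conf change and before `systemctl restart smbd`; pair them with `testparm -s`, which catches syntax errors but not a range that simply does not contain your users.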