2025-01-17 Update. From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/01 Report
The editor shares with you how to integrate Ubuntu into a Samba4 AD DC using SSSD and Realm. I hope you will get something out of this article. Let's go through it together.
Requirements:
Create an Active Directory infrastructure with Samba4 on Ubuntu
Step 1: initial configuration
1. Make sure the hostname is set correctly before adding Ubuntu to Active Directory. Use the hostnamectl command to set the machine name, or manually edit the /etc/hostname file.
$ sudo hostnamectl set-hostname your_machine_short_hostname
$ cat /etc/hostname
$ hostnamectl
2. Next, edit the machine's network interface settings, add the appropriate IP settings, and point the DNS server address at the Samba Active Directory domain controller, as shown in the following figure.
If you have configured the DHCP service to automatically assign IP settings for LAN machines including the appropriate AD DNS IP addresses, you can skip this step.
Set up the network interface
In the figure above, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 domain controllers.
3. Restart the network service from the GUI (graphical user interface) or the command line to apply the changes, then issue a series of ping requests to your domain name to confirm that DNS resolution works as expected. Also test DNS resolution with the host command.
$ sudo systemctl restart networking.service
$ host your_domain.tld
$ ping -c2 your_domain_name
$ ping -c2 adc1
$ ping -c2 adc2
4. Make sure that the machine time is synchronized with the Samba4 AD (Kerberos depends on it). Install the ntpdate package and synchronize the time with AD using the following commands.
$ sudo apt-get install ntpdate
$ sudo ntpdate your_domain_name
Step 2: install the required packages
5. This step installs the software and dependencies needed to join Ubuntu to the Samba4 Active Directory domain controller: the Realmd and SSSD services.
$sudo apt install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1
6. Enter the default realm name in uppercase, then press Enter to continue the installation.
Enter Realm name
7. Next, create an SSSD configuration file with the following content.
$ sudo nano /etc/sssd/sssd.conf
Add the following to the sssd.conf file.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = tecmint.lan
config_file_version = 2
services = nss, pam
default_domain_suffix = TECMINT.LAN

[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
Make sure that you replace the domain names in the following parameters accordingly:
domains = tecmint.lan
default_domain_suffix = TECMINT.LAN
[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
8. Next, restrict the permissions of the SSSD configuration file with the following command:
$ sudo chmod 700 /etc/sssd/sssd.conf
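The sssd.conf above is easy to get subtly wrong (a misspelled option name, a key set twice in one section, a services list that is not comma separated, or a file left world readable), and SSSD will often start anyway while logins fail. The following script is an added example, not part of the original article: it lints an sssd.conf for exactly those mistakes. The list of dyndns_* option names and the 600/700 mode requirement are assumptions based on sssd-ad(5) and the chmod step above; the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: lint /etc/sssd/sssd.conf for the
# mistakes that most often leave an AD-joined Ubuntu host unable to log in.
# Usage: sh sssd-lint.sh /etc/sssd/sssd.conf

# dyndns_* options documented in sssd-ad(5); assumed sufficient to catch
# transposition typos such as "dyndsn_refresh_interval".
KNOWN_DYNDNS="dyndns_update dyndns_refresh_interval dyndns_update_ptr dyndns_ttl dyndns_iface dyndns_server dyndns_auth dyndns_force_tcp"

# Emit "section<TAB>key<TAB>value" for every assignment in an INI-style file.
sssd_kv() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { gsub("[^A-Za-z0-9._/-]", ""); sec = $0; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print sec "\t" key "\t" val
        }' "$1"
}

# check_sssd_conf FILE: print one finding per line, return 1 if there was any.
check_sssd_conf() {
    conf="$1"; rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }

    # The file governs who may log in and how credentials are cached: no group/other bits.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "perm: $conf is mode $mode, expected 600 or 700"; rc=1
    fi

    kv=$(sssd_kv "$conf")

    # A key repeated inside one section is ambiguous: only one of the values can win.
    dups=$(printf '%s\n' "$kv" | cut -f1,2 | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | awk -F'\t' '{ print "dup: [" $1 "] " $2 " is set more than once" }'
        rc=1
    fi

    # Every name in [sssd] domains needs a matching [domain/<name>] section.
    domains=$(printf '%s\n' "$kv" | awk -F'\t' '$1 == "sssd" && $2 == "domains" { print $3 }')
    for d in $(printf '%s\n' "$domains" | tr ',' ' '); do
        printf '%s\n' "$kv" | awk -F'\t' -v s="domain/$d" '$1 == s { f = 1 } END { exit !f }' \
            || { echo "domain: [sssd] domains lists $d but there is no [domain/$d] section"; rc=1; }
    done

    # services is a comma-separated lowercase list ("nss, pam"), not "nss Pam".
    services=$(printf '%s\n' "$kv" | awk -F'\t' '$1 == "sssd" && $2 == "services" { print $3 }')
    if printf '%s\n' "$services" | grep -q '[^a-z, ]' \
       || printf '%s\n' "$services" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -q ' '; then
        echo "services: '$services' must be a comma-separated lowercase list such as 'nss, pam'"; rc=1
    fi

    # A misspelled option name never takes effect, so check the dyndns_* keys by name.
    for key in $(printf '%s\n' "$kv" | awk -F'\t' '$2 ~ /^dynd/ { print $2 }' | sort -u); do
        case " $KNOWN_DYNDNS " in
            *" $key "*) ;;
            *) echo "typo: $key is not an SSSD option, check the spelling against sssd-ad(5)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample carrying the defects discussed above: wrong case in services,
# a duplicated access_provider, a transposed dyndns key and a domain with no section.
write_bad_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = tecmint.lan, tecmint.local
services = nss Pam
[domain/tecmint.lan]
ad_domain = tecmint.lan
id_provider = ad
access_provider = ad
auth_provider = ad
access_provider = ad
dyndns_update = true
dyndsn_refresh_interval = 43200
EOF
}

# Constructed sample of a clean configuration for the same domain.
write_good_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = tecmint.lan
services = nss, pam
[domain/tecmint.lan]
ad_domain = tecmint.lan
id_provider = ad
auth_provider = ad
access_provider = ad
dyndns_update = true
dyndns_refresh_interval = 43200
EOF
}

# Lint the file named on the command line; nothing runs when invoked without one.
if [ $# -gt 0 ]; then check_sssd_conf "$1"; fi
```

Run it as `sudo sh sssd-lint.sh /etc/sssd/sssd.conf` before restarting SSSD; a clean file produces no output and exit status 0. The parser deliberately only understands the `key = value` and `[section]` shapes used on this page, which is enough for a realmd-style sssd.conf.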
9. Now open the Realmd configuration file for editing and enter the following lines:
$ sudo nano /etc/realmd.conf
Excerpt from realmd.conf file:
[active-directory]
os-name = Linux Ubuntu
os-version = 17.04

[service]
automatic-install = yes

[users]
default-home = /home/%d/%u
default-shell = /bin/bash

[tecmint.lan]
user-principal = yes
fully-qualified-names = no
10. The remaining file to modify belongs to the Samba daemon. Open /etc/samba/smb.conf for editing and add the following lines at the beginning of the file, directly after [global], as shown in the figure below.
workgroup = TECMINT
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = TECMINT.LAN
security = ads
Configure the Samba server
Make sure you replace the domain name values, especially the realm value, with those of your own domain, and run the testparm command to check that the configuration file contains no errors.
$ sudo testparm
Test Samba configuration
11. After making all the necessary changes, verify Kerberos authentication with an AD administrator account and list the ticket with the following commands.
$ sudo kinit ad_admin_user@DOMAIN.TLD
$ sudo klist
Verify Kerberos authentication
Step 3: join Ubuntu to Samba4 Realm
Type the following commands to add the Ubuntu machine to the Samba4 Active Directory. Use an AD DC account with administrator privileges so that the realm bind works as expected, and replace the domain name values with your own.
$ sudo realm discover -v DOMAIN.TLD
$ sudo realm list
$ sudo realm join TECMINT.LAN -U ad_admin_user -v
$ sudo net ads join -k
Join Ubuntu to Samba4 Realm
List Realm Domain information
Add users to Realm Domain
Add Domain to Realm
12. After the realm is bound, run the following command to allow all domain accounts to authenticate on this machine.
$ sudo realm permit --all
13. You can then use realm commands like the following examples to allow or deny access for domain user accounts or groups.
$ sudo realm deny --all
$ realm permit --groups 'domain.tld\Linux Admins'
$ realm permit user@domain.lan
$ realm permit DOMAIN\\User2
14. From a Windows machine with the RSAT tools installed, you can open AD UC, browse the "Computers" container, and verify that a computer object with your machine name has been created.
Ensure that the domain is joined to the AD DC
Step 4: configure AD account authentication
15. In order to use domain account authentication on the Ubuntu machine, run the pam-auth-update command with root privileges and enable all PAM profiles, including the option that automatically creates a home directory for each domain account at first login.
Press the [Space] key to select all configuration items and choose OK to apply the configuration.
$ sudo pam-auth-update
PAM configuration
16. Manually edit the /etc/pam.d/common-account file on the system and add the following line, which automatically creates a home directory for authenticated domain users.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
17. If Active Directory users cannot change their password from the Linux command line, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line, so that it reads as follows:
password [success=1 default=ignore] pam_winbind.so try_first_pass
18. Restart and enable the Realmd and SSSD services to apply the changes, with the following commands:
$ sudo systemctl restart realmd sssd
$ sudo systemctl enable realmd sssd
19. To test whether the Ubuntu machine has been successfully integrated into the realm, install the winbind package and run the wbinfo command to list the domain accounts and groups, as shown below.
$ sudo apt-get install winbind
$ wbinfo -u
$ wbinfo -g
List domain accounts
20. Similarly, you can use the getent command to verify the Winbind nsswitch module for a specific domain user or group.
$ sudo getent passwd your_domain_user
$ sudo getent group 'domain admins'
Verify Winbind Nsswitch
21. You can also use the Linux id command to obtain information about your AD account, as follows:
$ id tecmint_user
Verify AD user information
22. Use su - followed by the domain user name to authenticate as a Samba4 AD account on the Ubuntu host. Run the id command to get more information about the AD account.
$ su - your_ad_user
AD user authentication
Use the pwd command to view the current working directory of your domain user, and the passwd command to change the password.
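Steps 19 to 22 check the join by eye; the script below is an added example, not from the original article, that turns the same getent/id checks into something repeatable. It assumes the sssd.conf from step 7 (ldap_id_mapping = True, use_fully_qualified_names = True, fallback_homedir = /home/%d/%u and default_shell = /bin/bash) and SSSD's default id-mapping range, which starts at UID 200000; the passwd records in the test are constructed. Besides confirming that the account resolves the way the configuration says it should, it flags the case a practitioner most wants to catch: an unqualified user name that is silently answered by a local /etc/passwd account instead of the AD one.

```shell
#!/bin/sh
# Added example, not from the original article: check how an AD account resolves
# on an SSSD-joined Ubuntu host. Assumes the sssd.conf from step 7 (ldap_id_mapping,
# use_fully_qualified_names = True, fallback_homedir = /home/%d/%u, /bin/bash).
# Usage: sh check-ad-user.sh tecmint_user tecmint.lan

IDMAP_MIN=200000   # SSSD's default ldap_idmap_range_min; AD-mapped UIDs start here

# check_passwd_entry LINE DOMAIN: LINE is a passwd(5) record as printed by
# `getent passwd user@domain`. Prints one finding per line; returns 1 on any finding.
check_passwd_entry() {
    line="$1"; domain="$2"; rc=0
    IFS=: read -r name _ uid gid _ home shell <<EOF
$line
EOF
    [ -n "$name" ] || { echo "lookup: no passwd entry, SSSD/NSS did not resolve the account"; return 1; }
    case "$name" in
        *@"$domain") ;;
        *) echo "name: '$name' is not qualified with @$domain (use_fully_qualified_names)"; rc=1 ;;
    esac
    # A low UID means a local /etc/passwd account answered, not the id-mapped AD account.
    if [ "$uid" -lt "$IDMAP_MIN" ]; then
        echo "uid: $uid is below $IDMAP_MIN, this is a local account rather than an id-mapped AD account"; rc=1
    fi
    case "$home" in
        "/home/$domain/"*) ;;
        *) echo "home: '$home' does not follow fallback_homedir /home/%d/%u"; rc=1 ;;
    esac
    [ "$shell" = /bin/bash ] || { echo "shell: '$shell' is not the configured default_shell /bin/bash"; rc=1; }
    return $rc
}

# check_ad_user USER DOMAIN: resolve the account through NSS (getent) and also make
# sure the bare user name is not shadowed by a local account with the same name.
check_ad_user() {
    user="$1"; domain="$2"; rc=0
    check_passwd_entry "$(getent passwd "$user@$domain" || true)" "$domain" || rc=1
    if getent passwd "$user" >/dev/null 2>&1 \
       && [ "$(getent passwd "$user" | cut -d: -f3)" -lt "$IDMAP_MIN" ]; then
        echo "shadow: a local account named '$user' exists and wins for an unqualified login"; rc=1
    fi
    return $rc
}

# Check the user and domain named on the command line; nothing runs without them.
if [ $# -eq 2 ]; then check_ad_user "$1" "$2"; fi
```

A clean account prints nothing and exits 0. If you later apply step 26 (full_name_format = %1$s), the `name:` finding is expected, because SSSD then returns the short name by design; the UID and home directory checks still apply.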
23. To give a domain account root permissions on Ubuntu, add the AD user name to the sudo system group with the following command:
$ sudo usermod -aG sudo your_domain_user@domain.tld
Log in to Ubuntu with the domain account and run the apt update command to update your system, which verifies the root permissions.
24. To give a domain group root permissions, open the /etc/sudoers file with the visudo command and add the following line:
%domain\ admins@tecmint.lan ALL=(ALL:ALL) ALL
25. To use domain account authentication on the Ubuntu desktop, modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, adding the following two lines, and then restart the lightdm service or reboot the machine to apply the changes.
greeter-show-manual-login=true
greeter-hide-users=true
A domain account then logs in to the Ubuntu desktop in the form "your_domain_user" or "your_domain_user@your_domain".
26. To use the short form of Samba AD account names, edit the /etc/sssd/sssd.conf file and add the following line in the [sssd] block.
full_name_format = %1$s
And restart the SSSD daemon to apply changes.
$ sudo systemctl restart sssd
You will notice that the bash prompt becomes the AD user name with no domain name attached.
27. In case you cannot log in because of the enumerate = true setting in sssd.conf, clear the SSSD cache data with the following command:
$ sudo rm /var/lib/sss/db/cache_tecmint.lan.ldb
After reading this article, I believe you have some understanding of "how to integrate Ubuntu to Samba4 AD DC with SSSD and Realm". Thank you for reading!