{"id":5729,"date":"2021-05-06T10:01:16","date_gmt":"2021-05-06T08:01:16","guid":{"rendered":"https:\/\/nil.uniza.sk\/?p=5729"},"modified":"2021-05-08T21:54:08","modified_gmt":"2021-05-08T19:54:08","slug":"how-to-join-linux-machine-to-a-windows-domain-with-active-directory","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/how-to-join-linux-machine-to-a-windows-domain-with-active-directory\/","title":{"rendered":"How to join a Linux machine to a Windows Active Directory domain using SSSD"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Author: Tomas Misutka<\/p><\/blockquote>\n\n\n\n<p>This article is a how-to guide for joining a Linux-based system (server or workstation) to a Windows domain backed by Active Directory.<\/p>\n\n\n\n<p>This tutorial was tested on the following machines:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Debian 8.11.1, SSSD version 1.11.7-3+deb8u2<\/li><li>Ubuntu Server 20.04, SSSD version 2.2.3-3<\/li><li>Windows Server 2016<\/li><li>For demonstration purposes the Kerberos configuration uses the Windows domain WIN.KIS.FRI.UNIZA.SK as the default realm<\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>To join the machine to the domain, follow these steps. First refresh the package index:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt-get update<\/pre>\n\n\n\n<p>Install the required packages (ntp and ntpdate keep the clock in sync with the domain controller, which Kerberos requires)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo apt-get install krb5-user sssd ntp ntpdate realmd<\/pre>\n\n\n\n<p>Back up the default Kerberos configuration file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo mv \/etc\/krb5.conf \/etc\/krb5.conf.default<\/pre>\n\n\n\n<p>Create a new Kerberos configuration file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/krb5.conf<\/pre>\n\n\n\n<p>and insert the following lines<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[libdefaults]\ndefault_realm = WIN.KIS.FRI.UNIZA.SK\nrdns = no\ndns_lookup_kdc = true\ndns_lookup_realm = 
true\n\n[realms]\nWIN.KIS.FRI.UNIZA.SK = {\nkdc = dc.kis.fri.uniza.sk\nadmin_server = dc.kis.fri.uniza.sk\n}<\/pre>\n\n\n\n<p>then obtain a Kerberos ticket using the administrator account or any other admin account<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kinit administrator<\/pre>\n\n\n\n<p>show the ticket that was obtained<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">klist --verbose<\/pre>\n\n\n\n<p>check that the domain can be discovered<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">realm discover win.kis.fri.uniza.sk --verbose<\/pre>\n\n\n\n<p>join the machine to the domain using the administrator account or any other admin account<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">realm join --user=administrator@WIN.KIS.FRI.UNIZA.SK WIN.KIS.FRI.UNIZA.SK --verbose<\/pre>\n\n\n\n<p>show information about the joined domain<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">realm list   # --verbose does not show more info<\/pre>\n\n\n\n<p>and make sure that the computer object appears in the Computers container on the domain controller (refresh the view).<\/p>\n\n\n\n<p>Then make sure that the file \/etc\/sssd\/sssd.conf has permissions 0600 (SSSD refuses to start if the file is readable by other users)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ls -l \/etc\/sssd\/sssd.conf<\/pre>\n\n\n\n<p>if not, change them<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chmod 0600 \/etc\/sssd\/sssd.conf<\/pre>\n\n\n\n<p>edit the sssd.conf file and insert the following<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[sssd]\nservices = nss, pam, ssh\nconfig_file_version = 2\ndomains = win.kis.fri.uniza.sk\n\n[nss]\nentry_negative_timeout = 0\nreconnection_retries = 3\nentry_cache_timeout = 300\nentry_cache_nowait_percentage = 75\n\n[pam]\nreconnection_retries = 3\noffline_credentials_expiration = 2\noffline_failed_login_attempts = 3\noffline_failed_login_delay = 5\n\ndebug_level = 9\n\n[ssh]\n\n[domain\/win.kis.fri.uniza.sk]\nenumerate = false\nid_provider = ad\nauth_provider = ad\nchpass_provider = ad\naccess_provider = ad\ndyndns_update = false\nad_hostname = debian-test.win.kis.fri.uniza.sk\nad_server = 
dc.kis.fri.uniza.sk\nad_domain = win.kis.fri.uniza.sk\nldap_schema = ad\nldap_id_mapping = true\nfallback_homedir = \/home\/%d\/%u\ndefault_shell = \/bin\/bash\nldap_sasl_mech = gssapi\nldap_sasl_authid = DEBIAN-TEST\nkrb5_store_password_if_offline = true\nldap_krb5_init_creds = true\ncache_credentials = true\nrealmd_tags = manages-system joined-with-adcli<\/pre>\n\n\n\n<p>save it and restart SSSD<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart sssd<\/pre>\n\n\n\n<p>and add a line to the common-session file so that a home directory is created at first login<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo nano \/etc\/pam.d\/common-session<\/pre>\n\n\n\n<p>find the line &#8220;session required pam_unix.so&#8221; and paste the following below it<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">session required pam_mkhomedir.so skel=\/etc\/skel umask=0077<\/pre>\n\n\n\n<p>save it and add the admin group to the sudoers file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">visudo\n%name_of_group  ALL=(ALL:ALL) ALL   # preferred<\/pre>\n\n\n\n<p id=\"block-473015d9-d752-470b-b60e-2604f5b965e9\">or<\/p>\n\n\n\n<pre id=\"block-473015d9-d752-470b-b60e-2604f5b965e9\" class=\"wp-block-preformatted\">%name_of_group@domain  ALL=(ALL:ALL) ALL<\/pre>\n\n\n\n<p>if the group name contains a space, escape it with a backslash in this format<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">%first_name\\ second_name ALL=(ALL:ALL) ALL<\/pre>\n\n\n\n<p>Done! Reboot the computer and enjoy.<\/p>","protected":false},"excerpt":{"rendered":"<p>Author: Tomas Misutka This article provides a how-to guide on how to add\/join a Linux-based system (server, workstation) to a Windows domain working with Active Directory. 
This tutorial was tested on machines: DEBIAN -&gt; version:8.11.1 SSSD version:1.11.7-3+deb8u2 UBUNTU-SERVER -&gt; version:20.04 SSSD version:2.2.3-3 Win server 2016 For demonstration purposes as the configuration of KERBEROS we&#8230;<\/p>","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[685,851],"tags":[],"class_list":["post-5729","post","type-post","status-publish","format-standard","hentry","category-linux_-_howto-en","category-windows-2016-server"],"taxonomy_info":{"category":[{"value":685,"label":"Linux - HOWTO"},{"value":851,"label":"Windows 2016 server"}]},"featured_image_src_large":false,"author_info":{"display_name":"palo73","author_link":"https:\/\/nil.uniza.sk\/en\/author\/palo73\/"},"comment_info":25,"category_info":[{"term_id":685,"name":"Linux - HOWTO","slug":"linux_-_howto-en","term_group":0,"term_taxonomy_id":683,"taxonomy":"category","description":"","parent":0,"count":71,"filter":"raw","cat_ID":685,"category_count":71,"category_description":"","cat_name":"Linux - HOWTO","category_nicename":"linux_-_howto-en","category_parent":0},{"term_id":851,"name":"Windows 2016 server","slug":"windows-2016-server","term_group":0,"term_taxonomy_id":849,"taxonomy":"category","description":"","parent":845,"count":2,"filter":"raw","cat_ID":851,"category_count":2,"category_description":"","cat_name":"Windows 2016 
server","category_nicename":"windows-2016-server","category_parent":845}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/5729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=5729"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/5729\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=5729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=5729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=5729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}