Connecting Linux to Microsoft Windows Server Active Directory for management and easy access — SSSD/Kerberos/LDAP/SAMBA (Debian)

One of the questions people ask me most often is: how do you manage your Linux machines in a Windows environment, and can you add them to AD?

The answer: you can add them, and doing so makes ACLs and moving through the environment much easier, and simplifies granting access.

There are a few things to keep in mind:

  1. Functional Windows Active Directory Environment: the Windows Active Directory environment should be configured and operational before integrating a Linux machine.
  2. Linux Machine with a Supported Distribution: the device should run a supported distribution such as Ubuntu, CentOS, or Debian, and it should be up to date with the latest patches and updates.
  3. Samba Software: Samba is a free, open-source software suite that provides file and print services for Linux and Windows clients. You must install Samba on the Linux machine to enable Active Directory integration.
  4. DNS Configuration: the Linux machine must be able to resolve DNS queries for the Windows Active Directory domain. You can achieve this by configuring the Linux machine to use the domain controller as its DNS server or by adding the DNS records to the Linux machine's hosts file.
  5. Domain User Account with Administrative Privileges: you need a domain user account with administrative privileges to join the Linux machine to the Windows Active Directory domain.
  6. Firewall Configuration: ensure that the Linux machine's firewall is configured to allow traffic to and from the Windows Active Directory domain controller.
  7. Styles: SSSD, Kerberos, and LDAP can each work independently of the others. In this guide we cover and install each of them to allow flexibility across services and use cases; however, if you just want to join the domain, SSSD alone will work.

The Steps

1) First, let's configure the hostname, network, and DNS.
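A pre-join check for the hostname and DNS prerequisites, added here as an example (it is not part of the original article). It assumes dig from the dnsutils package is installed and uses the article's domain, truv.is, as the sample value.

```shell
# Added example (not from the original article): pre-join checks for the
# hostname and DNS prerequisites. Assumes `dig` from the dnsutils package;
# the domain truv.is is the one the article uses later.
# in_domain HOSTNAME DOMAIN: succeed if HOSTNAME is a fully qualified name under
# DOMAIN (case-insensitive). realmd derives the computer account name and the
# host/ Kerberos principal from it, so a bare short hostname often breaks the join.
in_domain() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$h" in
    ?*."$d") return 0 ;;
    *)       return 1 ;;
  esac
}
# srv_target "<dig +short SRV line>": print the target host of an SRV answer,
# e.g. "0 100 389 adds1.truv.is." -> "adds1.truv.is".
srv_target() {
  printf '%s\n' "$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}
# dc_from_dns DOMAIN: list the domain controllers advertised in DNS, the record
# `realm discover` relies on. No output means /etc/resolv.conf does not point at
# a DNS server serving the AD zone (prerequisite 4 above).
dc_from_dns() {
  dig +short SRV "_ldap._tcp.dc._msdcs.$1" | while read -r line; do
    srv_target "$line"
  done
}
# preflight DOMAIN: run both checks on this machine; returns non-zero on failure.
preflight() {
  rc=0
  host=$(hostname -f 2>/dev/null || hostname)
  if in_domain "$host" "$1"; then
    echo "hostname OK: $host"
  else
    echo "hostname '$host' is not an FQDN under $1; fix /etc/hostname and /etc/hosts" >&2
    rc=1
  fi
  dcs=$(dc_from_dns "$1")
  if [ -n "$dcs" ]; then
    printf 'domain controllers from DNS:\n%s\n' "$dcs"
  else
    echo "no _ldap._tcp.dc._msdcs.$1 SRV records; point /etc/resolv.conf at a DC" >&2
    rc=1
  fi
  return $rc
}
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it as "sh preflight.sh truv.is" before step 3; if either check fails, realm discover will fail in the same way.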

2) Install the needed packages:

apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

3) Discover our domain and join:

realm discover
realm join -U Administrator --verbose
realm list

4) Let's auto-create home directories:

bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
pam-auth-update

5) Configure SSSD and sudo:

Edit /etc/sssd/sssd.conf and add the following under the [domain/<your domain>] section that realm join created, then restart SSSD:

# Turn off sudo support in sssd - we're doing it directly in /etc/sudoers.d/
# and leaving this enabled results in spurious emails being sent to root
sudo_provider = none
# Define some defaults for accounts that are not already on this box.
# We appear to need these settings as well as the PAM configuration.
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
skel_dir = /etc/skel

systemctl restart sssd

Create a file /etc/sudoers.d/ad-linux-admins to allow the members of the Linux Admins AD group to sudo to root and add:

%Linux\ Admins ALL = (ALL) ALL

Let's check whether the integration worked by looking up domain accounts.

If you can see the accounts, then we are successfully querying AD DS.

Test logging in.

Things to keep in mind:

You can use sss_cache -E to clear SSSD's cached group memberships when the user logs in. Use id to ensure the group matches if you get a permission denied. Adding the group in sudoers worked for me.
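The membership check described above, written out as an added example (it is not from the original article): it parses the groups= part of id output the way SSSD prints it, flushes the cache first, and reports whether the group named in /etc/sudoers.d/ad-linux-admins is actually present. The user jdoe and the numeric IDs in the sample are made up.

```shell
# Added example (not from the original article): confirm that a domain user's
# group membership, as SSSD reports it via `id`, matches the group named in
# /etc/sudoers.d/ad-linux-admins before chasing a "permission denied".
# has_group "<id output>" GROUP: succeed if GROUP appears in the groups=...
# list. Comparison is case-insensitive and ignores an @realm suffix, because
# SSSD lowercases AD names and, with realmd defaults, prints them qualified
# (e.g. "linux admins@truv.is" for the AD group "Linux Admins").
has_group() {
  want=$(printf '%s' "$2" | sed 's/@.*$//' | tr 'A-Z' 'a-z')
  glist=${1##*groups=}
  old_ifs=$IFS; IFS=','
  for entry in $glist; do
    # "1478601105(linux admins@truv.is)" -> "linux admins"
    name=$(printf '%s' "$entry" | sed 's/^[0-9]*(//; s/)$//; s/@.*$//' | tr 'A-Z' 'a-z')
    if [ "$name" = "$want" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs
  return 1
}
# sudo_group_check USER GROUP: flush SSSD's cache so a freshly added AD group
# membership becomes visible, then check what `id` now reports. Needs root.
sudo_group_check() {
  sss_cache -E || echo "sss_cache -E failed (not root?)" >&2
  out=$(id "$1") || return 2
  if has_group "$out" "$2"; then
    echo "OK: $1 is in '$2'; the %$2 rule in sudoers applies"
  else
    echo "MISSING: SSSD does not list $1 in '$2'. Reported groups: ${out##*groups=}" >&2
    return 1
  fi
}
# Constructed sample of `id` output for a hypothetical user; the numeric IDs
# are made up (SSSD normally derives them from the account SIDs).
SAMPLE_ID='uid=1478601104(jdoe@truv.is) gid=1478600513(domain users@truv.is) groups=1478600513(domain users@truv.is),1478601105(linux admins@truv.is)'
if [ -n "${2:-}" ]; then sudo_group_check "$1" "$2"; fi
```

Run it as "sudo sh group-check.sh jdoe 'Linux Admins'"; also validate the drop-in itself with "visudo -cf /etc/sudoers.d/ad-linux-admins" before relying on it.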

6) Clean-up steps:

Set the NTP server to a domain controller to prevent time issues (Kerberos authentication fails once the clock skew exceeds its limit, 5 minutes by default):

nano /etc/ntp.conf

server ADDS1.TRUV.IS

7) For ACL steps:

Access to the enrolled server can be limited by allowing only specific users and groups.

Limit to users

To permit a user access via SSH and console, use the following command (replace <user> with the domain user name):

realm permit <user>@truv.is
realm permit <user1>@truv.is <user2>@truv.is

Permit access by group

realm permit -g sysadmins
realm permit -g 'Security Users'
realm permit -g 'Domain Users' 'admin users'


Kerberos

apt-get install krb5-user
nano /etc/krb5.conf

[libdefaults]
    # This relation identifies the default realm to be used in a client host's
    # Kerberos activity.
    default_realm = TRUV.IS

    # Indicate whether DNS TXT records should be used to determine the Kerberos
    # realm of a host. The default is not to use these records.
    dns_lookup_realm = false

    # Indicate whether DNS SRV records should be used to locate the KDCs
    # and other servers for a realm, if they are not listed in the information
    # for the realm. The default is to use these records.
    # We set this explicitly since we're setting the admin_server anyway.
    dns_lookup_kdc = false

    # The value of this tag is the default lifetime for initial tickets. The
    # default value for the tag is 1 day (1d).
    ticket_lifetime = 24h

    # The value of this tag is the default renewable lifetime for initial
    # tickets. The default value for the tag is 0.
    renew_lifetime = 7d

    # If this flag is set, initial tickets by default will be forwardable.
    # The default value for this flag is false.
    forwardable = true

    # If this flag is true, reverse name lookup will be used in addition to
    # forward name lookup to canonicalizing hostnames for use in service principal names.
    # If dns_canonicalize_hostname is set to false, this flag has no effect.
    # The default value is true.
    rdns = false

[realms]
    TRUV.IS = {
        # This relation identifies the host where the administration server
        # is running. Typically this is the Master Kerberos server.
        # Required setting - cannot be looked up via DNS.
        admin_server = ADFS-HYBRID.TRUV.IS

        # The name or address of a host running a KDC for that realm.
        # This could be looked up via DNS (dns_lookup_kdc) but we must
        # set the admin_server anyway, and this has the same value.
        kdc = ADFS-HYBRID.TRUV.IS
    }

[domain_realm]
    # The [domain_realm] section provides a translation from a hostname to
    # the Kerberos realm name for the services provided by that host.
    # The tag name can be a hostname, or a domain name, where domain names
    # are indicated by a prefix of a period ('.') character. The value of
    # the relation is the Kerberos realm name for that particular host or
    # domain. Host names and domain names should be in lower case.
    # If no translation entry applies, the host's realm is considered to
    # be the hostname's domain portion converted to upper case.

[logging]
    # Log everything to syslog. Default is severity of ERR and facility of AUTH.
    default = SYSLOG

Samba SMBD

apt-get install samba samba-common
systemctl stop nmbd
systemctl disable nmbd
systemctl disable samba
systemctl disable samba-ad-dc

nano /etc/samba/smb.conf

[global]
# Configures Samba suite for AD
# These parameters seem to work on the devtest domain.

# Netbios name for the AD domain in upper-case
workgroup = TRUV

# This controls whether the client is allowed or required to use SMB
# signing. Possible values are auto, mandatory and disabled.
# When set to auto, SMB signing is offered, but not enforced. When
# set to mandatory, SMB signing is required and if set to disabled,
# SMB signing is not offered either.
# Note: this governs Samba acting as an SMB client; signing for the shares
# smbd itself serves is controlled by the separate 'server signing' parameter.
# Default: client signing = auto
client signing = auto

# This variable controls whether Samba clients will try to use Simple
# and Protected NEGOciation (as specified by rfc2478) with supporting
# servers (including WindowsXP, Windows2000 and Samba 3.0) to agree
# upon an authentication mechanism. This enables Kerberos authentication
# in particular.
# Default: client use spnego = yes
client use spnego = yes

# This option specifies the kerberos realm to use. The realm is used as the
# ADS equivalent of the NT4 domain. It is usually set to the DNS name of the
# kerberos server. Since it is kerberos it is in capital letters.
realm = TRUV.IS

# In this mode, Samba will act as a domain member in an ADS realm. To operate
# in this mode, the machine running Samba will need to have Kerberos
# installed and configured and Samba will need to be joined to the ADS realm
# using the net utility.
security = ads

# Use the keytab to store secrets for authenticating against kerberos
# and to identify the kerberos server.
kerberos method = secrets and keytab

# Logging settings

# This option allows you to override the name of the Samba log file (also
# known as the debug file).
# This option takes the standard substitutions, allowing you to have separate
# log files for each user or machine.
# No default
# Example: log file = /usr/local/samba/var/log.%m
log file = /var/log/samba/smbd.log

# The value of the parameter (a string) allows the debug level (logging
# level) to be specified in the smb.conf file.
# Values seem to be 0 to 10.
# Default: log level = 0
# 10 is full debug output and is very noisy; lower it once the join is verified.
log level = 10

# This option (an integer in kilobytes) specifies the max size the log file
# should grow to. Samba periodically checks the size and if it is exceeded it
# will rename the file, adding a .old extension.
# A size of 0 means no limit.
# Default: max log size = 5000
max log size = 500

# Turn off printing to avoid log spam
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
# The ad backend reads uidNumber/gidNumber (rfc2307) from AD; those attributes
# must be populated and should match the IDs SSSD assigns, or file ownership
# will disagree between smbd and the shell.
idmap config TRUV:backend = ad
idmap config TRUV:schema_mode = rfc2307
idmap config TRUV:range = 10000-50000
idmap config TRUV:unix_nss_info = yes

Ensure that smb.conf is correct with testparm; investigate and fix any errors it reports. Then start up smbd and ensure it is enabled:

testparm
systemctl restart smbd
systemctl enable smbd

And there you have it. Your server is now fully connected to your Windows Environment.

We will go into more detail on how to secure a Linux machine and make use of ACLs in other articles soon to come.

If you are new to my content, be sure to follow/connect with me on other social media for new ideas and solutions to complicated real world problems.






