Debian and AD
By Tony Hoyle
Adding Debian to Active Directory
I set up a Samba 4 server for single sign-on. Originally I had Kerberos/LDAP, but making Windows talk to that turned out to be more trouble than it was worth.
Using realmd and sssd I was able to get enrollment of a server down to this script:
#!/bin/sh
set -e
# The AD domain comes from the host's DNS domain; the Kerberos realm is its upper-case form.
DOMAIN=$(hostname -d)
REALM=$(echo "$DOMAIN" | tr "[:lower:]" "[:upper:]")
apt-get update
apt-get -y install sssd-ad sssd-tools realmd adcli packagekit krb5-user samba-libs crudini
# Join the domain, using the uidNumber/gidNumber attributes from AD instead of SID-based ID mapping.
realm --automatic-id-mapping=no join "$REALM"
# Create home directories on first login.
pam-auth-update --enable mkhomedir
# Patch sssd.conf (each setting is explained below).
crudini --set /etc/sssd/sssd.conf sssd default_domain_suffix "$DOMAIN"
crudini --set /etc/sssd/sssd.conf sssd implicit_pac_responder false
crudini --set /etc/sssd/sssd.conf "domain/$DOMAIN" ad_gpo_access_control permissive
crudini --set /etc/sssd/sssd.conf "domain/$DOMAIN" full_name_format "%1\$s"
crudini --set /etc/sssd/sssd.conf "domain/$DOMAIN" enumerate True
crudini --set /etc/sssd/sssd.conf "domain/$DOMAIN" fallback_homedir /home/%u
# crudini was only needed for the edits above.
dpkg --purge crudini
apt-get -y --purge autoremove
systemctl restart sssd
That includes a few changes to sssd.conf:
- default_domain_suffix - since I have only one domain, this saves having to specify it
- implicit_pac_responder - fix for Debian bug #1037930 - 12 months old at the time of writing!
- ad_gpo_access_control - bug fix (more below)
- full_name_format - strip the domain from user names, as I only have one domain
- enumerate - not strictly needed, but on a desktop machine it lets users appear on the login screen
The ad_gpo_access_control setting works around a longstanding issue that prevents logins on Linux machines by default.
The implication is that there is something you can set in GPO [1] to allow this, but it's not documented what, and it's not clear why the defaults aren't the same as on Windows.
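To confirm that a joined host actually carries the settings above, and to make the GPO access-control mode visible, here is an added POSIX shell example that is not part of the original post. It parses an sssd.conf-style file; the config it audits is a constructed sample standing in for /etc/sssd/sssd.conf, and example.com is a placeholder domain.

```shell
#!/bin/sh
# Added example (not from the post): audit the sssd.conf keys the join script sets.
set -eu
# Print the value of <key> in [<section>] of an sssd.conf-style INI file; return 1 if absent.
sssd_get() {
  awk -v sect="[$2]" -v key="$3" '
    $0 == sect { insect = 1; next }
    /^\[/      { insect = 0 }
    insect {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; found = 1; exit
      }
    }
    END { exit (found ? 0 : 1) }' "$1"
}
# Report each key the post changes; return 1 if any is missing. Also flag a
# non-enforcing GPO mode: "permissive" evaluates GPO logon rules but only logs denials.
audit_sssd_conf() {
  conf=$1; domain=$2; rc=0
  for spec in sssd:default_domain_suffix sssd:implicit_pac_responder \
      domain/$domain:ad_gpo_access_control domain/$domain:full_name_format \
      domain/$domain:enumerate domain/$domain:fallback_homedir; do
    sect=${spec%:*}; key=${spec##*:}
    if val=$(sssd_get "$conf" "$sect" "$key"); then
      echo "[$sect] $key = $val"
    else
      echo "[$sect] $key is NOT set"; rc=1
    fi
  done
  gpo=$(sssd_get "$conf" "domain/$domain" ad_gpo_access_control || echo enforcing)
  [ "$gpo" = enforcing ] || echo "note: ad_gpo_access_control=$gpo, GPO logon rules are not enforced"
  return $rc
}
# Constructed sample mirroring what the join script leaves in /etc/sssd/sssd.conf.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
default_domain_suffix = example.com
implicit_pac_responder = false
[domain/example.com]
ad_gpo_access_control = permissive
full_name_format = %1$s
enumerate = True
fallback_homedir = /home/%u
EOF
audit_sssd_conf "$SAMPLE_CONF" example.com
```

Point it at the real file with `audit_sssd_conf /etc/sssd/sssd.conf "$(hostname -d)"` after a join; a non-zero exit means one of the post's settings did not land.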
Anyway, with all that it's fairly trivial to add Linux machines to the domain, which is a massive improvement on the situation a few years ago.
The one thing that doesn't work is sharing drives to Windows: Samba (smbd) doesn't play with sssd, so you have to use winbind and configure things differently, which is much harder and a whole other post (with a whole new set of gotchas!).
[1] The Red Hat site says 'For a permanent solution evaluate GPO rule in Active Directory and make appropriate changes to allow user login', which is about as much use as a chocolate teapot.