This is an overview of how to configure Ubuntu to use AD credentials at login, how to use Canonical's new features for integrating Ubuntu with AD (adsys), and how to use GPOs to configure an Ubuntu client from AD.
Links:
https://ubuntu.com/blog/new-active-di...
https://github.com/ubuntu/adsys
Commands:
Required packages:
sudo apt install sssd-ad sssd-tools realmd adcli sssd libnss-sss libpam-sss samba-common-bin oddjob oddjob-mkhomedir packagekit -y
Check/configure /etc/resolv.conf (DNS settings) and the NTP client; Kerberos needs working DNS and a clock in sync with the domain controllers.
Verify that DNS works and the domain resolves:
realm -v discover kotilab.local
Join the domain:
realm join -v kotilab.local
OR join with a different user and a target OU for the computer account:
realm join -v kotilab.local -U user --computer-ou=OU=UbuntuComputers
/etc/sssd/sssd.conf should look like this:
[sssd]
domains = kotilab.local
config_file_version = 2
services = nss, pam
default_domain_suffix = kotilab.local

[domain/kotilab.local]
enumerate = false
default_shell = /bin/bash
# allow login with cached credentials when the domain controllers are unreachable
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = KOTILAB.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = kotilab.local
use_fully_qualified_names = True
ldap_id_mapping = True
# access_provider = ad enforces AD account state (disabled, expired, locked out)
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = false
ldap_schema = ad
ldap_sasl_mech = gssapi
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
account_cache_expiration = 14
entry_cache_timeout = 14400

[pam]
reconnection_retries = 3
# very verbose; lower once login works
debug_level = 10
offline_credentials_expiration = 3

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
These are additional values for the sssd.conf that realm join generates.
Configure Kerberos
Additional packages for Kerberos:
sudo apt install krb5-user adsys libpam-krb5 -y
First check whether a ticket already exists:
klist
Check that /etc/krb5.conf has the following:
[libdefaults]
default_realm = KOTILAB.LOCAL
rdns = false
dns_lookup_kdc = true
dns_lookup_realm = true
default_ccache_name = FILE:/home/%{username}/krb5cc
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0

[realms]
KOTILAB.LOCAL = {
default_domain = KOTILAB.LOCAL
}
sudo chmod 0600 /etc/krb5.keytab
sudo chown root:root /etc/krb5.keytab
Attach the AD member computer to Ubuntu Advantage:
sudo ua attach <token>
Enable the realmd and sssd services:
sudo systemctl start realmd sssd
sudo systemctl enable realmd sssd
Then reboot and try logging in with an AD account.
Extra: create home directories automatically at first login:
sudo pam-auth-update --enable mkhomedir
OR configure the /etc/pam.d/common-session and common-account files manually
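A hand-edited sssd.conf like the one above is easy to get subtly wrong (a key repeated inside one section, a keytab left world-readable), and sssd gives little feedback about it. The following lint is an added example, not part of the original notes or of sssd/adsys; it assumes GNU coreutils (stat -c) and POSIX awk as found on Ubuntu, and the sample sssd.conf it checks is constructed here.

```shell
# Added example, not from the original notes or from sssd/adsys. sssd reads
# sssd.conf as an INI file: a key repeated within one section is ambiguous
# and only one copy takes effect, so a hand-edited file with e.g. two
# ldap_id_mapping lines should be caught before restarting sssd.
# Assumes GNU coreutils (stat -c) and POSIX awk, as on Ubuntu.

# Print "[section] key" once for every key repeated inside one section.
sssd_duplicate_keys() {
    awk -F'=' '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]+/, "", sec); next }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ || !/=/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (++seen[sec, key] == 2) print sec " " key
        }' "$1"
}

# Succeed only if the keytab mode is exactly 0600 (the chmod 0600 step
# above); ownership must additionally be root:root (the chown step).
keytab_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Constructed sample with the same shape as the sssd.conf above, written to $1.
# reconnection_retries appears in two different sections and is not a duplicate.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = kotilab.local
services = nss, pam
[domain/kotilab.local]
id_provider = ad
ldap_id_mapping = True
cache_credentials = True
ldap_id_mapping = true
cache_credentials = true
[pam]
reconnection_retries = 3
[nss]
reconnection_retries = 3
EOF
}

# Stand-alone run: lint the sample, then report the mode of the real keytab.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "Duplicate keys in sample:"
sssd_duplicate_keys "$tmp"
rm -f "$tmp"
if keytab_mode_ok /etc/krb5.keytab; then echo "keytab mode 0600: ok"
else echo "keytab missing or mode is not 0600"; fi
```

To check the live file instead of the sample, run sssd_duplicate_keys /etc/sssd/sssd.conf as root (the file is 0600).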
Video: overview of AD login on Ubuntu, uploaded by Heikki Koivisto on 16 October 2022.