Difference between revisions of "Ubuntu Active Directory"

From UVOO Tech Wiki
Jump to navigation Jump to search
(Created page with "# 20.04 /etc/sssd/sssd.conf needs the following entry. ``` [domain/your.domain] ad_gpo_access_control = permissive ``` sudo systemctl restart sssd")
 
 
(18 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
 +
 +
# Join Domain
 +
- https://ubuntu.com/server/docs/service-sssd
 +
```
 +
#!/usr/bin/env bash
 +
set -e
 +
ad_username=myuser
 +
ad_userpass=mypass
 +
ad_domain=example.com
 +
sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit
 +
# echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain}
 +
echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain}
 +
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
 +
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf
 +
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf
 +
echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf
 +
sudo systemctl restart sssd
 +
sudo pam-auth-update --enable mkhomedir
 +
# You can now login, use realm to limit login access to specific ad groups/users
 +
# sudo realm permit -g "domain users@example.io"
 +
# sudo realm permit myuser@example.io
 +
```
 +
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/trouble
 +
 +
- sudo apt install sssd-ad sssd-tools realmd adcli
 +
 
# 20.04
 
# 20.04
 +
```
 +
ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x
 +
ssh 'busk@extendhealth.com'@10.x.x.x
 +
realm permit busk@example.org
 +
realm permit -x jebusk@example.org
 +
realm permit -g 'Domain Users@example.org'
 +
 +
ssh 10.250.6.180
 +
# or for all
 +
# echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf
 +
# sudo systemctl restart sssd
 +
```
 +
 +
 +
 +
  
 
/etc/sssd/sssd.conf needs the following entry.
 
/etc/sssd/sssd.conf needs the following entry.
Line 7: Line 50:
 
```
 
```
 
sudo systemctl restart sssd
 
sudo systemctl restart sssd
 +
 +
In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion
 +
 +
 +
 +
# Other
 +
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
 +
- https://ubuntu.com/server/docs/service-sssd
 +
- sudo apt-get install sssd libpam-sss libnss-sss sssd-tools
 +
 +
```
 +
access_provider = simple
 +
simple_allow_users = $
 +
simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com
 +
```
 +
 +
/etc/sudoers.d/90_admin
 +
```
 +
%server\ administrators@mydomain.com  ALL=(ALL) ALL
 +
```
 +
 +
```
 +
sssd[: Group Policy Container with DN  xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details
 +
```

Latest revision as of 15:28, 17 May 2022

Join Domain

#!/usr/bin/env bash
set -e
ad_username=myuser
ad_userpass=mypass
ad_domain=example.com
sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit
# echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain}
echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf
echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io

20.04

ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x
ssh 'busk@extendhealth.com'@10.x.x.x
realm permit busk@example.org
realm permit -x jebusk@example.org
realm permit -g 'Domain Users@example.org'

ssh 10.250.6.180
# or for all
# echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf
# sudo systemctl restart sssd

/etc/sssd/sssd.conf needs the following entry. 

[domain/your.domain]
ad_gpo_access_control = permissive

sudo systemctl restart sssd

In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion

Other

access_provider = simple
simple_allow_users = $
simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com

/etc/sudoers.d/90_admin 

%server\ administrators@mydomain.com   ALL=(ALL) ALL

sssd[: Group Policy Container with DN  xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details
Retrieved from "https://tech.uvoo.io/index.php?title=Ubuntu_Active_Directory&oldid=3045"