Difference between revisions of "Ubuntu Active Directory"
Jump to navigation
Jump to search
| (17 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | |||
| + | |||
| + | # Join Domain | ||
| + | - https://ubuntu.com/server/docs/service-sssd | ||
| + | ``` | ||
| + | #!/usr/bin/env bash | ||
| + | set -e | ||
| + | ad_username=myuser | ||
| + | ad_userpass=mypass | ||
| + | ad_domain=example.com | ||
| + | sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit | ||
| + | # echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain} | ||
| + | echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain} | ||
| + | echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf | ||
| + | echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf | ||
| + | echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf | ||
| + | echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf | ||
| + | sudo systemctl restart sssd | ||
| + | sudo pam-auth-update --enable mkhomedir | ||
| + | # You can now login, use realm to limit login access to specific ad groups/users | ||
| + | # sudo realm permit -g "domain users@example.io" | ||
| + | # sudo realm permit myuser@example.io | ||
| + | ``` | ||
| + | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/trouble | ||
| + | |||
| + | - sudo apt install sssd-ad sssd-tools realmd adcli | ||
| + | |||
# 20.04 | # 20.04 | ||
``` | ``` | ||
| Line 8: | Line 35: | ||
ssh 10.250.6.180 | ssh 10.250.6.180 | ||
| − | |||
| − | |||
# or for all | # or for all | ||
# echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf | # echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf | ||
# sudo systemctl restart sssd | # sudo systemctl restart sssd | ||
| + | ``` | ||
| + | |||
| + | |||
| Line 22: | Line 50: | ||
``` | ``` | ||
sudo systemctl restart sssd | sudo systemctl restart sssd | ||
| + | |||
| + | In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion | ||
| + | |||
| + | |||
| + | |||
| + | # Other | ||
| + | - https://wiki.ubuntu.com/Enterprise/Authentication/sssd | ||
| + | - https://ubuntu.com/server/docs/service-sssd | ||
| + | - sudo apt-get install sssd libpam-sss libnss-sss sssd-tools | ||
| + | |||
| + | ``` | ||
| + | access_provider = simple | ||
| + | simple_allow_users = $ | ||
| + | simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com | ||
| + | ``` | ||
| + | |||
| + | /etc/sudoers.d/90_admin | ||
| + | ``` | ||
| + | %server\ administrators@mydomain.com ALL=(ALL) ALL | ||
| + | ``` | ||
| + | |||
| + | ``` | ||
| + | sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details | ||
| + | ``` | ||
Latest revision as of 15:28, 17 May 2022
Join Domain
#!/usr/bin/env bash
set -e
ad_username=myuser
ad_userpass=mypass
ad_domain=example.com
sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit
# echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain}
echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf
echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/trouble
- sudo apt install sssd-ad sssd-tools realmd adcli
20.04
ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x ssh 'busk@extendhealth.com'@10.x.x.x realm permit busk@example.org realm permit -x jebusk@example.org realm permit -g 'Domain Users@example.org' ssh 10.250.6.180 # or for all # echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf # sudo systemctl restart sssd
/etc/sssd/sssd.conf needs the following entry.
[domain/your.domain] ad_gpo_access_control = permissive
sudo systemctl restart sssd
In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion
Other
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
- https://ubuntu.com/server/docs/service-sssd
- sudo apt-get install sssd libpam-sss libnss-sss sssd-tools
access_provider = simple simple_allow_users = $ simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com
/etc/sudoers.d/90_admin
%server\ administrators@mydomain.com ALL=(ALL) ALL
sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details