Difference between revisions of "Ubuntu Active Directory"
Jump to navigation
Jump to search
| Line 15: | Line 15: | ||
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf | echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf | ||
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf | echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf | ||
| + | echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf | ||
sudo systemctl restart sssd | sudo systemctl restart sssd | ||
sudo pam-auth-update --enable mkhomedir | sudo pam-auth-update --enable mkhomedir | ||
Revision as of 15:28, 17 May 2022
Join Domain
#!/usr/bin/env bash
set -e
ad_username=myuser
ad_userpass=mypass
ad_domain=example.com
sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit
# echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain}
echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf
echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io
- sudo apt install sssd-ad sssd-tools realmd adcli
20.04
ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x ssh 'busk@extendhealth.com'@10.x.x.x realm permit busk@example.org realm permit -x jebusk@example.org realm permit -g 'Domain Users@example.org' ssh 10.250.6.180 # or for all # echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf # sudo systemctl restart sssd
/etc/sssd/sssd.conf needs the following entry.
[domain/your.domain] ad_gpo_access_control = permissive
sudo systemctl restart sssd
In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion
Other
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
- https://ubuntu.com/server/docs/service-sssd
- sudo apt-get install sssd libpam-sss libnss-sss sssd-tools
access_provider = simple simple_allow_users = $ simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com
/etc/sudoers.d/90_admin
%server\ administrators@mydomain.com ALL=(ALL) ALL
sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details