Difference between revisions of "Ubuntu Active Directory"
Jump to navigation
Jump to search
| Line 50: | Line 50: | ||
- sudo apt-get install sssd libpam-sss libnss-sss sssd-tools | - sudo apt-get install sssd libpam-sss libnss-sss sssd-tools | ||
| + | ``` | ||
| + | access_provider = simple | ||
| + | simple_allow_users = $ | ||
| + | simple_allow_groups = admin@mydomain.com, Server Administrators@mydomain.com | ||
| + | ``` | ||
| + | |||
| + | /etc/sudoers.d/90_admin | ||
| + | ``` | ||
| + | %server\ administrators@mydomain.com ALL=(ALL) ALL | ||
| + | ``` | ||
``` | ``` | ||
sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details | sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details | ||
``` | ``` | ||
Revision as of 22:49, 4 November 2020
Join Domain
sudo apt install -y sssd-ad sssd-tools realmd adcli
sudo realm join -U ${myuser} -v ${mydomain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io
- sudo apt install sssd-ad sssd-tools realmd adcli
20.04
ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x ssh 'busk@extendhealth.com'@10.x.x.x realm permit busk@example.org realm permit -x jebusk@example.org realm permit -g 'Domain Users@example.org' ssh 10.250.6.180 # or for all # echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf # sudo systemctl restart sssd
/etc/sssd/sssd.conf needs the following entry.
[domain/your.domain] ad_gpo_access_control = permissive
sudo systemctl restart sssd
In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion
Other
- https://wiki.ubuntu.com/Enterprise/Authentication/sssd
- https://ubuntu.com/server/docs/service-sssd
- sudo apt-get install sssd libpam-sss libnss-sss sssd-tools
access_provider = simple simple_allow_users = $ simple_allow_groups = admin@mydomain.com, Server Administrators@mydomain.com
/etc/sudoers.d/90_admin
%server\ administrators@mydomain.com ALL=(ALL) ALL
sssd[: Group Policy Container with DN xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details