Ubuntu Active Directory

From UVOO Tech Wiki
Revision as of 15:28, 17 May 2022 by Busk (talk | contribs)
Jump to navigation Jump to search

Join Domain

#!/usr/bin/env bash
set -e
ad_username=myuser
ad_userpass=mypass
ad_domain=example.com
sudo apt install -y sssd-ad sssd-tools realmd adcli packagekit
# echo $ad_userpass | sudo realm leave -U ${ad_username} -v ${ad_domain}
echo $ad_userpass | sudo realm join -U ${ad_username} -v ${ad_domain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
echo "dyndns_update = True" | sudo tee -a /etc/sssd/sssd.conf
echo "ad_hostname =FQDN" | sudo tee -a /etc/sssd/sssd.conf
echo "ignore_group_members = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io
  • sudo apt install sssd-ad sssd-tools realmd adcli

20.04

ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x
ssh 'busk@extendhealth.com'@10.x.x.x
realm permit busk@example.org
realm permit -x jebusk@example.org
realm permit -g 'Domain Users@example.org'

ssh 10.250.6.180
# or for all
# echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf
# sudo systemctl restart sssd

/etc/sssd/sssd.conf needs the following entry. 

[domain/your.domain]
ad_gpo_access_control = permissive

sudo systemctl restart sssd

In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion

Other

access_provider = simple
simple_allow_users = $
simple_allow_groups = admin@mydomain.com, server administrators@mydomain.com

/etc/sudoers.d/90_admin 

%server\ administrators@mydomain.com   ALL=(ALL) ALL

sssd[: Group Policy Container with DN  xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details
Retrieved from "https://tech.uvoo.io/index.php?title=Ubuntu_Active_Directory&oldid=3044"