Install the required packages.
Discover the Active Directory domain.
Example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: Example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
If your discovery printout matches the output above, you can now join the domain. Note that I have used the realm-name (all caps), not the domain-name; it may not be necessary, but I have found that it is more likely to work this way.
 * Resolving: _ldap._tcp.example.com
 * Performing LDAP DSE lookup on: xx.xx.xx.xx
 * Performing LDAP DSE lookup on: xx.xx.xx.xx
 * Successfully discovered: Example.com
Password for user@EXAMPLE.COM:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.TB0XVY -U user@EXAMPLE.COM ads join Example.com
Enter user@EXAMPLE.COM's password:
DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- EXAMPLE
Joined 'linuxsvr01' to dns domain 'Example.com'
No DNS domain configured for linuxsvr01. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.TB0XVY -U john@EXAMPLE.COM ads keytab create
Enter user@EXAMPLE.COM's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm
Leaving the domain is simple; issue the following command.
The following command shows the two important lines, "login-formats" and "login-policy". The first requires a login of the form user@example.com; the second confirms that logins from the domain are allowed.
Example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@example.com
  login-policy: allow-realm-logins
If you wish to use only your user name, without the FQDN, you must change the sssd.conf file as follows (the two lines to edit are annotated on the right):
[sssd]
domains = Example.com
config_file_version = 2
services = nss, pam

[domain/Example.com]
ad_domain = Example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True        (change to False)
fallback_homedir = /home/%u@%d          (delete @%d)
access_provider = ad
To add your AD administrators to the sudoers file, you must first find out the exact name of the administrators group, which can be done with the following command,
which gives the uid, gid, groups, etc. In my case I belonged to the group "domain admins" (all lower case), which can be verified as follows; you must add a backslash wherever there is a space,
which returns a list of everyone in that group. To grant sudo permissions, add the following line at the end of the file that opens:
%domain\ admins ALL=(ALL:ALL) ALL
To ensure that a home directory is created for each AD user, issue the following command.
All that is left is to log in with your AD user name and try something using sudo; you will be asked for your password, and that's it.
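The sssd.conf edit and the sudoers entry above, scripted as an added example (not part of the original page, and not a realmd or sssd tool): it rewrites only the two keys the page changes, and installs the "domain admins" rule as a validated drop-in rather than by editing /etc/sudoers by hand. The paths /etc/sssd/sssd.conf and /etc/sudoers.d/ad-admins are assumptions; note that once use_fully_qualified_names is False, a short AD name that matches a local account name becomes ambiguous, so check for such collisions before relying on short logins.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed paths:
# /etc/sssd/sssd.conf (input) and /etc/sudoers.d/ad-admins (sudoers drop-in).
set -e

# Read an sssd.conf on stdin, write the edited version to stdout:
#   use_fully_qualified_names = True  ->  False
#   fallback_homedir = /home/%u@%d    ->  /home/%u
# Only these two keys are touched; every other line passes through unchanged.
rewrite_sssd_conf() {
    sed -e 's/^\([[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*\)True[[:space:]]*$/\1False/' \
        -e 's/^\([[:space:]]*fallback_homedir[[:space:]]*=[[:space:]]*\/home\/%u\)@%d[[:space:]]*$/\1/'
}

# Build the sudoers line for an AD group. Spaces in the group name must be
# escaped with a backslash, as the page notes ("domain admins" -> "domain\ admins").
sudoers_line_for_group() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# Write the rule to a drop-in file, but only if visudo accepts it: a syntax
# error in sudoers would otherwise lock every administrator out of sudo.
install_sudoers_dropin() {
    group="$1"; dropin="${2:-/etc/sudoers.d/ad-admins}"
    tmp=$(mktemp)
    sudoers_line_for_group "$group" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$dropin"
        rm -f "$tmp"
    else
        echo "refusing to install invalid sudoers rule" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage on a joined host (as root):
#   cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
#   rewrite_sssd_conf < /etc/sssd/sssd.conf.bak > /etc/sssd/sssd.conf
#   install_sudoers_dropin "domain admins" && systemctl restart sssd
```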