How can I list the Active Directory user attributes from a linux computer?
How can I list the Active Directory user attributes from a Linux computer? The Linux computer is already joined to the domain. I can use 'getent' to get the user and group information, but it does not display the complete Active Directory user attributes.
4 Answers
You can use ldapsearch to query an AD server. For example, the following query will display all attributes of all the users in the domain:
ldapsearch -x -h adserver.domain.int -D "user@domain.int" -W -b "cn=users,dc=domain,dc=int"
Command options explained:
- -x use simple authentication (as opposed to SASL)
- -h your AD server
- -D the DN to bind to the directory. In other words, the user you are authenticating with.
- -W Prompt for the password. The password should match what is in your directory for the binddn (-D). Mutually exclusive with -w.
- -b The starting point for the search
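The LDIF that ldapsearch prints folds long lines (a continuation line starts with one space) and base64-encodes any value containing non-ASCII bytes, written as `attr:: ...`, which is why objectSid, objectGUID and many displayName values look opaque on screen. The shell script below is an added example, not part of the answer above: it wraps the query from the answer, narrowed to a single account and an explicit attribute list and sent over ldaps:// rather than the plain `-h` form so the simple-bind password is not transmitted in clear, escapes the account name before it goes into the LDAP filter, and turns the resulting LDIF into one attribute/value pair per line. The server, bind user and base DN are the placeholders from the answer; the sample LDIF is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: query one AD account and decode the LDIF that ldapsearch returns.

# Escape a value for use inside an LDAP search filter (RFC 4515): \ * ( ) become \5c \2a \28 \29.
# Without this, a name containing ")" or "*" would change the meaning of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn LDIF on stdin into "attr<TAB>value" lines:
#  - continuation lines (leading space) are joined back onto the line they belong to
#  - "attr:: <base64>" values are decoded
#  - comments and the search:/result:/version: trailer lines are dropped
ldif_to_kv() {
    sed -e :a -e '$!N; s/\n //; ta' -e 'P;D' |
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'search:'*|'result:'*|'version:'*) continue ;;
        esac
        attr=${line%%:*}          # attribute name (keeps options such as userCertificate;binary)
        rest=${line#*:}           # everything after the first colon
        case "$rest" in
            ': '*) val=$(printf '%s' "${rest#: }" | base64 -d) ;;   # base64-encoded value
            ' '*)  val=${rest# } ;;                                 # plain value
            *)     continue ;;                                      # empty value or URL form, skipped
        esac
        printf '%s\t%s\n' "$attr" "$val"
    done
}

# Print every value of one attribute from a kv stream (multi-valued attributes give several lines).
ldif_attr() {
    awk -F'\t' -v a="$1" '$1 == a { print $2 }'
}

# The real query: one account, only the attributes asked for, over LDAPS.
# Server, bind UPN and base DN are the placeholders used in the answer; adjust for your domain.
ad_user_attrs() {   # usage: ad_user_attrs <sAMAccountName> [attribute ...]
    acct=$(ldap_escape "$1"); shift
    ldapsearch -x -LLL \
        -H ldaps://adserver.domain.int \
        -D "user@domain.int" -W \
        -b "cn=users,dc=domain,dc=int" \
        "(sAMAccountName=$acct)" "$@" | ldif_to_kv
}

# Constructed sample of what ldapsearch prints: a folded memberOf line, a base64 displayName
# ("Müller, Anna" in UTF-8) and the usual comment/trailer lines.
sample_ldif() {
    cat <<'EOF'
# extended LDIF
#
# LDAPv3
dn: CN=Anna Mueller,CN=Users,DC=domain,DC=int
objectClass: user
sAMAccountName: a.mueller
displayName:: TcO8bGxlciwgQW5uYQ==
userAccountControl: 512
memberOf: CN=linux-skl-prod-login,OU=Groups,
 DC=domain,DC=int
memberOf: CN=linux-tom-dv-login,OU=Groups,DC=domain,DC=int

search: 2
result: 0 Success
EOF
}

# Offline demonstration on the constructed sample; a live run would be:
#   ad_user_attrs a.mueller sAMAccountName displayName memberOf userAccountControl
sample_ldif | ldif_to_kv
```

userAccountControl is worth asking for explicitly: bit 0x2 (ACCOUNTDISABLE) set on an account that still has Linux group memberships is the kind of thing `getent` and `id` never show you.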
A much simpler command is
For this command to work, your machine must have already joined the domain; you can verify that via
If the OS is integrated with Active Directory, then simply running the 'id' command should be sufficient to list the AD groups assigned to the user.
Commands like id/gid give results just the way they do when the OS is not integrated with AD.
[oracle@wlsserver1 ~]$ id s_dhan
uid=1356186729(s_dhan) gid=1356000513(domain users) groups=1356000513(domain users),1356162912(linux-skl-prod-login),1356177219(linux-tom-dv-login)
Ubuntu 22.04 — Microsoft Active Directory Group Policy
In this post I will show you the new Active Directory Group Policy integration in Ubuntu 22.04.
Environment
- AD Server:
  - Domain Server: Windows Server 2019
  - Domain Name: devopstales.intra
  - Hostname: dc01.devopstales.intra
  - NetBIOS Name: DC01
  - Realm: DEVOPSTALES.INTRA
Join the Ubuntu 22.04 to Active Directory
First install some required packages.
sudo apt install sssd-ad sssd-tools realmd adcli adsys -y
Change the DNS and NTP server to the Active Directory Domain Controller
sudo vi /etc/netplan/01-netcfg.yaml
---
...
      nameservers:
        addresses: [192.168.100.100]
sudo netplan apply

sudo vi /etc/ntp.conf
...
server 192.168.100.100 iburst
sudo systemctl restart ntp
ntpq -p
Test Active Directory Domain Connection
realm discover dc01.devopstales.intra
devopstales.intra
  type: kerberos
  realm-name: DEVOPSTALES.INTRA
  domain-name: devopstales.intra
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
Join to the Active Directory Domain
sudo realm join dc01.devopstales.intra
Password for Administrator:
id developer-user@devopstales.intra
uid=1259201103(developer-user@devopstales.intra) gid=1259200513(domain users@devopstales.intra) groups=1259200513(domain users@devopstales.intra),1259200512(domain admins@devopstales.intra),1259200572(denied rodc password replication group@devopstales.intra)
If you want to drop the domain suffix from the username:
sudo vi /etc/sssd/sssd.conf
use_fully_qualified_names = False
systemctl restart sssd
id Administrator
uid=1259200500(administrator) gid=1259200513(domain users) groups=1259200513(domain users),1259200572(denied rodc password replication group),1259200512(domain admins),1259200518(schema admins),1259200520(group policy creator owners),1259200519(enterprise admins)
Enable home folder creation for domain users:
sudo pam-auth-update --enable mkdir
Now you can log in to Ubuntu with an AD user:
exit
Ubuntu 22.04 LTS dlp.srv.world ttyS0
ubuntu-client login: developer-user@devopstales.intra
Password:
Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
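After the join, /etc/sssd/sssd.conf is what decides how AD logins behave on the client, and two things in it deserve a look before the machine goes into service: sssd refuses to start unless the file is root-owned and mode 0600 (or 0400), and setting use_fully_qualified_names = False means a local account and an AD account with the same short name are told apart only by the nsswitch order (local files first on a default Ubuntu). The script below is an added example, not from the post: it parses an sssd.conf the way realmd writes it, reports the settings that matter for logins, and checks the file mode. The sample configuration it writes is constructed for the demonstration and mirrors the layout realm join produces for the devopstales.intra domain used in the post.

```shell
#!/bin/sh
# Added example: inspect an sssd.conf after "realm join". Nothing here talks to the domain;
# it only parses the file, so it can be run against a copy.

# Print "section<TAB>key<TAB>value" for every key in an INI-style sssd.conf.
sssd_conf_kv() {   # usage: sssd_conf_kv <file>
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }                 # comments and blank lines
        /^[[:space:]]*\[/ { s = $0; gsub(/^[[:space:]]*\[|\].*$/, "", s); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            printf "%s\t%s\t%s\n", s, k, v
        }' "$1"
}

# Look up one key in one section (case-insensitive, like sssd); prints nothing when unset.
sssd_conf_get() {   # usage: sssd_conf_get <file> <section> <key>
    sssd_conf_kv "$1" |
    awk -F'\t' -v s="$2" -v k="$3" 'tolower($1) == tolower(s) && tolower($2) == tolower(k) { print $3 }'
}

# sssd will not start if sssd.conf is readable by group or others; accept 0600 and 0400 only.
sssd_conf_mode_ok() {   # usage: sssd_conf_mode_ok <file>
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1   # GNU stat, BSD fallback
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Summarise the settings that decide how AD users log in on this client.
sssd_conf_report() {   # usage: sssd_conf_report <file> <ad-domain>
    f=$1; d="domain/$2"
    printf 'ad_domain=%s\n'                 "$(sssd_conf_get "$f" "$d" ad_domain)"
    printf 'id_provider=%s\n'               "$(sssd_conf_get "$f" "$d" id_provider)"
    printf 'access_provider=%s\n'           "$(sssd_conf_get "$f" "$d" access_provider)"
    printf 'use_fully_qualified_names=%s\n' "$(sssd_conf_get "$f" "$d" use_fully_qualified_names)"
    printf 'fallback_homedir=%s\n'          "$(sssd_conf_get "$f" "$d" fallback_homedir)"
    if sssd_conf_mode_ok "$f"; then echo 'mode=ok'; else echo 'mode=too-open (sssd will refuse to start)'; fi
}

# Constructed sample in the layout realmd generates for the domain from the post.
write_sample_sssd_conf() {   # usage: write_sample_sssd_conf <path>
    cat > "$1" <<'EOF'
[sssd]
domains = devopstales.intra
config_file_version = 2
services = nss, pam

[domain/devopstales.intra]
default_shell = /bin/bash
ad_domain = devopstales.intra
krb5_realm = DEVOPSTALES.INTRA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
    chmod 600 "$1"
}

# Demonstration on the constructed sample; on a real client run: sssd_conf_report /etc/sssd/sssd.conf devopstales.intra
tmp=$(mktemp)
write_sample_sssd_conf "$tmp"
sssd_conf_report "$tmp" devopstales.intra
rm -f "$tmp"
```

access_provider = ad is the line that makes the "Allow log on locally" and account-disabled state from AD actually gate logins on the Linux side; if a join script leaves it at the default, disabled AD accounts can still authenticate via cached credentials.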
Manage Linux GPO from Windows AD
To manage Linux clients from AD Group Policy we need to install the custom Group Policy definitions (ADMX/ADML templates) into the SYSVOL folder on the AD Domain Controller.
First, generate the custom Group Policy files:
sudo adsysctl policy admx all
On the AD Domain Controller, copy these files to:
.admx -> C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\
.adml -> C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US\
Create GPO for sudo
On the Windows Active Directory Domain Controller, open the Group Policy Management Console.
Create a new GPO, right-click it and choose Edit.
Go to Computer Configuration > Policies > Administrative Templates > Ubuntu > Client Management > Privilege Authorization. Then select Client Administrators, select Enabled and add the usernames.
Now force sync the GPOs on the Ubuntu client:
adsysctl policy update -av
adsysctl policy applied --details
Now you can sudo with the selected user.