Linux powershell active directory module

Powerhell Core Ubuntu 18.04 – PSRemoting to an Active Directory Machine

Sometime there’s the need to do PowerShell remoting from Linux to a Windows System. In my lab environment, I was able to install, configure, and established a PowerShell Remote connection from a Linux Ubuntu 18.04 system to *Active Directory joined Windows System.

*Note: Before trying to following steps, if you’re in a corporate domain, consult with your security team. I would recommend that you try this scenario in virtual machine environment.

I’ve been struggling trying to OpenSSH in both Windows 10 (Build 1803) and Windows Server 2019 with no success connecting from Linux. So, I decided to try install Kerberos component on my Ubuntu system and it works! And, with no need to joined my Linux system to my virtual Active Directory domain.

Install and configuring Kerberos Client

$ sudo apt-get install krb5-user
[libdefaults] default_realm = DOMAINNAME.COM # The following are custom settings for "DOMAINNAME" Kerberos: dns_lookup_realm = true dns_lookup_kdc = true default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 [realms] TRINITY.COM = < kdc = DOMAINMACHINENAME admin_server = DOMAINMACHINENAME >[domain_realm] .com = DOMAINNAME

*Note: Make a copy of the krb5.conf file before any changes.

One thing to point out! Both DOMAINNAME and DOMAINMACHINENAME, must be in uppercase.

Configuring ssh

Next step involves in configuring the ssh for Kerberos negotiation. This is the ssh_config file (not sshd_config).

$ sudo vim /etc/ssh/ssh_config

Make sure the following parameters are set at the end of the *ssh_config file:

SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no GSSAPIKeyExchange yes

*Note: If there are missing ones, don’t touch the commented ones. Just copy/paste and set the values.

After completing the changes, I would recommend a reboot.

Читайте также:  Linux для 5 класса

Testing and working Kerberos Client

Here are a few linux commands to work with Kerberos client. If the krb5.conf setting are set correctly, then the following commands should work without any issues.

1. This command will verify user domain, asking for password.

2. Shows the list of Kerberos Cached tickets and credential.

3. To delete\clear all Kerberos Cache entries:

What about setting in Windows Systems?

I’m will cover the whole PowerShell remoting setup. But, I will highlight what’s needed to make Linux connect to a Active Directory Domain system.

In PowerShell Conscole, run the “Enable-PSRemoting -force” command line on both client and server. This command will add the firewall rule to allow PowerShell remoting to work.

Check the Windows Remote Management service is running. By default, in Windows 10 client, this is set to “Manual”.
On the server, just verify that the service running.

Before, connecting Linux to a windows domain system, make sure to test PowerShell remoting between Windows machines. This will guarantee that you got everything working correctly.

Name Resolution Tip

I don’t join my Linux system to my AD domain. So, to resolve my name resolution issues, I manually update the hosts file on my systems. This will include the domain ip-address as well as all other systems

hosts file : xxx.xxx.xxx.xxx domainname.com :

Testing connectivity

Ubuntu 18.04 Connecting to a domain system final test.

1. In Linux, open PowerShell:

2. Prepare the domain user:

PS /home/user> kinit domainuser

3. Create a *PowerShell Remote interactive session:

PS /home/user> Enter-PSSession -ComputerName wincomputer -Authentication Negotiate -Credential user@domainname.com

*Note: This remote connection will open Windows PowerShell and not PowerShell Core.

Summary

So, in Ubuntu 18.04 installing and configuring Kerberos user client only, you can connect your Linus system to a Active Directory Domain systems. But remember, this will connect to a Windows PowerShell session only.

Читайте также:  Archer t3u linux drivers

I’m hoping that in the near future we can have the ability to select a PowerShell versions. Wait!! There’s a way to open a PowerShell Core session instead of Windows PowerShell!!

How To Connect to PowerShell Core

So, by default you’re going to connect to Windows PowerShell. But, if you use the following parameter ‘-ConfigurationName’ folllowed by either ‘ PowerShell.6 ‘ or ‘ PowerShell.6-Preview ‘ then you’ll get PowerShell Core session. Also, you can use an specific version ‘ PowerShell.6.1.0 ‘.

Enter-PSSession -ComputerName venus -Authentication Negotiate -Credential max_t@trinity.com -ConfigurationName PowerShell.6

Thanks to Steve Lee (Microsoft PowerShell Team) for letting me know this is already available.

References

The following links help figured out the needed components to make my lab environment work.

Sponsors

Top 30 SQL blog 2018

Recent Posts

Источник

Try to import module ActiveDirectory on a linux powershell

In my webpage I wanted to change the password of some accounts. So I got a script powershell. In this one I need to import the module Active-Directory to change the password of accounts. My server is on CentOS, so I install powershell on it. But when I do : Import-Module ActiveDirectory, the console return ‘Import-Module: The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.’ Thanks

2 Answers 2

The short answer is. you can’t. The centos platform version of .net does not support the [System.DirectoryServices] types/classes yet, and I doubt they’ll be migrated over soon. Powershell’s ActiveDirectory module requires those to run, so this cannot currently be done in Powershell:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() MethodInvocationException: Exception calling "GetCurrentDomain" with "0" argument(s): "System.DirectoryServices is not supported on this platform." 

An alternative is using ldap commands from centos packages. Here’s some examples:

# Change a password that you already know - works with almost any configuration # You can provide the password from a file or as a parameter. By default it will prompt. # part of package samba-common-tools smbpasswd -U MyUsername -r ad.domain.tld Old SMB password: New SMB password: Retype new SMB password: 

Changing a password for an AD user when you don’t know the current one is more complicated and requires a much more specific configuration on your machine, but can be done with just passwd if:

  • your centos machine is joined to the domain correctly
  • you are using an admin account with write permission to AD
  • You have sssd configured with chpass_provider=ad in \etc\sssd\sssd.conf
passwd DOMAIN\\SomeUsername 

Otherwise, the best option on linux is through python’s ldap module. I’m not as familiar with it, so I’m only linking working example code from a similar question: Modifying Active Directory Passwords via ldapmodify

Читайте также:  Linux ubuntu обновить пакеты

Источник

Оцените статью
Adblock
detector