Linux windows domain user

Join Ubuntu machine to Windows Domain

In this short guide we will learn how to connect machine with Ubuntu (20.04) installation to Active Directory.

Before we begin

Domain data:

I already set Active Directory on Windows Server 2019 Standard.

Domain Controller name: WinLinDC

Domain Controller IP address: 10.0.0.31/24

Active Directory DNS IP: 10.0.0.31/24

I installed DNS on the domain controller itself.

I also created domain user named: zeljko.m@winlin.local

Ubuntu client data:

I used Ubuntu 20.04 as a client for this guide.

Machine IP address: 10.0.0.34

Prerequisites

First, we will start with updating

Hostname and DNS

Since we want to join Ubuntu machine (name winlinubcl2) to Windows domain named winlin.local, we need to change Ubuntu machine name to match active directory (AD) naming…

sudo hostnamectl set-hostname winlinubcl2.winlin.local

We will check machine name by entering

For the DNS part, like with Windows client machine you wish to join to AD – linux machines also need to have domain controller (or separate DNS server for domain, if configured) IP address under DNS.

In my case, DNS server IP is same as my domain controller ip – 10.0.0.31.

There are a couple of ways to do this.

If your Linux machine is getting IP address and DNS from DHCP server, make sure that you are in the same network, and that DNS IP is already in domain or on domain controller.

I’m doing this manually on Ubuntu 20.04 that has GUI.So this is how my settings look like. I set everything manually.

If you are doing this on a machine without GUI, only in shell you will have to do it through netplan.

Again, check your IP settings by entering

Then check DNS settings by entering

systemd-resolve --status | grep Current

and you can also check default gateway by typing in

If there is a need to change IP and DNS settings, do following

First we need to find out how your netplan file is named. To find out type following in

My file is named 01-network-manager-all.yaml. Your may be named differently, so mark that.

Next, we need to edit that file (change 01-network-mananger-all.yaml to your filename.

sudo nano /etc/netplan/01-network-manager-all.yaml

You should enter something like this. Be very careful about indentations, because yaml files are very picky on that front.

If you want to check your indentation to be sure it is ok, you can install tool like yamllint.

network: ethernets: ens33: addresses: - 10.0.0.34/24 gateway4: 10.0.0.1 nameservers: addresses: - 10.0.0.31 version: 2

Ok ,that is it for the hostnames and DNS, I like to reboot machine after these settings to be sure everything is fine.

Installation

We will now install all required packages for our domain join adventure

sudo apt update -y sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Discover domain

We will now check if we can discover our windows domain. Change winlin.local for your domain name.

sudo realm discover winlin.local

The information we got back is good, we can proceed further.

Add Ubuntu machine to Active Directory

Finally, we will join our Ubuntu machine to our windows domain.

Change Administrator if the account name of your domain admin is different. Change winlin.local to your domain name.

sudo realm join -U Administrator winlin.local

If everything went ok, you will be asked for your domain admin password, and that will be it.

Let’s check if the authentication is working and we can get id of domain users. I will use domain user named zeljko.m@winlin.local, change that for your domain user and domain name.

If we go to the Windows Server 2019 that serves as a domain controller for winlin.local domain, under Users and Computers in Computers container we can see that winLinUbCL2 machine is added to the domain. That is great.

Before we do a first login from Ubuntu to Windows Domain

First, we will set creation of home directories for domain users.

sudo nano /etc/pam.d/common-session

and enter following to the end of the file

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Optionally, you can set your system to login only using name without domain part. So, I could login to my Ubuntu install by only using zeljko.m instead of zeljko.m@winlin.local.

If you wish to enable this:

sudo nano /etc/sssd/sssd.conf

Change line use_fully_qualified_names = True to

use_fully_qualified_names = False

Ok, let’s now try and login with our domain user to our Ubuntu machine.

If we done everything correctly, we should be prompted for domain users password, and there should also be message that home directory for the user is created.

Limit access for domain users to ssh/console

If you want to permit user to access ssh or console, you will use following command. By the way, on my Ubuntu 20.04 install domain users can login via ssh to Ubuntu install by default.

To permit access to user, use following

sudo realm permit zeljko.m@winlin.local

To permit access to group, type in following

sudo realm permit -g 'Domain Admins'

Practical way would be, to deny login to all, and then add permits to exceptions, so that would look like this

sudo realm deny --all sudo realm permit zeljko.m@winlin.local sudo realm permit -g 'Domain Admins'

You can also permit all, and add multiple user or groups using one line, so that would look like

sudo realm permit --all sudo realm permit zeljko.m@winlin.local mario.l@winlin.local sudo realm permit -g 'Domain Admins' 'Users'

On winlinubcl1 I entered deny –all command and then tried to access that machine from winlinubcl2.

Deny works, nobody from domain can log in into winlinubcl1 machine.

After I entered permit command for user zeljko.m, he was able to login, while user mario.l was still unable to login.

Add domain users/groups as local sudoers on Ubuntu

And, the last one for this guide, domain users are unable to execute sudo commands on Ubuntu.

To change this we will have to edit sudoers file, there are a couple of ways to do it, I will show you one.

You will have to do this obviously as a local account on Ubuntu, not the domain one.

sudo usermod -aG sudo zeljko.m@winlin.local

In case you defined in sssd.conf that you don’t use domain extension then you will have to run above command without winlin.local domain extension.

Option number 2

Everything works after executing command. You can do this by also editing /etc/sudoers file.

If you do it that way, you will have to execute it with visudo

To add sudo permissions to a user, you will have to edit

zeljko.m@winlin.local ALL=(ALL) ALL

If you wish to add a group, you will enter (in section for groups in the file)

%group1@winlin.local ALL=(ALL) ALL

This can also be done via /etc/sudoers.d/somefilename, but I haven’t managed to get it to work in Ubuntu 20.04 I have installed (I haven’t used . or ~ signs in files, or comamnds…)

Conclusion

That is it, we have basic setup for Ubuntu machine on windows domain.

Источник

Linux windows domain user

Как мне ввести в домен Ubuntu 20.04 | 18.04 к домену Windows? Могу ли я присоединить Debian 10 к домену Active Directory?

Эта статья была написана, чтобы показать вам, как использовать realmd для присоединения сервера или рабочего стола Ubuntu 20.04 | 18.04 / Debian 10 к домену Active Directory. Домен Active Directory является центральным узлом информации о пользователях в большинстве корпоративных сред.

Например, в инфраструктуре моей компании ключевым требованием является то, чтобы все пользователи прошли аутентификацию во всех системах Linux с учетными данными Active Directory. Это должно работать как для Debian, так и для дистрибутивов Linux на основе Red Hat.

В этом руководстве будет показано, как настроить SSSD для получения информации из доменов в одном лесу ресурсов Active Directory. Если вы работаете с несколькими лесами AD, это руководство может вам не подойти. Мы также пойдем дальше и настроим правила sudo для пользователей, которые входят в систему через AD. Вот схема, изображающая установку и как она работает.

Убедитесь, что выбрано “activate mkhomedir” с помощью звездочки – [*]

Затем выберите , чтобы сохранить изменения.

Ваш файл конфигурации sssd.conf находится в /etc/sssd/sssd.conf . При каждом изменении файла требуется перезагрузка.

Статус должен быть запущен.

Если интеграция работает, должна быть возможность получить информацию о пользователе AD.
$ id jmutai@example.com
uid=1783929917(jmutai@example.com) gid=1784800513(domain users@example.com) groups=1783870513(domain users@example.com)

Шаг 6. Контроль доступа – Ограничьте до пользователя / группы

Доступ к зарегистрированному серверу можно ограничить, разрешив только определенных пользователей и группы.

Ограничение для пользователей

Чтобы разрешить пользователю доступ через SSH и консоль, используйте команду:

$ sudo realm permit user1@example.com
$ sudo realm permit user2@example.com user3@example.com
Разрешить доступ к группе – Примеры
$ sudo ream permit -g sysadmins
$ sudo realm permit -g ‘Security Users’
$ sudo realm permit ‘Domain Users’ ‘admin users’

Это изменит файл sssd.conf .

Если вместо этого вы хотите разрешить доступ всем пользователям, запустите:

$ sudo realm permit —all
Чтобы запретить доступ всем пользователям домена, используйте:
$ sudo realm deny —all

Шаг 7. Настройте доступ через Sudo

По умолчанию у пользователей домена не будет разрешения на повышение привилегий до root. Пользователям должен быть предоставлен доступ на основе имен пользователей или групп.

Давайте сначала создадим файл разрешений sudo.

$ sudo vi /etc/sudoers.d/domain_admins
Добавить одного пользователя:
user1@example.com ALL=(ALL) ALL
Добавить еще одного пользователя:
user1@example.com ALL=(ALL) ALL
user2@example.com ALL=(ALL) ALL
Добавить группу
%group1@example.com ALL=(ALL) ALL

Добавьте группу с пробелами.

%security\ users@example.com ALL=(ALL) ALL
%system\ super\ admins@example.com ALL=(ALL) ALL

Шаг 8. Проверьте доступ по SSH

Получите доступ к серверу удаленно, поскольку пользователю AD разрешено входить в систему.

$ ssh user1@localhost
The authenticity of host ‘localhost (::1)’ can’t be established.
ECDSA key fingerprint is SHA256:wmWcLi/lijm4zWbQ/Uf6uLMYzM7g1AnBwxzooqpB5CU.
ECDSA key fingerprint is MD5:10:0c:cb:22:fd:28:34:c6:3e:d7:68:15:02:f9:b4:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.

Это подтверждение того, что наша конфигурация прошла успешно.

Посетите вики-страницы realmd и sssd, чтобы узнать больше.

Оригинал статьи на английском здесь.

Источник