[Linux] Joindre une machine Debian 9 Stretch sur un domaine Active Directory

Installer les paquets nécessaires suivants:

$ sudo apt install krb5-user realmd adcli sssd sssd-tools samba-common samba-libs resolvconf samba-common-bin packagekit

Configurer le realm

$ sudo vim /etc/network/interfaces

dns-nameservers 192.168.100.100

$ sudo systemctl restart ifup@eth0 resolvconf

$ sudo vim /etc/pam.d/common-session

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

Pour ne pas ajouter le nom de domaine de l’utilisateur AD, éditer le fichier sssd.conf et passer la valeur de True a False

$ sudo vim /etc/sssd/sssd.conf

use_fully_qualified_names = False

Puis redemarrer le service.

$ sudo systemctl restart sssd

Interroger l’AD

$ sudo realm discover DOMAINE.TLD

domaine.tld
 type: kerberos
 realm-name: DOMAINE.TLD
 domain-name: domaine.tld
 configured: kerberos-member
 server-software: active-directory
 client-software: sssd
 required-package: sssd-tools
 required-package: sssd
 required-package: libnss-sss
 required-package: libpam-sss
 required-package: adcli
 required-package: samba-common-bin
 login-formats: %U
 login-policy: allow-permitted-logins
 permitted-logins: 
 permitted-groups:

Joindre la machine a l’AD

$ sudo realm join DOMAINE.TLD

Password for Administrator:

Il faut maintenant vérifier les différents fichiers de configuration et ajuster.

Fichier de conf krb5.conf

$ sudo vim /etc/krb5.conf

[libdefaults]
 default_realm = DOMAINE.TLD

# The following krb5.conf variables are only for MIT Kerberos.
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
 fcc-mit-ticketflags = true

[realms]
 DOMAINE.TLD = {
 }

[domain_realm]
 domaine.tld = DOMAINE.TLD
 .domaine.tld = DOMAINE.TLD

Fichier de conf nsswitch.conf

$ sudo vim /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
sudoers: files sss

Fichier de conf common-auth

$ sudo vim /etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Fichier de conf common-account

$ sudo vim  /etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config

Fichier de conf sssd.conf

$ sudo vim /etc/sssd/sssd.conf

[sssd]
domains = domaine.tld
config_file_version = 2
services = nss, pam

[domain/domaine.tld]
ad_domain = domaine.tld
krb5_realm = DOMAINE.TLD
#realmd_tags = manages-system joined-with-adcli
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = NOM_DE_LA_MACHINE$
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
#access_provider = ad
access_provider = simple

Redémarrer le service sssd

$ sudo systemctl restart sssd

root@srv-prox-4:/etc# systemctl status sssd
● sssd.service - System Security Services Daemon
 Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor pre
 Active: active (running) since Fri 2018-01-26 13:12:32 CET; 7s ago
 Main PID: 18336 (sssd)
 Tasks: 4 (limit: 4915)
 Memory: 34.7M
 CPU: 188ms
 CGroup: /system.slice/sssd.service
 ├─18336 /usr/sbin/sssd -i -f
 ├─18345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain oodri
 ├─18355 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid
 └─18356 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid

Jan 26 13:12:32 srv-prox-4 systemd[1]: Starting System Security Services
Jan 26 13:12:32 srv-prox-4 sssd[18336]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[be[18345]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18356]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18355]: Starting up
Jan 26 13:12:32 srv-prox-4 systemd[1]: Started System Security Services

Faire un test, interroger l’administrateur ou un compte utilisateur

$ id DOMAINE\\administrator ou id administrator

uid=1291600500(administrator) gid=1291600513(domain users) groups=1291600513(domain users),1291600520(group policy creator owners),1291600519(enterprise admins),1291600512(domain admins),1291600518(schema admins),1291600572(denied rodc password replication group)

$ id DOMAINE\\bef ou id bef

uid=1291601165(bef) gid=1291600513(domain users) groups=1291600513(domain users)

Puis tester l’authentification

$ su - DOMAINE\\bef

Password: 
Creating directory '/home/bef'.
bef@debian9:~$

Pour finir connecter vous en SSH avec votre compte utilisateur

FAQ:

Erreur a l’authentification, juste avec le login

Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM adding faulty module: pam_winbind.so
Jan 28 16:41:35 srv-prox-4 sshd[8930]: Connection closed by 192.168.4.41 port 49196 [preauth]

Après recherche cela venait du fichier nsswitch.conf qui était en authentification winbind au lieu de sss (voir plus haut)

/!\ Nouvelle article : Joindre une machine Debian 10 Buster sur un domaine Active Directory