[Linux] Joining a Debian 9 Stretch machine to an Active Directory domain

 

OS version: Debian 9.3

 

 

Install the following packages:

$ sudo apt install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf

realm discover (below) also lists libnss-sss and libpam-sss as required: check with dpkg -l that apt pulled them in as dependencies, otherwise NSS and PAM never see the domain accounts.

 

Configure the realm

 

Add the DNS server to the interface configuration, inside the iface eth0 stanza. It must be a domain controller (or another AD DNS server): realmd, sssd and the Kerberos library all locate the KDC and LDAP servers through the SRV records that only AD DNS serves.
$ sudo vim /etc/network/interfaces
dns-nameservers 192.168.100.100
Restart networking
$ sudo systemctl restart ifup@eth0 resolvconf
Edit common-session and add the following line at the end of the file, after the "# end of pam-auth-update config" marker so that the next pam-auth-update run keeps it. It creates the user's home directory on first login; umask=077 keeps that directory private to its owner.
$ sudo vim /etc/pam.d/common-session
session optional        pam_mkhomedir.so skel=/etc/skel umask=077

 

So that domain users do not have to type the domain name, edit sssd.conf and change the value from True to False. realmd generates /etc/sssd/sssd.conf during the join, so if the file does not exist yet, do this right after the join (the complete file is shown further down). Short names are then resolved like local ones, and nsswitch.conf lists compat before sss, so a domain user whose name matches a local account is shadowed by the local account.

$ sudo vim /etc/sssd/sssd.conf
use_fully_qualified_names = False

Then restart the service.

$ sudo systemctl restart sssd

 

Query the AD (the output below was captured after the join; on a machine that is not joined yet, the configured: line reads no)

$ sudo realm discover DOMAINE.TLD
domaine.tld
 type: kerberos
 realm-name: DOMAINE.TLD
 domain-name: domaine.tld
 configured: kerberos-member
 server-software: active-directory
 client-software: sssd
 required-package: sssd-tools
 required-package: sssd
 required-package: libnss-sss
 required-package: libpam-sss
 required-package: adcli
 required-package: samba-common-bin
 login-formats: %U
 login-policy: allow-permitted-logins
 permitted-logins: 
 permitted-groups:

 

Join the machine to the AD

$ sudo realm join DOMAINE.TLD
Password for Administrator:

Without -U, realm prompts for the domain Administrator password. A dedicated join account with delegated rights to create computer objects in one OU is the safer choice: realm join accepts -U to name that account and --computer-ou to place the computer object directly in that OU. The join writes the host keytab to /etc/krb5.keytab and generates /etc/sssd/sssd.conf.
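The steps above (packages, resolver, pam_mkhomedir, discover, join, short names) as one idempotent script. This is an added example, not the page's own script: it assumes a delegated join account named joinuser, the OU OU=Linux,DC=domaine,DC=tld, that host(1) from bind9-host is installed, and it keeps the page's choice of 192.168.100.100 as the DC. The PAM edit is done by a function that refuses files without the pam-auth-update end marker, and a constructed common-session is embedded so that part can be exercised on a machine without a domain.

```shell
#!/bin/sh
# Added example, not part of the original page: the join steps as an
# idempotent script. Assumptions not stated on the page: a delegated join
# account (joinuser) and a target OU for the computer object
# (OU=Linux,DC=domaine,DC=tld); 192.168.100.100 is taken to be a DC.
set -eu

PAM_SESSION=/etc/pam.d/common-session
PAM_END_MARKER='# end of pam-auth-update config'
MKHOMEDIR_LINE='session optional        pam_mkhomedir.so skel=/etc/skel umask=077'

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    file=$1; line=$2
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >>"$file"
    fi
}

# pam-auth-update rewrites everything between its two marker comments, and
# its own header says local modules go before or after that block. Appending
# at the end of the file lands after the end marker and survives the next
# pam-auth-update run; refuse files that are not managed this way.
add_pam_mkhomedir() {
    file=${1:-$PAM_SESSION}
    if ! grep -qF -- "$PAM_END_MARKER" "$file"; then
        printf '%s: no pam-auth-update end marker, edit by hand\n' "$file" >&2
        return 1
    fi
    ensure_line "$file" "$MKHOMEDIR_LINE"
}

# True when the pam_mkhomedir line sits after the end marker (outside the managed block).
mkhomedir_after_marker() {
    file=$1
    marker=$(grep -nF -- "$PAM_END_MARKER" "$file" | head -n1 | cut -d: -f1)
    line=$(grep -nxF -- "$MKHOMEDIR_LINE" "$file" | head -n1 | cut -d: -f1)
    if [ -n "$marker" ] && [ -n "$line" ] && [ "$line" -gt "$marker" ]; then
        return 0
    fi
    return 1
}

# Constructed stand-in for Debian's stock common-session, for dry runs.
sample_common_session() {
    cat <<'EOF'
# /etc/pam.d/common-session - session-related modules common to all services
# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session required      pam_unix.so
session optional      pam_sss.so
# end of pam-auth-update config
EOF
}

# The resolver must point at AD DNS: realmd and the Kerberos library find
# the KDC through the _kerberos._tcp.<realm> SRV record. Check before joining.
check_dc_dns() {
    realm=$1
    host -t SRV "_kerberos._tcp.$realm" >/dev/null
}

# Join with a delegated account and put the computer object in a dedicated OU
# (-U and --computer-ou are documented realm(8) options), then drop the
# @domain suffix. realmd only writes /etc/sssd/sssd.conf during the join, so
# the sed comes after it.
join_domain() {
    realm=$1; join_user=$2; ou=$3
    check_dc_dns "$realm"
    realm discover "$realm" >/dev/null
    realm join -v -U "$join_user" --computer-ou="$ou" "$realm"
    sed -i 's/^use_fully_qualified_names = .*/use_fully_qualified_names = False/' /etc/sssd/sssd.conf
    add_pam_mkhomedir
    systemctl restart sssd
}

# Post-join checks: the host keytab must yield a TGT on its own, and NSS must
# resolve a domain user through the sss backend.
verify_join() {
    user=$1
    realm list
    kinit -k "$(hostname -s | tr '[:lower:]' '[:upper:]')\$"
    klist
    kdestroy
    getent passwd "$user"
}

case "${1:-}" in
    join)   join_domain "$2" "$3" "$4" ;;   # join DOMAINE.TLD joinuser 'OU=Linux,DC=domaine,DC=tld'
    verify) verify_join "$2" ;;             # verify bef
    *)      ;;                              # no arguments: only define the functions
esac
```

Run it on the host as sh join-ad.sh join DOMAINE.TLD joinuser 'OU=Linux,DC=domaine,DC=tld', then sh join-ad.sh verify bef; with no arguments it only defines the functions. The resolver change stays a manual edit of /etc/network/interfaces as above, because dns-nameservers must sit inside the iface stanza rather than at the end of the file.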

 

Now check the various configuration files and adjust them.

krb5.conf configuration file (the empty DOMAINE.TLD block under [realms] is fine: with no kdc entries, MIT Kerberos locates the KDCs through the _kerberos._tcp SRV records, one more reason the resolver must point at AD DNS)

$ sudo vim /etc/krb5.conf
[libdefaults]
 default_realm = DOMAINE.TLD

# The following krb5.conf variables are only for MIT Kerberos.
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
 fcc-mit-ticketflags = true

[realms]
 DOMAINE.TLD = {
 }

[domain_realm]
 domaine.tld = DOMAINE.TLD
 .domaine.tld = DOMAINE.TLD

 

nsswitch.conf configuration file (sss must appear on the passwd, group and shadow lines; compat is listed first, so local accounts take precedence over domain ones)

$ sudo vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat sss
group: compat sss
shadow: compat sss
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
sudoers: files sss

 

common-auth configuration file. pam_unix runs first: on success the [success=2] jump skips both pam_sss and pam_deny, so local accounts never touch sssd; when pam_unix fails, use_first_pass hands the same password to pam_sss, so domain users are prompted only once.

$ sudo vim /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

 

common-account configuration file. pam_localuser.so sufficient lets accounts present in /etc/passwd skip the domain check; for everyone else pam_sss asks sssd, which applies the access_provider rule from sssd.conf, so that setting is what actually restricts who may log in.

$ sudo vim  /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config

 

sssd.conf configuration file (generated by the join, then adjusted)

$ sudo vim /etc/sssd/sssd.conf
[sssd]
domains = domaine.tld
config_file_version = 2
services = nss, pam

[domain/domaine.tld]
ad_domain = domaine.tld
krb5_realm = DOMAINE.TLD
#realmd_tags = manages-system joined-with-adcli
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# the computer account created by the join: host name in upper case followed by $
ldap_sasl_authid = MACHINE_NAME$
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
#access_provider = ad
access_provider = simple

Two of these settings decide who gets a shell. access_provider = simple with no simple_allow_users or simple_allow_groups, as above, admits every domain account; add simple_allow_groups with the groups that should log in (realm permit -g writes that key for you). access_provider = ad, commented out above, lets AD decide instead: disabled or expired accounts are refused and the logon-rights GPOs are enforced, which is stricter but requires those GPOs to be in order. cache_credentials = True keeps password hashes under /var/lib/sss/db so that cached users can still log in while the DC is unreachable; that directory must stay readable by root only. krb5_store_password_if_offline = True additionally keeps the password of a user who logged in offline in the kernel keyring, to fetch a TGT once the DC is back.

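To make the access_provider point concrete, here is an added example (not from the page) that renders the page's sssd.conf in an open variant (simple, no allow list, as above) and a restricted variant, and audits any sssd.conf for the settings that decide who may log in and whether sssd will even read the file. linux-admins and SRV-PROX-4 are placeholders; the permission check relies on GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original page: renders the page's sssd.conf
# in an "open" variant (as shown above) and a "restricted" one, and audits an
# sssd.conf for the access-control settings. The group name linux-admins and
# the host name SRV-PROX-4 are assumptions.
set -eu

# Print an sssd.conf equivalent to the page's, varying only the access policy.
# mode: open (simple, no allow list) | restricted (simple + group) | ad
render_sssd_conf() {
    domain=$1; realm=$2; host=$3; mode=$4; group=${5:-}
    cat <<EOF
[sssd]
domains = $domain
config_file_version = 2
services = nss, pam

[domain/$domain]
ad_domain = $domain
krb5_realm = $realm
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = ${host}\$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
EOF
    case "$mode" in
        open)       printf 'access_provider = simple\n' ;;
        restricted) printf 'access_provider = simple\nsimple_allow_groups = %s\n' "$group" ;;
        ad)         printf 'access_provider = ad\n' ;;
        *)          printf 'unknown mode %s\n' "$mode" >&2; return 1 ;;
    esac
}

# First value of KEY in an sssd.conf-style FILE, empty when absent.
conf_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n1
}

# Audit the settings that control logins. Prints "fail:"/"warn:" lines and
# returns 1 when there is at least one "fail:".
audit_sssd_conf() {
    file=$1; rc=0
    prov=$(conf_get access_provider "$file")
    case "$prov" in
        ad) ;;
        simple)
            if [ -z "$(conf_get simple_allow_users "$file")$(conf_get simple_allow_groups "$file")" ]; then
                echo "fail: access_provider = simple with no simple_allow_users/groups admits every domain account"
                rc=1
            fi ;;
        "")
            echo "fail: no access_provider (sssd defaults to permit)"
            rc=1 ;;
        *)
            echo "warn: access_provider = $prov, review its allow rules" ;;
    esac
    if [ "$(conf_get use_fully_qualified_names "$file")" = False ]; then
        echo "warn: short names in use, a domain user named like a local account is shadowed by it"
    fi
    # sssd refuses to start when sssd.conf is readable by others: it must be 0600 and root-owned
    if [ "$(stat -c %a "$file")" != 600 ]; then
        echo "fail: $file mode is $(stat -c %a "$file"), must be 0600"
        rc=1
    fi
    return $rc
}
```

On the host, audit_sssd_conf /etc/sssd/sssd.conf flags the page's configuration as open; switching to the restricted variant (or running realm permit -g for the right group) and restarting sssd is the fix.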
 

Restart the sssd service and check that it is running (sssd_be for the domain, plus the sssd_nss and sssd_pam responders)

$ sudo systemctl restart sssd
root@srv-prox-4:/etc# systemctl status sssd
 sssd.service - System Security Services Daemon
 Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor pre
 Active: active (running) since Fri 2018-01-26 13:12:32 CET; 7s ago
 Main PID: 18336 (sssd)
 Tasks: 4 (limit: 4915)
 Memory: 34.7M
 CPU: 188ms
 CGroup: /system.slice/sssd.service
 ├─18336 /usr/sbin/sssd -i -f
 ├─18345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain oodri
 ├─18355 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid
 └─18356 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid

Jan 26 13:12:32 srv-prox-4 systemd[1]: Starting System Security Services
Jan 26 13:12:32 srv-prox-4 sssd[18336]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[be[18345]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18356]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18355]: Starting up
Jan 26 13:12:32 srv-prox-4 systemd[1]: Started System Security Services

 

Test by querying the administrator or a user account

$ id DOMAINE\\administrator     (or: id administrator, since use_fully_qualified_names = False)
uid=1291600500(administrator) gid=1291600513(domain users) groups=1291600513(domain users),1291600520(group policy creator owners),1291600519(enterprise admins),1291600512(domain admins),1291600518(schema admins),1291600572(denied rodc password replication group)

 

$ id DOMAINE\\bef     (or: id bef)
uid=1291601165(bef) gid=1291600513(domain users) groups=1291600513(domain users)

 

The uids and gids above come from ldap_id_mapping = True: sssd derives a per-domain base (here 1291600000) from the domain SID and adds the object's RID, so administrator (RID 500) becomes 1291600500 and Domain Users (RID 513) becomes 1291600513. They are stable for this domain but unrelated to any uidNumber/gidNumber set in AD; if several Linux hosts share files, they must all use id mapping or all use the POSIX attributes, otherwise ownership will not match across hosts.

Then test authentication

$ su - DOMAINE\\bef
Password: 
Creating directory '/home/bef'.
bef@debian9:~$

 

Finally, log in over SSH with your domain account. Debian's sshd has UsePAM yes by default, so the common-* files above govern the login; AllowGroups in sshd_config can add a second restriction on top of sssd's access_provider.

 

FAQ:

Authentication fails right after the login

Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM adding faulty module: pam_winbind.so
Jan 28 16:41:35 srv-prox-4 sshd[8930]: Connection closed by 192.168.4.41 port 49196 [preauth]

Investigation showed this came from nsswitch.conf, which was still set up for winbind instead of sss (see above). Note that pam_winbind.so itself is loaded from the PAM stack: libpam replaces a module it cannot dlopen with a faulty placeholder, and when that entry is required or requisite every login through the service fails, so also check /etc/pam.d/common-* (or re-run pam-auth-update) for a leftover pam_winbind line.
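The FAQ diagnosis as checks that can be run over the host's auth log, nsswitch.conf and PAM files. This is an added example, not the page's own; the auth.log excerpt and the nsswitch.conf contents it embeds are constructed to mirror the ones above.

```shell
#!/bin/sh
# Added example, not part of the original page: the FAQ diagnosis as checks
# over constructed data. The sample_* functions produce made-up inputs that
# mirror the log lines and files shown on the page.
set -eu

# Constructed auth.log excerpt: sshd closes during preauth after PAM fails to load a module.
sample_auth_log() {
    cat <<'EOF'
Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM adding faulty module: pam_winbind.so
Jan 28 16:41:35 srv-prox-4 sshd[8930]: Connection closed by 192.168.4.41 port 49196 [preauth]
Jan 28 16:42:10 srv-prox-4 sshd[8951]: PAM adding faulty module: pam_winbind.so
Jan 28 16:42:11 srv-prox-4 sshd[8951]: Connection closed by 192.168.4.41 port 49202 [preauth]
EOF
}

# Constructed nsswitch.conf still wired for winbind (the broken state) and the fixed one.
sample_nsswitch_winbind() {
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\nhosts: files dns\n'
}
sample_nsswitch_sss() {
    printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat sss\nhosts: files dns\n'
}

# "<module> <count>" for every module libpam reported as faulty in LOGFILE.
faulty_pam_modules() {
    sed -n 's/.*PAM adding faulty module: \([^ ]*\).*/\1/p' "$1" | sort | uniq -c | awk '{print $2, $1}'
}

# Backends listed for database DB in an nsswitch.conf FILE.
nss_backends() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n1
}

# passwd/group/shadow must include sss and must not reference winbind,
# whose libnss_winbind is not installed in this setup. Returns 1 on any finding.
nsswitch_uses_sss() {
    file=$1; rc=0
    for db in passwd group shadow; do
        backends=$(nss_backends "$db" "$file")
        case " $backends " in
            *" sss "*) ;;
            *) echo "$db: '$backends' does not include sss"; rc=1 ;;
        esac
        case " $backends " in
            *" winbind "*) echo "$db: winbind listed but libnss_winbind is not installed"; rc=1 ;;
        esac
    done
    return $rc
}

# The module named in the log is loaded by the PAM stack, not by NSS: list
# every winbind reference in nsswitch.conf and the PAM files (nothing when clean).
winbind_refs() {
    grep -nH winbind "$@" 2>/dev/null || true
}
```

On a real host, run faulty_pam_modules /var/log/auth.log, nsswitch_uses_sss /etc/nsswitch.conf and winbind_refs /etc/nsswitch.conf /etc/pam.d/common-* to find both halves of the problem.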

 

 

2 thoughts on "[Linux] Joining a Debian 9 Stretch machine to an Active Directory domain"

  1. Thanks for this tutorial and for your site in general

    1. hello.
      no problem