Joining a Debian 9 Stretch machine to an Active Directory domain
OS version: Debian 9.3
Install the following required packages:

$ sudo apt install krb5-user realmd adcli sssd sssd-tools samba-common samba-libs resolvconf samba-common-bin packagekit
Configure the realm

$ sudo vim /etc/network/interfaces

dns-nameservers 192.168.100.100

$ sudo systemctl restart ifup@eth0 resolvconf

$ sudo vim /etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel umask=077
So that AD users do not have to prefix their login with the domain name, edit sssd.conf and change the value from True to False:

$ sudo vim /etc/sssd/sssd.conf

use_fully_qualified_names = False

Then restart the service.

$ sudo systemctl restart sssd
Query the AD

$ sudo realm discover DOMAINE.TLD

domaine.tld
  type: kerberos
  realm-name: DOMAINE.TLD
  domain-name: domaine.tld
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups:
Join the machine to the AD

$ sudo realm join DOMAINE.TLD

Password for Administrator:
Now check the various configuration files and adjust them as needed.
krb5.conf configuration file

$ sudo vim /etc/krb5.conf

[libdefaults]
	default_realm = DOMAINE.TLD

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms]
	DOMAINE.TLD = {
	}

[domain_realm]
	domaine.tld = DOMAINE.TLD
	.domaine.tld = DOMAINE.TLD
nsswitch.conf configuration file

$ sudo vim /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
common-auth configuration file

$ sudo vim /etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
common-account configuration file

$ sudo vim /etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
# here's the fallback if no module succeeds
account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
account	sufficient			pam_localuser.so
account	[default=bad success=ok user_unknown=ignore]	pam_sss.so
# end of pam-auth-update config
sssd.conf configuration file

$ sudo vim /etc/sssd/sssd.conf

[sssd]
domains = domaine.tld
config_file_version = 2
services = nss, pam

[domain/domaine.tld]
ad_domain = domaine.tld
krb5_realm = DOMAINE.TLD
#realmd_tags = manages-system joined-with-adcli
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = NOM_DE_LA_MACHINE$
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
#access_provider = ad
access_provider = simple
Restart the sssd service

$ sudo systemctl restart sssd

root@srv-prox-4:/etc# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor pre
   Active: active (running) since Fri 2018-01-26 13:12:32 CET; 7s ago
 Main PID: 18336 (sssd)
    Tasks: 4 (limit: 4915)
   Memory: 34.7M
      CPU: 188ms
   CGroup: /system.slice/sssd.service
           ├─18336 /usr/sbin/sssd -i -f
           ├─18345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain oodri
           ├─18355 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid
           └─18356 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid

Jan 26 13:12:32 srv-prox-4 systemd[1]: Starting System Security Services
Jan 26 13:12:32 srv-prox-4 sssd[18336]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[be[18345]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18356]: Starting up
Jan 26 13:12:32 srv-prox-4 sssd[18355]: Starting up
Jan 26 13:12:32 srv-prox-4 systemd[1]: Started System Security Services
Run a test: look up the administrator account or a user account

$ id DOMAINE\\administrator    (or: id administrator)

uid=1291600500(administrator) gid=1291600513(domain users) groups=1291600513(domain users),1291600520(group policy creator owners),1291600519(enterprise admins),1291600512(domain admins),1291600518(schema admins),1291600572(denied rodc password replication group)

$ id DOMAINE\\bef    (or: id bef)

uid=1291601165(bef) gid=1291600513(domain users) groups=1291600513(domain users)
Then test authentication

$ su - DOMAINE\\bef

Password:
Creating directory '/home/bef'.
bef@debian9:~$
Finally, log in over SSH with your user account.
FAQ:
Authentication fails when logging in with just the username

Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Jan 28 16:41:32 srv-prox-4 sshd[8930]: PAM adding faulty module: pam_winbind.so
Jan 28 16:41:35 srv-prox-4 sshd[8930]: Connection closed by 192.168.4.41 port 49196 [preauth]

After investigation, this turned out to come from the nsswitch.conf file, which was set up for winbind authentication instead of sss (see above).
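As an added check (not part of the original post), the following POSIX shell script audits the two files this walkthrough edits by hand: it verifies that nsswitch.conf resolves passwd, group and shadow through sss rather than winbind (the failure described in the FAQ), and that the access_provider in sssd.conf actually restricts who may log in, because access_provider = simple with neither simple_allow_users nor simple_allow_groups set admits every domain user. The file paths and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's own script. Sample paths and contents are
# constructed; on a real host pass /etc/sssd/sssd.conf and /etc/nsswitch.conf.

# 0 when passwd, group and shadow all resolve through sss and none through
# winbind (the FAQ's pam_winbind error came from a winbind-based setup).
nsswitch_uses_sss() {
    for db in passwd group shadow; do
        line=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1)
        case " $line " in *" winbind "*) return 1 ;; esac
        case " $line " in *" sss "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Effective (uncommented) value of a key in sssd.conf; empty if unset.
sssd_value() {
    sed -E -e "/^[[:space:]]*$2[[:space:]]*=/!d" \
        -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | head -n 1
}

# 0 when the access provider limits who may log in: "ad" applies the AD
# account restrictions; "simple" only does so with an allow list, since with
# neither simple_allow_users nor simple_allow_groups set it admits everyone.
access_is_restricted() {
    case "$(sssd_value "$1" access_provider)" in
        ad) return 0 ;;
        simple) [ -n "$(sssd_value "$1" simple_allow_users)$(sssd_value "$1" simple_allow_groups)" ] ;;
        *) return 1 ;;
    esac
}

# Prints one line per finding; returns the number of findings (0 = clean).
audit_join_config() {
    n=0
    nsswitch_uses_sss "$2" ||
        { echo "nsswitch.conf: passwd/group/shadow must list sss, not winbind"; n=$((n + 1)); }
    access_is_restricted "$1" ||
        { echo "sssd.conf: access_provider admits every domain user; add simple_allow_groups or use ad"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples: sssd.conf mirrors the post's file, nsswitch.bad the FAQ.
TMP=$(mktemp -d)
printf '[domain/domaine.tld]\nid_provider = ad\nuse_fully_qualified_names = False\n#access_provider = ad\naccess_provider = simple\n' > "$TMP/sssd.conf"
printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat sss\n' > "$TMP/nsswitch.good"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$TMP/nsswitch.bad"
audit_join_config "$TMP/sssd.conf" "$TMP/nsswitch.good" || echo "findings: $?"
```

Run against the post's own sssd.conf this reports one finding (the unrestricted access provider); the commented-out access_provider = ad line, or simple with a simple_allow_groups list, clears it.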
/!\ New article: Joining a Debian 10 Buster machine to an Active Directory domain
Thanks for this tutorial and for your site in general
hello.
no problem
Any idea, gentlemen, about the authentication problem?
We are using LDAPS!
root@FR-SRV-IMATEQ:~# id DOMAIN\\USER
id: « DOMAIN\\USER » : utilisateur inexistant
root@FR-SRV-IMATEQ:~# id DOMAIN.LTD\\USER
id: « DOMAIN.LTD\\USER » : utilisateur inexistant
root@FR-SRV-IMATEQ:~# id USER
id: « USER » : utilisateur inexistant
Hello,
I no longer have this environment at hand; you would need to test with one or more of these fields
ldap_uri, ldap_id_use_start_tls, ldap_service_port
https://forums.centos.org/viewtopic.php?t=51081
https://linux.die.net/man/5/sssd-ldap
Good luck