@caveatlector
Last active June 28, 2019 08:30
Azure: join an Ubuntu 16.04 LTS VM to AD DS for key-based login with SSH
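# Packages (run as root; the join step later in this file uses sudo instead, either works):
# -y on the upgrade as well as the install so the runbook can be pasted without an interactive prompt.
apt update && apt upgrade -y
apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin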
# Add the following to /etc/krb5.conf under [libdefaults] (following default_realm):
# Resolve KDCs and the host-to-realm mapping via DNS records instead of a static
# [realms]/[domain_realm] table; assumes the VM's resolver points at AD DNS.
dns_lookup_kdc = true
dns_lookup_realm = true
# If necessary, configure NTP on the host.
# Kerberos rejects tickets when clock skew exceeds its limit (a few minutes), so sync against the DCs.
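# Add the following to /etc/realmd.conf:
# realmd reads this at join time and carries the values into the sssd.conf it writes, so edit it BEFORE realm join.
[users]
# %D = domain, %U = user name; realmd expands these itself (this file is not read by configparser).
default-home = /home/%D/%U
# Must be an absolute path: the original "bin/bash" is relative and is not a usable login shell.
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 16.04
[service]
# Packages were installed explicitly above, so realmd must not try to install them again.
automatic-install = no
# Per-realm section; ${domain} is a placeholder for the lowercase AD domain name (e.g. example.com).
[${domain}]
# NOTE(review): yes here maps to use_fully_qualified_names = True, yet the sssd.conf check later in this
# file expects False; likewise automatic-id-mapping = no maps to ldap_id_mapping = False while that check
# expects True. Whatever sssd.conf holds after the join is what takes effect — confirm which is intended.
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes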
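# Enable "Create home directory on login" via:
pam-auth-update
# Test discovery:
realm discover -v ${DOMAIN}
# Join the same realm that discover reported (placeholders as elsewhere in this file, rather than a hard-coded host).
# --user-principal sets the computer account's userPrincipalName (realm(8) documents the host/NAME@REALM form);
# the AD account used to authenticate the join is --user, which per realm(8) defaults to Administrator when omitted.
# Spelling fixed: the original read "administator".
sudo realm --verbose join ${DOMAIN} --user-principal=${HOSTNAME}/administrator@${DOMAIN} --install=/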
# Configure /etc/sssd/sssd.conf:
# realm join writes this file; review it afterwards. Keep it root-owned with mode 0600 — SSSD refuses looser permissions.
# Add ssh to services (this key lives under [sssd]):
# The ssh responder is what sss_ssh_authorizedkeys (sshd_config, below) queries for a user's keys.
services = nss, pam, ssh
# Verify (this key lives under the [domain/...] section):
# NOTE(review): realmd.conf above set automatic-id-mapping = no, which would leave this False — confirm which is intended.
ldap_id_mapping = True
# Verify:
# NOTE(review): realmd.conf above set fully-qualified-names = yes, which would leave this True — confirm which is intended.
# This decides whether users log in as "user" or "user@domain", so it must match what sshd is handed in %u.
use_fully_qualified_names = False
# Add (realm join normally creates this section already; add only what is missing rather than a second header):
[domain/${domain}]
ad_domain = ${domain}
krb5_realm = ${DOMAIN}
# Add:
# AD attribute SSSD reads public keys from. Anyone with write access to this attribute on a user object can
# grant SSH access as that user, so restrict who may write it as tightly as the user's password.
ldap_user_ssh_public_key = altSecurityIdentities
# Reboot (or reload services).
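# Configure /etc/ssh/sshd_config:
# %u expands to the login name being authenticated; sss_ssh_authorizedkeys asks the SSSD ssh responder for that user's keys.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
# Run the lookup unprivileged rather than as root: sshd_config(5) recommends a dedicated user with no other role
# on the host, and the SSSD documentation uses nobody. The helper only needs to reach the SSSD socket.
AuthorizedKeysCommandUser nobody
# Validate before applying, then reload: sshd -t && systemctl reload ssh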
# Log on to the DC. In ADUC, enable Advanced Features via the View menu. Open a user account and browse to the Attribute Editor tab.
# In Attribute Editor, paste the OpenSSH-format public key (the one-line contents of the .pub file) into the altSecurityIdentities attribute.
# You should now be able to SSH to the host using your AD user.