Azure: join an Ubuntu 16.04 LTS VM to AD DS for key-based login with SSH
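# Runbook: join an Ubuntu 16.04 LTS VM to AD DS so AD users can log in over SSH with public keys.
# Shell commands are run as-is; the [section] / key = value fragments are added to the file
# named in the comment above them. ${domain} is the lowercase DNS domain, ${DOMAIN} the
# uppercase Kerberos realm.

# Packages:
apt update && apt upgrade
apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin

# Add the following to /etc/krb5.conf under [libdefaults] (following default_realm):
dns_lookup_kdc = true
dns_lookup_realm = true

# If necessary, configure NTP on the host.
# Kerberos rejects tickets once the clock skew between host and DC exceeds its tolerance,
# so the join and later logins fail on a drifting clock.

# Add the following to /etc/realmd.conf:
[users]
# %D and %U are expanded by realmd to the domain and the user name.
default-home = /home/%D/%U
# Must be an absolute path (the original had "bin/bash", missing the leading slash).
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 16.04

[service]
automatic-install = no

# Per-realm settings; the section header is the lowercase domain name.
[${domain}]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes

# Enable "Create home directory on login" via:
pam-auth-update

# Test discovery:
realm discover -v ${DOMAIN}

# Join the domain. The original hard-coded a specific domain here while using ${DOMAIN}
# everywhere else, and misspelled "administrator".
# NOTE(review): realm's --user (-U) names the AD account that performs the join, while
# --user-principal sets the computer account's userPrincipalName; confirm which is
# intended for the value below before running.
sudo realm --verbose join ${domain} --user-principal=${HOSTNAME}/administrator@${DOMAIN} --install=/

# Configure /etc/sssd/sssd.conf (sssd requires the file to be owned by root, mode 0600):
# Add ssh to services:
services = nss, pam, ssh
# Verify. realmd derives this key from automatic-id-mapping in /etc/realmd.conf above;
# the value shown here appears to invert that setting — TODO confirm which is wanted.
ldap_id_mapping = True
# Verify. Derived from fully-qualified-names above; same caveat as ldap_id_mapping.
use_fully_qualified_names = False
# Add:
[domain/${domain}]
ad_domain = ${domain}
krb5_realm = ${DOMAIN}
# Add: sssd reads each user's SSH public key(s) from this AD attribute.
ldap_user_ssh_public_key = altSecurityIdentities

# Reboot (or reload services).

# Configure /etc/ssh/sshd_config:
# sshd runs this command to fetch the login user's keys from sssd (%u = the user name).
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u
# Run the lookup as an unprivileged account; the original used root, which the command
# does not need and which widens the impact of any bug in it.
AuthorizedKeysCommandUser nobody

# Log on to the DC. In ADUC, enable Advanced Features via the View menu. Open a user account and browse to the Attribute Editor tab.
# In Attribute Editor, paste your openssh-generated SSH public key into the altSecurityIdentities attribute.
# Because sshd trusts whatever keys sssd reads from altSecurityIdentities, anyone with write
# access to that attribute on a user object can grant SSH access as that user — restrict
# write permission on it accordingly and audit changes to it.
# You should now be able to SSH to the host using your AD user.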