Thanks to everyone who helped out at the CDC! This guide is a fork of the original, adapted specifically for the ISU CDC AD setup as of 10/15/22.
For this guide, we'll pretend we're team 12, our ad server is at ad.team12.isucdc.com, and everything is on 192.168.1.0/24
Anything surrounded by "<>" is a placeholder and should be replaced in its entirety.
Before you start, download the files from step 6 and step 8 onto a new Linux box via the web and give them memorable names. This helps when setting up several boxes in a row, since you won't have to type out the long configuration files by hand each time.
Please don't forget to do this. If anything goes wrong, you'll want a way back.
hostnamectl set-hostname <boxname>.team12.isucdc.com
reboot
apt update
apt upgrade
If APT is still being refused after you have set an environment proxy (because APT does not go through it), you can force APT to use the proxy. Note that a plain "sudo echo ... >> file" does not work, because the redirect is performed by your unprivileged shell, not by sudo; pipe through tee instead:
echo 'Acquire::http::Proxy "http://<keyhole IP>:<keyhole port>/";' | sudo tee -a /etc/apt/apt.conf.d/proxy.conf
For some reason, the system seems to need the IP of the Active Directory box hardcoded. Add the following line to /etc/hosts with your preferred text editor. Separate the fields with tabs.
<ip of ad box> ad.team12.isucdc.com ad
apt install -y realmd
This configuration provides some default options to make things easier. You can modify options such as computer-ou to reflect your Active Directory OU structure.
[service]
automatic-install = no
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[mydomain.net]
computer-ou = CN=Computers,DC=team12,DC=isucdc,DC=com
automatic-id-mapping = yes
fully-qualified-names = no
Copy your configuration to /etc/realmd.conf using your preferred text editor.
Note: it does not seem that you have to rename the [mydomain.net] part. I don't believe our team did, and we got our app and db connected.
If you set up a box to hold these files, you can use scp, like so:
sudo scp <user for box you have file on>@<box ip>:<absolute path to file> <absolute path to destination>
In this case the destination would be /etc/realmd.conf
apt install -y sssd sssd-tools samba-common krb5-user adcli ntp
An interactive prompt will ask for the default domain to associate users with; this is your domain name in all caps. The Kerberos server and the administrative server are both: ad.team12.isucdc.com
Sometimes NTP and timesyncd conflict. If that's the case, just ignore it. Ignore configuring /etc/ntp.conf later in that case also.
You could probably instead use the /etc/timesyncd.conf and set NTP to ad.team12.isucdc.com and uncomment the line, but this is untested.
You will need to copy these using sudo and your preferred text editor. Alternatively, you can use the scp method discussed earlier.
Here are the files:
passwd: files winbind sss
group: files winbind sss
shadow: compat winbind
hosts: files dns winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files
Replace the workgroup MYDOMAIN with the name of your domain without the extension, and replace the netbios name myservername with your AD server's name.
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = TEAM12.ISUCDC
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
netbios name = ad.team12.isucdc.com
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
# This will prevent nmbd from searching for NetBIOS names through DNS.
dns proxy = no
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
# panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
Replace SERVER 0 DC1.MYDOMAIN.NET and SERVER 1 DC2.MYDOMAIN.NET (specifically DC1.MYDOMAIN.NET and DC2.MYDOMAIN.NET) with your two domain controllers. If you only have one domain controller, simply use SERVER DC1.MYDOMAIN.NET. For example:
# Use your Domain Controllers for ntp.
server ad.team12.isucdc.com
Replace the default_realm of MYDOMAIN.NET with your domain's name in caps.
[libdefaults]
default_realm = TEAM12.ISUCDC.COM
ticket_lifetime = 24h
renew_lifetime = 7d
Replace the default_domain_suffix of mydomain.net with your domain name.
# Ensure you set permissions for this file to 0600
[sssd]
services = nss, pam
config_file_version = 2
default_domain_suffix = team12.isucdc.com
Additionally, confirm that the line
use_fully_qualified_names = True
is present in the next section of the file. If not, add it.
Finally, run the following command:
chmod 0600 /etc/sssd/sssd.conf
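To follow the advice at the top of this guide about preparing the long configuration files once and reusing them on several boxes, here is an added helper script (not part of the original guide) that renders the hosts, realmd, krb5, sssd and ntp settings above for a given team number into a staging directory and then checks them the way the guide asks (0600 on sssd.conf, upper-case realm, use_fully_qualified_names present, tab-separated hosts entry). It assumes the guide's naming scheme teamN.isucdc.com with the AD box at ad.teamN.isucdc.com; the [domain/...] section name in sssd.conf is an assumption about what realm join creates, and any IP you pass in is your own.

```shell
# Render the team-specific files from this guide into a staging directory,
# then sanity-check them before copying into /etc on each box.
# Usage: render_ad_configs <team number> <AD box IP> <staging dir>
render_ad_configs() {
    team="$1"; ad_ip="$2"; out="$3"
    domain="team${team}.isucdc.com"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')  # Kerberos realm is upper-case
    ad_host="ad.${domain}"
    mkdir -p "$out"
    # /etc/hosts entry: fields separated by tabs, as the guide requires
    printf '%s\t%s\tad\n' "$ad_ip" "$ad_host" > "$out/hosts.ad"
    cat > "$out/realmd.conf" <<EOF
[service]
automatic-install = no
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[$domain]
computer-ou = CN=Computers,DC=team${team},DC=isucdc,DC=com
automatic-id-mapping = yes
fully-qualified-names = no
EOF
    cat > "$out/krb5.conf" <<EOF
[libdefaults]
default_realm = $realm
ticket_lifetime = 24h
renew_lifetime = 7d
EOF
    # The [domain/...] section name is an assumption; realm join normally creates it
    cat > "$out/sssd.conf" <<EOF
[sssd]
services = nss, pam
config_file_version = 2
default_domain_suffix = $domain
[domain/$domain]
use_fully_qualified_names = True
EOF
    chmod 0600 "$out/sssd.conf"                 # sssd will not start otherwise
    printf 'server %s\n' "$ad_host" > "$out/ntp.servers"
}

# Return 0 only if the staged files satisfy the checks the guide spells out.
check_ad_configs() {
    out="$1"; tab=$(printf '\t')
    [ "$(stat -c '%a' "$out/sssd.conf")" = "600" ] || return 1
    grep -q '^use_fully_qualified_names = True$' "$out/sssd.conf" || return 2
    grep -q '^default_realm = [A-Z0-9.]*$' "$out/krb5.conf" || return 3
    grep -q "^[^$tab]*$tab[^$tab]*${tab}ad$" "$out/hosts.ad" || return 4
}
```

Run check_ad_configs against the staging directory before the scp step; a non-zero return tells you which file needs fixing before it reaches /etc.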
sudo shutdown -r now
You must first sudo su into the root account to avoid issues. Then, you will need to use an AD account with permission to join computers to AD. After you enter the command you will be prompted for the password. If everything else in the previous configuration files is set correctly, this will work.
sudo su
kinit youraccountname
Typically this account will be "Administrator".
This step WILL NOT work unless you followed the previous step and obtained the Kerberos ticket. With the --unattended flag you will not receive any output unless there is an error. On Ubuntu 16.04 you need to include the --install flag to avoid the error about missing packages.
realm join ad.team12.isucdc.com --unattended --install=/
sed -i "/pam_unix.so/a session required\tpam_mkhomedir.so skel=/etc/skel/ umask=0022" /etc/pam.d/common-session
Step 14: Update your sudoers file to include your domain administrators security group with full sudo access
Still using the root account, add a file to sudoers.d which follows the standard format for permissions, but enter the group as follows:
%mydomainadmingroup@MYDOMAIN.NET ALL=(ALL) NOPASSWD:ALL
An example way to do this (and the way our team did it) would be to run
sudo visudo -f /etc/sudoers.d/ad
and add the following
%Domain\ Admins@MYDOMAIN.NET ALL=(ALL) NOPASSWD:ALL
%Administrators@MYDOMAIN.NET ALL=(ALL) NOPASSWD:ALL
Note: you can also specify individual users by omitting the percent sign and entering a username instead of a group name.
realm permit -g mydomainadmingroup@MYDOMAIN.NET
for a specific group, or
realm permit --all
for everyone.
To login using ssh, you will need to ensure that your SSH configuration on the server allows password authentication.
This can be performed by editing /etc/ssh/sshd_config by replacing
PasswordAuthentication no
with
PasswordAuthentication yes
and restarting the SSH daemon with whatever service manager your box uses (systemctl, service, /etc/init.d/sshd, etc.). Alternatively, reboot the box.
You can verify your setup by attempting to ssh into the box from a different one with the following format:
ssh -l myusername@mydomain.net myserver
For example, connecting to a www box as user "john.doe" would be as follows:
ssh -l john.doe@team12.isucdc.com www