@tomaszwostal
Last active November 18, 2018 13:08
Joining AD domain on Raspbian Stretch


Install the required packages

sudo apt install adcli realmd sssd sssd-tools packagekit policykit-1

sudo apt install samba-common-bin samba-libs samba-dsdb-modules

sudo apt install krb5-user

Join the realm

sudo realm join wostal.eu

Update the /etc/sssd/sssd.conf file

[sssd]
domains = wostal.eu
config_file_version = 2
services = nss, pam

[domain/wostal.eu]
ad_domain = wostal.eu
krb5_realm = WOSTAL.EU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

Configure PAM by editing the /etc/pam.d/common-session file (the last line, pam_mkhomedir, is the only addition; it creates the home directory on first login)

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_sss.so
session optional        pam_systemd.so
session optional        pam_chksshpwd.so
# end of pam-auth-update config
session optional  pam_mkhomedir.so skel=/etc/skel umask=077

Restart the sssd service

sudo service sssd restart

Edit /etc/samba/smb.conf file

[global]
        netbios name = ALTAIR
        workgroup = WOSTAL
        security = ADS
        realm = WOSTAL.EU
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        # default domain (BUILTIN and everything not matched below) allocates locally
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        # the AD domain reads uidNumber/gidNumber from the directory; its range
        # must not overlap the default range above
        idmap config WOSTAL:backend = ad
        idmap config WOSTAL:schema_mode = rfc2307
        idmap config WOSTAL:range = 3000000-4000000


        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes

        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Join the domain with Samba (net ads join), so winbind gets its own machine credentials

kinit Administrator

sudo net ads join -U administrator
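As an added check before running net ads join (this script is not part of the original gist), the function below reads the idmap section of an smb.conf and rejects the classic mistakes: a domain defined twice, a default "*" backend other than tdb/autorid, a malformed range, or ranges that overlap. The sample files it writes are constructed here to mirror the corrected layout above and the duplicate-"*" variant.

```shell
#!/bin/sh
# Added example, not from the gist: validate "idmap config" lines in an smb.conf.
check_idmap() {   # usage: check_idmap /path/to/smb.conf ; exit status 0 = pass
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*idmap config [^:]+:(backend|range)[[:space:]]*=/ {
            line = $0
            sub(/^[[:space:]]*idmap config /, "", line)
            split(line, kv, /[[:space:]]*=[[:space:]]*/)   # kv[1]="DOM:key", kv[2]=value
            split(kv[1], dk, ":")                           # dk[1]=domain, dk[2]=key
            dom = dk[1]; key = dk[2]; val = kv[2]
            gsub(/[[:space:]]+$/, "", val)
            if ((dom, key) in seen) { printf "FAIL: %s:%s defined twice\n", dom, key; bad = 1 }
            seen[dom, key] = val
            if (key == "range") {
                split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0; doms[dom] = 1
            }
        }
        END {
            b = seen["*", "backend"]
            if (b != "tdb" && b != "autorid") { printf "FAIL: *:backend is \"%s\", expected tdb or autorid\n", b; bad = 1 }
            for (d in doms) {
                if (lo[d] <= 0 || lo[d] >= hi[d]) { printf "FAIL: bad range for %s\n", d; bad = 1 }
                if (d != "*" && !((d, "backend") in seen)) { printf "FAIL: %s has a range but no backend\n", d; bad = 1 }
                for (e in doms)
                    if (d < e && lo[d] <= hi[e] && lo[e] <= hi[d]) { printf "FAIL: ranges of %s and %s overlap\n", d, e; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Constructed samples: good.conf uses tdb for "*" and a separate ad backend/range
# for the WOSTAL domain; bad.conf gives "*" both backends and both ranges.
write_samples() {   # usage: write_samples /some/dir
    printf '[global]\n\tidmap config *:backend = tdb\n\tidmap config *:range = 70001-80000\n\tidmap config WOSTAL:backend = ad\n\tidmap config WOSTAL:schema_mode = rfc2307\n\tidmap config WOSTAL:range = 3000000-4000000\n' > "$1/good.conf"
    printf '[global]\n\tidmap config *:backend = tdb\n\tidmap config *:range = 70001-80000\n\tidmap config *:backend = ad\n\tidmap config *:range = 3000000-4000000\n' > "$1/bad.conf"
}

dir=$(mktemp -d); write_samples "$dir"
check_idmap "$dir/good.conf" && echo "good.conf: OK"
check_idmap "$dir/bad.conf" || echo "bad.conf: rejected"
rm -r "$dir"
```

Run it against the real file with `check_idmap /etc/samba/smb.conf` after sourcing the script; `testparm` still has the final say on overall syntax.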
