sudo apt install adcli realmd sssd sssd-tools packagekit policykit-1
sudo apt install samba-common-bin samba-libs samba-dsdb-modules
sudo apt install krb5-user
sudo realm join wostal.eu
[sssd]
domains = wostal.eu
config_file_version = 2
services = nss, pam
[domain/wostal.eu]
ad_domain = wostal.eu
krb5_realm = WOSTAL.EU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_chksshpwd.so
# end of pam-auth-update config
session optional pam_mkhomedir.so skel=/etc/skel umask=077
sudo service sssd restart
[global]
netbios name = ALTAIR
workgroup = WOSTAL
security = ADS
realm = WOSTAL.EU
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config *:backend = ad
idmap config *:schema_mode = rfc2307
idmap config *:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
load printers = no
printcap name = /dev/null
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
kinit Administrator
sudo net ads join -U administrator