apt-get update
apt-get install -y realmd
This configuration provides some sensible defaults to make things easier; you can modify options such as computer-ou to reflect your Active Directory OU structure.
[service]
automatic-install = no
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[mydomain.net]
computer-ou = OU=Computers,DC=mydomain,DC=net
automatic-id-mapping = yes
fully-qualified-names = no
Copy your configuration to /etc/realmd.conf
apt-get install -y sssd sssd-tools samba-common krb5-user adcli ntp
During the install an interactive prompt asks for the default realm to associate users with; this is your domain name in all caps.
You will then need to write each of the following configuration files into place using sudo and your preferred text editor.
Replace the default_realm of MYDOMAIN.NET with your domain's name in caps.
[libdefaults]
default_realm = MYDOMAIN.NET
ticket_lifetime = 24h
renew_lifetime = 7d
passwd: files winbind sss
group: files winbind sss
shadow: compat winbind
hosts: files dns winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files
Replace the workgroup MYDOMAIN with your domain name without the extension (the NetBIOS domain name), and replace the netbios name myservername with your server's name.
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = MYDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
netbios name = myservername
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
# This will prevent nmbd from searching for NetBIOS names through DNS.
dns proxy = no
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
# panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
Replace DC1.MYDOMAIN.NET and DC2.MYDOMAIN.NET in the two server lines with your domain controllers; if you only have one domain controller, keep a single line such as server DC1.MYDOMAIN.NET. (Each server line takes only the host name: ntpd rejects a line like "server 0 DC1.MYDOMAIN.NET" as a syntax error and ignores it.)
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Specify one or more NTP servers.
# Use your Domain Controllers for ntp (one "server <host>" line per DC).
server DC1.MYDOMAIN.NET
server DC2.MYDOMAIN.NET
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
Replace the default_domain_suffix of mydomain.net with your domain name.
# Ensure you set permissions for this file to 0600
[sssd]
services = nss, pam
config_file_version = 2
default_domain_suffix = mydomain.net
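Before rebooting and joining, it is worth checking that the files written above actually say what the join will rely on. The script below is an added example and not part of the original post: each function takes the path of the file to inspect (so it can be run against copies or the real files under /etc) and returns non-zero with a message on failure. The checks cover the computer-ou in realmd.conf, the upper-case default_realm in krb5.conf, the sss entries in nsswitch.conf, a server line in ntp.conf, and the 0600 permissions the sssd.conf comment asks for. RUN_CHECKS and the optional owner argument to check_sssd_perms are assumptions of this example, not realmd or sssd options.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-join checks for the files
# edited above. Each function takes the file path to inspect; exit status 0 = OK.
# RUN_CHECKS=1 (an assumed switch) runs every check against the live /etc files.

# realmd.conf: without a computer-ou line the computer object is created in the
# domain's default container rather than the OU you intended.
check_realmd_ou() {
    grep -Eq '^[[:space:]]*computer-ou[[:space:]]*=[[:space:]]*OU=' "$1" \
        || { echo "$1: no 'computer-ou = OU=...' line" >&2; return 1; }
}

# krb5.conf: default_realm must be present and upper-case. Kerberos realm names
# are case-sensitive and the realm join below uses the upper-case form.
check_krb5_realm() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || { echo "$1: default_realm missing" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] \
        || { echo "$1: default_realm '$realm' is not upper-case" >&2; return 1; }
}

# nsswitch.conf: passwd and group must consult sss, otherwise AD users can get a
# Kerberos ticket but cannot be resolved to a uid/gid at login time.
check_nsswitch_sss() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" \
            || { echo "$1: '$db:' line does not list sss" >&2; return 1; }
    done
}

# ntp.conf: Kerberos rejects tickets when clocks differ by more than the
# clock skew limit (five minutes by default), so at least one server line must
# point at a domain controller.
check_ntp_server() {
    grep -Eq '^[[:space:]]*server[[:space:]]+[A-Za-z0-9._-]+' "$1" \
        || { echo "$1: no 'server <host>' line" >&2; return 1; }
}

# sssd.conf: must be mode 0600 and owned by root; sssd refuses to start when the
# file is readable by anyone else. The optional owner argument only exists so a
# copy can be checked by a non-root user; on the real file leave it at root.
check_sssd_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U' "$1") || return 1
    [ "$mode" = "600" ] || { echo "$1: mode is $mode, expected 600" >&2; return 1; }
    [ "$owner" = "${2:-root}" ] \
        || { echo "$1: owner is $owner, expected ${2:-root}" >&2; return 1; }
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_realmd_ou /etc/realmd.conf &&
    check_krb5_realm /etc/krb5.conf &&
    check_nsswitch_sss /etc/nsswitch.conf &&
    check_ntp_server /etc/ntp.conf &&
    check_sssd_perms /etc/sssd/sssd.conf &&
    echo "all pre-join checks passed"
fi
```

Run it as root with RUN_CHECKS=1 before the reboot; a failing check names the file and the setting, which is far quicker than diagnosing a silent realm join failure afterwards.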
sudo shutdown -r now
You must first switch to the root account with sudo su to avoid issues. Then obtain a Kerberos ticket with an AD account that has permission to join computers to the domain; after you enter the command you will be prompted for the password. If everything in the previous configuration files is set correctly, this will succeed.
sudo su
kinit youraccountname
This step WILL NOT work unless you completed the previous step and obtained the Kerberos ticket. With the --unattended flag you will see no output unless there is an error. On Ubuntu 16.04 you need to include the --install flag to avoid the error about missing packages.
realm join MYDOMAIN.NET --unattended --install=/
sed -i "/pam_unix.so/a session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" /etc/pam.d/common-session
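The sed one-liner above appends a new pam_mkhomedir line after pam_unix.so every time it is run, so re-running the step (or re-running the whole script) leaves duplicate lines in common-session. The function below is an added example, not from the original post: it inserts the same line only if pam_mkhomedir is not already configured, and only after the first pam_unix.so line. The target file defaults to /etc/pam.d/common-session as in the post; count_pam_mkhomedir is a helper for checking the result.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent version of the
# pam_mkhomedir insertion. Safe to run repeatedly. Requires GNU sed (as on Ubuntu).

PAM_MKHOMEDIR_LINE='session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'

# Insert the pam_mkhomedir line after the first pam_unix.so line of the given
# PAM file (default: /etc/pam.d/common-session), unless it is already there.
add_pam_mkhomedir() {
    f=${1:-/etc/pam.d/common-session}
    if grep -q 'pam_mkhomedir\.so' "$f"; then
        echo "$f: pam_mkhomedir already configured, nothing to do" >&2
        return 0
    fi
    grep -q 'pam_unix\.so' "$f" \
        || { echo "$f: no pam_unix.so line to anchor on" >&2; return 1; }
    # 0,/re/ limits the substitution to the first matching line only.
    sed -i "0,/pam_unix\.so/s|\(.*pam_unix\.so.*\)|\1\n$PAM_MKHOMEDIR_LINE|" "$f"
}

# Number of pam_mkhomedir lines in the file; should be exactly 1 after the step.
count_pam_mkhomedir() {
    grep -c 'pam_mkhomedir\.so' "$1" || true
}
```

Because the check is on the module name rather than the exact line, an administrator who later tunes skel= or umask= by hand is not overwritten by a repeated run.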
Step 10: Update your sudoers file to include your domain administrators security group with full sudo access
Still using the root account, add a file under /etc/sudoers.d that follows the standard sudoers format, but enter the group as follows:
%mydomainadmingroup@MYDOMAIN.NET ALL=(ALL) NOPASSWD:ALL
realm permit -g mydomainadmingroup@MYDOMAIN.NET
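Writing the sudoers entry by hand is error-prone when the AD group name contains a space (sudoers needs the space escaped as "\ "), and a syntax error in a sudoers.d file can lock everyone out of sudo. The functions below are an added example and not from the original post: sudoers_line_for_group builds the line in the same form as the entry above for any group and realm, and install_sudoers_dropin writes it to a temporary file, validates it with visudo -c when visudo is available, and only then installs it with mode 0440. The destination path /etc/sudoers.d/ad-admins and the group names used in comments are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: generate and safely install the
# sudoers drop-in for an AD group. The realm is the same upper-case realm used
# with "realm permit" above.

# Print the sudoers line for a group and realm, escaping spaces in the group
# name so that e.g. "Domain Admins" becomes "%Domain\ Admins@REALM".
sudoers_line_for_group() {
    group=$1
    realm=$2
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL) NOPASSWD:ALL\n' "$escaped" "$realm"
}

# Write the line to a temp file, check it with visudo if present, then install
# it read-only (0440) at $dest (default /etc/sudoers.d/ad-admins, an assumed path).
# Run as root on the real system so the file ends up owned by root.
install_sudoers_dropin() {
    group=$1
    realm=$2
    dest=${3:-/etc/sudoers.d/ad-admins}
    tmp=$(mktemp) || return 1
    sudoers_line_for_group "$group" "$realm" > "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "generated sudoers entry failed the visudo syntax check, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    cp "$tmp" "$dest" && chmod 0440 "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Pair the drop-in with the matching realm permit -g command so that the group can both log in and escalate; the sudoers line on its own does not grant login.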
To login using ssh, you will need to ensure that your SSH configuration on the server allows password authentication.
ssh -l myusername@mydomain.net myserver
For step 10, how would I write a group for Domain Admins and a domain of CSMA.COM?