After the basic installation of Ubuntu 16.04 LTS Desktop, bring the system up to date.
sudo su -    # or: sudo -i
apt update && apt upgrade -y
Once the system is up to date, configure the network interface manually. The important part is that the client uses the domain controller as its DNS server: realmd and sssd locate the domain through the SRV records it serves, so the /etc/hosts entries below are only a fallback for name resolution, not a substitute for DNS.
cp /etc/hosts{,.old}
nano /etc/hosts

##### /etc/hosts ##################################
127.0.0.1       localhost
192.168.xxx.xxx clienthostname.htdom.local clienthostname
192.168.xxx.xxx ads01.htdom.local ads01 htdom.local
###################################################

dig -t SRV _ldap._tcp.htdom.local | grep -A2 "ANSWER SECTION"

;; ANSWER SECTION:
_ldap._tcp.htdom.local. 600 IN SRV 0 100 389 ads01.htdom.local.

apt install fping
fping ads01.htdom.local
fping htdom.local
fping ads01

ads01.htdom.local is alive
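To make the SRV check above repeatable, the following script picks the server a client would actually use from `dig -t SRV` output (lowest priority first, highest weight among equals) and compares it with the domain controller you expect. This is an added example and not part of the original post: the function names are this example's own, the embedded dig output is constructed (the second controller ads02 is hypothetical and does not appear in the post), and the query against the real resolver runs only when the script is called with --live.

```shell
#!/bin/sh
# Added example: choose the directory server a client would use from
# "dig -t SRV" output and compare it with the DC you expect.  Function
# names and the sample output below are constructed for this example.

# Print "host:port" of the preferred SRV target: lowest priority wins,
# and among equal priorities the highest weight wins.
srv_best_target() {   # srv_best_target "<dig -t SRV output>"
    printf '%s\n' "$1" | awk '
        # Answer lines: name TTL IN SRV priority weight port target.
        $4 == "SRV" && NF == 8 {
            prio = $5 + 0; weight = $6 + 0; port = $7; target = $8
            sub(/\.$/, "", target)                     # strip trailing dot
            if (best == "" || prio < bprio || (prio == bprio && weight > bweight)) {
                best = target ":" port; bprio = prio; bweight = weight
            }
        }
        END { print best }'
}

# Exit 0 when the preferred target is the expected DC, 1 otherwise.
srv_points_to() {   # srv_points_to "<dig output>" expected-host[:port]
    best=$(srv_best_target "$1")
    case "$2" in
        *:*) [ "$best" = "$2" ] ;;
        *)   [ "${best%:*}" = "$2" ] ;;
    esac
}

# Constructed dig output: ads01 is the primary (priority 0); ads02 is a
# hypothetical backup controller at priority 10 that the post does not have.
SAMPLE_DIG=';; QUESTION SECTION:
;_ldap._tcp.htdom.local.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.htdom.local.	600	IN	SRV	10 100 389 ads02.htdom.local.
_ldap._tcp.htdom.local.	600	IN	SRV	0 100 389 ads01.htdom.local.'

printf 'preferred LDAP server: %s\n' "$(srv_best_target "$SAMPLE_DIG")"

# Live check against the real resolver, only when asked for.  Both records
# must exist before "realm join"; _kerberos._tcp is how the KDC is found.
if [ "${1:-}" = "--live" ]; then
    for svc in _ldap._tcp _kerberos._tcp; do
        out=$(dig -t SRV "$svc.htdom.local")
        if srv_points_to "$out" ads01.htdom.local; then
            echo "$svc: ok ($(srv_best_target "$out"))"
        else
            echo "$svc: unexpected or missing SRV answer"; exit 1
        fi
    done
fi
```

Run it as `sh srvcheck.sh --live` on the client after setting the resolver; if `_kerberos._tcp` comes back empty while `_ldap._tcp` works, the resolver is not the domain controller's DNS and the join will fail at the Kerberos step.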
Once the client's DNS server is configured, install all packages needed to join the client to the AD.
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp vim -y
Configure the NTP service

Kerberos rejects tickets when the client clock is more than five minutes off the KDC, so the client synchronises its time against the domain controller. The service is already running after the package install, so restart it to pick up the new configuration.

cp /etc/ntp.{conf,old}
nano /etc/ntp.conf

##### /etc/ntp.conf ###############################
server ads01.htdom.local
###################################################

systemctl restart ntp.service
systemctl status ntp.service
Configure realmd

nano /etc/realmd.conf

##### /etc/realmd.conf ############################
[users]
default-home = /home/%D/%U
## default-home = /home/%U@%D
## default-home = /nfs/home/%D-%U
default-shell = /bin/bash
## default-shell = /bin/sh

[active-directory]
default-client = sssd
## default-client = winbind
os-name = Ubuntu Linux Desktop
os-version = 16.04

[service]
automatic-install = no
## automatic-install = yes

[htdom.local]
computer-ou = OU=Clients,OU=Company,DC=htdom,DC=local
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
###################################################
default-home: the home directory template for Active Directory users. With /home/%D/%U a user of this domain lands in /home/htdom.local/domainuser.
default-shell: the login shell given to domain users; bash is usually the preferred default.
default-client: sssd in our scenario; winbind is the other option.
os-name: the operating system name as it will appear on the computer object in Active Directory.
os-version: the operating system version as it will appear on the computer object in Active Directory.
automatic-install: set to no so that realmd does not try to install its dependencies itself; we installed them above.
computer-ou: the OU in which the computer account is created; the account used for the join needs the right to create computer objects there.
fully-qualified-names: set to no, this lets users log in with just their username, for example domainuser instead of DOM\domainuser or domainuser@htdom.local. Note, however, that this can clash with a local user of the same name; local accounts are looked up first, so the local user wins.
automatic-id-mapping: set to yes, UIDs and GIDs are derived from the users' and groups' SIDs (ldap_id_mapping in sssd.conf) instead of being read from POSIX attributes in AD. The IDs are only identical across machines that use the same mapping settings, which matters for NFS homes and other shared filesystems.
user-principal: set to yes, realmd sets a userPrincipalName attribute of the form host/clienthostname@HTDOM.LOCAL on the computer account when it joins.
manage-system: set to no if you do not want realmd to apply policies from the Active Directory environment to this machine.
Configure Kerberos

The realm name is the domain name in upper case. clockskew = 300 is the five-minute tolerance mentioned under NTP above.

cp /etc/krb5.{conf,old} && rm -f /etc/krb5.conf
nano /etc/krb5.conf

##### /etc/krb5.conf ##############################
[logging]
 default = FILE:/var/log/krb5/krb5.log
 kdc = FILE:/var/log/krb5/krb5kdc.log
 admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
 default_realm = HTDOM.LOCAL
 clockskew = 300

## The following krb5.conf variables are only for MIT Kerberos.
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 HTDOM.LOCAL = {
  kdc = ads01.htdom.local
  default_domain = htdom.local
  admin_server = ads01.htdom.local
 }

[domain_realm]
 .htdom.local = HTDOM.LOCAL
 htdom.local = HTDOM.LOCAL
###################################################
Add the client to the domain

The account that performs the join is given with --user (-U). Do not use --user-principal for this: that option sets the userPrincipalName of the computer account, not the joining user, and realmd already derives it from user-principal = yes in realmd.conf.

realm discover htdom.local
realm --verbose join htdom.local --user=administrator

## Who may log in to this system? Deny everyone first, then permit explicitly.
realm deny --all
realm permit helmut.thurnhofer
realm list

## All domain admins may log in to this system.
realm permit --groups Domänen-Admins@htdom.local

## Add the domain admins to sudoers
visudo
%Domänen-Admins@htdom.local ALL=(ALL:ALL) ALL

## Give an AD account the local groups of a desktop user
usermod -a -G adm,cdrom,sudo,dip,plugdev,lpadmin,sambashare username

The group name in sudoers has to resolve on the client exactly as written; check with id username that the group shows up and with sudo -l -U username that the rule applies. Note that the sudo group in the usermod line already grants full sudo on Ubuntu on its own, so every account you add there is root-equivalent regardless of the visudo entry.
Configure SSSD

realm join writes /etc/sssd/sssd.conf for us; check it rather than rewriting it. The commented-out lines are for starting over from scratch. The line simple_allow_users = $ is what realm deny --all writes: "$" matches no account, so with access_provider = simple nobody gets in until realm permit adds them.

cat /etc/sssd/sssd.conf
## cp /etc/sssd/sssd.{conf,old} && rm -f /etc/sssd/sssd.conf
## nano /etc/sssd/sssd.conf

### /etc/sssd/sssd.conf ###########################
[sssd]
domains = htdom.local
config_file_version = 2
services = nss, pam

[domain/htdom.local]
ad_domain = htdom.local
krb5_realm = HTDOM.LOCAL
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple
###################################################

The file must be owned by root and readable by nobody else, otherwise sssd refuses to start:

ls -la /etc/sssd/sssd.conf
-rw------- 1 root root 486 Sep 18 01:07 /etc/sssd/sssd.conf

## chown root:root /etc/sssd/sssd.conf
## chmod 600 /etc/sssd/sssd.conf

systemctl start sssd.service
systemctl enable sssd.service
systemctl status sssd.service
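The deny/permit step above and the access_provider = simple block in sssd.conf are what actually decide who may log in. The following script, an added example that is not part of the original post, reads that policy from an sssd.conf and tells you for a given id line whether the account would be admitted, recognising the "$" sentinel written by realm deny --all, and checks that the file is root:root 0600. The function names, the sample config and the id output for the hypothetical accounts jane.admin and john.doe are constructed for the example; that sssd matches a group listed as group@domain against the short name id shows is an assumption of this example, so confirm the real decision with a test login.

```shell
#!/bin/sh
# Added example: audit the login policy in an sssd.conf without touching the
# running system.  Function names, the sample config and the sample "id"
# output are constructed for this example; only --live reads /etc/sssd/sssd.conf.

# Print the value of KEY in [SECTION] of an ini-style FILE (sssd.conf layout).
ini_get() {   # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
    {
        line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == sec) { insec = 1; next }
        if (line ~ /^\[/) { insec = 0; next }
        if (!insec) next
        n = length(key)
        if (substr(line, 1, n) == key) {
            rest = substr(line, n + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest)
                print rest; exit
            }
        }
    }' "$1"
}

# Exit 0 when NAME is in the comma-separated LIST (case-insensitive, like AD).
in_csv_list() {   # in_csv_list NAME "a, b, c"
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qixF -- "$1"
}

# Group names from "id USER" output, one per line; the parenthesised form
# is parsed so that names with spaces ("domain users") survive.
id_groups() {   # id_groups "<output of id USER>"
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Decide whether the user in an "id" line may log in under access_provider =
# simple.  Exit 0 = allowed, 1 = denied, 2 = other provider, not audited.
sssd_login_allowed() {   # sssd_login_allowed FILE DOMAIN "<output of id USER>"
    file=$1; dom=$2; idout=$3
    user=$(printf '%s\n' "$idout" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    provider=$(ini_get "$file" "domain/$dom" access_provider)
    case "$provider" in
        simple) ;;
        "") echo "open: no access_provider, sssd defaults to permit"; return 0 ;;
        *)  echo "not audited: access_provider=$provider"; return 2 ;;
    esac
    allow_users=$(ini_get "$file" "domain/$dom" simple_allow_users)
    allow_groups=$(ini_get "$file" "domain/$dom" simple_allow_groups)
    # "realm deny --all" writes the sentinel "$", which matches no account.
    if [ "$allow_users" = '$' ] && [ -z "$allow_groups" ]; then
        echo "denied: realm deny --all is in effect"; return 1
    fi
    if in_csv_list "$user" "$allow_users"; then
        echo "allowed: $user is in simple_allow_users"; return 0
    fi
    # Groups may be listed short or as group@domain; this example compares
    # both spellings (assumption: sssd accepts either).
    oldifs=$IFS; IFS='
'
    for g in $(id_groups "$idout"); do
        if in_csv_list "$g" "$allow_groups" || in_csv_list "$g@$dom" "$allow_groups"; then
            IFS=$oldifs; echo "allowed: $user via group $g"; return 0
        fi
    done
    IFS=$oldifs
    echo "denied: $user is in neither simple_allow_users nor simple_allow_groups"
    return 1
}

# sssd refuses a world-readable config; insist on root:root 0600 (GNU stat).
sssd_conf_perms_ok() {   # sssd_conf_perms_ok FILE
    [ "$(stat -c '%a %U' "$1")" = "600 root" ]
}

# Constructed config in the shape realmd leaves after
# "realm permit helmut.thurnhofer" and "realm permit -g Domänen-Admins@htdom.local".
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = htdom.local
config_file_version = 2
services = nss, pam

[domain/htdom.local]
ad_domain = htdom.local
krb5_realm = HTDOM.LOCAL
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_users = helmut.thurnhofer
simple_allow_groups = Domänen-Admins@htdom.local
EOF

# Constructed "id" output; jane.admin and john.doe are hypothetical accounts.
ID_HELMUT='uid=1816601108(helmut.thurnhofer) gid=1816600513(domain users) groups=1816600513(domain users)'
ID_JANE='uid=1816601109(jane.admin) gid=1816600513(domain users) groups=1816600513(domain users),1816600512(domänen-admins)'
ID_JOHN='uid=1816601110(john.doe) gid=1816600513(domain users) groups=1816600513(domain users)'

for who in "$ID_HELMUT" "$ID_JANE" "$ID_JOHN"; do
    sssd_login_allowed "$SAMPLE_CONF" htdom.local "$who" || :
done

# Live run on the joined client: sh audit.sh --live some.user
if [ "${1:-}" = "--live" ]; then
    sssd_conf_perms_ok /etc/sssd/sssd.conf || echo "WARNING: /etc/sssd/sssd.conf is not root:root 0600"
    sssd_login_allowed /etc/sssd/sssd.conf htdom.local "$(id "$2")"
fi
```

The sample run prints allowed for helmut.thurnhofer (listed by name) and jane.admin (via the domain admins group) and denied for john.doe, which is the least-privilege outcome the deny-all/permit sequence is meant to produce.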
Configure PAM common-session for the home directory

pam_mkhomedir creates the home directory from /etc/skel on first login. umask=0022 gives the directory mode 0755, readable by every other user on the machine; use umask=0077 if home directories are to be private.

cp /etc/pam.d/common-session /etc/pam.d/common-session.old
nano /etc/pam.d/common-session

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

## or in one go:
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
Adjust the Ubuntu 16.04 login

Domain users are not in the greeter's user list, so the greeter needs a manual login field; hiding the local users keeps account names off the lock screen. Both keys go under the seat section already in that file. Note that files under /usr/share/lightdm/lightdm.conf.d/ belong to the package and can be overwritten on upgrade; the same two lines in a file under /etc/lightdm/lightdm.conf.d/ survive updates.

nano /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

greeter-show-manual-login=true
greeter-hide-users=true
So that's it again.
Have fun with it.
Regards, Helmut