Install the required packages:
sudo apt install krb5-user samba sssd chrony
Kerberos
Modify the Kerberos config:
sudo nano /etc/krb5.conf
Set the default realm to the AD domain name in upper case (Kerberos realm names are case-sensitive, and AD realms are always upper case):
[libdefaults]
    default_realm = DOMAIN.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d
Time Sync
Modify the Chrony config:
sudo nano /etc/chrony/chrony.conf
Comment out the existing pool and server lines and add the domain controller (or another time source the domain controllers themselves are synchronised with). This step is not optional: Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the allowed skew, five minutes by default, and a drifted clock is the most common reason kinit and the domain join fail:
server dc.domain.com iburst
Samba
Modify the Samba config:
sudo nano /etc/samba/smb.conf
workgroup is the short (NetBIOS) domain name and realm is the DNS domain name in upper case. kerberos method = secrets and keytab makes the join store the machine's Kerberos keys in /etc/krb5.keytab, which SSSD later uses to authenticate to the domain controllers. client signing = yes enables SMB signing for connections Samba makes as a client; set it to mandatory if signing must be enforced rather than offered:
[global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    security = ads
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
SSSD
No default SSSD config exists, so create it:
sudo nano /etc/sssd/sssd.conf
access_provider = ad matters: without an access provider SSSD defaults to permit, which lets any domain account with a valid password log in. With ad, disabled and expired accounts are rejected and, depending on the SSSD version, GPO logon rights (ad_gpo_access_control) are evaluated as well:
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM

[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
# Use these if domain users end up with / as their home directory.
# This gives /home/DOMAIN-FQDN/user as $HOME; pair it with pam_mkhomedir.so so
# the directory is created at first login.
override_homedir = /home/%d/%u
override_shell = /bin/bash
Set ownership and permissions on the config file. SSSD refuses to start if the file is owned by anyone but root or readable by group or others:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
Join Domain
Restart chrony and Samba to apply the configuration changes:
sudo systemctl restart chrony.service
sudo systemctl restart smbd.service nmbd.service
Test the configuration by obtaining a Kerberos ticket for an account that is allowed to join computers to the domain (Administrator is used here). The sudo matters: net ads join -k below runs as root and reads root's credential cache, so the ticket has to be obtained as root as well:
sudo kinit Administrator
Verify the ticket with:
sudo klist
If a ticket for krbtgt/DOMAIN.COM@DOMAIN.COM with an expiry time is listed, join the domain using that ticket (-k). This creates the computer account in AD and, because of kerberos method = secrets and keytab, writes the machine's keys to /etc/krb5.keytab:
sudo net ads join -k
Only now start SSSD, since the AD provider needs that keytab to reach the domain controllers (started before the join it stays offline). Once the join has succeeded, discard the administrator ticket with kdestroy so it does not linger in root's credential cache:
sudo systemctl start sssd.service
Autocreate Home Directory
Domain users have no local home directory, so create one at first login:
sudo nano /etc/pam.d/common-session
Directly after the session required pam_unix.so line, add:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
umask=0022 creates home directories that every other local and domain user can read (mode 0755); use umask=0077 if home directories should be private. Note that on Debian and Ubuntu common-session is generated by pam-auth-update, which overwrites manual edits when it runs; the durable equivalent is to run pam-auth-update and enable "Create home directory on login".
You should now be able to log in as a domain user and get a home directory.
If login isn't working, reboot the server first so every service picks up the new configuration, then try logging in again.
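As an added example that is not part of the original post, the script below checks the four things the procedure above depends on after the join: the default realm is upper case, the clock is inside Kerberos' five-minute skew, the join left a host/ principal for that realm in /etc/krb5.keytab, and a domain user resolves with the overridden home directory and shell. Each check takes the tool's text output as an argument, so the script exercises itself against constructed sample output (realm DOMAIN.COM, host server.domain.com, user jdoe are made up) when run with no arguments, and runs the real commands when given --live. The function names are mine; the tools it calls (chronyc tracking, klist -k, getent passwd, stat) are the standard ones.

```shell
#!/bin/sh
# Post-join health check for the Kerberos/chrony/Samba/SSSD setup above.
# Added example, not part of the original post. Each check takes the tool's
# text output as an argument, so it can be exercised against the constructed
# sample output below without a domain; "--live" runs it against the real host.
set -u

# MIT Kerberos rejects requests whose timestamp is off by more than clockskew,
# 300 seconds by default, so the NTP offset must be well inside that.
MAX_SKEW_SECONDS=300

# krb5_default_realm KRB5_CONF_TEXT: print default_realm from [libdefaults].
krb5_default_realm() {
    printf '%s\n' "$1" | awk '
        /^\[/ { s = $0; sub(/[ \t]+$/, "", s); in_lib = (s == "[libdefaults]") }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[ \t]*default_realm[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# realm_is_upper REALM: AD realms are the DNS domain name in upper case;
# Kerberos treats DOMAIN.COM and domain.com as different realms.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# chrony_skew_ok TRACKING_OUTPUT MAX_SECONDS: parse `chronyc tracking`; succeed
# when chrony is synchronised and the System time offset is below MAX_SECONDS.
chrony_skew_ok() {
    local tracking="$1" max="$2" offset leap
    offset=$(printf '%s\n' "$tracking" | awk '/^System time/ { print $4 }')
    leap=$(printf '%s\n' "$tracking" | awk -F': *' '/^Leap status/ { print $2 }')
    [ -n "$offset" ] && [ "$leap" = "Normal" ] || return 1
    # awk does the float comparison; shell arithmetic is integer-only.
    awk -v o="$offset" -v m="$max" 'BEGIN { exit !(o < m && o > -m) }'
}

# keytab_has_host_principal KLIST_OUTPUT REALM: `net ads join -k` writes the
# machine keys to /etc/krb5.keytab; SSSD needs a host/ principal in REALM there.
keytab_has_host_principal() {
    printf '%s\n' "$1" | grep -Eq "^ *[0-9]+ +host/[^@ ]+@$2\$"
}

# home_dir_ok PASSWD_LINE: with override_homedir/override_shell set, getent
# passwd must show a home under /home/ (not /) and /bin/bash as the shell.
home_dir_ok() {
    local home shell
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$home" in /home/?*) ;; *) return 1 ;; esac
    [ "$shell" = "/bin/bash" ]
}

# run_live [USER]: run the checks against this host (root is needed for the keytab).
run_live() {
    local realm
    realm=$(krb5_default_realm "$(cat /etc/krb5.conf)")
    realm_is_upper "$realm" || echo "FAIL: default_realm '$realm' is not upper-case"
    chrony_skew_ok "$(chronyc tracking)" "$MAX_SKEW_SECONDS" \
        || echo "FAIL: clock not synchronised within ${MAX_SKEW_SECONDS}s"
    keytab_has_host_principal "$(klist -k /etc/krb5.keytab)" "$realm" \
        || echo "FAIL: no host/ principal for $realm in /etc/krb5.keytab"
    [ "$(stat -c '%U:%a' /etc/sssd/sssd.conf)" = "root:600" ] \
        || echo "FAIL: /etc/sssd/sssd.conf must be root-owned, mode 0600"
    if [ -n "$1" ]; then
        home_dir_ok "$(getent passwd "$1")" || echo "FAIL: no /home/... dir or bash shell for $1"
    fi
}

# Constructed sample output (not captured from a real domain).
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = DOMAIN.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d'
SAMPLE_TRACKING='Reference ID    : 0A000005 (dc.domain.com)
Stratum         : 4
System time     : 0.000215421 seconds slow of NTP time
Leap status     : Normal'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.domain.com@DOMAIN.COM
   2 SERVER$@DOMAIN.COM'
SAMPLE_PASSWD='jdoe:*:1234567:1234567:Jane Doe:/home/domain.com/jdoe:/bin/bash'

if [ "${1:-}" = "--live" ]; then
    run_live "${2:-}"
else
    realm=$(krb5_default_realm "$SAMPLE_KRB5_CONF")
    realm_is_upper "$realm" && echo "sample: default_realm $realm"
    chrony_skew_ok "$SAMPLE_TRACKING" "$MAX_SKEW_SECONDS" && echo "sample: clock skew within limit"
    keytab_has_host_principal "$SAMPLE_KLIST" "$realm" && echo "sample: host/ principal present"
    home_dir_ok "$SAMPLE_PASSWD" && echo "sample: home and shell overridden"
fi
```

Run it as root with `--live jdoe` (substituting a real domain user) right after `net ads join -k`; any FAIL line points at the step above that needs revisiting. The keytab check is the one that distinguishes a real join from a kinit that merely worked: an Administrator ticket in root's cache proves the realm and clock are right, but only the host/ entry in /etc/krb5.keytab lets SSSD authenticate the machine itself once that ticket is destroyed.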