Unirse a un Dominio

Dependencias

  • Verifique si los pre-requisitos están instalados, si no, instálelos.
$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind

Revisiones Iniciales

  • Verifique si la lista de DNS en el cliente está configurado correctamente
$ sudo mcedit /etc/resolv.conf

        nameserver 192.168.0.1      # Primary DNServer IP, Active Directory     
        nameserver 192.168.1.1      # Secondary DNServer IP, Active Directory           
        search domainName
  • Verifique el archivo Hosts
$ sudo mcedit /etc/hosts

        127.0.0.1           localhost
        192.168.0.50        LinuxClient.domainName          LinuxClient
        192.168.0.1         primaryDC.domainName            primaryDC
        192.168.1.1         secondaryDC.domainName      secondaryDC
  • Edite el archivo de configuración de Kerberos
$ sudo mcedit /etc/krb5.conf

    [libdefaults]
            default_realm = DOMAINNAME
            clockskew = 300

    [realms]
            DOMAINNAME = {
                kdc = 192.168.0.1
                kdc = 192.168.1.1
                default_domain = domainName
                admin_server = 192.168.0.1
                admin_server = 192.168.1.1
            }

            domainName = {
                kdc = 192.168.0.1
                kdc = 192.168.1.1
                default_domain = domainName
                admin_server = 192.168.0.1
                admin_server = 192.168.1.1
            }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
        .domainName = domainName
        domainName = domainName

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
        }
  • Ahora podremos generar los tickets de Kerberos (Utilizando Kerberos REALM)
$ sudo kinit Administrator@DOMAINNAME
  • Edite el archivo de configuración de Samba
$ sudo mcedit  /etc/samba/smb.conf

    [global]
        security = ADS
        netbios name = LinuxClient
        realm = DOMAINNAME
        password server = primaryDC.domainname
        workgroup = WORKGROUPNAME (Domain Short Name)
        log level = 1
        syslog = 0
        idmap uid = 10000-29999
        idmap gid = 10000-29999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no
        server string = Linux Active Directory Client
        encrypt passwords = yes
        idmap cache time = 30
        idmap negative cache time = 12
        winbind cache time = 30
  • Joinee el Cliente al Dominio
$ sudo net ads join -S primaryDC.domainName -U Administrator
  • Ahora deberíamos editar el archivo nsswitch.conf para habilitar usuarios de AD y sus contraseñas.
$ sudo mcedit /etc/nsswitch.conf

    passwd:     files winbind
    group:      files winbind
    shadow:     files winbind
    hosts:      files dns winbind
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis
    sudoers:    files
  • Para configurar el acceso de Usuarios de Domino tambien debemos configurar los archivos PAM:
$ sudo mcedit /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so try_first_pass

$ sudo mcedit /etc/pam.d/common-password

password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

$ sudo mcedit /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass

$ sudo mcedit /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
  • Finalmente, modifique el archivo de sudoers, pero con cuidado o podrías auto-bloquearte en el sistema.
$ sudo mcedit /etc/sudoers


# This file MUST be edited with the 'visudo' command as root.                                                                    
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

%DOMAINNAME+linuxAdmin ALL=(ALL) ALL

%DOMAINNAME+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less/var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*

Finalmente, puede reiniciar y probar el login de Dominio localmente o con SSH.

Fuente

Last modified at Jun 8, 2023
← Revertir Netplan a Interfaces
Configurar los Dispositivos de Red con Nombre Legacy (eth0) →