Integrate Linux Mint 17.1 to Windows Server 2012 Active Directory Domain Controllerby bytelinux 14/02/2015This tutorial will describe how you can join machines that run Linux Mint 17.1 OS to Windows 2012 Active Directory Domain Controller in order to authenticate remote accounts from AD back end identity provider to local Linux workstations with the help of SSSD service and Realmd system DBus service.The System Security Services Daemon (SSSD) is a relative new service which provides cross-domain compatible methods for Active Directory users to authenticate to local machines using a combination of usernames and domain back end name to create the login identity, even if the Domain Controller goes offline (SSSD caches credentials).REQUIREMENTSWindows Server 2012 configured as an Active Directory Domain Controller

A Linux Mint 17.1 client machine which will be integrated to Windows PDC

Domain Settings: Domain Name: caezsar.lan

Windows Server 2012 AD FQDN: server.caezsar.lan

Windows Server 2012 AD IP Address: 192.168.1.130

Linux Mint Hostname: mint-desktop

Linux Mint IP Address: automatically assigned by DHCP

Linux Mint first DNS IP Address: Manually assigned to point to AD PDC 192.168.1.130

STEP ONE Linux Mint Network Configuration1. Before starting with installing the required services in order to integrate the local machine to the PDC Server, first we need to assure that Windows Domain Controller is reachable through DNS resolution on Linux Mint host by adding the DNS PDC IP Address on our Network Configuration. To achieve this goal, first open Network Settings, go to the Network Interface Card (in this case is the Wired Connection, but you can use a Wireless Connection also), open it for editing (hit the settings icon from bottom right) and add your PDC IP Address on IPv4 DNS filed (switch Automatic DNS to OFF) as illustrated in the following screenshots:network settingsnetwork settingsedit network interface settingsedit network interface settingsadd DNS IP Addressadd DNS IP AddressIf multiple Domain Controllers machines exists on your network then you can also add their IP Addresses on IPv4 DNS settings fields.
2. After youre done, hit on Apply button and switch the edited Network Interface from ON to OFF and then back to ON in order to apply the new settings. After the network interface is started again, open a Terminal console and issue a ping command against your PDC domain name in order to verify if the settings are successfully applied and the domain name responds with the correct IP Address and FQDN of the PDC.apply network settingsapply network settingsping domain controllerping domain controllerIf you want to avoid all this manual settings, then configure a DHCP server at your premises to automatically assign network settings, especially DNS entries, that will point to your Windows PDC IP Addresses needed for DNS resolution in order to reach the AD PDC.STEP TWO Install Required Software PackagesAs presented at the beginning of this tutorial, in order to integrate a Linux Mint machine to an Active Directory Domain Controller you need to install the SSSD service along with the following software packages and dependency: SSSD service (responsible with back end realm authentication) with the following dependencies: sssd-tools (optional, but useful for sssd cache, user and groups manipulation), libpam-sss (PAM modules for local authentication) and libnss-sss (NSS modules for local DNS resolution) Realmd (system DBus service which manages domain integration and local resources permissions) The following Samba Modules: samba-common-bin and samba-libs (File sharing compatibility between Windows and Linux machines) Krb5-user (Client network authentication and communication with the PDC server) ADcli (Tools for joining domain and perform other actions on an AD) PackageKit (Linux cross-platform packages management for interoperabillity and user privileges for software installations)3. Now, lets start installing the above enumerated packages by opening a Terminal console on Linux Mint and issuing the following commands with sudo privileges:First install Realmd and SSSD service:sudo apt-get install realmd sssd sssd-tools libpam-sss libnss-sssinstall realmd and sssd serviceinstall realmd and sssd service
4. Next install Samba modules (by default this modules might be already installed on your system):sudo apt-get install samba-libs samba-common-bininstall samba modulesinstall samba modules
5. Last, install the other remained packages: krb5-user, adcli and packagekit. On krb5-user package, the installer will prompt you to enter the realm that will be used for Kerberos authentication. Use the name of the domain configured for your PDC with UPPERCASE (in this case the domain is CAEZSAR.LAN), then hit Enter key to continue further with the installation packages.sudo apt-get install krb5-user adcli packagekitinstall kerberos, adcli and packagekit packages install kerberos, adcli and packagekit packagesConfigure Kerberos realmConfigure Kerberos realmSTEP THREE Edit Configuration Files for SSSD, Realmd and PAM6. Next step before starting joining Linux Mint to Windows Server AD PDC is to configure the local services for AD network authentication. By default the SSSD service has no configuration file defined on /etc/sssd/ path. In order to create a default configuration file for SSSD service, issue the following command to create andsimultaneous edit the file:sudo nano /etc/sssd/sssd.conf
SSSD configuration file excerpt:[nss]filter_groups = rootfilter_users = rootreconnection_retries = 3[pam]reconnection_retries = 3[sssd]domains = CAEZSAR.LANconfig_file_version = 2services = nss, pam[domain/CAEZSAR.LAN]ad_domain = CAEZSAR.LANkrb5_realm = CAEZSAR.LANrealmd_tags = manages-system joined-with-adclicache_credentials = Trueid_provider = adkrb5_store_password_if_offline = Truedefault_shell = /bin/bashldap_id_mapping = Trueuse_fully_qualified_names = Falsefallback_homedir = /home/%d/%uaccess_provider = adsssd configuration filesssd configuration fileWhile editing the file make sure you replace domains, [domain/],ad_domain andkrb5_realmparameters accordingly. Use the UPPERCASES as the above file excerpt suggests.The fallback_homedir = /home/%d/%u parameter will cause the system to create home directories for all domain logged in users with the following path: /home/domain_name/domain_user, so practically all your domain users homes will be stored into a single directory named after your domain name on /home path. If you want to change this behavior so all domain users homes should be created as normal system users, /home/username, just remove %d variable and youre done.For other options and parameters concerning sssd.conf file run man sssd command.After you finish editing the file, save it with CTRL+O , close it with CTRL+X and proceed further with the below instructions.7. The next step is to create and edit a configuration file for Realmd in order to avoid some eventual package dependency problems by issuing the following command:sudo nano /etc/realmd.conf
Use the following configurations for realmd file:[service]automatic-install = norealmd conf filerealmd conf fileAfter you add the above lines, save the file and close it.8. The last file that you need to edit before joining the domain is the common-session PAM file. So, open this file for editing by running the below command and add the following line after the session optional pam_sss.so line in order for the system to automatically create home directories for the new authenticated AD users .sudo nano /etc/pam.d/common-session
Add the following line as presented on the below screenshot:session optional pam_mkhomedir.so skel = /etc/skel/ mask=0077PAM common-session filePAM common-session fileAfter you have edited the file, save it and close it, and proceed to the next step in order to make Linux Mint a part of the Windows Domain Controller.STEP FOUR Join Linux Mint to Windows Server 2012 Active Directory Domain Controller9. Before joining the Linux Mint client to Windows PDC, first issue the discovery command against your domain name in order to view the complete realm configurations and a package list of software that must be installed on the client machine before you enroll it in the realm.sudo realm discover domain.tldrealm discover domainrealm discover domain10. If everything is correctly setup at the client side and the domain controller responds, issue the following command in order to integrate Linux Mint client machine to Windows Server 2012 AD PDC.sudo realm join domain.tld -U domain_administrator --verbosejoin AD domainjoin AD domainUse the -U option to specify an Active Directory administrative user with privileges to add machines on the server and the --verbose option to get debug output in case something goes wrong with the integration process.Once the command returns successfully status and ads Linux Mint to AD you can use the sudo realm list command to view full details and the default configurations for your domain.list realmlist realmTo manage sssd service use the following command switches (you dont need to manually start the sssd service because its automatically started by the realmd when the machine is enrolled to realm):sudo service sssd status|start|stop11. To check if the machine appears on the Domain Controller, go to your Windows Server 2012, open Active Directory Users and Computers utility and search your Linux Mint hostname.Active Directory Users and ComputersActive Directory Users and ComputersSTEP FIVE Log In on Linux Mint with Active Directory Accounts12. To authenticate on Linux Mint with and an Active Directory user, first you need to add a permit rule on local policies in order to grant access for all realm users on local machine, by issuing the following command:sudo realm permit --all
To grant access just for a specific AD user or group use the following command syntax:sudo realm permit -u AD_usernamesudo realm permit -g AD_groupTo withdraw access for a user use the command with --x switch:sudo realm permit domain --x domain\AD_username13. To perform Terminal console command line authentications on Linux Mint host with an Active Directory account, use double backslashes to escape the backslash which separates the domain string from user, as shown in the below syntax (you can append the dot domain or use just the domain string):su - domain.tld\\AD_usernameorsu - domain\\AD_usernameAD user loginAD user loginad user login without dot domainad user login without dot domain14. To log in with an AD account on Linux using Putty or to perform Linux Mint MDM GUI logins use the following syntax:domain\AD_usernamedomain.tld\AD_usernameAD user Putty loginAD user Putty loginAd user GUI loginAd user GUI login15. In case you have issues with AD users authentication on Linux Mint Logon Screen, log in with a local user account and change the Login Window Theme from an HTML theme to a GDM theme, log out, hit Escape key is case the last logged in user appears on username Login filed and continue the authentication process with a AD account as presented above.Use GDM themeUse GDM themeGDM login screenGDM login screenSTEP SIX Add Root Permissions to AD Domain Admins Users16. In case you want to allow all Active Directory Domain Admins to have full administrative permissions in order to execute any command with root privileges on the Linux Mint machine, open the local sudoers file for editing and add the following line:sudo nano /etc/sudoersorsudo visudo
Add this line after %sudo line:%domain\ admins@domain.tld ALL=(ALL) ALLadd domain admins root privilegesadd domain admins root privileges17. In case you dont want your Linux Mint machine to be a part of the domain anymore, issue the following command to leave the domain:sudo realm leave domain.tld -U AD_admin_user --verboseleave AD PDCleave AD PDCThats all! Now, the machine running Linux Mint 17.1 is integrated as a part of Windows Active Directory Domain Controller and can successfully replace your old Windows XP machine, for which Microsoft has stopped its support, but keep in mind that some features and, especially, a huge part of Active Directory Group Policy, dont apply on Linux systems.