Integrate Linux Mint 17.1 to Windows Server 2012 Active Directory Domain Controller

by bytelinux, 14/02/2015

This tutorial describes how to join machines running Linux Mint 17.1 to a Windows Server 2012 Active Directory Domain Controller, so that remote accounts from the AD back-end identity provider can authenticate on local Linux workstations with the help of the SSSD service and the Realmd system DBus service.

The System Security Services Daemon (SSSD) is a relatively new service that provides cross-domain compatible methods for Active Directory users to authenticate to local machines, combining the username and the domain back-end name into the login identity. Logins keep working even if the Domain Controller goes offline, because SSSD caches credentials.

REQUIREMENTS

Windows Server 2012 configured as an Active Directory Domain Controller
A Linux Mint 17.1 client machine which will be integrated into the Windows PDC

Domain settings:
Domain Name: caezsar.lan
Windows Server 2012 AD FQDN: server.caezsar.lan
Windows Server 2012 AD IP Address: 192.168.1.130
Linux Mint Hostname: mint-desktop
Linux Mint IP Address: automatically assigned by DHCP
Linux Mint first DNS IP Address: manually assigned to point to the AD PDC, 192.168.1.130

STEP ONE Linux Mint Network Configuration

1. Before installing the services required to integrate the local machine into the PDC server, first make sure that the Windows Domain Controller is reachable through DNS resolution from the Linux Mint host, by adding the PDC's IP address to the DNS entries of the network configuration. To do this, open Network Settings, go to the network interface card (in this case the Wired Connection, but a Wireless Connection can be used as well), open it for editing (hit the settings icon at the bottom right) and add your PDC IP address in the IPv4 DNS field (switch Automatic DNS to OFF), as illustrated in the screenshots (network settings; edit network interface settings; add DNS IP address). If multiple Domain Controller machines exist on your network, you can add their IP addresses to the IPv4 DNS settings fields too.

2. After you're done, hit the Apply button and switch the edited network interface from ON to OFF and then back to ON in order to apply the new settings. After the network interface comes up again, open a Terminal console and issue a ping command against your PDC domain name to verify that the settings were applied successfully and that the domain name responds with the correct IP address and FQDN of the PDC (screenshots: apply network settings; ping domain controller).

If you want to avoid all these manual settings, configure a DHCP server on your premises to assign the network settings automatically, especially the DNS entries that point to your Windows PDC IP addresses, which are needed for DNS resolution in order to reach the AD PDC.
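The ping in step 2 only proves that the domain name has an A record. Active Directory also publishes its controllers in the _ldap._tcp SRV record, which realmd and SSSD use to find a DC, so the added script below (not part of the original tutorial) checks both records with dig; it assumes the tutorial's values (192.168.1.130, caezsar.lan, server.caezsar.lan) and the dnsutils package for dig.

```shell
#!/bin/sh
# Added example (not from the original tutorial): DNS checks to run on the
# Mint host after step 2, using the tutorial's values. Assumes dig (dnsutils).
DC_IP="192.168.1.130"
DOMAIN="caezsar.lan"
DC_FQDN="server.caezsar.lan"

# 0 if 'dig +short' output for a name ($1, one address per line) contains
# the DC address; this is what the ping in step 2 verifies by hand.
a_record_is_dc() {
    printf '%s\n' "$1" | grep -qxF "$DC_IP"
}

# 0 if 'dig +short SRV' output ($1, "prio weight port target." per line)
# names the DC. AD registers its controllers in the _ldap._tcp SRV record
# and realmd/SSSD locate the DC through it, so it must resolve as well.
srv_points_to_dc() {
    printf '%s\n' "$1" | awk -v fqdn="$DC_FQDN" \
        '{ t = $4; sub(/\.$/, "", t); if (t == fqdn) ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# Live check: both records must come back before 'realm discover' is tried.
check_live() {
    a_record_is_dc "$(dig +short "$DC_FQDN")" \
        || { echo "$DC_FQDN does not resolve to $DC_IP"; return 1; }
    srv_points_to_dc "$(dig +short SRV "_ldap._tcp.$DOMAIN")" \
        || { echo "no _ldap._tcp.$DOMAIN SRV record points at $DC_FQDN"; return 1; }
    echo "DNS is ready for realm discover $DOMAIN"
}
```

Run check_live on the Mint host; if the SRV lookup fails while the ping works, the resolver is not really asking the Domain Controller.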
STEP TWO Install Required Software Packages

As presented at the beginning of this tutorial, in order to integrate a Linux Mint machine into an Active Directory Domain Controller you need to install the SSSD service along with the following software packages and dependencies:

SSSD service (responsible for back-end realm authentication), with the following dependencies: sssd-tools (optional, but useful for manipulating the SSSD cache, users and groups), libpam-sss (PAM modules for local authentication) and libnss-sss (NSS modules for local name resolution)
Realmd (system DBus service which manages domain integration and local resource permissions)
The following Samba modules: samba-common-bin and samba-libs (file sharing compatibility between Windows and Linux machines)
Krb5-user (client network authentication and communication with the PDC server)
ADcli (tools for joining a domain and performing other actions on an AD)
PackageKit (Linux cross-platform package management, for interoperability and user privileges for software installations)

3. Now, let's start installing the packages enumerated above by opening a Terminal console on Linux Mint and issuing the following commands with sudo privileges. First install Realmd and the SSSD service:

sudo apt-get install realmd sssd sssd-tools libpam-sss libnss-sss

4. Next, install the Samba modules (by default these modules might already be installed on your system):

sudo apt-get install samba-libs samba-common-bin

5. Last, install the remaining packages: krb5-user, adcli and packagekit. For the krb5-user package, the installer will prompt you to enter the realm that will be used for Kerberos authentication. Use the name of the domain configured for your PDC in UPPERCASE (in this case the domain is CAEZSAR.LAN), then hit Enter to continue with the package installation (screenshot: Configure Kerberos realm).

sudo apt-get install krb5-user adcli packagekit

STEP THREE Edit Configuration Files for SSSD, Realmd and PAM

6. The next step before joining Linux Mint to the Windows Server AD PDC is to configure the local services for AD network authentication. By default the SSSD service has no configuration file under /etc/sssd/. To create a default configuration file for the SSSD service, issue the following command, which creates the file and opens it for editing in one go:

sudo nano /etc/sssd/sssd.conf

SSSD configuration file excerpt:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = CAEZSAR.LAN
config_file_version = 2
services = nss, pam

[domain/CAEZSAR.LAN]
ad_domain = CAEZSAR.LAN
krb5_realm = CAEZSAR.LAN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

While editing the file, make sure you replace the domains, [domain/], ad_domain and krb5_realm parameters accordingly. Use UPPERCASE, as the above file excerpt suggests.

The fallback_homedir = /home/%d/%u parameter causes the system to create the home directories of all domain users who log in under the path /home/domain_name/domain_user, so practically all your domain users' homes will be stored in a single directory named after your domain under /home. If you want to change this behavior so that domain users' homes are created like those of normal system users, /home/username, just remove the %d variable and you're done. For other options and parameters of the sssd.conf file, run the man sssd command.

After you finish editing the file, save it with CTRL+O, close it with CTRL+X and proceed with the instructions below.

7. The next step is to create and edit a configuration file for Realmd, in order to avoid possible package dependency problems, by issuing the following command:

sudo nano /etc/realmd.conf

Use the following configuration for the realmd file:

[service]
automatic-install = no

After you add the above lines, save the file and close it.

8. The last file you need to edit before joining the domain is the common-session PAM file. Open this file for editing with the command below and add the following line after the session optional pam_sss.so line, so that the system automatically creates home directories for newly authenticated AD users:

sudo nano /etc/pam.d/common-session

Add the following line, as shown in the screenshot (PAM common-session file):

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077

After you have edited the file, save it and close it, and proceed to the next step in order to make Linux Mint a part of the Windows Domain Controller.
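Before moving on to the join, the three files from steps 6 to 8 can be checked for the mistakes that most often break the join or the first login: a realm that differs between domains, [domain/...], ad_domain and krb5_realm, a lowercase realm, or the pam_mkhomedir line placed before pam_sss. The script below is an added example, not part of the tutorial; its check functions take file paths, so they can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the three
# files edited in steps 6-8 before 'realm join'. Each check prints the first
# problem it finds and returns 1; it returns 0 for the tutorial's excerpts.

# Print the value of key $2 in INI-style file $1 (first match, trimmed).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# sssd.conf: domains=, the [domain/...] header, ad_domain and krb5_realm must
# all carry the same UPPERCASE realm, and access_provider must be ad.
check_sssd_conf() {
    f="$1"
    dom=$(ini_get "$f" domains)
    sect=$(sed -n 's/^\[domain\/\(.*\)\]$/\1/p' "$f" | head -n 1)
    [ -n "$dom" ] || { echo "sssd.conf: missing domains="; return 1; }
    [ "$dom" = "$sect" ] \
        || { echo "sssd.conf: domains=$dom but section is [domain/$sect]"; return 1; }
    for key in ad_domain krb5_realm; do
        [ "$(ini_get "$f" "$key")" = "$dom" ] \
            || { echo "sssd.conf: $key must equal $dom"; return 1; }
    done
    [ "$dom" = "$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "sssd.conf: realm $dom must be UPPERCASE"; return 1; }
    [ "$(ini_get "$f" access_provider)" = "ad" ] \
        || { echo "sssd.conf: access_provider must be ad"; return 1; }
}

# realmd.conf: the tutorial turns automatic package installation off.
check_realmd_conf() {
    [ "$(ini_get "$1" automatic-install)" = "no" ] \
        || { echo "realmd.conf: automatic-install must be no"; return 1; }
}

# common-session: pam_mkhomedir.so must come after pam_sss.so (the session
# stack runs top to bottom) and carry umask=0077 so new homes are private.
check_pam_session() {
    sss=$(grep -n 'pam_sss\.so' "$1" | head -n 1 | cut -d: -f1)
    mk=$(grep -n 'pam_mkhomedir\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$sss" ] || { echo "common-session: no pam_sss.so line (libpam-sss installed?)"; return 1; }
    [ -n "$mk" ] || { echo "common-session: no pam_mkhomedir.so line"; return 1; }
    [ "$mk" -gt "$sss" ] \
        || { echo "common-session: pam_mkhomedir.so must follow pam_sss.so"; return 1; }
    grep -q 'pam_mkhomedir\.so.*umask=0077' "$1" \
        || { echo "common-session: pam_mkhomedir.so needs umask=0077"; return 1; }
}
```

On the Mint host, run check_sssd_conf /etc/sssd/sssd.conf, check_realmd_conf /etc/realmd.conf and check_pam_session /etc/pam.d/common-session as root. SSSD also refuses to start unless sssd.conf is mode 0600 and owned by root, so chmod 600 /etc/sssd/sssd.conf after editing it.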
STEP FOUR Join Linux Mint to Windows Server 2012 Active Directory Domain Controller

9. Before joining the Linux Mint client to the Windows PDC, first issue the discovery command against your domain name in order to view the complete realm configuration and the list of software packages that must be installed on the client machine before you enroll it in the realm:

sudo realm discover domain.tld

10. If everything is correctly set up on the client side and the domain controller responds, issue the following command in order to integrate the Linux Mint client machine into the Windows Server 2012 AD PDC:

sudo realm join domain.tld -U domain_administrator --verbose

Use the -U option to specify an Active Directory administrative user with privileges to add machines to the server, and the --verbose option to get debug output in case something goes wrong with the integration process. Once the command returns a successful status and adds Linux Mint to AD, you can use the sudo realm list command to view full details and the default configuration for your domain.

To manage the sssd service use the following command switches (you don't need to start the sssd service manually, because it is started automatically by realmd when the machine is enrolled in the realm):

sudo service sssd status|start|stop

11. To check that the machine appears on the Domain Controller, go to your Windows Server 2012, open the Active Directory Users and Computers utility and search for your Linux Mint hostname.

STEP FIVE Log In on Linux Mint with Active Directory Accounts

12. To authenticate on Linux Mint with an Active Directory user, first you need to add a permit rule to the local policies in order to grant access for all realm users on the local machine, by issuing the following command:

sudo realm permit --all

To grant access just to a specific AD user or group, use the following command syntax:

sudo realm permit -u AD_username
sudo realm permit -g AD_group

To withdraw access for a user, use the command with the --x switch:

sudo realm permit domain --x domain\AD_username

13. To perform Terminal console (command line) authentications on the Linux Mint host with an Active Directory account, use double backslashes to escape the backslash that separates the domain string from the user, as shown in the syntax below (you can append the dot domain or use just the domain string):

su - domain.tld\\AD_username
or
su - domain\\AD_username

14. To log in with an AD account on Linux using Putty, or to perform Linux Mint MDM GUI logins, use the following syntax:

domain\AD_username
domain.tld\AD_username

15. In case you have issues with AD user authentication on the Linux Mint logon screen, log in with a local user account and change the Login Window theme from an HTML theme to a GDM theme, log out, hit the Escape key in case the last logged-in user appears in the username login field, and continue the authentication process with an AD account as presented above.

STEP SIX Add Root Permissions to AD Domain Admins Users

16. In case you want to allow all Active Directory Domain Admins to have full administrative permissions, so that they can execute any command with root privileges on the Linux Mint machine, open the local sudoers file for editing and add the following line:

sudo nano /etc/sudoers
or
sudo visudo

Add this line after the %sudo line (replace domain.tld with your domain name):

%domain\ admins@domain.tld ALL=(ALL) ALL

17. In case you don't want your Linux Mint machine to be part of the domain anymore, issue the following command to leave the domain:

sudo realm leave domain.tld -U AD_admin_user --verbose

That's all! Now the machine running Linux Mint 17.1 is integrated as a part of the Windows Active Directory Domain Controller and can successfully replace your old Windows XP machine, for which Microsoft has stopped support, but keep in mind that some features and, especially, a large part of Active Directory Group Policy, don't apply on Linux systems.