Client Linux in dominio Windows

Tags: linux, mint, redhat, ubuntu, debian, slackware, fedora, unix, windows, 2012, R2, 2016, 2019, sssd

Questa guida spiega come configurare un client linux (nel mio caso mint) e aggiungerlo ad un dominio microsoft windows utilizzando sssd in quanto winbind è deprecato.

# Prima di tutto... :)
sudo passwd

# Si parte
su -

# Aggiorniamo i repository
apt-get update

# Installazione SSH per accedere da remoto
apt-get install openssh-server

# /etc/hosts # il file hosts deve contenere sia il nostro computer che i server di dominio
127.0.0.1 miocomputer.miodominio.local miocomputer
127.0.1.1 MIOCOMPUTER
10.10.14.3 mioserverdidominio.miodominio.local mioserverdidominio # ad - dns1
10.10.14.4 mioserverdidominiosecondario.miodominio.local mioserverdidominiosecondario # ad - dns2
192.168.0.250 mioserverdidominioterziario.miodominio.local mioserverdidominioterziario # ad - dns3

# Installazione software necessari
apt-get install oddjob oddjob-mkhomedir sssd samba-common-bin adcli libpam-sss libnss-sss sssd-tools
apt-get install krb5-user
apt-get install realmd

# Ricerca dominio
realm discover -v miodominio.local

# Join dominio
realm join -v MIODOMINIO.LOCAL -U administrator # -U con qualsiasi utenza Admin

# Configurazione samba # /etc/samba/smb.conf
[global]
netbios name = MIOCOMPUTER
workgroup = MIODOMINIO
realm = MIODOMINIO.LOCAL
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
#realm = MIOCOMPUTER.MIODOMINIO.LOCAL
security = ads
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .

pam password change = yes
map to guest = bad user

template shell = /bin/bash
template homedir = /home/%D/%U

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

# Verifica permessi SSSD
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

# /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = miodominio.local
config_file_version = 2
services = nss, pam

[domain/miodominio.local]
ad_domain = miodominio.local
krb5_realm = MIODOMINIO.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

# common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_sss.so use_first_pass
#auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config

# common-account
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config

# common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config

# common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config


# Abilitare nel common-session la possibilità di creare la propria home alla login # /etc/pam.d/common-session
#session optional pam_mkhomedir.so skel = /etc/skel/ umask=0077

# Abilitare login remoto grafico # /usr/share/lightdm/lightdm.conf.d/50-greeter-wrapper.conf
[Seat:*]
greeter-wrapper=/usr/lib/lightdm/lightdm-greeter-session
greeter-hide-users=false
greeter-show-manual-login=true
allow-guest=false

# Visudo membro che può avere previlegi root - visudo
administrator@miodominio.local ALL=(ALL) ALL

# Autenticazione Kerberos
kinit -V administrator


# LOGIN

MIODOMINIO@marco.ratti

Commenti

 Aggiungi commento

---

---

Le ultime notizie relative a questo argomento

 Trasformare un vecchio raspberry pi 1 in un gateway... vpn :) (18/12/2019 - 11:41, letto 3589 volte)
 Client Linux in dominio Windows (18/12/2019 - 01:39, letto 7608 volte)

---

Tutte le notizie relative a questo argomento