{"id":1285,"date":"2015-05-06T15:16:00","date_gmt":"2015-05-06T20:16:00","guid":{"rendered":"http:\/\/www.alandmoore.com\/blog\/?p=1285"},"modified":"2015-05-06T16:33:44","modified_gmt":"2015-05-06T21:33:44","slug":"joining-debian-8-to-active-directory","status":"publish","type":"post","link":"https:\/\/alandmoore.com\/blog\/2015\/05\/06\/joining-debian-8-to-active-directory\/","title":{"rendered":"Joining Debian 8 to Active Directory"},"content":{"rendered":"

Joining a GNU\/Linux machine to a Microsoft Active Directory has been possible for years, but it’s always been a bit of a science project that involved touching half-a-dozen obscure config files and usually resulted in me getting completely locked out of the machine. Various commercial packages such as Likewise and Centrify aimed to smooth out the process, but they weren’t universally accessible across distros, and often produced inconsistent results. <\/p>\n

After upgrading a system to Debian 8, I noticed a new option for joining the domain, courtesy of the folks at RedHat: realmd<\/b>. Realmd puports to make joining an Active Directory domain dead simple. How does it do? <\/p>\n

<\/p>\n

\n

What means this “join”?<\/h2>\n
\n

When I think of “joining a domain”, my expectation is that I should be able to login to my system as a domain user, have a computer account created in the directory, have a home directory created for me, and potentially have some appropriate permissions granted to me (e.g., sudo privileges for domain admins). Apparently that’s not what everyone means, including the developers of realmd. <\/p>\n

realmd will get us part of the way there, but unfortunately we’ll still have to do some config file twiddling to get the last nine yards. <\/p>\n<\/div>\n<\/div>\n

\n

Pre-Setup<\/h2>\n
\n<\/div>\n
\n

Sanity checks<\/h3>\n
\n
    \n
  • Make sure you have Debian 8 installed.\n<\/li>\n
  • Make sure your machine is on the network, of course, and that you have a domain admin account ready (or one that can join machines to the domain).\n<\/li>\n
  • Make sure your DNS server is pointing to a DNS server that knows about AD. We have some pre-AD ones that don’t, and I ran into trouble with this. Most people probably don’t need to worry about this.\n<\/li>\n
  • I use sudo<\/b> in these examples because I prefer it. If you don’t, make sure you’re root and omit the “sudo” whenever you see it.\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    \n

    Installing packages<\/h3>\n
    \n

    Realmd is easy enough to install using aptitude: <\/p>\n

    \r\nsudo aptitude install realmd\r\n<\/pre>\n
     Ideally, realmd is meant to install other packages required to join your domain (be it Active Directory, openldap, or some other supported directory) automatically when you attempt to join. <\/p>\n
     In practice, I found this unreliable.  So for my AD, I also installed adcli<\/b> and sssd<\/b> manually.  And since time synchronization is critical for Active Directory, I also installed ntp<\/b>. <\/p>\n
    \r\nsudo aptitude install ntp adcli sssd\r\n<\/pre>\n<\/div>\n<\/div>\n
    \n
    Some fixes<\/h3>\n
    \n
     For some reason, the first attempts I made to join a domain failed because a certain samba-related directory didn’t exist.  I don’t know if this is a bug in realmd, or something to do with the way it installs dependencies, but simply creating the directory fixes this: <\/p>\n
    \r\nsudo mkdir -p \/var\/lib\/samba\/private\r\n<\/pre>\n
     Also, sssd was not configured to start at boot for some reason, so this also needed to be done. <\/p>\n
    \r\nsudo systemctl enable sssd\r\n<\/pre>\n
     sssd won’t actually start until it has a config file, which realmd will generate for us. <\/p>\n<\/div>\n<\/div>\n<\/div>\n
    \n
    Join up<\/h2>\n
    \n
     At this point, you should be able to get some information about your domain with this command: <\/p>\n
    \r\nsudo realm discover my-domain.local\r\n<\/pre>\n
     Obviously, replace “my-domain.local” with your AD domain.  You should see some output that looks like this: <\/p>\n
    \r\nmy-domain.local\r\n  type: kerberos\r\n  realm-name: MY-DOMAIN.LOCAL\r\n  domain-name: my-domain.local\r\n  configured: no\r\n  server-software: active-directory\r\n  client-software: sssd\r\n<\/pre>\n
     If this looks good, we can join the domain: <\/p>\n
    \r\nsudo realm join --user=joe.smith my-domain.local\r\n<\/pre>\n
     This assumes joe.smith is a domain admin.  Use whatever domain admin account you have.  You’ll be prompted for a password, of course, and then the magic happens. <\/p>\n
     If all goes well, your machine should be configured to authenticate users to your domain at this point.  You may need to start up sssd: <\/p>\n
    \r\nsudo systemctl start sssd\r\n<\/pre>\n
     We can verify this by trying to get a password entry for a domain user: <\/p>\n
    \r\nsudo getent passwd joe.smith@my-domain.local\r\n<\/pre>\n
     If that returns something that looks like a line from \/etc\/passwd for your joe.smith user, you’re in!  Otherwise, something went wrong. <\/p>\n<\/div>\n<\/div>\n
    \n
    Vital finishing touches<\/h2>\n
    \n
     You can authenticate users at this point, but we’re not quite done.  Two more tweaks are necessary here: <\/p>\n<\/div>\n
    \n
    You want a home directory?<\/h3>\n
    \n
     By default, Debian isn’t going to make a home directory whenever the user logs in.  We need to fix this, because without this you can’t actually log in to the computer.  Fortunately, it takes only one line in one config file to acheive this: <\/p>\n
    \r\necho "session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022" | sudo tee -a \/etc\/pam.d\/common-session\r\n<\/pre>\n
     This tells PAM to create a home directory for any authenticating user if they don’t have one, and to copy the default contents from \/etc\/skel.  You can change that to something else if you want a different default home directory for domain users. <\/p>\n<\/div>\n<\/div>\n
    \n
    Local admin privileges<\/h3>\n
    \n
     Typically on a domain, domain admins would get local admin rights so they can do admin things on computers.  Makes sense. <\/p>\n
     To get this in our Debian setup, we need to make sure our sudo supports this, and then configure it. <\/p>\n
    \r\nsudo aptitude install libsss-sudo\r\necho "%domain\\ admins@my-domain.local ALL=(ALL) ALL" | sudo tee -a \/etc\/sudoers.d\/domain_admins\r\n<\/pre>\n
     The first line installs a library to allow sssd and sudo to talk.  The second adds a directive to sudo to allow domain admins at my-domain.local sudo privileges.  (Copy-pasters take note: you need to edit that command with your domain name.) <\/p>\n<\/div>\n<\/div>\n<\/div>\n
    \n
    Prepare for lift-off<\/h2>\n
    \n
     Might as well give it a good reboot at this point just for the heck of it, but it may not actually be required (just a habit from Windows, I guess). <\/p>\n
     At this point you should be able to log in as any domain user, and domain admins should be able to sudo.  Congrats! <\/p>\n
     For the completely lazy, I’ve thrown this script together that should do the job: <\/p>\n
    \r\n#!\/bin\/bash\r\n\r\n# This script should join Debian Jessie (8) to an Active Directory domain.\r\necho "Please authenticate with your sudo password"\r\nsudo -v\r\n\r\nif ! $(sudo which realmd 2>\/dev\/null); then\r\n    sudo aptitude install realmd adcli sssd\r\nfi\r\n\r\nif ! $(sudo which ntpd 2>\/dev\/null); then\r\n    sudo aptitude install ntp\r\nfi\r\n\r\nsudo mkdir -p \/var\/lib\/samba\/private\r\n\r\necho "Please enter the domain you wish to join: "\r\nread DOMAIN\r\n\r\necho "Please enter a domain admin login to use: "\r\nread ADMIN\r\n\r\nsudo realm join --user=$ADMIN $DOMAIN\r\n\r\nif [ $? -ne 0 ]; then\r\n    echo "AD join failed.  Please run 'journalctl -xn' to determine why."\r\n    exit 1\r\nfi\r\n\r\nsudo systemctl enable sssd\r\nsudo systemctl start sssd\r\n\r\necho "session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022" | sudo tee -a \/etc\/pam.d\/common-session\r\n\r\n# configure sudo\r\nsudo aptitude install libsss-sudo\r\n\r\necho "%domain\\ admins@$DOMAIN ALL=(ALL) ALL" | sudo tee -a \/etc\/sudoers.d\/domain_admins\r\n\r\necho "The computer is joined to the domain.  Please reboot, ensure that you are connected to the network, and you should be able to login with domain credentials."\r\n<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
    Joining Debian to Active Directory has gotten easier in Jessie.  Here’s how!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[15,20,22,14,34],"class_list":["post-1285","post","type-post","status-publish","format-standard","hentry","category-floss","tag-debian","tag-how-to","tag-instructional","tag-linux","tag-practical-tech"],"_links":{"self":[{"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/posts\/1285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/comments?post=1285"}],"version-history":[{"count":4,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/posts\/1285\/revisions"}],"predecessor-version":[{"id":1295,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/posts\/1285\/revisions\/1295"}],"wp:attachment":[{"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/media?parent=1285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/categories?post=1285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alandmoore.com\/blog\/wp-json\/wp\/v2\/tags?post=1285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}