Linux Active Directory join script Wiki

PierreGode edited this page Apr 16, 2020 · 8 revisions

Welcome to the Linux-Active-Directory-join-script wiki!

On AD: Prepare by creating a group object in AD whose name matches the hostname of the client or server (example: DNSserver01), and add the users who should have access to that existing or newly created group.

On Client:

  1. Download the script with git clone <--Linux-Active-Directory-join-script repo -->.
  2. cd Linux-Active-Directory-join-script
  3. sudo sh ADconnection.sh
  4. To join Active Directory, press 1 (the script will autodetect the OS and realm).
  5. The script will start installing packages and verify that they installed successfully.
  6. The script will search the network for a realm and suggest using it, or prompt for it. (If the script fails to find your domain, you can try typing it in.)
  7. The script will determine which distro it is running on and whether it is supported, and prepare for setup.
  8. The admin will be prompted to enter the admin user. Type in your Active Directory admin user without the domain. Example: Pierreadmin
  9. The admin will be prompted to enter the password.
  10. The script will ask if you want SSH security. Enabling it blocks all other local and domain users except the allowed group "DNSserver01" and the local account administrator (make sure it exists). If you disable SSH login security, all users in the domain will be able to log in, but only the groups in sudoers will have sudo if you accept sudoers later; if you do not, everyone will be able to log in but no one will have sudo.
  11. The script will ask for sudo permissions; on yes it will give the domain group "DNSserver01" and the local administrator sudo access.
  12. The script will report whether it succeeded and check for errors.
  13. Reboot and then log in with an AD user, for example ADadmin, and its password.

Home folders will be created for each user that logs in; the format is /home/netbios.domain/user, and the user will show as, for example, pierre (the User logon name). (All / and @ characters are removed from the user and folder names.)

On yes to SSH allow, the script will create ssh login.group.allowed, where it puts administrator, domain admins and the group object (DNSserver01 in this example). All other users are not allowed to SSH or log in to the client. NOTE: ALL other users will be blocked, even local ones.

If the script fails at start with the error message "Installing pakages failed.. please check connection and dpkg and try again", reboot, verify that the Ethernet interface has a connection, and run the script again, or verify dpkg first with sudo apt-get update.

At the end, the script will print out what it has written to sudoers and ssh-allow. Verify that those entries are correct before restarting.
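A pre-reboot check for that printed sudoers fragment, added here as an example (it is not part of ADconnection.sh or its repository): it extracts the principal of every active rule, lists who gets passwordless root, and rejects any principal outside the expected administrator, %HOSTNAMEsudoers and %DOMAIN\ admins entries, or an ALL wildcard. The demo_check function and its sample fragment are constructed from the wiki's example output; HOSTNAME and DOMAIN are the same placeholders the output uses.

```shell
#!/bin/sh
# Added example (not part of ADconnection.sh): before rebooting, re-check the
# sudoers fragment the script printed. It lists who gets passwordless root and
# fails if an unexpected principal, or the ALL wildcard, appears.

# Print the principal (user or %group) of every active rule in a sudoers
# file, one per line. The script escapes spaces in group names with a
# backslash ("%DOMAIN\ admins"), so the principal runs up to the first
# unescaped space.
sudoers_principals() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        sed -E 's/^(([^ \\]|\\.)*) .*/\1/'
}

# $1: sudoers file or fragment; $2: expected principals, newline separated.
# Returns 0 only if every rule names an expected principal.
check_sudoers_fragment() {
    file="$1"; expected="$2"; rc=0
    tmp=$(mktemp)
    sudoers_principals "$file" > "$tmp"
    while IFS= read -r p; do
        if [ "$p" = "ALL" ]; then
            printf 'REJECT: a rule grants sudo to every user\n'; rc=1
        elif ! printf '%s\n' "$expected" | grep -Fxq -- "$p"; then
            printf "REJECT: unexpected principal '%s'\n" "$p"; rc=1
        else
            printf 'OK: %s\n' "$p"
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed fragment mirroring the wiki's example output for host
# HOSTNAME in domain DOMAIN ($1 = "good" or "bad"; "bad" adds an ALL rule).
demo_check() {
    f=$(mktemp)
    printf '%s\n' 'administrator ALL=(ALL) NOPASSWD:ALL' \
        '%HOSTNAMEsudoers ALL=(ALL) NOPASSWD:ALL' \
        '%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL' > "$f"
    [ "$1" = "bad" ] && printf 'ALL ALL=(ALL) NOPASSWD:ALL\n' >> "$f"
    expected=$(printf '%s\n' 'administrator' '%HOSTNAMEsudoers' '%DOMAIN\ admins')
    check_sudoers_fragment "$f" "$expected"; rc=$?
    rm -f "$f"
    return $rc
}

demo_check good    # three OK lines, exit status 0
demo_check bad || printf 'bad fragment rejected as expected\n'
```

To use it on the real file, call check_sudoers_fragment with the path of the fragment the script wrote and the principals you expect for your host and domain.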

Note: if you are setting up an AD server, make sure to check your DNS configuration if the script fails to detect the domain.

Example output from the script on Ubuntu 18:

Active directory connection tool Created by Pierre Goude This script will edit several critical files.. DO NOT attempt this without expert knowledge

    1. Join to AD on Linux (Ubuntu/Rasbian/Kali/Fedora/Debian)
    2. Check for errors
    3. Search with ldap
    4. Reauthenticate
    5. Leave Domain

Please enter a menu option and enter or ctrl + c to exit.

Please enter a menu option and enter or enter to exit.
1

Installing on Linux Client/Server
Ubuntu detected

Checking if it is a Desktop or server
Ubuntu Desktop detected

Installing pakages do no abort!.......

ii realmd 0.16.3-1 amd64 DBus service for configuring kerberos and other online identities

Pakages installed
hostname is HOSTNAME
Looking for Realms.. please wait

I searched for an available domain and found >>> DOMAIN.COM <<<
Do you wish to use it (y/n)?y

No LSB modules are available.
Detecting Ubuntu 18

Realm=DOMAIN.COM
Joining Ubuntu 18

Please log in with domain admin to DOMAIN.COM to connect
Please type Admin user:
domainadmin

  • Resolving: _ldap._tcp.DOMAIN.COM
  • Performing LDAP DSE lookup on: 192.168.1.0
  • Performing LDAP DSE lookup on: 192.168.1.23
  • Performing LDAP DSE lookup on: fd3:27e:5ca:192::23
  • Successfully discovered: DOMAIN.COM
    Password for domainadmin: ***********
  • Assuming packages are installed
  • LANG=C /usr/sbin/adcli join --verbose --domain DOMAIN.COM --domain-realm DOMAIN.COM --domain-controller 192.168.1.23 --login-type user --login-user domainadmin --stdin-password
  • Using domain name: DOMAIN.COM
  • Calculated computer account name from fqdn: HOSTNAME
  • Using domain realm: DOMAIN.COM
  • Sending netlogon pings to domain controller: cldap://192.168.1.23
  • Received NetLogon info from: SEDCSRV01.DOMAIN.COM
  • Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-pemCyP/krb5.d/adcli-krb5-conf-eWt3hp
  • Authenticated as user: domainadmin@DOMAIN.COM
  • Looked up short domain name: DOMAIN
  • Using fully qualified name: HOSTNAME
  • Using domain name: DOMAIN.COM
  • Using computer account name: HOSTNAME
  • Using domain realm: DOMAIN.COM
  • Calculated computer account name from fqdn: HOSTNAME
  • Generated 120 character computer password
  • Using keytab: FILE:/etc/krb5.keytab
  • Found computer account for HOSTNAME$ at: CN=HOSTNAME,CN=Computers,DC=DOMAIN,DC=com
  • Set computer password
  • Retrieved kvno '9' for computer account in directory: CN=HOSTNAME,CN=Computers,DC=DOMAIN,DC=com
  • Modifying computer account: userAccountControl
  • Modifying computer account: operatingSystemVersion, operatingSystemServicePack
  • Modifying computer account: userPrincipalName
    ! Couldn't set service principals on computer account CN=HOSTNAME,CN=Computers,DC=DOMAIN,DC=com: 00002083: AtrErr: DSID-03151785, #1:
    0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
  • Discovered which keytab salt to use
  • Added the entries to the keytab: HOSTNAME$@DOMAIN.COM: FILE:/etc/krb5.keytab
  • Added the entries to the keytab: host/HOSTNAME@DOMAIN.COM: FILE:/etc/krb5.keytab
  • Added the entries to the keytab: host/HOSTNAME@DOMAIN.COM: FILE:/etc/krb5.keytab
  • Added the entries to the keytab: RestrictedKrbHost/HOSTNAME@DOMAIN.COM: FILE:/etc/krb5.keytab
  • Added the entries to the keytab: RestrictedKrbHost/HOSTNAME@DOMAIN.COM: FILE:/etc/krb5.keytab
  • /usr/sbin/update-rc.d sssd enable
  • Successfully enrolled machine in realm
    ############################
    Configuratig files..
    Verifying the setup
    Synchronizing state of sssd.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable sssd

Do you wish to enable SSH login.group.allowed(y/n)?n
Disabled SSH login.group.allowed

Do you wish to give users on this machine sudo rights?(y/n)?y
Cheking if there is any previous configuration
Do you wish to DISABLE password promt for users in terminal?(y/n)?y
administrator ALL=(ALL) NOPASSWD:ALL
%HOSTNAMEsudoers ALL=(ALL) NOPASSWD:ALL
%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL
pam_mkhomedir.so configured
50-ubuntu.conf is already configured.. skipping

override_homedir = /home/%d/%u
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 600
#entry_cache_user_timeout = 5400
#entry_cache_group_timeout = 5400
#cache_credentials = TRUE
entry_cache_nowait_percentage = 75
Checking sssd config.. OK
Realm configured?.. OK