Join a Debian 9 server to an Active Directory domain

Install the following packages:

sudo apt install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf

Check that the DNS server is correctly set on the network interface

sudo nano /etc/network/interfaces
dns-nameservers 192.168.XXX.XXX

Restart the network service

sudo systemctl restart ifup@<cardname> resolvconf

Edit the file /etc/pam.d/common-session and add the following line to automatically create the home directory when a user logs in

sudo nano /etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Perform an Active Directory discovery to check the connection

sudo realm discover DOMAINE.TLD

You should get output similar to this

type: kerberos
realm-name: DOMAINE.TLD
domain-name: domaine.tld
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins

Now you can join the computer to the domain

sudo realm join DOMAINE.TLD -U <username>

Change the configuration files if needed

sudo vim /etc/krb5.conf

[libdefaults]
default_realm = DOMAINE.TLD

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.

fcc-mit-ticketflags = true

[domain_realm]
domaine.tld = DOMAINE.TLD
.domaine.tld = DOMAINE.TLD

sudo nano /etc/sssd/sssd.conf

[sssd]
domains = domaine.tld
config_file_version = 2
services = nss, pam

[domain/domaine.tld]
ad_domain = domaine.tld
krb5_realm = DOMAINE.TLD
#realmd_tags = manages-system joined-with-adcli
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = NOM_DE_LA_MACHINE$
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
#access_provider = ad
access_provider = simple

Restrict the permissions on sssd.conf

sudo chmod 600 /etc/sssd/sssd.conf

Restart the sssd service

sudo systemctl restart sssd

Query Active Directory with a user account

id DOMAINE\\username

Restart the computer to apply the changes

Then test the authentication again

su - DOMAINE\\username

You should get this

Creating directory '/home/username'.
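
A check for the sssd.conf written earlier, added here as an example and not part of the original page: it verifies the 600 permissions and flags access_provider = simple with no simple_allow_users or simple_allow_groups, which sssd-simple(5) treats as granting access to everyone. The function names and the sample file are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original page): audit an sssd.conf before go-live.

# Print the value of option $2 from the [domain/...] section of file $1.
domain_opt() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_dom = ($0 ~ /\[domain\//); next }
        in_dom && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print one line per finding; return 0 if clean, 1 if anything was flagged.
audit_sssd_conf() {
    conf=$1; rc=0
    perms=$(ls -ld "$conf" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        echo "FAIL: permissions are '$perms', expected -rw------- (chmod 600)"; rc=1
    fi
    if ! grep -q '^\[domain/' "$conf"; then
        echo "FAIL: no [domain/<name>] section found"; rc=1
    fi
    provider=$(domain_opt "$conf" access_provider)
    allow=$(domain_opt "$conf" simple_allow_users)$(domain_opt "$conf" simple_allow_groups)
    case "${provider:-permit}" in
        simple)
            # sssd-simple(5): when the allow lists are empty, access is granted.
            if [ -z "$allow" ]; then
                echo "FAIL: access_provider=simple without simple_allow_users/simple_allow_groups"; rc=1
            fi ;;
        permit)
            echo "FAIL: access_provider is permit (the default when unset)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample using the page's placeholder domain, not a real host's file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[sssd]
domains = domaine.tld

[domain/domaine.tld]
access_provider = simple
EOF
chmod 600 "$demo"
audit_sssd_conf "$demo" || echo "=> restrict logins before exposing this host"
rm -f "$demo"
```

On the joined host, call audit_sssd_conf /etc/sssd/sssd.conf as root, since the file is only readable by root after the chmod step.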
