Install the following packages:
sudo apt install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf
Check that the DNS server is correctly set on the network interface
sudo nano /etc/network/interfaces
dns-nameservers 192.168.XXX.XXX
Restart the network service
sudo systemctl restart ifup@<cardname> resolvconf
Edit the file /etc/pam.d/common-session to automatically create the home directory when a user logs in
sudo nano /etc/pam.d/common-session
Add
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Run an Active Directory discovery to check the connection
sudo realm discover DOMAINE.TLD
You should get output similar to this:
domaine.tld
type: kerberos
realm-name: DOMAINE.TLD
domain-name: domaine.tld
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups:
Now you can join the computer to the domain
sudo realm join DOMAINE.TLD -U<username>
Change the configuration files if needed
sudo vim /etc/krb5.conf
[libdefaults]
default_realm = DOMAINE.TLD
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
DOMAINE.TLD = {
}
[domain_realm]
domaine.tld = DOMAINE.TLD
.domaine.tld = DOMAINE.TLD
sudo nano /etc/sssd/sssd.conf
[sssd]
domains = domaine.tld
config_file_version = 2
services = nss, pam
[domain/domaine.tld]
ad_domain = domaine.tld
krb5_realm = DOMAINE.TLD
#realmd_tags = manages-system joined-with-adcli
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = NOM_DE_LA_MACHINE$
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
#access_provider = ad
access_provider = simple
Restrict the permissions on sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
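An added check, not part of the original guide: the shell functions below audit an sssd.conf for the file mode set above and for the access_provider choice, because access_provider = simple with no simple_allow_users or simple_allow_groups entry lets every domain user log in. The helper names ini_get and audit_sssd_conf and the sample file are made up for this example.

```sh
# Added example, not from the original guide. ini_get and audit_sssd_conf are
# made-up helper names; the sample config at the bottom is constructed.
ini_get() {  # ini_get FILE SECTION KEY: print the last value of KEY in [SECTION]
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }   # skip commented-out settings
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

audit_sssd_conf() {  # print findings; return 0 if clean, 1 otherwise
    conf=$1; bad=0
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other (expected mode 600)"; bad=1
    fi
    for dom in $(ini_get "$conf" sssd domains | tr ',' ' '); do
        ap=$(ini_get "$conf" "domain/$dom" access_provider)
        allow=$(ini_get "$conf" "domain/$dom" simple_allow_users)
        allow=$allow$(ini_get "$conf" "domain/$dom" simple_allow_groups)
        case ${ap:-permit} in   # sssd defaults to permit when the key is unset
            permit)
                echo "WARN: [$dom] access_provider=permit, any domain user may log in"; bad=1 ;;
            simple)  # sssd-simple(5): empty allow lists mean access is granted
                if [ -z "$allow" ]; then
                    echo "WARN: [$dom] access_provider=simple has no allow list"; bad=1
                fi ;;
        esac
    done
    return $bad
}

demo=$(mktemp)   # constructed sample modelled on the sssd.conf in this guide
cat > "$demo" <<'EOF'
[sssd]
domains = domaine.tld
[domain/domaine.tld]
id_provider = ad
access_provider = simple
EOF
chmod 644 "$demo"
audit_sssd_conf "$demo" || echo "sssd.conf needs attention"
rm -f "$demo"
```

On a joined machine, run it as root against the real file: audit_sssd_conf /etc/sssd/sssd.conf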
Restart the sssd service
sudo systemctl restart sssd
Query Active Directory with a user account
id DOMAINE\\username
Restart the computer to apply the changes
Then test authentication again
su - DOMAINE\\username
You should see:
Creating directory '/home/username'.