Debian-Based Distributions
Install Prerequisite Packages
# When prompted...
# Modify smb.conf to use WINS settings from DHCP? Answer: Yes
# Quote the glob so the shell passes it to apt unexpanded
sudo apt install -y sssd realmd krb5-user samba-common 'packagekit*'
Join the System to the Domain
Make sure the system can communicate with the Domain Controller(s) over the required TCP ports.
Be sure to replace domain-admin-username and domain.tld with the correct username and local domain for your environment!
# Join to the domain using the domain administrator account
sudo realm join -U domain-admin-username domain.tld --verbose
Add the Domain Admins Group as Sudoers
For password-less sudo operations, replace ALL at the end of the line with NOPASSWD:ALL.
Edit the sudoers configuration using visudo; the command below opens the drop-in file /etc/sudoers.d/ad_groups.
sudo visudo -f /etc/sudoers.d/ad_groups
Add this group to the file. Be sure to change domain.tld to your local domain!
# Add AD Domain Admins Group to SUDOERS
%domain\ admins@domain.tld ALL=(ALL) ALL
If that doesn't work, try the group name without the domain (e.g. remove @ad.lab).
Allow SSH Password Authentication
Add Active Directory Group Match Policy
sudo nano /etc/ssh/sshd_config
Go to the end of the file and append these lines:
# Case-sensitive match
# ? : match on any single character
# which covers the space in the name
Match Group domain?admins
    PasswordAuthentication yes
Match Group domain?users
    PasswordAuthentication yes
Alternatively, if you don't want to use the ? pattern match in the sshd Match statement, you could create a security group in Active Directory named something like linux_ssh_users, which does not contain any spaces.
Restart the SSH Daemon
sudo systemctl restart sshd.service
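The ? in the Match Group lines above matches any single character, not only the space in the group name, and the match is case-sensitive. The following is an added example, not part of the original page: it parses a constructed copy of that sshd_config block and reports which group names would receive PasswordAuthentication yes. The function names are hypothetical, and it assumes Match lines with a single Group criterion and no negated patterns.

```shell
#!/bin/sh
# Added example: which group names does an sshd "Match Group" pattern cover?
# Constructed sample of the block this page appends to /etc/ssh/sshd_config.
SAMPLE_CONFIG='PasswordAuthentication no
# Case-sensitive match
Match Group domain?admins
    PasswordAuthentication yes
Match Group domain?users
    PasswordAuthentication yes'

# Print each Group pattern whose Match block sets PasswordAuthentication yes.
# Assumption: one criterion per Match line, comma-separated list, no "!" negation.
password_auth_patterns() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" {
            n = 0
            if (tolower($2) == "group") n = split($3, pats, ",")
            next
        }
        n > 0 && tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            for (i = 1; i <= n; i++) print pats[i]
        }'
}

# Return 0 if group name $1 matches pattern $2. sshd patterns know only the
# wildcards * and ?; the shell glob agrees as long as neither side has [ or \.
group_matches() {
    case "$1" in
        $2) return 0 ;;
    esac
    return 1
}

# Echo "yes" if any group in $2 (one name per line) hits such a pattern, else "no".
password_auth_for() {
    hit=$(password_auth_patterns "$1" | while IFS= read -r pat; do
        printf '%s\n' "$2" | while IFS= read -r grp; do
            if group_matches "$grp" "$pat"; then echo yes; fi
        done
    done)
    if [ -n "$hit" ]; then echo yes; else echo no; fi
}

# Constructed group names: the ? also accepts "_" and any other single character.
for g in "domain admins" "domain_admins" "Domain Admins" "linux_ssh_users"; do
    printf '%-16s -> %s\n' "$g" "$(password_auth_for "$SAMPLE_CONFIG" "$g")"
done
```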