
Debian-Based Distributions

Install Prerequisite Packages

# When prompted...
# Modify smb.conf to use WINS settings from DHCP? Answer: Yes
# The packagekit pattern is quoted so the shell hands it to apt unexpanded
sudo apt install -y sssd realmd krb5-user samba-common 'packagekit*'

Join the System to the Domain

Make sure the conditions are right for the system to communicate with the Domain Controller(s) over the required TCP ports.

Be sure to replace domain-admin-username and domain.tld with the correct username and local domain for your environment!

# Join to the domain using the domain administrator account
sudo realm join -U domain-admin-username domain.tld --verbose

Add the Domain Admins Group as Sudoers

For password-less sudo operations replace ALL with NOPASSWD:ALL at the end of the line.

Create a drop-in file under /etc/sudoers.d using visudo, which checks the syntax before saving.

sudo visudo -f /etc/sudoers.d/ad_groups

Add this group to the file.

Be sure to change domain.tld to your local domain!

# Add AD Domain Admins Group to SUDOERS
%domain\ admins@domain.tld ALL=(ALL) ALL

If that doesn't work, try the group name without the domain suffix (e.g. remove @ad.lab).

Allow SSH Password Authentication

Add Active Directory Group Match Policy

sudo nano /etc/ssh/sshd_config

Go to the end of the file and append these lines:

Alternatively, if you don't want to use the ? pattern match in the SSHd Match statement, you could create a security group in Active Directory named something like linux_ssh_users, which does not contain any spaces.

# Case-sensitive match
# ? : match on any single character
#     which covers the space in the name
Match Group domain?admins
  PasswordAuthentication yes

Match Group domain?users
  PasswordAuthentication yes
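
The ? in these Match lines accepts any single character, not only a space, so any other group whose name fits the pattern is also granted password authentication. The script below is an added example, not part of the original guide: it lists which group names each wildcard Match Group pattern selects, using a constructed sshd_config and group listing and assuming shell case-globbing as a stand-in for sshd's ? and * matching.

```sh
# Added example (not from the original guide): list the group names that each
# wildcard "Match Group" pattern in an sshd_config selects. Assumption: shell
# case-globbing stands in for sshd's ? and * matching (no [ ] in patterns).

# wildcard_group_patterns FILE: print non-negated wildcard patterns, one per line
wildcard_group_patterns() {
  awk 'tolower($1) == "match" && tolower($2) == "group" {
         n = split($3, p, ",")            # pattern lists are comma-separated
         for (i = 1; i <= n; i++)
           if (p[i] !~ /^!/ && p[i] ~ /[?*]/) print p[i]
       }' "$1"
}

# audit SSHD_CONFIG GROUPFILE: print "pattern<TAB>group" for each group in a
# getent-group style listing (name:x:gid:members) that a pattern selects.
audit() {
  wildcard_group_patterns "$1" | while IFS= read -r pat; do
    while IFS=: read -r name _rest; do
      case $name in                       # case-sensitive, like the Match line
        $pat) printf '%s\t%s\n' "$pat" "$name" ;;
      esac
    done < "$2"
  done
}

# Constructed sample data: the Match lines from this page, plus made-up groups
SAMPLE_CONF=$(mktemp)
SAMPLE_GROUPS=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Match Group domain?admins
  PasswordAuthentication yes
Match Group domain?users
  PasswordAuthentication yes
Match Group linux_ssh_users
  PasswordAuthentication yes
EOF
cat > "$SAMPLE_GROUPS" <<'EOF'
domain admins:*:1100512:
domain users:*:1100513:
domain_admins:x:1001:
domain-users:x:1002:
Domain Admins:*:1100600:
linux_ssh_users:*:1100700:
EOF

audit "$SAMPLE_CONF" "$SAMPLE_GROUPS"
```

In the sample, domain_admins and domain-users are reported alongside the intended groups, while Domain Admins is not because the match is case-sensitive. A Match line on an exact name such as linux_ssh_users contains no wildcard and is not reported.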

Restart the SSH Daemon

sudo systemctl restart sshd.service