Debian-Based Distributions

Install Prerequisite Packages

# When prompted...
# Modify smb.conf to use WINS settings from DHCP? Answer: Yes 
sudo apt install -y sssd realmd krb5-user samba-common 'packagekit*'

Join the System to the Domain

Make sure the system can communicate with the Domain Controller(s) over the required TCP ports.

Be sure to replace domain-admin-username and domain.tld with the correct username and local domain for your environment!

# Join to the domain using the domain administrator account
sudo realm join -U domain-admin-username domain.tld --verbose

Add the Admin Group as Sudoers

For password-less sudo operations replace ALL with NOPASSWD:ALL at the end of the line.

sudo visudo -f /etc/sudoers.d/ad_groups

Edit the /etc/sudoers.d/ad_groups file using visudo.

Be sure to change domain.tld to your local domain!
If that doesn't work, try the group name without the domain (e.g. remove @ad.lab)

Also, it doesn't have to be the Domain Admins group. You could create a security group called linux_admins, add members, and use this group instead.

# Add AD Domain Admins Group to SUDOERS
%domain\ admins@domain.tld ALL=(ALL) ALL

Add group to the file

Allow SSH Password Authentication

Add Active Directory Group Match Policy

sudo nano /etc/ssh/sshd_config

Alternatively, if you don't want to use the ? pattern match in the SSHd Match statement, you could create security groups in Active Directory named something like linux_ssh_admins and linux_ssh_users, which do not contain any spaces.

# Case-sensitive match
# ? : match on any single character
#     which covers the space in the name
Match Group domain?admins
  PasswordAuthentication yes

Match Group domain?users
  PasswordAuthentication yes

Go to the end of the file and append these lines
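
Because ? matches any single character, not only a space, it is worth checking which group names a pattern such as domain?admins actually selects. The script below is an added example, not part of the original guide: it runs a pattern over a constructed list of group names, using the shell's case globbing as a stand-in for sshd's matcher. The function names and the sample list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): list which group names an
# sshd "Match Group" pattern would select. Shell case-globbing stands in for
# sshd's matcher; the two agree for patterns that use only ? and *.

# Constructed sample of group names, one per line. On a joined host, feed in
# real names instead (GNU coreutils):
#   id -Gnz 'username@domain.tld' | tr '\0' '\n'
sample_groups() {
    cat <<'EOF'
domain admins
domain users
domain-admins
Domain Admins
domain admins@domain.tld
linux_ssh_admins
EOF
}

# matching_groups PATTERN: read group names on stdin, print those that match.
matching_groups() {
    pattern=$1
    while IFS= read -r group; do
        case $group in
            # Unquoted on purpose so ? and * act as wildcards; the match is
            # case-sensitive and must cover the whole group name.
            $pattern) printf '%s\n' "$group" ;;
        esac
    done
}

echo "Pattern domain?admins selects:"
sample_groups | matching_groups 'domain?admins'

echo "Pattern linux_ssh_admins selects:"
sample_groups | matching_groups 'linux_ssh_admins'
```

In the sample, domain?admins also selects the lookalike domain-admins, and it does not select the fully qualified domain admins@domain.tld or the differently cased Domain Admins. Compare the pattern against the names the host actually reports before relying on the Match block.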

Restart the SSH Daemon

sudo systemctl restart sshd.service

Login with Domain Credentials

ssh username@domain.tld@10.80.80.10

Using target host IP address and password authentication