Join Linux to Active Directory and mount mobile profile
Easier than it looks
As with any connection made in a Windows environment, the main thing is to use the DNS of your domain. For this we configure the network card with the domain's DNS servers and search domain, in our case PRUEBAS.LOCAL with the DNS server at 192.168.10.45.
Install NTP and configure it so that our time server is the DC.
apt install ntp
nano /etc/ntp.conf
and replace the pools with our DCs
Restart ntp service
service ntp restart
And verify with ntpq -p that it synchronizes correctly with our DCs
Now we proceed to install the necessary packages
apt -y install realmd sssd adcli libwbclient-sssd krb5-user sssd-tools samba-common packagekit samba-common-bin samba-libs
We will be asked whether we want to modify smb.conf to use WINS; we answer No, which is the default option.
Next it asks us for the Kerberos realm, where we put our domain PRUEBAS.LOCAL in capital letters. However, we are going to enter it in lowercase so that you can see the error it produces when it is not entered in capital letters.
Then it asks for the Kerberos servers, in our case 192.168.10.45, which can also be given as the server's full name (FQDN).
The same for the administrative server
Well, we now have the main thing installed. In older versions of some distributions, such as Ubuntu 16.04, you had to patch packagekit from this repository:
add-apt-repository ppa:xtrusia/packagekit-fix
apt update
apt upgrade packagekit
Our lab machine, as we saw in a previous post, was upgraded to Debian Buster; we will see at the end whether we run into any problems.
We move on to configure nsswitch: edit /etc/nsswitch.conf and add sss to the following sections (on Debian Buster this is already done automatically).
passwd: compat sss
group: compat sss
….
netgroup: nis sss
sudoers: files sss
But it is very important to change the line
hosts: files mdns4_minimal [NOTFOUND=return] dns
to this one, where the only change is the order: dns goes right after files. Without this change the join will fail.
hosts: files dns mdns4_minimal [NOTFOUND=return]
We obtain a Kerberos ticket as follows
kinit -V usuarioadministradordominio
Note: we deliberately run it without the realm name, so that it is taken from the default_realm we entered during installation; you will see it fail with the message
kinit: KDC reply did not match expectations while getting initial credentials
This is a common error that we wanted to reproduce in this post. It happens because we entered the realm in lowercase when asked for it. Just edit /etc/krb5.conf and put the realm in uppercase, both in default_realm and in the [realms] section, and also add at the bottom, in the section
[domain_realm]
pruebas.local = PRUEBAS.LOCAL
.pruebas.local = PRUEBAS.LOCAL
Of course, with your own domain.
Once set correctly, we will get
Authenticated to Kerberos v5
Once we have the ticket, we join our machine to the domain, in the OU we want and with your own domain; in our case we created an OU called Linux Computers
realm join pruebas.local --computer-ou="ou=Linux Computers,dc=pruebas,dc=local" -U usuarioadministradordominio
and we get
* Successfully enrolled machine in realm
Our machine is now joined to the domain. Next we mount the mobile (roaming) profiles; first we install
apt install smbclient gvfs-fuse gvfs-backends gvfs-bin cifs-utils libpam-mount
Once installed we edit /etc/sssd/sssd.conf
nano /etc/sssd/sssd.conf
and set the following line to False
use_fully_qualified_names = False
We edit the following file
nano /etc/security/pam_mount.conf.xml
and below the line
<!-- Volume definitions -->
we mount the profile, setting the server and share where the user profiles are stored
<volume user="*" fstype="cifs" server="servidor" path="/%(USER)" mountpoint="/home/%(USER)" options="sec=ntlm,mfsymlinks,nodev,nosuid" />
The whole process of joining the domain and mounting the mobile profile in the user's /home can be scripted. This is very useful, for example, on a virtual desktop platform, where the broker launches the script automatically as the last step of creating the desktop.
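A pre-flight script for such automation, added here as an example and not part of the original post: it checks the two settings the post says will make the join fail (dns order in nsswitch.conf and realm casing in krb5.conf) from the files given as arguments, and composes the realm join command. The file paths and the sample "before/after" inputs are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight checks before "realm join". Constructed example; run each check
# against /etc/nsswitch.conf and /etc/krb5.conf, or against copies as in demo().

# Exit 0 when the hosts: line lists "dns" before "mdns4_minimal" (or has no mdns entry).
nsswitch_hosts_ok() {
  awk 'BEGIN { rc = 1 }
       /^hosts:/ { d = 0; m = 0
         for (i = 2; i <= NF; i++) {
           if ($i == "dns" && !d) d = i
           if ($i == "mdns4_minimal" && !m) m = i
         }
         rc = (d && (!m || d < m)) ? 0 : 1 }
       END { exit rc }' "$1"
}

# Exit 0 when default_realm is present and all upper case; a lowercase realm is
# what produces "KDC reply did not match expectations" at kinit time.
krb5_realm_ok() {
  realm=$(awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
  [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the join command for domain, computer OU and admin user without running it.
join_cmd() {
  printf 'realm join %s --computer-ou="%s" -U %s\n' "$1" "$2" "$3"
}

# Constructed inputs mirroring the post's wrong and corrected lines.
demo() {
  d=$(mktemp -d)
  printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$d/nss_before"
  printf 'hosts: files dns mdns4_minimal [NOTFOUND=return]\n' > "$d/nss_after"
  printf '[libdefaults]\n\tdefault_realm = pruebas.local\n' > "$d/krb5_before"
  printf '[libdefaults]\n\tdefault_realm = PRUEBAS.LOCAL\n' > "$d/krb5_after"
  for f in nss_before nss_after; do
    nsswitch_hosts_ok "$d/$f" && echo "$f: ok" || echo "$f: dns must come before mdns4_minimal"
  done
  for f in krb5_before krb5_after; do
    krb5_realm_ok "$d/$f" && echo "$f: ok" || echo "$f: default_realm must be upper case"
  done
  join_cmd pruebas.local "ou=Linux Computers,dc=pruebas,dc=local" usuarioadministradordominio
  rm -r "$d"
}
demo
```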
TL.
Thanks for reading our posts.