Easier than it looks
As in any connection made in Windows environment, the main thing is to use the DNS of your domain, for this we configure the network card with these DNS and domain to use in our case TESTS.LOCAL and ip 192.168.10.45
Install NTP and configure it so that our time server is the DC.
apt ntp install
and replace the pools with our DCs
Restart ntp service
service ntp restart
And verify with ntpq -p that it synchronizes correctly with our DCs
Now we proceed to install the necessary packages
apt -y install realmd sssd adcli libwbclient-sssd krb5-user sssd-tools samba-common packagekit samba-common-bin samba-libs
We will be asked if we want to modify smb.conf to use WINS, where we will indicate that No is the default option.
Next it will ask us for the Kerberos realm where we will put our domain TEST.LOCAL, in capital letters, although we are going to put it in small letters so that you observe the error that will give us if it is not introduced in capital letters.
and then the servers in our case 192.168.10.45, it is the full name of the server FQDN
The same for the administrative server
Well, we already have the main thing installed, but in previous versions in some distributions you had to patch the packagekit as in Ubuntu 16.04 from this repository
apt upgrade packagekit
Our lab machine as we saw in a previous post was upgraded to Debian Buster, we will see at the end if we encounter any problems.
We move on to configure nsswitch, edit /etc/nsswitch.conf and add sss in the following sections, in the case of Debian Buster it already does it automatically.
passwd: compat sss
group: compat sss
netgroup: nis sss
sudoers: files sss
But very important to modify the line
hosts: files mdns4_minimal [NOTFOUND=return] dns
for this one, where the only thing we do is to change the order by putting dns after files, without this change the connection will fail.
hosts: files dns mdns4_minimal [NOTFOUND=return]
We create a kerberos ticket, in the following way
kinit -V usarioadministradordominio
WARNING without the domain name because it will take it from the default_realm which is the one that we put in the installation, you will see that it will fail with the message
kinit: KDC reply did not match expectations while getting initial credentials
This is the typical error that happens frequently and we wanted to reproduce in this post, this is because when we asked the realm we put it in lowercase to reproduce this typical error, just edit /etc/krb5.conf and put it in uppercase both in default_realm and in the realms, also add at the bottom in section
pruebas.local = PRUEBAS.LOCAL
.pruebas.local = PRUEBAS.LOCAL
Of course with your domain
Once correctly set, we will obtain
Authenticated to Kerberos v5
Once we have the ticket we join our machine to the domain, in the OU we want and with your domain, in our case we have created an OU called Linux Computers
realm join pruebas.local --computer-ou="ou=Linux Computers,dc=pruebas,dc=local" -U usuarioadministradordominio
and we will obtain
* Successfully enrolled machine in realm
We already have our machine joined to the domain, now we are going to mount the mobile profiles, to do this we first install
apt install smbclient gvfs-fuse gvfs-backends gvfs-bin cifs-utils libpam-mount
Once installed we edit /etc/sssd/sssd.conf
and we set the following line to False
use_fully_qualified_names = False
We edit the following
<!-- Volume definitions -->
We mount the profile by setting the location where we have these user profiles
<volume user="*" fstype="cifs" server="servidor" path="/%(USER)" mountpoint="/home/%(USER)" options="sec=ntlm,mfsymlinks,nodev,nosuid" />
The whole process of joining the domain and mounting the mobile profile in the user's /home can be done through scripts, as for example it is very useful when you have a virtual desktop platform launching the script automatically in the last step of creating the desktop from the broker.