Realmd
Step 1: Check resolving
cat /etc/resolv.conf
There should be something like:
search domain.local
nameserver 192.168.16.1
Step 2: Install Software
Debian:
sudo apt-get install sssd realmd sssd-tools libnss-sss libpam-sss adcli packagekit
RedHat:
dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat
Step 3: Make sure dns follows files in the hosts field
/etc/nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat
...
netgroup: nis sss
sudoers: files sss
hosts: files dns mdns4_minimal [NOTFOUND=return]
Step 4: Join Domain
realm join domain.com --user=DomainAdmin
Step 5: Check join settings
realm list
biopack.be
type: kerberos
realm-name: BIOPACK.BE
domain-name: biopack.be
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@biopack.be
login-policy: allow-realm-logins
Step 6: Check ID to make sure you resolve users
id administrator
id: administrator: no such user
uid=1829600500...
Step 7: Configure SSSD - Edit lines accordingly
vim /etc/sssd/sssd.conf
default_shell = /usr/bin/zsh
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
#create these new lines
case_sensitive = False
enumerate = True
ldap_idmap_range_min = 9700000
ldap_idmap_range_max = 2009700000
ldap_idmap_range_size = 2000000000
ad_gpo_access_control = permissive
Stop the service: service sssd stop
Then delete the cache files from /var/lib/sss/db
Then restart the service: service sssd start
If you don't do this, the service will most likely crash.
GPO access control can interfere with SSH and other services, so if you're not using it, disable it or set it to permissive mode. More here:
https://docs.pagure.org/sssd.sssd/design_pages/active_directory_gpo_integration.html#
Step 8: Have home directories made automatically
Debian:
vim /etc/pam.d/common-session
add to bottom of the file:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
RedHat:
authselect select sssd with-mkhomedir
systemctl enable --now oddjobd.service
Step 9: Restrict which domain users can authenticate
Allow all domain access
realm permit --all
Remove all domain access
realm deny --all
Allow only the groups that should have access
realm permit -g "group name"@domainname
Grant access to specific users
realm permit user@domainname
Deny access to specified users
realm permit -x user@domainname
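An added example (not part of the original guide) that cross-checks Step 7 against Step 9: it reads realm list output and sssd.conf text and warns when neither realmd nor GPO restricts domain logins. The function names audit_join, realm_field and sssd_opt and the sample text are made up here; it assumes realmd's login-policy values allow-realm-logins, allow-permitted-logins and deny-any-login.

```shell
#!/bin/sh
# Added example: with login-policy allow-realm-logins the only filter on domain
# logins is AD GPO, and ad_gpo_access_control = permissive/disabled turns it off.

# Value of a "key: value" field in `realm list` output read from stdin.
realm_field() {
    awk -v k="$1" '{ sub(/^[ \t]+/, "") }
        index($0, k ":") == 1 { v = substr($0, length(k) + 2)
                                sub(/^[ \t]+/, "", v); print v; exit }'
}

# Lower-cased value of an sssd.conf option read from stdin (comments skipped).
sssd_opt() {
    awk -v k="$1" '/^[ \t]*[#;]/ { next }
        { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
        key == k && /=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                          sub(/[ \t]+$/, "", v); print tolower(v); exit }'
}

# audit_join REALM_LIST_TEXT SSSD_CONF_TEXT: one verdict line, status 1 on WARN.
audit_join() {
    aj_policy=$(printf '%s\n' "$1" | realm_field login-policy)
    aj_gpo=$(printf '%s\n' "$2" | sssd_opt ad_gpo_access_control)
    case "$aj_policy" in
    allow-permitted-logins)
        aj_groups=$(printf '%s\n' "$1" | realm_field permitted-groups)
        echo "OK restricted by realmd: groups=[$aj_groups]" ;;
    deny-any-login)
        echo "OK no domain logins allowed" ;;
    allow-realm-logins)
        if [ "$aj_gpo" = enforcing ]; then
            echo "OK access decided by AD GPO (enforcing)"
        else
            # Assumption: unset is flagged too; the default differs between SSSD versions.
            echo "WARN any enabled domain account can log in (gpo=${aj_gpo:-unset})"
            return 1
        fi ;;
    *)
        echo "WARN unexpected login-policy: ${aj_policy:-missing}"; return 1 ;;
    esac
}

# Constructed samples modelled on the Step 5 and Step 7 listings.
SAMPLE_REALM='domain.local
  login-policy: allow-realm-logins'
SAMPLE_SSSD='[domain/domain.local]
ad_gpo_access_control = permissive'

audit_join "$SAMPLE_REALM" "$SAMPLE_SSSD" || true
```

On a joined host, call it as audit_join "$(realm list)" "$(cat /etc/sssd/sssd.conf)"; reading sssd.conf needs root.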
Step 10: Disable unneeded sockets
systemctl disable sssd-nss.socket
systemctl disable sssd-pam-prov.socket
systemctl disable sssd-pam.socket
https://help.ubuntu.com/lts/serverguide/sssd-ad.html
https://4sysops.com/archives/join-a-debian-linux-server-to-an-active-directory-domain/
https://community.spiceworks.com/how_to/144319-join-debian-to-ad