Debian 12 as Active Directory member with limited SSH access

In order to join Debian 12 to an AD, you need to install Samba and change the default authentication. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers.

Step 1: Install prerequisites

$ apt install samba winbind libnss-winbind libpam-winbind

Step 2: Create samba config

Create a new file /etc/samba/smb.conf, or edit the existing one, with your favourite editor (vi, Neovim, Vim, Nano…) and add the following content. For an explanation of the individual configuration parameters, see the Samba documentation.

[global]
    netbios name = <my host name here>
    realm = <my domain here, e.g. domain.local>
    workgroup = <my domain name without .local>
    security = ADS
    local master = no
    domain master = no
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind cache time = 300
    winbind offline logon = no
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
    template shell = /bin/sh
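As an added example (not part of the guide), the following shell function writes the same [global] section from a host name and realm, applying the rule the placeholders above imply, and refuses host names over 15 characters, the NetBIOS limit; that the workgroup is the first label of the realm is an assumption.

```shell
# Usage: smb_global_section <hostname or FQDN> <realm>; prints a [global]
# section with the same settings as the guide. Added example, not the guide's
# own code; the workgroup is assumed to be the first label of the realm.
smb_global_section() {
    host=${1%%.*}          # strip any DNS suffix, NetBIOS wants the short name
    realm=$2
    # NetBIOS names are limited to 15 characters; a longer host name cannot be
    # used as "netbios name", so refuse it instead of silently truncating.
    if [ "${#host}" -gt 15 ]; then
        echo "host name '$host' is longer than 15 characters (NetBIOS limit)" >&2
        return 1
    fi
    realm_uc=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    netbios=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    workgroup=${realm_uc%%.*}
    cat <<EOF
[global]
    netbios name = $netbios
    realm = $realm_uc
    workgroup = $workgroup
    security = ADS
    local master = no
    domain master = no
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind cache time = 300
    winbind offline logon = no
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
    template shell = /bin/sh
EOF
}

# Example: smb_global_section srv01.domain.local domain.local > /etc/samba/smb.conf
```

Run testparm on the result afterwards, as in Step 3, since the function only enforces the name length and case conventions.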

Step 3: Test config, start samba and join Ubuntu to the domain

Now test the Samba config and start the Samba services once (enabling them at boot comes later). When prompted for a password, enter the one for the specified user.

$ testparm
$ systemctl start nmbd; systemctl start smbd; systemctl start winbind
$ net ads join -U Administrator
$ systemctl restart winbind

If the join succeeded, you can list the AD's users and groups with wbinfo:

$ wbinfo -u
$ wbinfo -g

You should see all users and groups. Hurray, your box is now a domain member!

Step 4: Make the system use AD users for authentication

Next up, you need to change the authentication backend. Use the following command to enable home directory creation and Winbind (Active Directory) authentication:

$ pam-auth-update

Now check that the system can resolve the domain users and groups:

$ getent passwd
$ getent group

You should see all users and groups now. If you have domain trusts, users from other domains are going to be listed as well.

Step 5: Configure OpenSSH and Sudo

All good so far. Now configure OpenSSH to authenticate against AD and, in this case, restrict logins to domain admins.

Edit /etc/ssh/sshd_config and change or add the following lines (validate the result with sshd -t before restarting sshd):

PasswordAuthentication yes
AllowGroups "domain admins" adm root

Next, optionally allow domain administrators to run commands via sudo:

Edit /etc/sudoers (using visudo, which checks the syntax before saving) and change or add the following line:

%domain\ admins ALL=(ALL) NOPASSWD: ALL

Please be aware that NOPASSWD suppresses the password prompt when executing commands with sudo. If you consider that a security risk, simply remove "NOPASSWD:" from the line.

Step 6: Start samba and winbind at boot time

Last but not least, Samba and Winbind need to start at boot time. Execute the following line:

$ systemctl enable nmbd; systemctl enable smbd; systemctl enable winbind

That should be it. Now reboot and use your Ubuntu box as an AD member.

Enable legacy provider and TLSv1 in OpenSSL3 on FreeBSD14

First you need to build OpenSSL from ports so that the non-default options can be enabled:

# pkg install portsnap portmaster
# portsnap auto
# portmaster --packages-build security/openssl

Then, in the port's configuration menu, enable:

Provider Modules -> Legacy
Protocol Support -> TLS1 and TLS1_1

After compilation has finished, make sure the sections in /etc/ssl/openssl.conf look like this. Note that this enables the legacy algorithms and SECLEVEL=0 for every program that uses the system OpenSSL configuration, not only the one that needs TLSv1:

[openssl_init]
providers = provider_sect
ssl_conf = ssl_configuration

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1
[legacy_sect]
activate = 1

[ssl_configuration]
system_default = tls_system_default

[tls_system_default]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0

Install uCARP on Debian 12

Install the ucarp package first:

$ apt install ucarp

Configure the interface in /etc/network/interfaces on your PRIMARY server:

iface eth0 inet static
    address 10.1.1.4/24
    gateway 10.1.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 1.1.1.1 9.9.9.9
    dns-search domain

iface eth0:ucarp inet static
    address 10.1.1.30
    netmask 255.255.255.0

Now do the same on your SECONDARY server:

iface eth0 inet static
    address 10.1.1.5/24
    gateway 10.1.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 1.1.1.1 9.9.9.9
    dns-search domain

iface eth0:ucarp inet static
    address 10.1.1.30
    netmask 255.255.255.0

You can check on your primary whether the carp alias interface comes up with:

$ ifup eth0:ucarp

If this works, we have to create a config file and the systemd unit ourselves, as the package does not ship a unit file.

First create /etc/ucarp/vip-common.conf on both servers and paste the following. This is the primary's version, so adapt it for the secondary, notably SOURCE_ADDRESS and ADVSKEW; set ADVSKEW higher on the secondary, e.g. ADVSKEW="100":

BIND_INTERFACE="eth0"
PASSWORD="mysimplepass"
VIP_ADDRESS="10.1.1.30"
SOURCE_ADDRESS="10.1.1.4"
VHID="1"
ADVBASE="1"
ADVSKEW="10"
OPTIONS="-P -z"
UPSCRIPT="/usr/share/ucarp/vip-up"
DOWNSCRIPT="/usr/share/ucarp/vip-down"

Then create the systemd unit file /etc/systemd/system/ucarp.service. Be aware that passing the password with -p puts it on the ucarp command line, where every local user can read it with ps; ucarp's -o/--passfile option reads it from a file instead.

[Unit]
Description=UCARP virtual interface
After=network.target

[Service]
EnvironmentFile=-/etc/ucarp/vip-common.conf
ExecStart=/usr/sbin/ucarp $OPTIONS -i $BIND_INTERFACE -p $PASSWORD -v $VHID -a $VIP_ADDRESS -s $SOURCE_ADDRESS -b $ADVBASE -k $ADVSKEW -u $UPSCRIPT -d $DOWNSCRIPT
KillMode=control-group

[Install]
WantedBy=multi-user.target

Last but not least, enable and start it:

$ systemctl enable --now ucarp
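As an added example (not part of the post), the following shell functions emit the vip-common.conf for either role from the values above and check that a primary/secondary pair agrees on everything both peers must share, while differing in SOURCE_ADDRESS and giving the secondary the higher ADVSKEW. The addresses, interface and password are the post's; ADVSKEW=100 for the secondary follows its suggestion.

```shell
# Usage: ucarp_conf primary|secondary  -> prints vip-common.conf for that role.
# Added example, not the post's own code; values are the post's sample ones.
ucarp_conf() {
    case $1 in
        primary)   src=10.1.1.4; skew=10 ;;
        secondary) src=10.1.1.5; skew=100 ;;
        *) echo "role must be primary or secondary" >&2; return 1 ;;
    esac
    cat <<EOF
BIND_INTERFACE="eth0"
PASSWORD="mysimplepass"
VIP_ADDRESS="10.1.1.30"
SOURCE_ADDRESS="$src"
VHID="1"
ADVBASE="1"
ADVSKEW="$skew"
OPTIONS="-P -z"
UPSCRIPT="/usr/share/ucarp/vip-up"
DOWNSCRIPT="/usr/share/ucarp/vip-down"
EOF
}

# conf_get <file> <KEY>: read KEY="value" from a file in EnvironmentFile format.
conf_get() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Usage: ucarp_pair_ok <primary.conf> <secondary.conf>
# Returns 0 if the two files can form one CARP group: shared interface, password,
# VIP, VHID and ADVBASE; distinct source addresses; secondary skew higher.
ucarp_pair_ok() {
    for key in BIND_INTERFACE PASSWORD VIP_ADDRESS VHID ADVBASE; do
        [ "$(conf_get "$1" "$key")" = "$(conf_get "$2" "$key")" ] \
            || { echo "$key differs between the two files" >&2; return 1; }
    done
    [ "$(conf_get "$1" SOURCE_ADDRESS)" != "$(conf_get "$2" SOURCE_ADDRESS)" ] \
        || { echo "both files use the same SOURCE_ADDRESS" >&2; return 1; }
    [ "$(conf_get "$1" ADVSKEW)" -lt "$(conf_get "$2" ADVSKEW)" ] \
        || { echo "secondary ADVSKEW must be higher than the primary's" >&2; return 1; }
}
```

Copy each server's vip-common.conf to one machine to run the check, since a mismatched VHID or password is the usual reason two peers both believe they are master.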

https://ucarp.wordpress.com