{"id":1220,"date":"2022-02-17T15:52:54","date_gmt":"2022-02-17T14:52:54","guid":{"rendered":"https:\/\/ndk.sytes.net\/wordpress\/?p=1220"},"modified":"2024-02-09T09:55:45","modified_gmt":"2024-02-09T08:55:45","slug":"freebsd-as-active-directory-member-with-limited-ssh-access-2","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=1220","title":{"rendered":"AlmaLinux 8 as Active Directory member with limited SSH access"},"content":{"rendered":"\n<p>In order to join AlmaLinux (or any RHEL clone) to an AD, you need to install Samba and change the default authentication. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-1-install-prerequisities\">Step 1: Install prerequisites<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">$ dnf install samba samba-client samba-winbind oddjobd oddjobd-mkhomedir<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-2-create-samba-config-usr-local-etc-smb4-conf\">Step 2: Create samba config<\/h2>\n\n\n\n<p id=\"step-2-create-samba-config-usr-local-etc-smb4-conf\">Create a new file <em>\/etc\/smb.conf<\/em> or edit the existing one with your favourite editor (VI, NeoVIM, VIM, Nano&#8230;) and add the following content. For an explanation of each config parameter, please see the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.samba.org\/samba\/docs\/current\/man-html\/smb.conf.5.html\" target=\"_blank\">Samba Documentation<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[global]\n    netbios name = &lt;my host name here>\n    realm = &lt;my domain here, e.g. 
domain.local>\n    workgroup = &lt;my domain name without .local>\n    security = ADS\n    local master = no\n    domain master = no\n    allow trusted domains = no\n    winbind use default domain = yes\n    winbind enum groups = yes\n    winbind enum users = yes\n    winbind nss info = rfc2307\n    winbind cache time = 300\n    winbind offline logon = no\n    idmap config * : range = 2000-9999\n    idmap config * : backend = tdb\n    template shell = \/bin\/sh<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-3-test-config-start-samba-and-join-almalinux-to-the-domain\">Step 3: Test config, start samba and join AlmaLinux to the domain<\/h2>\n\n\n\n<p>Now let us test the Samba config and start the Samba services once; enabling them at boot comes later. When asked for a password, enter the password of the specified user.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ testparm\n$ systemctl start nmb\n$ systemctl start smb\n$ systemctl start winbind\n$ net ads join -U Administrator\n$ systemctl restart winbind<\/pre>\n\n\n\n<p>If successful, you can list the AD&#8217;s users and groups with wbinfo:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ wbinfo -u<br>$ wbinfo -g<\/pre>\n\n\n\n<p>Basically you should see all users and groups. <em>Hurray, your box is now a domain member!<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-4-make-the-system-use-ad-users-for-authentication\">Step 4: Make the system use AD users for authentication<\/h2>\n\n\n\n<p>Next up, you need to change the authentication backend. Simply use the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ authselect select winbind with-mkhomedir<\/pre>\n\n\n\n<p>Now check that the system can resolve users and groups:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ getent passwd<br>$ getent group<\/pre>\n\n\n\n<p>You should see all users and groups now. 
If you have domain trusts, users from other domains are going to be listed as well.<\/p>\n\n\n\n<p><strong>IMPORTANT: when using pam_mkhomedir.so, Samba home directories default to \/home\/&lt;MY_DOMAIN&gt;\/&lt;AD_USER&gt;. The &lt;MY_DOMAIN&gt; folder needs to be created manually first!<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-5-configure-openssh-and-sudo\">Step 5: Configure OpenSSH and Sudo<\/h2>\n\n\n\n<p>Ok, all great so far. Now let&#8217;s configure OpenSSH to authenticate against AD and, in this case, limit logins to domain admins only.<\/p>\n\n\n\n<p>Edit <em>\/etc\/ssh\/sshd_config<\/em> and change or add the following lines:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PasswordAuthentication yes<br>ChallengeResponseAuthentication no<br>AllowGroups \"domain admins\" wheel root<\/pre>\n\n\n\n<p>Next, allow domain administrators to run commands with &#8220;sudo&#8221; (optional):<\/p>\n\n\n\n<p>Edit <em>\/etc\/sudoers<\/em> and change or add the following line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">%domain\\ admins ALL=(ALL) NOPASSWD: ALL<\/pre>\n\n\n\n<p>Please be aware that NOPASSWD suppresses the password prompt when executing commands with sudo. If you consider that a security risk, simply remove &#8220;NOPASSWD:&#8221; from the line.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-6-start-samba-and-winbind-at-boot-time\">Step 6: Start samba and winbind at boot time<\/h2>\n\n\n\n<p>Last but not least, we need to start Samba and winbind at boot time. Simply execute the following lines:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ systemctl enable nmb\n$ systemctl enable smb\n$ systemctl enable winbind<\/pre>\n\n\n\n<p>That should be it. Now <strong><em>reboot<\/em><\/strong> and use your AlmaLinux box as an AD member.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In order to join AlmaLinux (or any RHEL clone) to an AD, you need to install Samba and change the default authentication. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers. 
Step 1: Install prerequisites $ dnf install samba samba-client samba-winbind oddjobd oddjobd-mkhomedir Step 2: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,7],"tags":[],"class_list":["post-1220","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-servers"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1220"}],"version-history":[{"count":4,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1220\/revisions"}],"predecessor-version":[{"id":1312,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1220\/revisions\/1312"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1220"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}