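Questa guida spiega come configurare un client linux (nel mio caso mint) e aggiungerlo ad un dominio microsoft windows utilizzando sssd in quanto winbind è deprecato.

# First of all... :)
# Sets a root password. Linux Mint ships with the root account locked; the
# steps below are run as root via `su -`. Consider locking the account again
# (`passwd -l root`) once the setup is done, so no interactive root login stays enabled.
sudo passwd

# Start here
su -

# Update the package repositories
apt-get update

# Install SSH for remote access
apt-get install openssh-server

# /etc/hosts
# The hosts file must contain both this computer and the domain controllers.
# NOTE(review): Kerberos relies on the host's FQDN resolving consistently
# (forward and reverse); mapping it to 127.0.0.1 is fine only if the domain
# DNS does not answer differently for the same name - confirm against the AD zone.
127.0.0.1 miocomputer.miodominio.local miocomputer
127.0.1.1 MIOCOMPUTER
10.10.14.3 mioserverdidominio.miodominio.local mioserverdidominio # ad - dns1
10.10.14.4 mioserverdidominiosecondario.miodominio.local mioserverdidominiosecondario # ad - dns2
192.168.0.250 mioserverdidominioterziario.miodominio.local mioserverdidominioterziario # ad - dns3

# Install the required software
apt-get install oddjob oddjob-mkhomedir sssd samba-common-bin adcli libpam-sss libnss-sss sssd-tools
apt-get install krb5-user
apt-get install realmd

# Discover the domain
realm discover -v miodominio.local

# Join the domain
# -U: any account that is allowed to join machines to the domain.
# The join creates the computer account and (typically) writes the machine
# keytab to /etc/krb5.keytab; treat that file like a credential.
realm join -v MIODOMINIO.LOCAL -U administrator

# Samba configuration
# /etc/samba/smb.conf
[global]
netbios name = MIOCOMPUTER
workgroup = MIODOMINIO
realm = MIODOMINIO.LOCAL
# require SMB signing from this client and negotiate Kerberos via SPNEGO
client signing = yes
client use spnego = yes
# use both secrets.tdb and the machine keytab written at join time
kerberos method = secrets and keytab
# superseded by the realm line above; kept for reference
#realm = MIOCOMPUTER.MIODOMINIO.LOCAL
security = ads
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes
# a Samba password change is pushed to the local Unix password as well
unix password sync = yes
passwd program = /usr/bin/passwd %u
# Debian default chat script. The \s and \n escapes are mandatory: the
# backslashes had been lost in the original paste, which makes the expect
# strings never match and breaks unix password sync.
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# unknown users are mapped to guest; guest ok = no on every share below keeps
# that from exposing anything, so keep the two settings in step
map to guest = bad user
template shell = /bin/bash
template homedir = /home/%D/%U

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

# Check the SSSD config file permissions
# sssd refuses to start unless the file is root-owned and mode 0600; it can
# also hold sensitive settings, so keep it unreadable to other users.
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

# /etc/sssd/sssd.conf
[nss]
# never resolve the local root user/group through AD
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = miodominio.local
config_file_version = 2
services = nss, pam

[domain/miodominio.local]
ad_domain = miodominio.local
krb5_realm = MIODOMINIO.LOCAL
realmd_tags = manages-system joined-with-adcli
# offline logon: credential hashes are kept in the sssd cache on disk
cache_credentials = True
id_provider = ad
# stores the user's password (for offline Kerberos ticket renewal) in the
# cache as well; only appropriate on encrypted disks - TODO confirm policy
krb5_store_password_if_offline = True
default_shell = /bin/bash
# derive UIDs/GIDs from the AD SID instead of reading POSIX attributes
ldap_id_mapping = True
# logins must be domain-qualified (user@miodominio.local)
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
# honours AD account state (disabled/expired/logon hours); on recent sssd
# versions this may also evaluate logon-right GPOs (ad_gpo_access_control),
# so make sure the workstation's GPO allows the intended users - confirm
access_provider = ad

# common-auth
# here are the per-package modules (the "Primary" block)
# nullok_secure is the Debian default: it permits empty local passwords on
# ttys listed in /etc/securetty; drop it if no local account may be empty
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_sss.so use_first_pass
# superseded by the sufficient line above; kept for reference
#auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config

# common-account
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
# duplicate of the pam_sss line in the Primary block; kept for reference
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config

# common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config

# common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
# creates the home directory on first login; umask=0077 makes it private to
# the owner. NOTE(review): oddjob-mkhomedir is installed above but not used
# here - confirm whether pam_mkhomedir or pam_oddjob_mkhomedir is intended.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config

# Enable home directory creation at login in common-session
# /etc/pam.d/common-session
# (PAM module arguments are space-separated, so it must be written
# skel=/etc/skel/ with no spaces around '='; the active line above already is)
#session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077

# Enable graphical (remote) login
# /usr/share/lightdm/lightdm.conf.d/50-greeter-wrapper.conf
[Seat:*]
greeter-wrapper=/usr/lib/lightdm/lightdm-greeter-session
# list local users in the greeter
greeter-hide-users=false
# show a free-text username field so a domain-qualified name can be typed
greeter-show-manual-login=true
# no passwordless guest session
allow-guest=false

# visudo - member who may have root privileges
# Grants unrestricted root to this single domain account; managing this via
# a domain group entry is the usual way to keep it reviewable at scale.
administrator@miodominio.local ALL=(ALL) ALL

# Kerberos authentication
kinit -V administrator

# LOGIN MIODOMINIO@marco.ratti
# NOTE(review): with use_fully_qualified_names = True sssd expects the
# user@domain form (marco.ratti@miodominio.local) or DOMAIN\user; the
# order shown above looks reversed - confirm which form the greeter accepts.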