How to join a Linux-Desktop to NS7 Active Directory with realmd?

Hi Thomas, no problems at all, atm :smile:

I tried to join a Debian 9 client and it has been working too. I use this little quick and dirty script for it:

#! /bin/sh

# realm(1) is part of realmd, so install it before discovering the domain
apt-get -y install sudo
sudo apt-get -y install realmd
sudo apt-get -y install ntp adcli sssd libsss-sudo
sudo mkdir -p /var/lib/samba/private
sudo systemctl enable sssd

# first domain realmd can discover via DNS (SRV records)
DOMAIN=$(realm discover | grep domain-name: | awk '{print $2}' | head -n 1)

clear
echo ""
sudo realm discover $DOMAIN
echo ""
sudo realm join --user=administrator $DOMAIN
sudo systemctl start sssd
# create the home directory on first login
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
# sudo rules for the domain admins; files in sudoers.d must be mode 0440
echo "administrator@$DOMAIN ALL=(ALL) ALL" | sudo tee -a /etc/sudoers.d/DomainAdmins
echo "admin@$DOMAIN ALL=(ALL) ALL" | sudo tee -a /etc/sudoers.d/DomainAdmins
sudo chmod 0440 /etc/sudoers.d/DomainAdmins
clear
echo ""
echo "     Please reboot your Machine !!! - Logon with administrator@$DOMAIN after reboot"

exit 0

2 Likes

Yes, I hit the same on my Fedora, so I added the following lines under the id_provider one:

override_homedir = /home/%u@%d
override_shell = /bin/bash

Furthermore, the authentication recently stopped working (I do not use domain accounts every day…). In the sssd journal I found

 [sssd[krb5_child[3013]]][3013]: Encryption type not permitted

To work around Kerberos issues with encryption algorithms, I set the LEGACY policy in /etc/crypto-policies/config as follows:

# This file should contain a single keyword, the crypto policy to
# be applied by default to applications. The available policies are 
# restricted to the following profiles.
#
# * LEGACY: ensures maximum compatibility with legacy systems (64-bit
#   security)
#
# * DEFAULT: A reasonable default for today's standards (80-bit security).
#
# * FUTURE: A level that will provide security on a conservative level that is
#   believed to withstand any near-term future attacks (128-bit security).
#
# After modifying this file, you need to run update-crypto-policies
# for the changes to propagate.
#
LEGACY
3 Likes

OK, thank you davide ! I will test it next time…

Yep, looks good… I am able to logon with admin@example.org too :grin:

Last thing (I hope), I don’t get a shell for user admin@example.org:

Do you know how to get a shell for the “normal” users ?

Updated my previous post: override_shell

Excellent !!! - Thank you very much…

1 Like

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+ join fedora Client to NethServer 7 AD v01 +-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

On fedora 27 Desktop !

get root:

sudo su

install some packages:

yum install nano openssh-server realmd oddjob oddjob-mkhomedir sssd adcli samba-common

start and enable ssh-server:

systemctl start sshd
systemctl enable sshd.service

change from DEFAULT to LEGACY:

nano /etc/crypto-policies/config
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LEGACY
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

join domain:

realm join --user=administrator example.org

check domain-join with:

id administrator@example.org

add override_homedir and override_shell at the end:

nano /etc/sssd/sssd.conf
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
override_homedir = /home/%u@%d
override_shell = /bin/bash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

set sudoers permissions:

echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

reboot fedora:

reboot

after reboot, logon with:

user: administrator@example.org
pass: your-administrator-password

4 Likes
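The two editing steps in the howto above (adding the overrides to sssd.conf and granting sudo to the domain admins) done in a way that is safe to re-run, plus a small check of which crypto policy keyword is active. This is an added example, not code from the thread or from NethServer: the sssd.conf it builds is a constructed sample of the kind of file realm join writes, the helper names (ensure_sssd_overrides, write_sudoers_rule, crypto_policy, demo) are my own, and the file paths are parameters so everything runs on temporary copies. The same sudoers drop-in helper covers the /etc/sudoers.d/DomainAdmins step of the Debian script earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the original posts). Appending override_homedir and
# override_shell to the end of sssd.conf only works when the last section of
# the file happens to be the domain section; this inserts them inside
# [domain/<realm>] and does nothing on a second run. It also keeps sssd.conf
# at the root-only 0600 mode sssd insists on, writes the sudo rule to a
# drop-in file with plain ASCII quotes, and reports the crypto policy in use.

# ensure_sssd_overrides CONF REALM
# Adds the two override keys under [domain/REALM] if they are not already there.
ensure_sssd_overrides() {
    conf=$1; realm=$2
    tmp=$(mktemp) || return 1
    awk -v section="[domain/$realm]" '
        # emit whichever keys are still missing when the target section ends
        function flush() {
            if (insec && !have_home)  print "override_homedir = /home/%u@%d"
            if (insec && !have_shell) print "override_shell = /bin/bash"
            insec = 0
        }
        /^\[/ { flush(); insec = ($0 == section); have_home = 0; have_shell = 0 }
        insec && /^override_homedir[ \t]*=/ { have_home = 1 }
        insec && /^override_shell[ \t]*=/   { have_shell = 1 }
        { print }
        END { flush() }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"   # overwrite in place: inode and owner stay
    chmod 0600 "$conf"                      # sssd refuses a world-readable config
}

# write_sudoers_rule FILE PRINCIPAL
# Grants full sudo to one AD principal in a sudoers.d style drop-in.
write_sudoers_rule() {
    file=$1; principal=$2
    printf '%s ALL=(ALL) ALL\n' "$principal" > "$file" || return 1
    chmod 0440 "$file"
    # visudo only accepts root-owned 0440 files, so validate the syntax as root
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$file" || { rm -f "$file"; return 1; }
    fi
}

# crypto_policy CONFIG
# Prints the active keyword (LEGACY, DEFAULT, FUTURE): first non-comment line.
crypto_policy() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# demo: builds a constructed sssd.conf in a temporary directory (shape assumed
# from what realm join produces), applies the helpers twice, prints the directory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
domains = example.org
config_file_version = 2
services = nss, pam

[domain/example.org]
ad_domain = example.org
krb5_realm = EXAMPLE.ORG
id_provider = ad
use_fully_qualified_names = True

[pam]
EOF
    printf 'LEGACY\n' > "$dir/crypto-config"    # constructed copy of the policy file
    ensure_sssd_overrides "$dir/sssd.conf" example.org || return 1
    ensure_sssd_overrides "$dir/sssd.conf" example.org || return 1   # second run: no duplicates
    write_sudoers_rule "$dir/DomainAdmins" 'administrator@example.org' || return 1
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` and inspect the printed directory: the overrides land before `[pam]`, i.e. inside the domain section, even though the domain section is not last. crypto_policy only reports the keyword; LEGACY applies host-wide, so it widens what every TLS, SSH and Kerberos client on the box accepts, not just sssd, which is worth recording when you decide to keep it.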

Please share the solution in a new topic with #howto category :blush:

1 Like

OK… :relaxed:

1 Like