Documentation
These helped me:
- https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/
- https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
Gather some information
Since I was just a gun for hire doing some Shadow IT, I was missing some intel. First, I had to find a Windows Domain Controller.
Using dig
```console
~ dig enterprise.local soa
; <<>> DiG 9.10.3-P4-Ubuntu <<>> enterprise.local soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31699
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;enterprise.local. IN SOA
;; ANSWER SECTION:
enterprise.local. 3600 IN SOA serv255.enterprise.local. hostmaster.enterprise.local. 4155451 180 60 86400 3600
;; ADDITIONAL SECTION:
serv255.enterprise.local. 3600 IN A 10.123.123.10
;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 04 16:53:25 CET 2017
;; MSG SIZE rcvd: 115
```
Here's a confirmation from a Windows laptop already in the domain:
```console
echo %LOGONSERVER%
\\serv255
```
Kerberos & Samba
Enter the domain when prompted; in my case it was enterprise.local.
```console
sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli
```
Kerberos configuration in /etc/krb5.conf:
```ini
[libdefaults]
    default_realm = ENTERPRISE.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    ENTERPRISE.LOCAL = {
        kdc = serv255.enterprise.local:88
        admin_server = serv255.enterprise.local
        default_domain = enterprise.local
    }
[domain_realm]
    .enterprise.local = ENTERPRISE.LOCAL
    enterprise.local = ENTERPRISE.LOCAL
[login]
    krb4_convert = true
    krb4_get_tickets = false
```
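As an added check that is not part of the original notes, the following lint reads a krb5.conf in the shape above and flags the mistakes that silently break a join: a [domain_realm] line without "=", a missing or lowercase default_realm, or a realm with no kdc. The two samples inside are constructed from the configuration above, one with the "=" deliberately dropped.

```shell
# Added example (not the page's own): lint the krb5.conf shape shown above.
# Checks: [libdefaults] default_realm set and upper-case, a [realms] block
# with a kdc for it, and every [domain_realm] line a "domain = REALM" mapping
# (the page's config as first written was missing one "=" there).

# lint_krb5: krb5.conf on stdin; prints one line per finding, returns 0 if clean.
lint_krb5() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\[/ { sect = substr($1, 2, length($1) - 2); next }
    sect == "libdefaults" && $1 == "default_realm" && $2 == "=" { realm = $3 }
    sect == "realms" && $2 == "=" && $3 == "{" { cur = $1; seen[cur] = 1 }
    sect == "realms" && cur != "" && $1 == "kdc" && $2 == "=" { kdc[cur] = 1 }
    sect == "realms" && $1 == "}" { cur = "" }
    sect == "domain_realm" {
      if (NF != 3 || $2 != "=") { bad++; print "domain_realm: malformed: " $0 }
      else if ($3 != realm)     { bad++; print "domain_realm: " $3 " is not " realm }
    }
    END {
      if (realm == "")                  { bad++; print "libdefaults: default_realm missing" }
      else if (realm != toupper(realm)) { bad++; print "default_realm not upper-case: " realm }
      if (realm != "" && !seen[realm])  { bad++; print "realms: no block for " realm }
      if (seen[realm] && !kdc[realm])   { bad++; print "realms: no kdc for " realm }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the page's config trimmed to the sections the lint reads.
GOOD_KRB5='[libdefaults]
default_realm = ENTERPRISE.LOCAL
[realms]
ENTERPRISE.LOCAL = {
kdc = serv255.enterprise.local:88
}
[domain_realm]
.enterprise.local = ENTERPRISE.LOCAL
enterprise.local = ENTERPRISE.LOCAL'

# Same sample with the "=" dropped on the first domain_realm line, as on the page.
BROKEN_KRB5=$(printf '%s\n' "$GOOD_KRB5" | sed 's/^\.enterprise\.local = /.enterprise.local /')

# lint_sample good|broken: run the lint on one of the two constructed samples;
# on a real machine run "lint_krb5 < /etc/krb5.conf" instead.
lint_sample() {
  case "$1" in
    good)   printf '%s\n' "$GOOD_KRB5" | lint_krb5 ;;
    broken) printf '%s\n' "$BROKEN_KRB5" | lint_krb5 ;;
  esac
}
```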
Create a new file /etc/realmd.conf and update it with your information:
```ini
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 16.04
[service]
automatic-install = no
[enterprise.local]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
```
Kerberos ticket initialization
```console
➜ ~ sudo kinit -V mylogin
Using default cache: /tmp/krb5cc_0
Using principal: mylogin@ENTERPRISE.LOCAL
Password for mylogin@ENTERPRISE.LOCAL:
Authenticated to Kerberos v5
```
Check that you have AD access. Without a Kerberos ticket, the ANSWER section is empty.
```console
➜ ~ dig -t SRV _ldap._tcp.enterprise.local
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t SRV _ldap._tcp.enterprise.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 21
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.enterprise.local. IN SRV
;; ANSWER SECTION:
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv027.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv059.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv025.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv029.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv028.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv001.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv061.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv030.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv196.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv023.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv057.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv164.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv255.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv024.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv026.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv002.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv022.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv035.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv168.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv031.enterprise.local.
;; ADDITIONAL SECTION:
serv027.enterprise.local. 3600 IN A 10.2.123.10
serv059.enterprise.local. 3600 IN A 10.11.123.10
serv025.enterprise.local. 3600 IN A 10.9.123.10
serv029.enterprise.local. 3600 IN A 10.8.123.10
serv028.enterprise.local. 3600 IN A 10.6.123.2
serv001.enterprise.local. 3600 IN A 172.26.0.11
serv061.enterprise.local. 3600 IN A 10.14.123.10
serv030.enterprise.local. 1200 IN A 172.27.20.22
serv196.enterprise.local. 3600 IN A 10.21.123.10
serv023.enterprise.local. 3600 IN A 10.127.123.2
serv057.enterprise.local. 3600 IN A 10.13.123.2
serv164.enterprise.local. 3600 IN A 10.125.123.10
serv255.enterprise.local. 3600 IN A 10.123.123.10
serv024.enterprise.local. 3600 IN A 10.4.123.10
serv026.enterprise.local. 3600 IN A 10.5.123.2
serv002.enterprise.local. 3600 IN A 172.26.0.12
serv022.enterprise.local. 3600 IN A 10.10.123.2
serv035.enterprise.local. 3600 IN A 10.200.57.12
serv168.enterprise.local. 3600 IN A 172.27.3.26
serv031.enterprise.local. 3600 IN A 10.1.123.10
;; Query time: 0 msec
;; SERVER: 10.123.123.10#53(10.123.123.10)
;; WHEN: Mon Dec 04 18:10:45 CET 2017
;; MSG SIZE rcvd: 1236
```
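Every SRV answer above carries priority 0 and weight 100, so any of the twenty controllers is a valid target for realm's discovery step. As an added example that is not part of the original notes, this orders SRV answers the way a client should (lowest priority first, then highest weight) and picks one; its SRV lines are constructed with differing priorities and weights so the ordering is visible.

```shell
# Added example (not the page's own): pick the domain controller from dig SRV
# answers, lowest priority first, then highest weight. The page's zone publishes
# every DC at priority 0 / weight 100; this constructed sample varies them.
# Note: RFC 2782 picks among equal-priority hosts randomly in proportion to
# weight; this helper takes the highest weight deterministically instead.
SRV_SAMPLE='_ldap._tcp.enterprise.local. 600 IN SRV 10 100 389 serv027.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 50 389 serv059.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 0 100 389 serv255.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN SRV 20 100 389 serv001.enterprise.local.'

# order_srv: dig SRV answer lines on stdin -> "priority weight port host" lines,
# best candidate first; comment lines and A records are ignored.
order_srv() {
  awk '$4 == "SRV" && NF == 8 { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' |
    sort -k1,1n -k2,2nr
}

# ordered_hosts: comma-separated host list from the sample, in preference order.
ordered_hosts() {
  printf '%s\n' "$SRV_SAMPLE" | order_srv |
    awk '{ s = s (NR > 1 ? "," : "") $4 } END { print s }'
}

# pick_dc: "host:port" of the first candidate, e.g. to pass to
# "realm join --domain-controller" or to check by hand with ldapsearch.
pick_dc() {
  printf '%s\n' "$SRV_SAMPLE" | order_srv | awk 'NR == 1 { print $4 ":" $3 }'
}
```

On a real host, pipe `dig -t SRV _ldap._tcp.enterprise.local +noall +answer` into `order_srv` instead of the sample.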
Add your workstation to the domain. This is where it failed for me: my account does not have the rights to join a machine to the domain...
```console
➜ ~ sudo realm --verbose join enterprise.local --user-principal=enterprise/mylogin --unattended
* Resolving: _ldap._tcp.enterprise.local
* Performing LDAP DSE lookup on: 10.123.123.10
* Successfully discovered: enterprise.local
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain enterprise.local --domain-realm ENTERPRISE.LOCAL --domain-controller 10.123.123.10 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-SM1UAZ --user-principal=enterprise/mylogin
* Using domain name: enterprise.local
* Calculated computer account name from fqdn: MYLAPTOP
* Using domain realm: enterprise.local
* Sending netlogon pings to domain controller: cldap://10.123.123.10
* Received NetLogon info from: serv255.enterprise.local
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-D9hA9J/krb5.d/adcli-krb5-conf-navA5X
* Looked up short domain name: ENTERPRISE
* Using fully qualified name: orion
* Using domain name: enterprise.local
* Using computer account name: MYLAPTOP
* Using domain realm: enterprise.local
* Calculated computer account name from fqdn: MYLAPTOP
* With user principal: enterprise/mylogin
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Computer account for MYLAPTOP$ does not exist
* Found well known computer container at: CN=Computers,DC=enterprise,DC=local
* Calculated computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local
! Insufficient permissions to modify computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local: 000020E7: AtrErr: DSID-031530D8, #1:
0: 000020E7: DSID-031530D8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4
adcli: joining domain enterprise.local failed: Insufficient permissions to modify computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local: 000020E7: AtrErr: DSID-031530D8, #1:
0: 000020E7: DSID-031530D8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4
! Insufficient permissions to join the domain
realm: Cannot prompt for a password when running in unattended mode
```