Debian Linux Cheat Sheet III [Active Directory Integration]
🔥🔑Directory Services Join / Authentication:
Directory Services Join / Authentication:
----------------------------------------|
Directory Services: Active Directory
OS: Debian GNU/Linux 12 (bookworm) x86_64
Kernel: 6.1.0-14-amd64
Shell: bash 5.2.15
Domain: guler.com
Server Ip: 10.x.x.x
Prepare the Network
-------------------------------------------------|
UDP/TCP 135: Domain controller intercommunication
UDP 138; TCP 139: File Replication Service (FRS)
UDP/TCP 389: Lightweight Directory Access Protocol (LDAP)
UDP/TCP 636: Lightweight Directory Access Protocol (LDAP) TLS/SSL
UDP/TCP 445: FRS
UDP/TCP 464: Kerberos password change
TCP 3268,3269: Global catalog (GC)
UDP/TCP 53: Domain Name System (DNS)
#Setup Info:
hostnamectl
hostname
hostname --domain
sudo cat /etc/resolv.conf #DNS FILE
sudo cat /etc/hosts #HOST FILE
#Required Packages
#Required Packages
sudo apt update
sudo apt upgrade
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
#Active Directory Explore, Participate, Complete:
sudo realm discover guler.com --verbose
sudo realm join guler.com
sudo realm join -U john guler.com
sudo realm join -v guler.com
sudo realm list
#Time Synchronization (NTP)
✅ Service: systemd-timesyncd services
-----------------------------------------|
sudo nano /etc/systemd/timesyncd.conf
sudo systemctl enable systemd-timesyncd
sudo systemctl start systemd-timesyncd
sudo systemctl status systemd-timesyncd
#sssd.conf Edit-View:
sudo cat /etc/sssd/sssd.conf
sudo nano /etc/sssd/sssd.conf
sudo systemctl restart sssd
systemctl status sssd
***From the "sssd" configurations file:
----------------------------------------------|
+ The cache_credentials setting is set to True. Thus, a user can still log in even if the Active Directory is unavailable.
+ The fallback_homedir is /home/%u@%d. For example, a user will have a home directory of /home/user@domain.
+ The use_fully_qualified_names is set to True. As a result, users must log in using the format user@domain.
----------------------------------------------|
#(PAM) Pluggable Authentication Modules "configurations file" düzenle:
sudo nano /etc/pam.d/common-session
✅🛡️ Sistemde her userin "/Home/username" oluştur ve "özel" yetkilerini ver.
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
#PAM(Pluggable Authentication Modules) (Spesifik) tekrar güncelle:
sudo pam-auth-update
📝🔑SSD Consider using SSL/TLS to encrypt LDAP traffic.
-------------------------------------------------------|
#SSSD.conf path:
sudo nano /etc/sssd/sssd.conf
#SSSD.conf Edit:
[domain/guler.com]
ldap_uri = ldaps://anatolia.guler.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
##LDAP Encryption SSL/TLS Remote Test #Status: Verify return code: 0 (ok)
openssl s_client -connect anatolia.guler.com:636 -showcerts
#SSSD Restart-Status:
sudo systemctl restart sssd
sudo systemctl status sssd
#Login Verify:
getent passwd [email protected]
id [email protected]
#User Login:
sudo login
su [email protected]
#SSSD (System Security Services Daemon) yapılandır (Edit):
sudo nano /etc/sssd/sssd.conf
#SSSD nitelikli kullanıcı adları(fully qualified) kullan True - False:
use_fully_qualified_names = False
#SSSD servisini yeniden başlat:
sudo systemctl restart sssd
#SSSD'nin LDAP kullanıcı ve gruplarını UNIX kimlikleriyle eşleştir:
#sudo nano /etc/sssd/sssd.conf
#Add File:
ldap_id_mapping = False #LDAP serverin kullanılabilirliğine bağımlı olma
ldap_id_mapping = True #LDAP serverin kullanılabilirliğine bağımlı ol
#SSSD (System Security Services Daemon) Cache Clear % Restart
sudo rm -f /var/lib/sss/db/*
sudo systemctl restart sssd
✅🛡️ Access Control – User/group limitations:
🛡️Kullanıcının SSH ve konsol aracılığıyla erişimine izin ver:
sudo realm permit [email protected]
#Allow/Deny access to group:
sudo realm permit -g LinuxAdmins
sudo realm deny -g LinuxAdmins
sudo realm permit g 'Security Users'
sudo realm permit -g 'Domain Users' 'admin users'
sudo realm permit -g [email protected]
#Tüm kullanıcılar/gruplar erişimine İzin ver - Reddet:
sudo realm permit --all
sudo realm deny --all
#Sudo Erişimini Yapılandır:
🛡️Varsayılan olarak Etki Alanı kullanıcılarının "root'a yükselme izni" yoktur.
sudo nano /etc/sudoers.d/linux-admins
#sudoers file Edit:
sudo visudo
#Add File:
%[email protected] ALL=(ALL) ALL
[email protected] ALL=(ALL) ALL
This post is licensed under CC BY 4.0 by the author.