Integrate a Debian 9 computer into Active Directory and get access to shared resources (using sssd & pam-mount)

What you need is :

Note that this procedure may make your computer inaccessible to local users, so DO NOT skip steps or you will have to reinstall Debian !


PART 1 : Integrate the Debian 9 computer to Active Directory

1. Install the required packages with the following command :

sudo apt-get install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf

2. Configure Kerberos

Kerberos is the network authentication protocol that lets your computer authenticate against your Windows Server.

First, the Kerberos configuration will ask for the realm name. This is your domain name in uppercase.

If your domain name is example.domain.com then answer EXAMPLE.DOMAIN.COM.

Second, Kerberos will ask for the hostnames of the Kerberos servers in your realm. Answer with your domain name.

Finally, it will ask for the hostname of the administrative server.

If you don't know what it is, answer with your domain name again.

3. Create and edit an ''sssd.conf'' file in ''/etc/sssd/conf.d/'' with the following command

sudo nano /etc/sssd/conf.d/sssd.conf

Make sure that you replace example.domain.com etc. with your own information !

    [sssd]
    domains = example.domain.com
    config_file_version = 2
    services = nss, pam
    #---------------------------------------------
    sbus_timeout = 30
    
    
    [nss]
    filter_users = root
    filter_groups = root
    reconnection_retries = 5
    
    [pam]
    reconnection_retries = 5
    offline_credentials_expiration = 0
    #----------------------------------------------
    
    
    [domain/example.domain.com]
    ad_domain = example.domain.com
    krb5_realm = EXAMPLE.DOMAIN.COM
    realmd_tags = manages-system joined-with-adcli 
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    fallback_homedir = /home/%u
    access_provider = simple
    use_fully_qualified_names = False
    ad_gpo_access_control = permissive
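Two things commonly make this step fail silently: the domain named in ''domains ='' not matching the ''[domain/...]'' section (or ''ad_domain''), and the snippet being readable by other users, since sssd only accepts configuration files owned by root with mode 0600 and a file created with ''sudo nano'' under the default umask is 0644. The following script is an added example (not part of the original page) that checks both points before you restart sssd. It assumes the single-domain layout shown above; the function names and the sample file written to a temporary directory are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks to run on an
# sssd configuration snippet before "systemctl restart sssd". It assumes the
# single-domain layout shown in the page (one "domains =" entry and one
# "[domain/...]" section). Function and file names are illustrative.

# Print the value of KEY from FILE ("key = value"), surrounding whitespace removed.
cfg_value() {  # cfg_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the domain names in FILE agree with each other:
#   domains = X      must match  [domain/X]
#   ad_domain = X    must match  [domain/X]
#   krb5_realm       must be ad_domain in upper case
check_sssd_domains() {  # check_sssd_domains FILE
    file=$1
    domains=$(cfg_value "$file" domains)
    section=$(sed -n 's|^[[:space:]]*\[domain/\(.*\)\][[:space:]]*$|\1|p' "$file" | head -n 1)
    ad_domain=$(cfg_value "$file" ad_domain)
    realm=$(cfg_value "$file" krb5_realm)
    expected_realm=$(printf '%s' "$ad_domain" | tr '[:lower:]' '[:upper:]')
    status=0
    if [ -z "$section" ] || [ "$domains" != "$section" ]; then
        echo "domains = '$domains' does not match section [domain/$section]"; status=1
    fi
    if [ "$ad_domain" != "$section" ]; then
        echo "ad_domain = '$ad_domain' does not match section [domain/$section]"; status=1
    fi
    if [ "$realm" != "$expected_realm" ]; then
        echo "krb5_realm = '$realm' but the realm for $ad_domain is $expected_realm"; status=1
    fi
    return $status
}

# Return 0 if FILE is owned by root with mode 0600, which is what sssd requires
# before it will read a configuration file or snippet.
check_sssd_perms() {  # check_sssd_perms FILE
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "600 root" ]
}

# Constructed sample snippet (same values as the page), written to a temp dir.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sssd.conf" <<'EOF'
[sssd]
domains = example.domain.com
config_file_version = 2
services = nss, pam

[domain/example.domain.com]
ad_domain = example.domain.com
krb5_realm = EXAMPLE.DOMAIN.COM
id_provider = ad
EOF
chmod 600 "$tmpdir/sssd.conf"
check_sssd_domains "$tmpdir/sssd.conf" && echo "domain names are consistent"
check_sssd_perms "$tmpdir/sssd.conf" || echo "fix with: sudo chown root:root FILE && sudo chmod 600 FILE"
rm -rf "$tmpdir"
```

Run it against the real file with ''check_sssd_domains /etc/sssd/conf.d/sssd.conf'' and ''check_sssd_perms /etc/sssd/conf.d/sssd.conf'' (as root, so that stat can read it); if either check prints a complaint, fix the file before step 4.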

4. Restart sssd (''System Security Services Daemon'') to apply the changes :

sudo systemctl restart sssd

5. Secure your computer

The procedure below can lock out local users if it goes wrong, so BEFORE logging out of your session,

Press Ctrl+Alt+F1 and log in there as root, so that you keep access to your computer and can undo the changes.

To get back to the graphical environment, press Ctrl+Alt+F7

6. Join the Active Directory domain with the following command :

sudo realm join --user=an_user

where ''an_user'' is the username of a user of the AD.

Then enter the password of that user.

Your computer now belongs to the domain !

7. Check that it works:

DO NOT do this step before doing STEP 5, and DO NOT REBOOT YOUR COMPUTER !!!

Log out of your session and try to log in with the username/password of an AD user. If it works, go to Part 2.

If it doesn't work, go back to the root session you opened with Ctrl+Alt+F1 and undo the changes you have just made.


PART 2 : Get access to the shared resources

1. Install the required packages with the following command :

sudo apt-get install keyutils libpam-mount cifs-utils

2. Edit the ''/etc/security/pam_mount.conf.xml'' file

The /etc/security/pam_mount.conf.xml file lets you mount the shared resources you want automatically at login !

    <?xml version="1.0" encoding="utf-8" ?>
    <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
    <!--
        See pam_mount.conf(5) for a description.
    -->

    <pam_mount>

        <!-- debug should come before everything else,
             since this file is still processed in a single pass
             from top-to-bottom -->

        <debug enable="0" />

        <!-- Volume definitions -->

        <!-- pam_mount parameters: General tunables -->

        <!--
        <luserconf name=".pam_mount.conf.xml" />
        -->

        <!-- Note that commenting out mntoptions will give you the defaults.
             You will need to explicitly initialize it with the empty string
             to reset the defaults to nothing. -->
        <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
        <!--
        <mntoptions deny="suid,dev" />
        <mntoptions allow="*" />
        <mntoptions deny="*" />
        -->
        <mntoptions require="nosuid,nodev" />

        <logout wait="0" hup="no" term="no" kill="no" />

        <volume fstype="cifs"
                path="//example.domain.com/NameOfTheDisk/PathTo/SharedResources1"
                mountpoint="/Path/NameOfTheShortcut1"
                options="username=%(DOMAIN_USER),iocharset=utf8" />

        <volume fstype="cifs"
                path="//example.domain.com/NameOfTheDisk/PathTo/SharedResources2"
                mountpoint="/Path/NameOfTheShortcut2"
                options="username=%(DOMAIN_USER),iocharset=utf8" />

        <mkmountpoint enable="1" remove="true" />

    </pam_mount>

In each volume XML tag, make sure to replace the path and mountpoint attributes with your own information.

You can add as many volume tags as you want.

BE CAREFUL : Make sure that no existing directory has the same name as the shortcut (the mountpoint).

For example, in your home directory, if you create a shared-resource shortcut named Documents (~/Documents), the contents of the original ~/Documents directory will not be available until you unmount the shared resource whose shortcut is named *Documents*
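The collision described above is easy to catch before the first login. The script below is an added example (not part of the original page): it reads the mountpoints out of a pam_mount.conf.xml, expands ''%(USER)'', ''%(HOME)'' and a leading ''~'' for a given user the way pam_mount does, and reports any mountpoint that already exists as a non-empty directory. Function names and the constructed sample config are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: before the first pam_mount login,
# list the mountpoints declared in pam_mount.conf.xml and flag any that
# already exist as a non-empty directory, since a share mounted there hides
# the local contents (the ~/Documents case described in the text).
# %(HOME), %(USER) and a leading "~" are expanded here for the given user;
# function and file names are illustrative.

# Print one mountpoint per line from CONFIG, expanded for USER whose home is HOME.
pam_mount_mountpoints() {  # pam_mount_mountpoints CONFIG USER HOME
    sed -n 's/.*mountpoint="\([^"]*\)".*/\1/p' "$1" \
      | sed "s|%(USER)|$2|g; s|%(HOME)|$3|g; s|^~|$3|"
}

# Return 0 if no declared mountpoint is an existing non-empty directory,
# otherwise print the offenders and return 1.
check_mountpoint_collisions() {  # check_mountpoint_collisions CONFIG USER HOME
    status=0
    while IFS= read -r mp; do
        [ -n "$mp" ] || continue
        if [ -d "$mp" ] && [ -n "$(ls -A "$mp")" ]; then
            echo "$mp exists and is not empty: its local files would be hidden by the share"
            status=1
        fi
    done <<EOF
$(pam_mount_mountpoints "$1" "$2" "$3")
EOF
    return $status
}

# Constructed demo: a config with two volumes and a home directory where
# ~/Documents already holds a local file.
tmp=$(mktemp -d)
mkdir -p "$tmp/home/alice/Documents"
echo "thesis draft" > "$tmp/home/alice/Documents/notes.txt"
cat > "$tmp/pam_mount.conf.xml" <<'EOF'
<pam_mount>
  <volume fstype="cifs" path="//example.domain.com/share/docs"
          mountpoint="~/Documents" options="username=%(DOMAIN_USER),iocharset=utf8" />
  <volume fstype="cifs" path="//example.domain.com/share/team"
          mountpoint="%(HOME)/Team" options="username=%(DOMAIN_USER),iocharset=utf8" />
</pam_mount>
EOF
check_mountpoint_collisions "$tmp/pam_mount.conf.xml" alice "$tmp/home/alice" \
    || echo "rename or empty that directory, or choose another mountpoint"
rm -rf "$tmp"
```

To check the real configuration for one AD user, run ''check_mountpoint_collisions /etc/security/pam_mount.conf.xml an_user /home/an_user'' before logging in as that user; an empty or missing directory is fine, since ''mkmountpoint enable="1"'' creates it on demand.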

3. Check that it works

Log out of your session and try to log in with the username/password of an AD user.

Check that you have access to the resources you mounted.

Sources :

