Configure system
If your domain does not support AES encryption for Kerberos, you have to enable support for RC4 encryption.
cat /etc/crypto-policies/state/current
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
reboot
The policy is defined in /usr/share/crypto-policies/policies/modules/AD-SUPPORT-LEGACY.pmod.
Join Domain
With a one time password
- In AD, reset the password for the computer object. The password is the samAccountName in lowercase and without the dollar sign. If the computer name is LinuxServer123.domain.tld, the password is linuxserver123.
- Discover available domains with:
realm discover domain.tld
- Join the domain with:
sudo realm join --one-time-password=linuxserver123 domain.tld
With a domain admin account
realm discover domain.tld
sudo realm join -U BobTheAdmin domain.tld
Configure users in domain
Users need to have the fields uidNumber and gidNumber populated, and groups need to have gidNumber set.
Otherwise this error is given:
To search for the currently used uid and gid numbers, use these commands:
Get-ADUser -Properties uidNumber,gidNumber -Filter "uidNumber -like '*' -or gidNumber -like '*'" | Select-Object name,uidNumber,gidNumber | Sort-Object -Property uidNumber
Get-ADGroup -Properties gidNumber -Filter "gidNumber -like '*'" | Select-Object name,gidNumber | Sort-Object -Property gidNumber
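As an added example that is not part of the original page, the following PowerShell script goes beyond the two listings above: it finds the users in a Linux login group that lack uidNumber or gidNumber (and so will hit the error described), flags duplicate uidNumbers (two accounts sharing a uidNumber are the same identity on Linux, so one can read and modify the other's files), lists groups that have members but no gidNumber, and prints the next free uidNumber. The group name "LinuxUsers" is an assumed placeholder.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module and a group "LinuxUsers" (placeholder) holding the Linux login users.
Import-Module ActiveDirectory

$linuxGroup = 'LinuxUsers'   # placeholder, adjust to your domain

# Users in the group that SSSD cannot map: uidNumber or gidNumber is unset
$members = Get-ADGroupMember -Identity $linuxGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties uidNumber,gidNumber }

$missing = $members | Where-Object { -not $_.uidNumber -or -not $_.gidNumber }
if ($missing) {
    Write-Host "Users missing uidNumber/gidNumber (logins will fail):"
    $missing | Select-Object SamAccountName,uidNumber,gidNumber | Format-Table -AutoSize
}

# Duplicate uidNumbers: the same numeric id means the same identity on Linux
$allPosix = Get-ADUser -Filter "uidNumber -like '*'" -Properties uidNumber
$dupes = $allPosix | Group-Object uidNumber | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    Write-Host ("uidNumber {0} is shared by: {1}" -f $d.Name, ($d.Group.SamAccountName -join ', '))
}

# Groups that have members but no gidNumber are invisible to Linux
Write-Host "Groups with members but without gidNumber:"
Get-ADGroup -Filter * -Properties gidNumber,member |
    Where-Object { $_.member.Count -gt 0 -and -not $_.gidNumber } |
    Select-Object Name | Format-Table -AutoSize

# Next free uidNumber above the highest one currently in use
$next = (($allPosix.uidNumber | Measure-Object -Maximum).Maximum) + 1
Write-Host "Next free uidNumber: $next"
```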
Debug from Linux
Get user
Get group
Clear the local SSSD cache, for example after removing a user from a group.