
Joining a Linux workstation to a Windows Domain

Documentation

Those helped me

Gather some information

Since I was just a gun for hire doing some Shadow IT, I missed some intel. First, I had to find a Windows Domain Controller, using dig:

~ dig enterprise.local soa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> enterprise.local soa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31699
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;enterprise.local.		IN	SOA

;; ANSWER SECTION:
enterprise.local.	3600	IN	SOA	serv255.enterprise.local. hostmaster.enterprise.local. 4155451 180 60 86400 3600

;; ADDITIONAL SECTION:
serv255.enterprise.local. 3600	IN	A	10.123.123.10

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 04 16:53:25 CET 2017
;; MSG SIZE  rcvd: 115

Here's a confirmation from a Windows laptop already in the domain

echo %LOGONSERVER%
\\serv255

Kerberos & Samba

Enter the domain when prompted; in my case it was enterprise.local.

sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli

Kerberos configuration in /etc/krb5.conf:

[libdefaults]
        default_realm = ENTERPRISE.LOCAL

        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        ENTERPRISE.LOCAL = {
                kdc = serv255.enterprise.local:88
                admin_server = serv255.enterprise.local
                default_domain = enterprise.local
        }

[domain_realm]
        .enterprise.local = ENTERPRISE.LOCAL
        enterprise.local = ENTERPRISE.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false
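The [domain_realm] section is where a typo hides easily: a mapping line without "= REALM" is not a valid krb5.conf relation, so the host-to-realm mapping you intended is not applied, and a realm that is not upper-case will not match an Active Directory realm (which is the DNS domain name in upper-case). The following lint is an added example of mine, not code from the original post; the two krb5.conf samples it checks are constructed, with a made-up EXAMPLE.TEST realm.

```shell
#!/bin/sh
# Added example (not from the original post): lint the [domain_realm] section of a
# krb5.conf for two common mistakes, a mapping line with no "= REALM" and a realm
# that is not upper-case. Both sample configs below are constructed.

BROKEN_KRB5='[libdefaults]
        default_realm = EXAMPLE.TEST

[domain_realm]
        .example.test EXAMPLE.TEST
        example.test = example.test'

FIXED_KRB5='[libdefaults]
        default_realm = EXAMPLE.TEST

[domain_realm]
        .example.test = EXAMPLE.TEST
        example.test = EXAMPLE.TEST'

# lint_domain_realm: read a krb5.conf on stdin, print one finding per bad mapping
# line, and exit 1 if there was any finding (0 if the section is clean).
lint_domain_realm() {
    awk '
        # Track which [section] we are in.
        /^[[:space:]]*\[/ {
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "domain_realm" && NF > 0 {
            if ($0 !~ /=/) {
                printf "line %d: missing \"= REALM\": %s\n", NR, $0
                bad = 1
                next
            }
            realm = $0
            sub(/^[^=]*=[[:space:]]*/, "", realm)   # keep only the right-hand side
            sub(/[[:space:]]+$/, "", realm)
            if (realm != toupper(realm)) {
                printf "line %d: realm %s is not upper-case: %s\n", NR, realm, $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# lint_status: "0" if the config passed as $1 lints clean, "1" otherwise.
lint_status() {
    if printf '%s\n' "$1" | lint_domain_realm >/dev/null; then
        echo 0
    else
        echo 1
    fi
}

printf '%s\n' "$BROKEN_KRB5" | lint_domain_realm || echo "broken sample: findings above"
printf '%s\n' "$FIXED_KRB5" | lint_domain_realm && echo "fixed sample: clean"
```

To check the real file, run `lint_domain_realm < /etc/krb5.conf` before `kinit`; a non-zero exit means at least one mapping line will not do what you expect.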

Create a new file, /etc/realmd.conf, and update it with your own information:

[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 16.04
[service]
automatic-install = no
[enterprise.local]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Kerberos ticket initialization

➜  ~ sudo kinit -V mylogin
Using default cache: /tmp/krb5cc_0
Using principal: mylogin@ENTERPRISE.LOCAL
Password for mylogin@ENTERPRISE.LOCAL:
Authenticated to Kerberos v5

Check that you have AD access. Without a Kerberos ticket, the ANSWER section is empty.

➜  ~ dig -t SRV _ldap._tcp.enterprise.local      

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t SRV _ldap._tcp.enterprise.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 21

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.enterprise.local.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv027.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv059.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv025.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv029.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv028.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv001.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv061.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv030.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv196.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv023.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv057.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv164.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv255.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv024.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv026.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv002.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv022.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv035.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv168.enterprise.local.
_ldap._tcp.enterprise.local. 600 IN	SRV	0 100 389 serv031.enterprise.local.

;; ADDITIONAL SECTION:
serv027.enterprise.local. 3600	IN	A	10.2.123.10
serv059.enterprise.local. 3600	IN	A	10.11.123.10
serv025.enterprise.local. 3600	IN	A	10.9.123.10
serv029.enterprise.local. 3600	IN	A	10.8.123.10
serv028.enterprise.local. 3600	IN	A	10.6.123.2
serv001.enterprise.local. 3600	IN	A	172.26.0.11
serv061.enterprise.local. 3600	IN	A	10.14.123.10
serv030.enterprise.local. 1200	IN	A	172.27.20.22
serv196.enterprise.local. 3600	IN	A	10.21.123.10
serv023.enterprise.local. 3600	IN	A	10.127.123.2
serv057.enterprise.local. 3600	IN	A	10.13.123.2
serv164.enterprise.local. 3600	IN	A	10.125.123.10
serv255.enterprise.local. 3600	IN	A	10.123.123.10
serv024.enterprise.local. 3600	IN	A	10.4.123.10
serv026.enterprise.local. 3600	IN	A	10.5.123.2
serv002.enterprise.local. 3600	IN	A	172.26.0.12
serv022.enterprise.local. 3600	IN	A	10.10.123.2
serv035.enterprise.local. 3600	IN	A	10.200.57.12
serv168.enterprise.local. 3600	IN	A	172.27.3.26
serv031.enterprise.local. 3600	IN	A	10.1.123.10

;; Query time: 0 msec
;; SERVER: 10.123.123.10#53(10.123.123.10)
;; WHEN: Mon Dec 04 18:10:45 CET 2017
;; MSG SIZE  rcvd: 1236
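The SRV answer above lists every LDAP server the domain advertises, and a client does not try them in the order dig prints them: it takes the lowest priority first and, within a priority, prefers higher weights. The following script is an added example of mine, not from the original post; it parses `dig -t SRV` output into that order. The dig output it runs on is a constructed sample with made-up hostnames and addresses, and the strict priority-then-weight sort is a deterministic stand-in for the RFC 2782 weighted-random choice.

```shell
#!/bin/sh
# Added example (not from the original post): order the domain controllers returned
# by an SRV lookup the way a client picks one: lowest priority first, higher weight
# preferred within the same priority. Input is `dig -t SRV` output on stdin.

# Constructed sample dig output; hostnames and addresses are made up.
SAMPLE_DIG='; <<>> DiG 9.10.3 <<>> -t SRV _ldap._tcp.example.test
;; ANSWER SECTION:
_ldap._tcp.example.test. 600 IN SRV 10 50 389 dc3.example.test.
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.example.test. 600 IN SRV 0 30 389 dc2.example.test.

;; ADDITIONAL SECTION:
dc1.example.test. 3600 IN A 192.0.2.10
dc2.example.test. 3600 IN A 192.0.2.11
dc3.example.test. 3600 IN A 192.0.2.12'

# list_srv_targets: print "priority weight port target", one DC per line, sorted.
list_srv_targets() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }   # start of the section we want
        /^;;/ || /^$/         { in_answer = 0 }         # any other header ends it
        in_answer && $4 == "SRV" {
            target = $8
            sub(/\.$/, "", target)                       # drop the trailing root dot
            printf "%s %s %s %s\n", $5, $6, $7, target
        }
    ' | sort -k1,1n -k2,2nr
}

# preferred_dc: the single "host:port" a client would try first.
preferred_dc() {
    list_srv_targets | awk 'NR == 1 { print $4 ":" $3; exit }'
}

# count_dcs: how many LDAP servers the domain advertises (20 in the post's output).
count_dcs() {
    list_srv_targets | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_DIG" | list_srv_targets
printf '%s\n' "$SAMPLE_DIG" | preferred_dc
```

Against a live domain, `dig -t SRV _ldap._tcp.enterprise.local | list_srv_targets` gives the ordered list, which is a useful thing to compare with the `--domain-controller` that realm/adcli picks in its verbose output.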

Add your workstation to the domain. This is when it failed for me; my account can't do the job of joining the domain...

➜  ~ sudo realm --verbose join enterprise.local --user-principal=enterprise/mylogin --unattended
 * Resolving: _ldap._tcp.enterprise.local
 * Performing LDAP DSE lookup on: 10.123.123.10
 * Successfully discovered: enterprise.local
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain enterprise.local --domain-realm ENTERPRISE.LOCAL --domain-controller 10.123.123.10 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-SM1UAZ --user-principal=enterprise/mylogin
 * Using domain name: enterprise.local
 * Calculated computer account name from fqdn: MYLAPTOP
 * Using domain realm: enterprise.local
 * Sending netlogon pings to domain controller: cldap://10.123.123.10
 * Received NetLogon info from: serv255.enterprise.local
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-D9hA9J/krb5.d/adcli-krb5-conf-navA5X
 * Looked up short domain name: ENTERPRISE
 * Using fully qualified name: orion
 * Using domain name: enterprise.local
 * Using computer account name: MYLAPTOP
 * Using domain realm: enterprise.local
 * Calculated computer account name from fqdn: MYLAPTOP
 * With user principal: enterprise/mylogin
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for MYLAPTOP$ does not exist
 * Found well known computer container at: CN=Computers,DC=enterprise,DC=local
 * Calculated computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local
 ! Insufficient permissions to modify computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local: 000020E7: AtrErr: DSID-031530D8, #1:
	0: 000020E7: DSID-031530D8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

adcli: joining domain enterprise.local failed: Insufficient permissions to modify computer account: CN=MYLAPTOP,CN=Computers,DC=enterprise,DC=local: 000020E7: AtrErr: DSID-031530D8, #1:
	0: 000020E7: DSID-031530D8, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

 ! Insufficient permissions to join the domain
realm: Cannot prompt for a password when running in unattended mode