Debian Server Til Active Directory via Sssd

πŸ› οΈ Step-by-Step: Join Debian to Active Directory with SSSD #


✅ 0. Pre-checks

# Ensure DNS can resolve the domain
dig +short technova.local

# Sync time (important for Kerberos)
timedatectl status
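The two pre-checks above can be scripted so they fail loudly before any join is attempted. The following is an added example, not code from the original page: it checks the SRV records an AD client needs (`_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.<domain>`) with `dig`, and parses `timedatectl status` to confirm the clock is synchronized. The domain name technova.local is taken from the page; that `dig` (dnsutils) and `timedatectl` are installed is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original page): pre-join checks for an
# SSSD/AD client. Assumes dnsutils (dig) and systemd's timedatectl.
# Usage: sh ad-precheck.sh technova.local

# AD clients locate domain controllers through these SRV records; if either is
# missing, `realm discover` and Kerberos fail before any join is attempted.
check_ad_dns() {
    domain="$1"
    rc=0
    for rr in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        if [ -n "$(dig +short SRV "$rr")" ]; then
            echo "ok      SRV $rr"
        else
            echo "MISSING SRV $rr"
            rc=1
        fi
    done
    return "$rc"
}

# Reads `timedatectl status` output on stdin and succeeds only when the clock
# is reported as synchronized ("System clock synchronized: yes" on current
# systemd, "NTP synchronized: yes" on older releases). Kerberos rejects
# tickets when client and DC differ by more than the default 5-minute skew.
time_sync_ok() {
    grep -Eq '^[[:space:]]*(System clock synchronized|NTP synchronized): yes'
}

# Run the checks only when a domain is given on the command line, so the file
# can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    rc=0
    check_ad_dns "$1" || rc=1
    if timedatectl status | time_sync_ok; then
        echo "ok      clock synchronized"
    else
        echo "FAIL    clock not synchronized; fix NTP before joining"
        rc=1
    fi
    exit "$rc"
fi
```

Run it as `sh ad-precheck.sh technova.local`; a non-zero exit means either a DC SRV record is unresolvable or the clock is not synchronized, both of which make the later `realm join` fail with unhelpful Kerberos errors.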

✅ 1. Install required packages

sudo apt update
sudo apt install -y realmd sssd sssd-tools adcli libnss-sss libpam-sss samba-common-bin

✅ 2. Discover the domain

realm discover technova.local

✅ 3. Join the domain

sudo realm join -U administrator technova.local

✅ 4. Verify domain join

realm list

You should see output with details about technova.local.


✅ 5. Configure SSSD (group filtering and homedir creation)

Create or edit /etc/sssd/sssd.conf:

sudo nano /etc/sssd/sssd.conf

Paste:

[sssd]
domains = technova.local
config_file_version = 2
services = nss, pam

[domain/technova.local]
ad_domain = technova.local
krb5_realm = TECHNOVA.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
access_provider = simple

# Only allow members of this AD group to login
simple_allow_groups = G_IT

# Set shell and homedir path
default_shell = /bin/bash
fallback_homedir = /home/%u

ldap_id_mapping = True

✅ 6. Secure config and restart SSSD

sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
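Steps 5 and 6 together decide who can log in and who can read the SSSD configuration, so they are worth auditing after every change. The following is an added example, not code from the original page: it checks that sssd.conf is mode 0600 and owned by the expected user (root by default), and that `access_provider` is `simple` with a non-empty `simple_allow_groups` (or `ad`, which delegates access control to GPOs), rejecting `permit`, which would let every AD user in. GNU `stat` from Debian coreutils is assumed; the key names are the ones used in the config above.

```shell
#!/bin/sh
# Added example (not part of the original page): audit /etc/sssd/sssd.conf
# against the settings used in steps 5 and 6. Assumes GNU stat (Debian
# coreutils). Usage: audit_sssd_conf /etc/sssd/sssd.conf [expected_owner]

# Print the value of `key = value` from FILE, ignoring leading whitespace and
# trailing spaces; prints nothing if the key is absent.
conf_get() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

audit_sssd_conf() {
    file="$1"
    owner="${2:-root}"
    status=0

    # sssd refuses to start unless the file is 0600 and root-owned; a wider
    # mode would also expose the configuration to every local user.
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL mode is $mode, expected 600"; status=1
    fi
    if [ "$(stat -c '%U' "$file")" != "$owner" ]; then
        echo "FAIL owner is not $owner"; status=1
    fi

    # access_provider = permit would let every AD user log in; the page relies
    # on `simple` plus simple_allow_groups to restrict logins to G_IT.
    provider=$(conf_get access_provider "$file")
    groups=$(conf_get simple_allow_groups "$file")
    case "$provider" in
        simple)
            if [ -z "$groups" ]; then
                echo "FAIL access_provider=simple but simple_allow_groups is empty"
                status=1
            fi ;;
        ad) ;;  # access decided by AD GPOs, acceptable
        *)
            echo "FAIL access_provider is '${provider:-unset}', expected simple or ad"
            status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK $file (allowed groups: $groups)"
    return "$status"
}
```

On a joined host, `sudo sh -c '. ./audit-sssd.sh; audit_sssd_conf /etc/sssd/sssd.conf'` prints `OK` or one `FAIL` line per problem and exits non-zero, which makes it usable from a configuration-management post-run hook.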

✅ 7. Enable auto-creation of home directories

sudo pam-auth-update

✅ Check the box for: “Create home directory on login”
Or manually edit /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

✅ 8. Confirm SSH configuration

Check /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication yes

Restart SSH:

sudo systemctl restart ssh

✅ 9. Test AD login

ssh maso@your-debian-host

✅ If maso is in the G_IT group → login succeeds.


✅ 10. (Optional) Allow sudo for AD group

sudo visudo -f /etc/sudoers.d/domain-admins

Add:

%G_IT ALL=(ALL) ALL

🧪 Useful Commands

realm list                   # Check domain join
id [email protected]        # Verify user mapping
getent passwd maso            # Pull AD user info
journalctl -u sssd -f         # Live SSSD logs
kinit [email protected]     # Kerberos ticket test
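Beyond watching `journalctl -u sssd -f`, the auth log is where the group filter from step 5 becomes visible: a user outside G_IT who types the correct password passes the `auth` stage but is rejected at the `account` stage by pam_sss. The following is an added example, not code from the original page, that summarizes those rejections and the source addresses of successful AD authentications. The sample log lines are constructed for this example; their message text follows the format pam_sss emits ("Access denied for user <name>: 6 (Permission denied)" and "authentication success; ... rhost=<ip> user=<name>").

```shell
#!/bin/sh
# Added example (not part of the original page): summarize SSSD access
# decisions from sshd/PAM log lines (journalctl -u ssh or /var/log/auth.log).
# Usage: sh sssd-logins.sh /var/log/auth.log   or   sh sssd-logins.sh --demo

# Constructed sample lines for the demo; not real log output.
SAMPLE_LOG='Mar  3 10:01:12 deb1 sshd[1201]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=maso
Mar  3 10:01:12 deb1 sshd[1201]: pam_unix(sshd:session): session opened for user maso by (uid=0)
Mar  3 10:02:40 deb1 sshd[1230]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=bob
Mar  3 10:02:40 deb1 sshd[1230]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Mar  3 10:03:05 deb1 sshd[1235]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
Mar  3 10:04:11 deb1 sshd[1240]: pam_sss(sshd:account): Access denied for user eve: 6 (Permission denied)'

# Print "<count> <user>" for every user rejected by the SSSD access filter
# (simple_allow_groups), most frequent first. Reads log lines on stdin.
# A valid password followed by an account-stage denial means the credentials
# are good but the user is outside the allowed group: worth a look either way.
denied_by_sssd() {
    grep -o 'pam_sss([^)]*): Access denied for user [^:]*' \
        | awk '{print $NF}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print "<user> <rhost>" for every successful pam_sss authentication, in log
# order, so unexpected source networks stand out. Reads log lines on stdin.
sssd_auth_success() {
    grep 'pam_sss([^)]*): authentication success' \
        | sed -n 's/.* rhost=\([^ ]*\) user=\([^ ]*\).*/\2 \1/p'
}

case "${1:-}" in
    --demo)
        echo "denied by access filter:"; printf '%s\n' "$SAMPLE_LOG" | denied_by_sssd
        echo "authenticated (user rhost):"; printf '%s\n' "$SAMPLE_LOG" | sssd_auth_success ;;
    "") ;;  # no arguments: only define the functions (e.g. when sourced)
    *)
        echo "denied by access filter:"; cat "$@" | denied_by_sssd
        echo "authenticated (user rhost):"; cat "$@" | sssd_auth_success ;;
esac
```

On a live host, `journalctl -u ssh --since today | sh sssd-logins.sh /dev/stdin` gives the same two summaries for today's logins; repeated denials for one user are the signal that someone is trying AD credentials on a server they are not entitled to.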

🔥 Notes

  • Workstation join is fine — no difference for SSSD authentication.
  • Use --computer-ou="OU=Servers,DC=technova,DC=local" during realm join to place server objects correctly in AD if needed.

✅ Final Outcome

  • Debian servers joined to Active Directory
  • Filtered to allow only users in group G_IT
  • SSH logins work with AD credentials
  • Home directories auto-created