October 30, 2015

Use adcli to join Linux computer to a Windows Domain Controller

Setup:

Domain: domain1.ncst.com
Domain controller (Windows Server 2008 R2): WIN-HPTI079TSF6, or WIN-HPTI079TSF6.domain1.ncst.com
IP address of the domain controller: 192.168.5.206

Linux computer name: git, full name with domain: git.domain1.ncst.com
Linux computer IP address: 192.168.5.204


1. Point /etc/resolv.conf at the domain controller, which must also be the DNS server for the domain. adcli locates the DC through the _ldap._tcp SRV records of the AD zone, so the DC has to be the first nameserver:

  nameserver 192.168.5.206
  nameserver 4.2.2.1

The second, public nameserver is only a fallback for Internet names; it cannot resolve the AD zone, so if the DC is unreachable, lookups of domain1.ncst.com names will simply fail rather than fall back.

2. (Not needed once Step 1 is in place, since the DC's DNS resolves this name.)
Add the domain controller to /etc/hosts so that its name resolves:

  192.168.5.206 win-hpti079tsf6.domain1.ncst.com

3. Set up /etc/krb5.conf. The realm is the domain name in upper case, and the case matters because Kerberos realm names are case-sensitive:

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN1.NCST.COM
        kdc_timesync = 1
        ccache_type = 4
[realms]
        DOMAIN1.NCST.COM = {
                kdc = 192.168.5.206
                admin_server = 192.168.5.206
        }

4. (Not needed for the join itself.)
On the domain controller's DNS server, add an A record for "git.domain1.ncst.com".

5. Finally, join with adcli. Run it as root, because it writes the machine keys to /etc/krb5.keytab. -H is the host FQDN, -N the computer account name (which becomes GIT$ in AD), -D the domain and -R the Kerberos realm:
./adcli join -v --login-user=Administrator -H git.domain1.ncst.com -N GIT -D domain1.ncst.com  -R DOMAIN1.NCST.COM

The result:
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Discovering domain controllers: _ldap._tcp.domain1.ncst.com
 * Sending netlogon pings to domain controller: cldap://192.168.5.206
 * Received NetLogon info from: WIN-HPTI079TSF6.domain1.ncst.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-zKaph4/krb5.d/adcli-krb5-conf-FxUjvg
 Password for Administrator@DOMAIN1.NCST.COM:
 * Authenticated as user: Administrator@DOMAIN1.NCST.COM
 * Looked up short domain name: DOMAIN1
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Enrolling computer name: GIT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Looked up short domain name: DOMAIN1
 * Computer account for GIT$ does not exist
 * Found well known computer container at: CN=Computers,DC=domain1,DC=ncst,DC=com
 * Calculated computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Created computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: GIT$@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/git.domain1.ncst.com@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/git.domain1.ncst.com@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab


** You can also add --show-details and --show-password to the command: --show-details prints information about the join after it succeeds, and --show-password prints the generated machine account password in clear text. That password is the computer's credential (its keys are what adcli wrote to /etc/krb5.keytab), so only use --show-password in a session that is not being logged or recorded, and keep /etc/krb5.keytab owned by root with mode 0600.
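The whole procedure above, wrapped as a script with the checks a practitioner would want around it, as an added example that is not part of the original post and not adcli's own code. It uses the post's domain, realm, computer name and FQDN and assumes adcli is on the PATH (the post runs ./adcli from the current directory). The expected_principals, keytab_complete and keytab_perms_ok helpers and the sample klist listing are this example's own; the sample listing is constructed to look like "klist -kt" output after the join shown above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check, the adcli
# join, and post-join verification of /etc/krb5.keytab. The values below
# are the post's; the helper functions are this example's own, not adcli's.
set -u

DOMAIN="domain1.ncst.com"
REALM="DOMAIN1.NCST.COM"          # Kerberos realm: the domain in upper case
COMPUTER="GIT"                    # computer account name (GIT$ in AD)
FQDN="git.domain1.ncst.com"
KEYTAB="/etc/krb5.keytab"
ADMIN="Administrator"

# Principals adcli writes for this host (matches the post's join output).
expected_principals() {
    printf '%s\n' \
        "${COMPUTER}\$@${REALM}" \
        "host/${COMPUTER}@${REALM}" \
        "host/${FQDN}@${REALM}" \
        "RestrictedKrbHost/${COMPUTER}@${REALM}" \
        "RestrictedKrbHost/${FQDN}@${REALM}"
}

# Read a "klist -kt" listing on stdin and return 0 only if every expected
# principal is present. klist prints the principal as the last field of each
# entry line, so only that field is compared.
keytab_complete() {
    listing=$(cat)
    missing=0
    for p in $(expected_principals); do
        if ! printf '%s\n' "$listing" | awk '{print $NF}' | grep -Fxq "$p"; then
            echo "keytab is missing $p" >&2
            missing=1
        fi
    done
    return $missing
}

# The keytab holds the machine's long-term keys: it must be readable by the
# owner only. The mode is taken from ls -l so this works on any POSIX system.
keytab_perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample of "klist -kt /etc/krb5.keytab" after a good join, used
# by the self-check below. Real output repeats each principal once per
# encryption type; the check tolerates that.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------------------
   2 10/30/2015 10:00:00 GIT$@DOMAIN1.NCST.COM
   2 10/30/2015 10:00:00 host/GIT@DOMAIN1.NCST.COM
   2 10/30/2015 10:00:00 host/git.domain1.ncst.com@DOMAIN1.NCST.COM
   2 10/30/2015 10:00:00 RestrictedKrbHost/GIT@DOMAIN1.NCST.COM
   2 10/30/2015 10:00:00 RestrictedKrbHost/git.domain1.ncst.com@DOMAIN1.NCST.COM'

join_domain() {
    # Step 1 check: adcli discovers the DC via the _ldap._tcp SRV records, so
    # if "adcli info" cannot find the domain, /etc/resolv.conf is wrong.
    adcli info "$DOMAIN" >/dev/null || { echo "cannot discover $DOMAIN; check resolv.conf" >&2; return 1; }
    # Step 5: the join itself. Must run as root because it writes $KEYTAB.
    adcli join -v --login-user="$ADMIN" -H "$FQDN" -N "$COMPUTER" -D "$DOMAIN" -R "$REALM" || return 1
    chmod 600 "$KEYTAB"
    keytab_perms_ok "$KEYTAB" || { echo "$KEYTAB is readable by others" >&2; return 1; }
    klist -kt "$KEYTAB" | keytab_complete || return 1
    # Prove the keys work: obtain a TGT as the machine account from the keytab.
    kinit -k "${COMPUTER}\$@${REALM}" && klist
}

# Only the live join needs root and the network; run it with "--join".
# Without it, the script just checks itself against the sample listing.
if [ "${1:-}" = "--join" ]; then
    join_domain
else
    printf '%s\n' "$SAMPLE_LISTING" | keytab_complete && echo "sample keytab listing is complete"
fi
```

Run it as root with --join on the Linux host after steps 1 and 3 are done; without --join it only exercises the keytab check against the built-in sample. The kinit -k step at the end is the real test of the join: it authenticates to the KDC with the keys in /etc/krb5.keytab and needs no password, which is exactly what SSSD or any keytab-based service on the host will do later.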
