{"id":298,"date":"2026-04-08T07:43:04","date_gmt":"2026-04-08T05:43:04","guid":{"rendered":"https:\/\/pandack.fr\/?p=298"},"modified":"2026-04-08T07:43:04","modified_gmt":"2026-04-08T05:43:04","slug":"integrer-linux-a-active-directory","status":"publish","type":"post","link":"https:\/\/pandack.fr\/?p=298","title":{"rendered":"Integrer-Linux-a-Active-Directory"},"content":{"rendered":"<h2>\ud83d\udccb Rejoindre un AD<\/h2>\n<hr>\n<div class=\"callout callout--info\">\n<div class=\"callout__title\">&gt; Tips pour faire rejoindre un ordinateur \/ vm sous linux \u00e0 un contr\u00f4leur de domaine<\/div>\n<div class=\"callout__content\"><\/div>\n<\/div>\n<div class=\"callout callout--tip\">\n<div class=\"callout__title\">&gt; Contents<\/div>\n<div class=\"callout__content\"><\/div>\n<\/div>\n<hr>\n<h2>Int\u00e9gration \u00e0 l&rsquo;AD<\/h2>\n<p>DNS sur la machine linux : IP du controleur de domaine<\/p>\n<p>Modifier le HOSTNAME si n\u00e9cessaires :<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code class=\"language-bash\">sudo hostnamectl set-hostname INSERERNOM<\/code><\/pre>\n<\/div>\n<ul>\n<li>V\u00e9rifier si l&rsquo;ordinateur arrive bien \u00e0 contacter le contr\u00f4leur de domaine avec un ping<\/li>\n<\/ul>\n<ul>\n<li>Mettre \u00e0 jours les paquets de la machine avec <code>apt update<\/code><\/li>\n<\/ul>\n<ul>\n<li>Installer les paquets pour l&rsquo;AD:<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit<\/code><\/pre>\n<\/div>\n<ul>\n<li>V\u00e9rifier si la machine arrive bien \u00e0 contact\u00e9 le domaine :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm discover FSEC.LAN<\/code><\/pre>\n<\/div>\n<ul>\n<li>Cr\u00e9er un fichier dans <code>\/etc\/krb5.conf<\/code> et inclure :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>[libdefaults]\n    default_realm = FSEC.LAN\n    dns_lookup_realm = true\n    dns_lookup_kdc = true\n\n    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96<\/code><\/pre>\n<\/div>\n<ul>\n<li>Si n\u00e9cessaire nettoyer :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo rm -f \/etc\/krb5.keytab\nsudo systemctl stop sssd 2&gt;\/dev\/null\nsudo rm -rf \/var\/lib\/sss\/db\/*<\/code><\/pre>\n<\/div>\n<ul>\n<li>Rejoindre le domaine et mettre le mot de passe administrateur du domaine :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm join -U Administrateur fsec.lan<\/code><\/pre>\n<\/div>\n<ul>\n<li>Pour tester si l&rsquo;int\u00e9gration \u00e0 bien \u00e9t\u00e9 effectuer :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code># Identifier un user un valide\nid usersAD@domain.lan<\/code><\/pre>\n<\/div>\n<h2>Cr\u00e9ation de r\u00e9pertoire automatique<\/h2>\n<ul>\n<li>Cr\u00e9ation automatique<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo bash -c &quot;cat &gt; \/usr\/share\/pam-configs\/mkhomedir&quot; &lt;&lt;EOF\nName: activate mkhomedir\nDefault: yes\nPriority: 900\nSession-Type: Additional\nSession:\n        required                        pam_mkhomedir.so umask=0022 skel=\/etc\/skel\nEOF<\/code><\/pre>\n<\/div>\n<ul>\n<li>pam Configuration : tout valider  (sauf sss requiered)<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo pam-auth-update<\/code><\/pre>\n<\/div>\n<ul>\n<li>Inserer la commande suivant pour ajouter un contenu dans le fichier : <code>\/etc\/pam.d\/common-session<\/code><\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code class=\"language-bash\">session optional pam_mkhomedir.so skel=\/etc\/skel umask=077<\/code><\/pre>\n<\/div>\n<ul>\n<li>Connexion au CLI avec un users de l&rsquo;AD<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>su - usersAD@domain.lan<\/code><\/pre>\n<\/div>\n<p>Un nouveau r\u00e9pertoire \u00e0 \u00e9t\u00e9 cr\u00e9er dans <code>HOME<\/code> avec une connexion d&rsquo;un utilisateur du domaine. Pour ce d\u00e9connecter, faire <strong>exit<\/strong><\/p>\n<p><img  alt=\"\" loading=\"lazy\" class=\"lws-optimize-lazyload\" data-src=\"http:\/\/..\/..\/00%20Divers\/00-1%20Images\/image-1%202.png\"><\/p>\n<ul>\n<li>Red\u00e9marrer la machine afin d\u2019activer une int\u00e9gration plus compl\u00e8te au domaine. (REBOOT)<\/li>\n<\/ul>\n<h2>Connection via GUI<\/h2>\n<p>En fonction des interfaces graphiques sous linux, pour ce connecter \u00e0 un USERS de l&rsquo;AD via l&rsquo;interface graphique pour changer. <\/p>\n<p>Ubuntu est la solution la plus adapt\u00e9 aujourd&rsquo;hui pour une int\u00e9grations \u00e0 l&rsquo;active directory. Pour se connect\u00e9 \u00e0 un users du domaine cliquer sur : <strong>Absent de la liste<\/strong> sur l&rsquo;\u00e9cran de connexion. <\/p>\n<div class=\"callout callout--warning\">\n<div class=\"callout__title\">&gt; &#8211; **L\u2019\u00e9cran graphique LightDM** n\u2019affiche que les comptes locaux par d\u00e9faut.<\/div>\n<div class=\"callout__content\">\n<ul>\n<li><strong>GDM3<\/strong> : le plus robuste pour AD (Ubuntu, Debian, RHEL l\u2019utilisent pour \u00e7a)<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<ul>\n<li><strong>Solution 1 : Changer d&rsquo;interface<\/strong> :<\/li>\n<\/ul>\n<div class=\"callout callout--warning\">\n<div class=\"callout__title\">&gt;  Pour une meilleure compatibilit\u00e9 avec Active Directory, il est recommand\u00e9 d\u2019utiliser une distribution qui int\u00e8gre nativement GDM3. Pour les distributions reposant sur LightDM, il convient d\u2019appliquer la solution\u202f2 afin d\u2019activer la connexion manuelle et permettre l\u2019authentification d\u2019utilisateurs suppl\u00e9mentaires.<\/div>\n<div class=\"callout__content\"><\/div>\n<\/div>\n<table>\n<thead>\n<tr>\n<th>Display Manager<\/th>\n<th>AD Friendly<\/th>\n<th>Stabilit\u00e9<\/th>\n<th>Configuration<\/th>\n<th>Recommand\u00e9<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>GDM3<\/strong><\/td>\n<td>\u2b50\u2b50\u2b50\u2b50\u2b50<\/td>\n<td>\u2b50\u2b50\u2b50\u2b50\u2b50<\/td>\n<td>Simple<\/td>\n<td>Oui<\/td>\n<\/tr>\n<tr>\n<td><strong>LightDM<\/strong><\/td>\n<td>\u2b50\u2b50\u2606\u2606\u2606<\/td>\n<td>\u2b50\u2b50\u2b50\u2606\u2606<\/td>\n<td>Moyenne<\/td>\n<td>Seulement si tu veux rester l\u00e9ger<\/td>\n<\/tr>\n<tr>\n<td><strong>SDDM<\/strong><\/td>\n<td>\u2b50\u2b50\u2606\u2606\u2606<\/td>\n<td>\u2b50\u2b50\u2606\u2606\u2606<\/td>\n<td>Moyenne<\/td>\n<td>Non pour AD<\/td>\n<\/tr>\n<tr>\n<td><strong>LXDM<\/strong><\/td>\n<td>\u2b50\u2606\u2606\u2606\u2606<\/td>\n<td>\u2b50\u2b50\u2606\u2606\u2606<\/td>\n<td>Faible<\/td>\n<td>Non<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo apt install gdm3\nsudo dpkg-reconfigure gdm3\nsudo systemctl reboot<\/code><\/pre>\n<\/div>\n<ul>\n<li><strong>Solution 2 : Rester sur LightDM et activer l&rsquo;option : \u00ab\u00a0Others Users\u00a0\u00bb<\/strong><\/li>\n<\/ul>\n<p>Modifier le fichier suivant : <code>\/etc\/lightdm\/lightdm.conf<\/code> et ajouter ou modifier les lignes suivantes : <\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>[Seat:*]\ngreeter-show-manual-login=true<\/code><\/pre>\n<\/div>\n<div class=\"callout callout--info\">\n<div class=\"callout__title\">&gt; &#8211; **greeter-show-manual-login=true** :<\/div>\n<div class=\"callout__content\">\n<p>Force l\u2019affichage d\u2019un champ de login manuel \u2192 indispensable pour les comptes AD.<\/p>\n<ul>\n<li><strong>greeter-hide-users=true<\/strong>  :<\/li>\n<\/ul>\n<p>   Emp\u00eache LightDM de lister les comptes locaux \u2192 \u00e9vite les confusions et acc\u00e9l\u00e8re PAM.<\/p><\/div>\n<\/div>\n<ul>\n<li>Red\u00e9marrer les services :<\/li>\n<\/ul>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo systemctl restart sssd\nsudo systemctl restart lightdm<\/code><\/pre>\n<\/div>\n<p>A partir de maintenant, on peux se connecter avec les comptes de l&rsquo;AD dans linux. <\/p>\n<h2>Gestions des permissions<\/h2>\n<p>Autoriser l\u2019acc\u00e8s \u00e0 un groupe d\u2019utilisateurs du domaine<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm permit -g groupName<\/code><\/pre>\n<\/div>\n<p>Ajouter plusieurs groupes d\u2019utilisateurs<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm permit &#039;Domain Users&#039; &#039;admin users&#039;<\/code><\/pre>\n<\/div>\n<p>Autoriser la connexion de tous les utilisateurs du domaine (non recommand\u00e9) :<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm permit --all<\/code><\/pre>\n<\/div>\n<p>Desactiver la connexion de tous les utilisateurs :<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo realm  deny --all<\/code><\/pre>\n<\/div>\n<p>Pour changer les droits administration dans le syst\u00e8me linux :<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code>sudo nano \/etc\/sudoers.d\/domain_admins<\/code><\/pre>\n<\/div>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copier<\/button><\/div>\n<pre><code class=\"language-bash\"># exemple :\nnestor@coud.local        ALL=(ALL)       ALL\n%groupName@example.com     ALL=(ALL)   ALL<\/code><\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Rejoindre un AD Tips pour faire rejoindre un ordinateur \/ vm sous linux \u00e0 un contr\u00f4leur de domaine Contents Int\u00e9gration \u00e0 l&rsquo;AD DNS sur la machine linux : IP du controleur de domaine Modifier le HOSTNA<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156,155],"tags":[14],"class_list":["post-298","post","type-post","status-publish","format-standard","hentry","category-linux-administration-systeme","category-linux","tag-rolead"],"_links":{"self":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts\/298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=298"}],"version-history":[{"count":0,"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts\/298\/revisions"}],"wp:attachment":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}