Voir :

• Notes windows - Active Directory AD - Kerberos - WinRM
• Notes sssd
• realmd (config possible depuis Cockpit)

Voir aussi :

• Harden AD
• Windows - Active Directory - Vérifier si un compte AD est verrouillé

/etc/security/limits.d/samba.conf

#root soft nofile 16384
#root hard nofile 16384
root - nofile 16384

wbinfo --ping-dc

net join ads -U useradmin -S cd1-plop.mydomain.local -d 3

# wbinfo  --own-domain
MYDOMAIN

Source : https://gist.github.com/gladiatx0r/c52d529ea268f7e74295c2c492cf9774

[domain/example.com]
krb5_store_password_if_offline = true

for who ever this interest, if you enable krb5_store_password_if_offline   in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring
to dump the clear text password you can do :

```
gdb -p <PID_OF_SSSD>
call system("keyctl show > /tmp/output")
```

From the /tmp/output locate the key_id for the user you want
Example of an output is : 
Session Keyring
 204928979 --alswrv      0     0  keyring: _ses
 471547288 --alswrv      0     0   \_ user: user@evilcorp.local
now again in GDB do the following : 

```
call system("keyctl print 471547288 > /tmp/output") # or whatever key_id from the past output
```

enjoy the cleartext password in /tmp/output :)

Diagnostic

• stop smbd, nmbd and winbindd (make sure they are really dead using ps. winbindd still lingered after I stopped the service)
• delete the samba from the PDC (using the Management Console)
• delete the secrets database (/var/lib/samba/secrets.tdb)
• join the domain again
• start the daemons again (smbd, nmbd and winbindd)

Source : https://ubuntuforums.org/showthread.php?t=1857135

sudo sssctl analyze request list --pam

Active Directory

Problème de connexion AD :

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/winbind start
/etc/init.d/samba start

Un compte particulier

getent passwd DOMAIN/compteAD
id compteAD

Lister tous les comptes, les groupes

wbinfo -u
wbinfo -g