CID (Closed In Directory) is a set of bash scripts for joining Linux computers to Active Directory (AD) domains and managing them afterwards. The changes it makes to the system let Linux behave like a Windows computer within AD. You can do things like:
CID consists of four main tools: two GUI tools (cid-gtk and cid-change-pass-gtk) and two CLI utilities (cid and cid-change-pass). Each pair offers the same features, and all four accept the following general options on the command line:
Option | Description |
---|---|
-v, --version | Show the version |
-h, --help | Show the help |
Open Synaptic, search for the packages cid, cid-base and cid-gtk and install them, or open a terminal and install them with this command:
sudo nala install cid cid-base cid-gtk
cid-gtk is the tool that holds the program's main features. Through it you join the Linux computer to an AD domain and afterwards manage a set of related functions on the system.
The available features are described in the following sections.
This function joins the Linux computer to an AD domain. Fill in the domain details in the fields described in the table below:
Field | Description |
---|---|
Domain | Domain name (FQDN). |
Hostname | Name of the computer account to be created in AD. If left empty, the hostname already set on the system is used. AD computer account names are limited to 15 characters (the NetBIOS name), so keep the name within that limit. |
Organizational Unit | Optionally, the Organizational Unit in which the computer account is created during the join. If no OU is given, or the OU is not found, the account is created in the default Computers container. |
User | A domain account with permission to create the computer object in the target OU (typically a domain administrator). |
Password | Password of that account. |
Mode | One of two join modes: Default or Advanced. Default is used if nothing is selected. Advanced opens a form in which you can customize the settings CID applies to the system while joining the domain. Every option in this form inverts the corresponding setting used in Default mode. |
Note: before modifying any system file, CID saves a backup of the original in the /var/lib/cid/backups/ori directory.
The options available in this mode are:
Option | Description |
---|---|
Disable NetBIOS over TCP/IP | Disables Samba's NetBIOS over TCP/IP support (name and session services on ports 137-139); name resolution then relies on DNS and SMB on TCP port 445 only. |
Disable authentication via Kerberos | Stops the pam_winbind module from requesting a Kerberos Ticket Granting Ticket (TGT) from the KDC's Authentication Service (AS) at user login. Authentication then goes through winbind's NTLM path, and the user has no ticket cache for single sign-on to other Kerberos-enabled services. |
Disable credential caching | Disables offline authentication, i.e. logging in with locally cached credentials. Domain users can then log in only while a domain controller is reachable. |
Disable logon scripts | Disables the execution of logon scripts when domain users log in. |
Do not use domain as default | Configures winbind not to treat the joined domain as the system default. The domain name must then be given before the user or group name (format: DOMAIN\user or DOMAIN\group), both when authenticating and in system commands that take a user or group name as an argument. |
Enable authentication for sudo | Requires domain users granted administrative privileges on the Linux computer to enter their password when running sudo; in Default mode they are not prompted (see Manage AD accounts in local groups). |
Use idmap_ad (RFC 2307) | Maps domain users and groups with the idmap_ad backend, taking UIDs and GIDs from the RFC 2307 attributes (uidNumber, gidNumber) stored in AD instead of generating them locally. Selecting it opens three extra fields, described below. |

The fields for the idmap_ad option are:

- Initial ID: first value of the range of UIDs and GIDs the backend will map. This field is required, and the value must be greater than every UID and GID already used by local users and groups;
- Final ID: last value of the range of UIDs and GIDs the backend will map. If left empty, CID picks a random value derived from the Initial ID;
- winbind nss info: whether the home directory and login shell of domain users are also read from the DC (rfc2307 option) or taken from a predefined configuration (template option). template is the default.
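The script below is an added illustration and is not part of CID. It applies the rule stated for the Initial ID field (the range must lie entirely above every UID and GID already present in the local passwd and group databases) and renders the Samba idmap parameters that the idmap_ad option corresponds to. The short domain name EXAMPLE and the sample passwd/group lines are constructed; the exact smb.conf lines CID writes may differ, and the 3000-7999 range for the default backend follows common Samba practice rather than anything CID documents. The demo shows a gotcha on Debian-based systems: nobody/nogroup sit at ID 65534, so a range starting at 10000 fails the rule while one starting at 100000 passes.

```shell
#!/bin/sh
# Added example, not CID's own code. Validates an idmap_ad ID range against the
# local account databases and prints the matching Samba parameters.
# Assumptions: domain short name EXAMPLE is made up; CID's generated
# configuration may differ from the lines rendered here.

# max_local_id PASSWD GROUP
# Highest UID or GID found in the given files (field 3 in both formats).
max_local_id() {
    awk -F: 'BEGIN { m = 0 } $3 ~ /^[0-9]+$/ && $3+0 > m { m = $3+0 } END { print m }' "$1" "$2"
}

# check_idmap_range INITIAL FINAL PASSWD GROUP
# Rule from the CID form: both IDs numeric, Final > Initial, and Initial above
# every UID/GID already in local use. Returns 0 when the range is acceptable.
check_idmap_range() {
    initial=$1 final=$2
    [ -n "$initial" ] && [ -n "$final" ] || { echo "Initial and Final ID are required" >&2; return 1; }
    case "$initial$final" in *[!0-9]*) echo "IDs must be numeric" >&2; return 1 ;; esac
    [ "$final" -gt "$initial" ] || { echo "Final ID ($final) must exceed Initial ID ($initial)" >&2; return 1; }
    max=$(max_local_id "$3" "$4")
    [ "$initial" -gt "$max" ] || { echo "Initial ID ($initial) is not above the highest local ID ($max)" >&2; return 1; }
    return 0
}

# render_smb_conf DOMAIN INITIAL FINAL NSSINFO
# Prints the [global] idmap parameters for the domain. NSSINFO is "rfc2307"
# (read shell and home directory from AD) or "template" (use template_* values).
render_smb_conf() {
    domain=$1 initial=$2 final=$3 nssinfo=${4:-template}
    cat <<EOF
[global]
   security = ads
   # Default backend for BUILTIN and unknown SIDs; its range must not overlap
   # the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # RFC 2307 mapping: UIDs/GIDs come from uidNumber/gidNumber in AD. An account
   # whose value falls outside this range is not mapped at all.
   idmap config $domain : backend = ad
   idmap config $domain : schema_mode = rfc2307
   idmap config $domain : range = $initial-$final
   # Samba 4.6+ also offers "idmap config $domain : unix_nss_info = yes" for this.
   winbind nss info = $nssinfo
EOF
    if [ "$nssinfo" = template ]; then
        cat <<EOF
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
    fi
}

# Stand-alone demo with constructed Debian-style sample data, where the
# nobody/nogroup accounts occupy ID 65534.
demo_passwd=$(mktemp) demo_group=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'alice:x:1000:1000::/home/alice:/bin/bash' \
              'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$demo_passwd"
printf '%s\n' 'root:x:0:' 'alice:x:1000:' 'nogroup:x:65534:' > "$demo_group"

for start in 10000 100000; do
    if check_idmap_range "$start" 999999 "$demo_passwd" "$demo_group" 2>/dev/null; then
        echo "Initial ID $start accepted:"
        render_smb_conf EXAMPLE "$start" 999999 rfc2307
    else
        echo "Initial ID $start rejected: local IDs reach $(max_local_id "$demo_passwd" "$demo_group")"
    fi
done
rm -f "$demo_passwd" "$demo_group"
```

Run the script against the real /etc/passwd and /etc/group (pass them as the third and fourth arguments to check_idmap_range) before filling in the Initial ID field; the value it rejects is exactly the one the CID form will refuse or, worse, accept while colliding with a local account.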