Windows user without domain

Linux authentication against Windows AD without joining the domain

Linux authenticates against Windows AD without joining the domain, and users can authenticate with their private (SSH) key.

Prerequisites
1. Enable LDAP over SSL on the AD domain controller
2. Create a read-only domain user account
For authentication and for listing users and groups, SSSD needs to bind to the LDAP directory. A read-only user with just enough privileges to read the directory is sufficient.
3. Create the user account and password on the AD domain controller
4. Add the user's SSH public key to the AD user's attribute (altSecurityIdentities in the configuration below)

Install the required software (RHEL/CentOS or Debian/Ubuntu):

$ yum install -y sssd sssd-tools sssd-ldap openldap-clients

$ apt-get update
$ apt-get install sssd sssd-tools sssd-ldap curl

Adjust /etc/sssd/sssd.conf with content like the following.

Update ldap_uri, ldap_search_base, ldap_default_bind_dn and ldap_tls_cacert to match your setup. Note that ldap_tls_reqcert = allow lets SSSD proceed even when the server certificate cannot be verified against ldap_tls_cacert; switch it to demand once the CA file is in place.

[domain/default]
id_provider = ldap
cache_credentials = True
ldap_uri = ldaps://xxxx
ldap_search_base = DC=sdi,DC=xxxx,DC=org
ldap_schema = AD
ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=sdi,DC=xxxx,DC=org
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = xxxxx
ldap_tls_cacert = /etc/pki/tls/cert.pem
ldap_tls_reqcert = allow
ldap_id_mapping = True
ldap_referrals = false

ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

enumerate = False
fallback_homedir = /home/%u
default_shell = /bin/bash

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default
full_name_format = %1$s

[nss]
filter_users =nobody,root,mdaops,rabbitmq,postfix,apache,redis,nagios,tcpdump
filter_groups =nobody,root,mdaops,rabbitmq,postfix,apache,redis,nagios,tcpdump

[pam]
offline_credentials_expiration = 7

Lock down the permissions or sssd will refuse to start:

$ chmod 600 /etc/sssd/sssd.conf

Finally create an obfuscated password for the Bind DN account (the read-only domain user). sss_obfuscate writes the obfuscated value into ldap_default_authtok of the given domain in sssd.conf:

$ sss_obfuscate --domain default
Enter password:
Re-enter password:

Enable SSSD for NSS lookups and PAM authentication, and create home directories on first login:

$ authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall

Check that password authentication is enabled for SSH (needed for the password fallback shown in the test below):

$ grep PasswordAuthentication /etc/ssh/sshd_config

Adjust /etc/ssh/sshd_config so that sshd fetches public keys from SSSD. On current OpenSSH the second directive is named AuthorizedKeysCommandUser, and an unprivileged account such as nobody is preferable to root, since the lookup does not need privileges:

$ cat /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs root

Restart the services on the client:

$ systemctl restart sssd
$ systemctl restart sshd
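Before restarting, it is worth checking the two files for the settings this setup depends on. The following is an added example, not code from the original post: it parses constructed sssd.conf and sshd_config samples that mirror the ones above (placeholder host name, not a real one) and reports the weak or missing settings, including the ldap_tls_reqcert and AuthorizedKeysCommand points noted earlier.

```python
import configparser
# Constructed sample mirroring the post's sssd.conf (placeholder host, not a real one).
SSSD_CONF = """
[domain/default]
id_provider = ldap
ldap_uri = ldaps://dc.example.test
ldap_tls_reqcert = allow
ldap_default_authtok_type = obfuscated_password
ldap_user_ssh_public_key = altSecurityIdentities
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = default
"""
# Constructed sshd_config fragment exactly as the post shows it.
SSHD_CONF = "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandRunAs root\n"

def check_sssd(text):
    """Return findings for the settings in [domain/default] and [sssd] that this setup relies on."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %1$s in full_name_format raw
    cp.read_string(text)
    dom, findings = cp["domain/default"], []
    if not dom.get("ldap_uri", "").startswith("ldaps://"):
        findings.append("ldap_uri must be ldaps:// or the bind password crosses the wire in clear")
    if dom.get("ldap_tls_reqcert", "").lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert=allow skips server certificate checks; use demand")
    if dom.get("ldap_default_authtok_type") != "obfuscated_password":
        findings.append("store the bind password via sss_obfuscate, not in clear")
    if not dom.get("ldap_user_ssh_public_key"):
        findings.append("ldap_user_ssh_public_key is unset; sss_ssh_authorizedkeys has nothing to read")
    if "ssh" not in [s.strip() for s in cp["sssd"].get("services", "").split(",")]:
        findings.append("the ssh responder is missing from services")
    return findings

def check_sshd(text):
    """Return findings for the AuthorizedKeysCommand lines (first occurrence wins, as in sshd)."""
    opts = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and not key.startswith("#"):
            opts.setdefault(key.lower(), value.strip())
    findings = []
    if opts.get("authorizedkeyscommand") != "/usr/bin/sss_ssh_authorizedkeys":
        findings.append("AuthorizedKeysCommand does not point at sss_ssh_authorizedkeys")
    runner = opts.get("authorizedkeyscommanduser") or opts.get("authorizedkeyscommandrunas")
    if runner is None:
        findings.append("AuthorizedKeysCommandUser is missing; sshd refuses to start without it")
    elif runner == "root":
        findings.append("run the key lookup as an unprivileged account such as nobody, not root")
    return findings
```

Run it against the real files by passing open("/etc/sssd/sssd.conf").read() and open("/etc/ssh/sshd_config").read() to the two functions; an empty list from both means the settings discussed above are in place.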

Testing and verification

$ /usr/bin/sss_ssh_authorizedkeys a-jerry_kung
ssh-rsa AAAxxxz jerry_kung@TW-JERRYKUNG

/Users/jerry_kung# ssh a-jerry_kung@dcs-xxxx.sjc1
Warning: Permanently added the RSA host key for IP address '10.x.x.x' to the list of known hosts.
Enter passphrase for key '/Users/jerry_kung/.ssh/id_rsa':
Last login: Thu Feb 14 02:41:04 2019 from dcs-xxx.sjc1
[a-jerry_kung@dcs-tps1-test1]$ id
uid=1284823213(a-jerry_kung) gid=1284800513(Domain Users) groups=1284800513(Domain Users)

[a-jerry_kung@dcs-tps1-test1]$ ssh a-jerry_kung@dcs-tps1-test1.sjc1
a-jerry_kung@dcs-tps1-test1.sjc1's password:

Need to change default domain/user for logon prompt in Win 7 and Vista.

I need to be able to change the default domain\user logon prompt. IT team members where I work need to be able to log in to a user's PC, perform a maintenance routine, repair, or security audit etc. and then reset the "last logon" to the user. This enables IT to be able to mask our having been in their computer, a very important tool when doing security checks and looking for signs of inappropriate computer use etc.


In Windows XP we could use the following Reg hack to reset the default log on prompt to the user and domain we need.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultDomainName"="DomainName"
"CachePrimaryDomain"="DomainName"

These settings are in the Win 7 reg, but they don’t seem to do anything.

What do I need to do to make these settings rule and gain control over the log on prompt?

PS. IMHO News groups were better.

And now, several years later, here is the answer to my question, where it should be: in the group I asked it in.

I have found the following .bat file will let you set the user name for the next log in in Windows 7. (Copy the next lines of text into a text file and give it a .bat extension, then run it as a local administrator.)

***** Start of .bat code for changing the default log in name for the next log in in Win 7 *******

call reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnSAMUser /t REG_SZ /d "Domain\Username" /f

call reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnUser /t REG_SZ /d "Domain\Username" /f

***** End of code for Win 7 log in name *******

For Windows XP the following .reg file can do the trick. Do same as above but use .reg extension.

****** Start of .REG code for changing the default user name for next log in in Win XP *****

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultDomainName"="Domain Name"
"CachePrimaryDomain"="Domain Name"

******** End of .reg code for Win XP log in name ******


Access share on non-domain Windows 10 PC using domain user

I’ve spent several hours reading questions & answers for a variety of related problems, but I couldn’t find one that matched my configuration, which doesn’t seem that complicated:

I’m a remote worker and I have two Windows 10 laptops. Both laptops are connected wirelessly to the same router at home. I log into my personal laptop with a Microsoft account. I log into my work laptop with my company email address. I can also log in to the same account using DOMAIN\USERNAME. Windows Settings shows my work laptop is connected to my company’s Azure AD, but it is not joined to the domain. (It is a member of WORKGROUP.) Local Users and Groups does not show my user account, but it is listed as a member of the local Administrators group as DOMAIN\USERNAME. I am able to VPN to my company network as needed, but most of the time I do not use the VPN.


How do I access network shares on my work laptop from my personal laptop? When I try to connect using \\COMPUTERNAME I am prompted for credentials. No matter what I use, I get the error "The user name or password is incorrect." I've tried all of the following:

I’ve verified that I can log on locally to my work laptop with username@domain.com or DOMAIN\USERNAME, so I know I have the correct credentials and password.

I’m wondering if the problem has something to do with trying to log on with a domain account when I can’t reach a company domain controller. Of course, both laptops could reach Azure AD. Do they use Azure AD when connecting to a network share?

Domain authentication without joining the domain

I am DBA in an Active Directory environment. I often work from home using my private PC (I connect via VPN). My private PC is not joined to the Active Directory domain.

Is it possible to use domain authentication on some applications (eg. SQL Server Management Studio, RSAT) without joining the whole computer to the domain?

Have you got any ideas on the topic?

2 Answers

In order to use domain features, you need to have a user present in the active directory.

Your computer does not have to be in the domain. You put your computer in the domain when you want to make login easier, and manage your computer from within the domain.

For example, when a computer is part of a domain, you can access the administrative shares, make someone local admin remotely, check the event log, etc.

When a user logs in on the computer, they login to the domain. Whenever a network connection is made, these credentials can be passed directly to that service if that service uses the NTLM login mechanism.

So long story short, your computer does not have to be in the domain, you just need to have a username in the active directory.

Sidenote: If your username and password on the local computer account are the same as the one in the Active Directory, it will use that login as valid for the active directory.

Remote Desktop to Windows 7 without domain

I am trying to remote desktop into a Windows 7 machine. However, it is always showing me the domain, and the domain name is my machine. The machine that I try to connect to does not have a domain. How can I connect to the computer with the proper domain or no domain?

7 Answers

I made this work by using \username. So, use remote desktop as usual and connect to the machine you wish, but type \USERNAME instead of just typing in USERNAME.

The domain portion refers to the local machine name as this is what you’re authenticating against.

You can see this by running whoami in a CMD window, your complete user name is of the form computer name\user name

To specify a local account on another computer you'd use the other computer's name and the relevant user name.

e.g. If the other computer's name were other-pc and you were using the user name bob you could use the user name other-pc\bob to refer to the user account bob on other-pc.

Run mstsc command. Remote desktop screen will open. Click on options. The screen in the link below will open. Under username, you can put user without domain.

In this screen, you can put username without domain/no domain. In the image in the link provided, I have put username without domain and when you click on connect, then it will take you to login screen without domain.

After some testing I found that if you’re trying to connect as a user and you don’t specify a domain, the built-in Windows RDP client will default to using your hostname as the domain name when a user with the same name as the one that you’re trying to connect as exists on your local machine. This applies to all users (including built-in users) on your local machine (To get the full list, run compmgmt.msc, open «Local Users and Groups», then «Users»)

In my case I was trying to RDP to a Windows server from a Windows 10 machine with the username Administrator (which is a built-in user on any Windows 10 machine). The dialog box would show an invalid credentials error for username $HOSTNAME\Administrator. Same result when trying to connect as \Administrator, .\Administrator, \Administrator. The only solution I found was to specify the remote machine's hostname as the domain, which is kind of annoying since it was a brand new machine I spun up on AWS and I didn't know the randomly generated hostname. Using the Remmina client on my Ubuntu machine, I was able to RDP to the instance without any issues using the same credentials, by leaving the domain field empty.

So if you want to use the built-in RDP client in Windows 10 to connect to a remote with username Administrator (which is the default username for any windows server spun up on AWS), it seems you will have to specify the hostname when connecting the first time.

To test the above out, try to connect with a random username/password that doesn’t exist on your local machine and you’ll notice that the failure dialog box shows the random username without your hostname.
