Enabling user authentication on Linux against Active Directory, using Ubuntu, sssd and AD 2008 (should work with 2003 R2)
1. Install the software you need:
apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli
2. vi /etc/sssd/sssd.conf and put this in it:
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
3. chmod 0600 /etc/sssd/sssd.conf
4. vi /etc/realmd.conf and put this in it:
[service]
automatic-install = no
5. run kinit Administrator@YOURDOMAIN.ALLINCAPS.TLD
6. run realm --verbose join yourdomain.allincaps.tld \
--user-principal=ubuntuserverhostname/Administrator@YOURDOMAIN.ALLINCAPS.TLD --unattended
You should have more content inside sssd.conf now, in the [domain/YOURDOMAIN.ALLINCAPS.TLD] section.
7. vi /etc/sssd/sssd.conf and comment out the line use_fully_qualified_names = True
You should now be able to su - to a domain user.
That's it, you're done: you can log in to your Linux box by authenticating to your Active Directory domain.
Additional (and optional) stuff is below, like adding groups and restricting logins based on groups.
Additional settings inside /etc/sssd/sssd.conf [domain] section to enable groups:
[domain/yourdomain.allincaps.tld]
ad_domain = yourdomain.allincaps.tld
krb5_realm = YOURDOMAIN.ALLINCAPS.TLD
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
## comment out
#use_fully_qualified_names = True
## these will need to be created manually or you will need to modify pam to
## mkdir them with pam_mkhomedir.so or use oddjob-mkhomedir, see below
override_homedir = /home/%u
fallback_homedir = /home/%d/%u
##group settings##
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_group_member = member
ldap_user_member_of = memberOf
ldap_user_uid_number = uidNumber
ldap_group_nesting_level = 1
ldap_force_upper_case_realm = True
ldap_user_principal = userPrincipalName
ldap_user_object_class = user
ldap_user_gid_number = gidNumber
ldap_group_modify_timestamp = whenChanged
ldap_group_object_class = group
ldap_group_name = cn
ldap_user_name = sAMAccountName
ldap_ns_account_lock = userAccountControl
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = whenChanged
ldap_group_gid_number = gidNumber
ldap_referrals = false
## note: ldap_group_nesting_level is already set to 1 further up this section; keep only one of the two lines
ldap_group_nesting_level = 0
Test that groups are working by su'ing to an AD user and running "groups", which lists the groups that user is a member of.
To make the homedirectory autocreate:
1. edit /etc/pam.d/common-session (/etc/pam.d/session-auth in RHEL) and add this line before any pam_ldap or pam_krb5 lines:
#autocreate user homedirs
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
To limit login by AD group:
- Create a file that will have the group names allowed to login:
vi /etc/login.allowed.per.ad.group
and populate it with group names, one per line (I created an AD group called linux-login, to limit which users were allowed to login), like so:
root
wheel
domain\ admins
linux-login
- edit /etc/pam.d/common-auth (in RHEL this is /etc/pam.d/system-auth) and add this line to it:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.allowed.per.ad.group
To allow an AD group to have access to sudo:
- visudo
- add the AD groups
%domain\ admins ALL=(ALL) ALL
%linux-sudo ALL=(ALL) ALL
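The walkthrough above has a few points where a silent mistake leaves you with a box that looks joined but behaves oddly: sssd.conf left world-readable (step 3), use_fully_qualified_names still active (step 7), a key set twice in the [domain] section, or an allow-list line that does not match the group name the way pam_listfile sees it. The script below is an added example written for this post, not code from the original, that checks those four things. It creates constructed sample files (a post-step-7 sssd.conf with one deliberate duplicate key, and a small allow-list) under a temporary directory so it runs on a machine that is not domain-joined; the SSSD_CONF and ALLOW_FILE variables are assumptions of this example and can be pointed at the real /etc/sssd/sssd.conf and /etc/login.allowed.per.ad.group to check a live system.

```shell
#!/bin/sh
# Post-setup checks for the sssd/realmd walkthrough. Added example, not from
# the original post. By default it works on constructed sample files in a
# temp directory; set SSSD_CONF / ALLOW_FILE to check the real files.

WORK="$(mktemp -d)"
SSSD_CONF="${SSSD_CONF:-$WORK/sssd.conf}"
ALLOW_FILE="${ALLOW_FILE:-$WORK/login.allowed.per.ad.group}"

# Constructed sample: the state after step 7, with one deliberate duplicate
# key so the duplicate check has something to report.
cat > "$SSSD_CONF" <<'EOF'
[sssd]
domains = yourdomain.allincaps.tld
services = nss, pam
[domain/yourdomain.allincaps.tld]
id_provider = ad
ad_domain = yourdomain.allincaps.tld
krb5_realm = YOURDOMAIN.ALLINCAPS.TLD
cache_credentials = True
#use_fully_qualified_names = True
ldap_group_nesting_level = 1
ldap_group_nesting_level = 0
EOF
chmod 0600 "$SSSD_CONF"

# Constructed allow-list in the format pam_listfile reads: one group per line.
cat > "$ALLOW_FILE" <<'EOF'
root
linux-login
EOF

# Step 3: sssd.conf can hold cached credentials and must be exactly 0600.
check_conf_mode() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Step 7: an active use_fully_qualified_names = True line means plain
# "username" logins fail and only user@domain works.
fqn_disabled() {
    ! grep -Eq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*[Tt]rue' "$1"
}

# Print "section key" for every key that appears more than once in a section.
duplicate_keys() {
    awk -F'=' '
        /^[[:space:]]*\[/ { section = $0; next }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*$/   { next }
        { key = $1; gsub(/[[:space:]]/, "", key)
          if (seen[section, key]++ == 1) print section " " key }
    ' "$1"
}

# Emulate pam_listfile.so item=group sense=allow: the login is allowed when
# at least one of the user's group names matches a line of the allow file
# exactly (whole line, no wildcards, no unescaping).
# $1 = allow file; remaining args = group names as `id -Gn` prints them.
login_allowed() {
    allow="$1"; shift
    for g in "$@"; do
        grep -Fxq -- "$g" "$allow" && return 0
    done
    return 1
}

# Run the checks against the sample (or the real files if overridden).
if check_conf_mode "$SSSD_CONF"; then echo "ok:   $SSSD_CONF is 0600"
else echo "FAIL: $SSSD_CONF is not 0600"; fi
if fqn_disabled "$SSSD_CONF"; then echo "ok:   use_fully_qualified_names is not active"
else echo "FAIL: use_fully_qualified_names = True is still active"; fi
dups="$(duplicate_keys "$SSSD_CONF")"
[ -z "$dups" ] && echo "ok:   no duplicate keys" || echo "WARN: duplicate keys: $dups"
if login_allowed "$ALLOW_FILE" "domain users" "linux-login"; then
    echo "ok:   a member of linux-login would be allowed to log in"
fi
if ! login_allowed "$ALLOW_FILE" "domain users"; then
    echo "ok:   a user only in 'domain users' would be refused"
fi
```

The login_allowed check is worth running with the exact strings `id -Gn someaduser` prints on the joined box: pam_listfile compares each line of the file with the group name as a whole, so a group that contains a space has to appear in the file exactly as the system renders it, which is not necessarily the backslash-escaped form that sudoers needs.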
Further reading:
Allow/Deny login per group:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
Various bits, mostly to do with LDAP authentication, but can be translated for use with AD/sssd/pam (e.g. homedir creation)
https://help.ubuntu.com/community/LDAPClientAuthentication
http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/
http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
http://linux.tvortex.net/2011/10/sssd-against-active-directory-2003.html
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server