SSSD and Active Directory (Example 1)

This section describes the use of sssd to authenticate user logins against an Active Directory via using sssd's "ad" provider. In previous versions of sssd, it was possible to authenticate using the "ldap" provider. However, when authenticating against a Microsoft Windows AD Domain Controller, it was generally necessary to install the POSIX AD extensions on the Domain Controller. The "ad" provider simplifies the configuration and requires no modifications to the AD structure.

Prerequisites, Assumptions, and Requirements

This guide does not explain Active Directory, how it works, how to set one up, or how to maintain it. It may not provide “best practices” for your environment.
This guide assumes that a working Active Directory domain is already configured.
The domain controller is acting as an authoritative DNS server for the domain.
The domain controller is the primary DNS resolver as specified in /etc/resolv.conf.
The appropriate _kerberos, _ldap, _kpasswd, etc. entries are configured in the DNS zone (see Resources section for external links).
System time is synchronized on the domain controller (necessary for Kerberos).
The domain used in this example is myubuntu.example.com .

Software Installation

The following packages are needed: krb5-user, samba, sssd, and ntp. Samba needs to be installed, even if the system is not exporting shares. The Kerberos realm and FQDN or IP of the domain controllers are needed for this step.

Install these packages now.

sudo apt install krb5-user samba sssd chrony

See the next section for the answers to the questions asked by the krb5-user postinstall script.

Kerberos Configuration

The installation of krb5-user will prompt for the realm name (in ALL UPPERCASE), the kdc server (i.e. domain controller) and admin server (also the domain controller in this example.) This will write the [realm] and [domain_realm] sections in /etc/krb5.conf. These sections may not be necessary if domain autodiscovery is working. If not, then both are needed.

If the domain is myubuntu.example.com, enter the realm as MYUBUNTU.EXAMPLE.COM

Optionally, edit /etc/krb5.conf with a few additional settings to specify Kerberos ticket lifetime (these values are safe to use as defaults):

[libdefaults]

default_realm = MYUBUNTU.EXAMPLE.COM
ticket_lifetime = 24h #
renew_lifetime = 7d

If default_realm is not specified, it may be necessary to log in with “username@domain” instead of “username”.

The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service. Edit /etc/chrony/chrony.conf:

server dc.myubuntu.example.com

Samba Configuration

Samba will be used to perform netbios/nmbd services related to Active Directory authentication, even if no file shares are exported. Edit the file /etc/samba/smb.conf and add the following to the [global] section:

[global]

workgroup = MYUBUNTU
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = MYUBUNTU.EXAMPLE.COM
security = ads

Some guides specify that "password server" should be specified and pointed to the domain controller. This is only necessary if DNS is not properly set up to find the DC. By default, Samba will display a warning if "password server" is specified with "security = ads".

SSSD Configuration

There is no default/example config file for /etc/sssd/sssd.conf included in the sssd package. It is necessary to create one. This is a minimal working config file:

[sssd]
services = nss, pam
config_file_version = 2
domains = MYUBUNTU.EXAMPLE.COM

[domain/MYUBUNTU.EXAMPLE.COM]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true

After saving this file, set the ownership to root and the file permissions to 600:

sudo chown root:root /etc/sssd/sssd.conf

sudo chmod 600 /etc/sssd/sssd.conf

If the ownership or permissions are not correct, sssd will refuse to start.

Verify nsswitch.conf Configuration

The post-install script for the sssd package makes some modifications to /etc/nsswitch.conf automatically. It should look something like this:

passwd:         compat sss
group:          compat sss
...
netgroup:       nis sss
sudoers:        files sss

Modify /etc/hosts

Add an alias to the localhost entry in /etc/hosts specifying the FQDN. For example:

192.168.1.10 myserver myserver.myubuntu.example.com

This is useful in conjunction with dynamic DNS updates.

Join the Active Directory

Now, restart chrony and samba and start sssd.

sudo systemctl restart chrony.service
sudo systemctl restart smbd.service nmbd.service 
sudo systemctl start sssd.service

Test the configuration by obtaining a Kerberos ticket:

sudo kinit Administrator

Verify the ticket with:

sudo klist

If there is a ticket with an expiration date listed, then it is time to join the domain:

sudo net ads join -k

A warning about "No DNS domain configured. Unable to perform DNS Update." probably means that there is no (correct) alias in /etc/hosts, and the system could not provide its own FQDN as part of the Active Directory update. This is needed for dynamic DNS updates. Verify the alias in /etc/hosts described in "Modify /etc/hosts" above.

(The message "NT_STATUS_UNSUCCESSFUL" indicates the domain join failed and something is incorrect. Review the prior steps before proceeding).

Here are a couple of (optional) checks to verify that the domain join was successful. Note that if the domain was successfully joined but one or both of these steps fail, it may be necessary to wait 1-2 minutes and try again. Some of the changes appear to be asynchronous.

Verification option #1:

Check the default Organizational Unit for computer accounts in the Active Directory to verify that the computer account was created. (Organizational Units in Active Directory is a topic outside the scope of this guide).

Verification option #2

Execute this command for a specific AD user (e.g. administrator)

getent passwd username

If enumerate = true is set in sssd.conf, getent passwd with no username argument will list all domain users. This may be useful for testing, but is slow and not recommended for production.

Test Authentication

It should now be possible to authenticate using an Active Directory User's credentials:

su - username

If this works, then other login methods (getty, ssh) should also work.

If the computer account was created, indicating that the system was "joined" to the domain, but authentication is unsuccessful, it may be helpful to review /etc/pam.d and nssswitch.conf as well as the file changes described earlier in this guide.

Home directories with pam_mkhomedir (optional)

When logging in using an Active Directory user account, it is likely that user has no home directory. This can be fixed with pam_mkdhomedir.so, which will create the user's home directory on login. Edit /etc/pam.d/common-session, and add this line directly after session required pam_unix.so:

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

This may also need override_homedir in sssd.conf to function correctly, so make sure that's set.

Desktop Ubuntu Authentication

It is possible to also authenticate logins to Ubuntu Desktop using Active Directory accounts. The AD accounts will not show up in the pick list with local users, so lightdm will need to be modified. Edit the file /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf and append the following two lines:

greeter-show-manual-login=true
greeter-hide-users=true

Reboot to restart lightdm. It should now be possible to log in using a domain account using either username or username/username@domain format.

Resources

Previous Next

Joining Ubuntu to an Active Directory Domain (Example 2)

Posted on April 11, 2016 by

Chrissy LeMaire — 17 Comments ↓

Back in 2009, I did a whole lot of messing around with Linux and Active Directory integration, primarily for Apache. Now that Linux is coming to Windows, I figured I’d brush up on my Linux and Windows Integrated Authentication skills to work with Ubuntu, too.

Clients and Servers

Since 2009, it seems that a couple things have changed in the client realm. In particular, winbind fell out of favor to Likewise Open (which I used to <3) which was bought by BeyondTrust and turned into PowerBroker Open. But that’s since fallen out of favor to the SSSD or “System Security Services Daemon“. SSSD seems pretty cool but everyone hates its name and assumes that its name is keeping it from greater adoption.

Sometimes when researching SSSD, you’ll come across a few mentions of FreeIPA which is similar to Active Directory, OpenLDAP, and ApacheDS. Oh, and I recently found out that Samba4 allows Linux servers to join Active Directory as Domain Controllers (!!) but I can’t tell if it can be a forest of its own (reddit review here).

There are other players I’m leaving out but after a bit of casual research, no others seem to stand out. Ultimately, while there are a number of ways to setup AD/Linux authentication with Ubuntu, it appears that SSSD is the current way to go. Let’s go ahead and set that up.

Before We Begin

There’s an official Ubuntu guide for SSSD and Active Directory, but this one is slimmed down. If you have any issues, you can comment here or reference some of the solutions they offer. First, some assumptions.

Fresh install of Ubuntu 15.10 Server
DNS is set to AD’s DNS servers
The Active Directory domain is base.local
The test user is base\adadmin, which has domain admin privs on AD

If you’re behind a proxy, apt-get and curl/wget/etc won’t work out of the box. Here’s how to add some proxy variables (kinda like Internet Properties -> Connections -> LAN settings -> Proxy Server) so that you can use these tools.

Also, you’re going to need to make sure that your time is set properly. Kerberos is heavily dependent on time, and will break if your computer is more than 5 minutes skewed from the AD domain.

# Install required packages (ntp service keeps your clock on time)
sudo apt-get -y install ntp ntpdate 

# To add your DC to the time server list, edit /etc/ntp.conf, otherwise this should work
sudo service ntp stop
sudo ntpdate -s ntp.ubuntu.org
sudo service ntp start

# Install required packages (ntp service keeps your clock on time)

sudo apt-get -y install ntp ntpdate

# To add your DC to the time server list, edit /etc/ntp.conf, otherwise this should work

sudo service ntp stop

sudo ntpdate -s ntp.ubuntu.org

sudo service ntp start

Joining the domain

Joining an Active Directory in Ubuntu isn’t quite as easy as SUSE, but it’s still decently straight-forward.

Install required packages
Create and modify sssd.conf
Modify smb.conf
Restart services
Join domain

First, installed the required package using apt-get. I also recommend command-not-found and mlocate, which help you with finding files.

Note, in this tutorial, I use vi. I used to use pico, which became nano, but found that vi could be found across all distributions by default. vi or “vim” can be intimidating, but honestly, I only know about 5 commands and it gets me by. Here’s a nice tutorial on Learning vi progressively.

sudo apt-get install krb5-user samba sssd

1	sudo apt-get install krb5-user samba sssd

Next, setup SSSD by creating the file, setting the owner, and changing its permissions

# sssd.conf doesn't exist by default
sudo touch /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

sudo vi /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = BASE.LOCAL

[domain/BASE.LOCAL]
id_provider = ad
override_homedir = /home/%d/%u
access_provider = simple
simple_allow_users = ctrlb@base.local,chrissy@base.local
simple_allow_groups = linux-admin,linux-users

# sssd.conf doesn't exist by default

sudo touch /etc/sssd/sssd.conf

sudo chown root:root /etc/sssd/sssd.conf

sudo chmod 600 /etc/sssd/sssd.conf

sudo vi /etc/sssd/sssd.conf

[sssd]

services = nss, pam

config_file_version = 2

domains = BASE.LOCAL

[domain/BASE.LOCAL]

id_provider = ad

override_homedir = /home/%d/%u

access_provider = simple

simple_allow_users = ctrlb@base.local,chrissy@base.local

simple_allow_groups = linux-admin,linux-users

Note that this config only allows 2 users and 2 groups to gain access. If you remove the last 2 lines, anyone can login. There are a few ways to restrict access but it looks like this is the simplest way.

Next, sudo vi /etc/samba/smb.conf and replace the line workgroup = WORKGROUP with the following:

workgroup = BASE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = BASE.LOCAL
security = ads

workgroup = BASE

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = BASE.LOCAL

security = ads

Time to restart services and join the domain! Here’s a screenshot of my Ubuntu server “ubuntunew” joining my domain, base.local:

join-domain-sudo

It’s just these commands, nothing scary:

# restart services
sudo service smbd restart
sudo service nmbd restart
# get Kerberos ticket-granting ticket
kinit adadmin
# Next one joins the domain and requires samba
sudo net ads join -k

# restart services

sudo service smbd restart

sudo service nmbd restart

# get Kerberos ticket-granting ticket

kinit adadmin

# Next one joins the domain and requires samba

sudo net ads join -k

If you have permissions to add computers to the domain and everything went well, then you should now be able to see your Ubuntu server in Active Directory!

ad-computer-list

Now that everything is setup all nice, start SSSD to do some caching and interception that makes things much smoother somehow.

sudo service sssd start

1	sudo service sssd start

Troubleshooting

If you’re having an issue joining the domain with the error message “Failed to join domain: failed to lookup DC info for domain ‘BASE.LOCAL’ over rpc: An internal error occurred” you can specify the exact domain controller you want to contact (h/t Florent Appointaire).

sudo net ads join -S dc.base.local

1	sudo net ads join -S dc.base.local

If you’re getting the error “failed to lookup dc info for domain base rpc undetermined error”, you may have a stale DC. Consider following applicable portions of this tutorial by Microsoft (h/t Rob Sewell)

Login as Windows user

If you’d like to login to the machine as a windows user, as opposed to just grabbing a ticket using kinit, you can either login via SSH or by using su or “substitute user”.

Here’s an example of me using su. First, I logged in to the Linux server as a regular user, then I login as my own Active Directory account “base\ctrlb” by issuing the command su ctrlb. An alternative way is su base\\ctrlb. That extra backslash is intentional, it escapes the second backslash.

E su-ctrlb

Alternatively, you can ssh in directly with ssh or PuTTY.
full-login

And that’s it! Want to see this all in one shot? Check out the gist.

About Chrissy LeMaire

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, and holds a number of certifications, including those relating to SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

https://blog.netnerds.net/2016/04/joining-ubuntu-to-an-active-directory-domain/

Join to Domain - Easier - (Example 3)

# Join to domain

# Prereqs

apt -y install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs resolvconf

sudo nano /etc/network/interfaces

dns-nameservers 10.32.1.194

sudo systemctl restart ifup@ens160 resolvconf

sudo nano /etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel umask=077

realm discover snet.crouse.org

sudo realm join snet.crouse.org

sudo realm join -U "admin" snet.crouse.org

Password for admin: ...............

id domain\\username

sudo nano /etc/sssd/sssd.conf

# line 16: change
use_fully_qualified_names = False
ad_gpo_access_control = permissive
# Remove the other %d to just have names without domain
fallback_homedir = /home/%u

sudo systemctl restart sssd

Work - CentOS Server Build (CNN project)

CentOS Build out for VSLAPP01 (CNN project) Downloaded the CentOS media Deployed server # This allowed me to install screen, mc and other packages sudo yum install -y epel-release #Linux Screen for console changing sudo yum install screen #Midnight Commander for easier file/folder manipulation sudo yum install mc # A few of these are already installed in the install, but ran anywya sudo yum install realmd sssd sssd-tools adcli krb5-user packagekit samba-common samba-common-bin samba-libs # Configure PAM to be able to create home folders for new SNET users sudo nano /etc/pam.d/common-session session optional pam_mkhomedir.so skel=/etc/skel umask=077 #join the domain realm discover snet.crouse.org sudo realm join -U "admin" domain.org # Check that the domain is available now id chnet\\richlemmermann # Don't remember what this is for, but needed sudo nano /etc/sssd/sssd.conf use_fully_qualified_names = False # Restart the daemon and log in sudo systemctl restart sssd # Configure the AD connection /etc/sssd/sssd.conf [sssd] domains = snet.crouse.org config_file_version = 2 services = nss, pam [domain/snet.crouse.org] ad_domain = domain.org krb5_realm = DOMAIN.ORG realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%u access_provider = ad #ad_gpo_map_remote_interactive = xrdp-sesman, -ssh ad_gpo_access_control = permissive # Restart for changes sudo service sssd restart # Add users to sudo ability by adding to the wheel group sudo nano /etc/sudoers richlemmermann ALL=(ALL) ALL chadchase ALL=(ALL) ALL mattmahoney ALL=(ALL) ALL aaronarmelino ALL=(ALL) ALL jeffbates ALL=(ALL) ALL keithmoleski ALL=(ALL) ALL zchriseastway ALL=(ALL) ALL # check if firewall is running sudo firewall-cmd --state # First, stop the FirewallD service with: sudo systemctl stop firewalld # Disable the FirewallD service to start automatically on system boot: sudo systemctl disable firewalld # Turn off SSL until John opens up the PA sudo nano /etc/yum.conf sslverify=false # Install xrdp that actually worked sudo dnf install xrdp #When the installation process is complete, start the Xrdp service and enable it at boot: sudo systemctl enable xrdp --now #You can verify that Xrdp is running by typing: sudo systemctl status xrdp # Install xrdp sudo yum -y install xrdp tigervnc-server # Run xrdp as a service sudo systemctl enable xrdp # Allow all users to xrdp in /etc/xrdp/sesman.ini # Comment out the requirements to be ina certain group ;TerminalServerUsers=tsusers ;TerminalServerAdmins=tsadmins Kill Disconnected sessions: true # Restart xrdp for changes to take effect sudo service xrdp restart # Hugh systemctl enable --now cockpit.socket #change IP address. Change BOOTPROTO from dhcp to static and add IPADDR, NETMASK, and GATEWAY sudo nano /etc/sysconfig/network-scripts/ifcfg-ens192 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static . . . IPADDR=10.102.2.167 NETMASK=255.255.252.0 GATEWAY=10.102.1.1 # Install this repositity (prepping for PHP 7.4) sudo yum -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm # Remi repsoitory - module stream sudo dnf -y install dnf-utils #module stream sudo dnf module reset php -y # php module 7.4 sudo dnf module install php:remi-7.4 #SUCCESS php -v PHP 7.4.22 (cli) (built: Jul 27 2021 18:08:31) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies # DesktopCentral (Copied binary from it-lemmermannl) sudo sh ./DesktopCentral_LinuxAgent.bin #Sophos Install 1. a. On the Linux server, at a command prompt or in a script, use wget with the link address b. Link address = https://dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com/api/download/7f2b28abd005317bb08a9c863bc71142/SophosSetup.sh wget Linux installer link c. Move the installer to the Downloads directory. 2. Run the installer as follows: a. Change to the Downloads directory. b. Change the file permissions to include “execute”: chmod +x SophosInstall.sh c. Run the installer: ./SophosInstall.sh If you are not signed in as root, run the installer with the sudo command: sudo ./SophosInstall.sh # MySql Install sudo dnf install mysql-server # phpMyAdmin wget --no-check-certificate https://files.phpmyadmin.net/phpMyAdmin/4.9.4/phpMyAdmin-4.9.4-all-languages.zip unzip phpMyAdmin-4.9.4-all-languages.zip sudo mv phpMyAdmin-4.9.4-all-languages.zip /usr/share/phpmyadmin cd /usr/share/phpmyadmin sudo mv config.sample.inc.php config.inc.php sudo nano config.inc.php <create the 32 chars key> mkdir /usr/share/phpmyadmin/tmp chown -R apache:apache /usr/share/phpmyadmin sudo chmod 777 /usr/share/phpmyadmin/tmp sudo nano /etc/httpd/conf.d/phpmyadmin.conf Alias /phpmyadmin /usr/share/phpmyadmin <Directory /usr/share/phpmyadmin/> AddDefaultCharset UTF-8 <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require all granted </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> <Directory /usr/share/phpmyadmin/setup/> <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require all granted </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> #restart apache sudo systemctl restart httpd # mysqli extension sudo yum install php-mysqli # mkdir and copy Crouse wildcard certs to sudo mkdir /etc/httpd/ssl sudo cp wildcard.key /etc/httpd/ssl sudo cp crouse.org.crt_Private.key /etc/httpd/ssl sudo cp intermdiate.crt /etc/httpd/ssl #make the future home of CNN's home mkdir /var/www/insider.crouse.org #copy the configuration to it sudo cp insider.crouse.org* /etc/httpd/conf sudo service httpd restart # download WordPress (latest version as of this) wget https://wordpress.org/latest.tar.gz # unzip from tarball tar -xvf latest.tar.gz # Move wordpress to location (i used midnight commander) # create headless ftp user for WP sudo adduser wp_ftp_user --shell=/bin/false --no-create-home sudo passwd wp_ftp_user Crouse8675309$$ #set the default mysql password ALTER USER 'root'@'%' IDENTIFIED BY 'NiceLongPassword'; ALTER USER 'root'@'localhost' IDENTIFIED BY 'NiceLongPassword'; flush privileges; exit; # Configure WordPress DB https://insider.crouse.org/phpmyadmin Database: wp_insider User: wp_insider_user Pass: NiceLongPassword # WordPress Admin: admin Pass: NiceLongPassword # Change permissions on the folder so that WP can edit sudo chown -R apache:root /var/www/domain.org/wp-content/* # Edit php.ini upload_max_filesize 100M reboot # make mysqld and httpd start on boot sudo systemctl enable mysqld --now sudo systemctl enable httpd --now

Ubuntu Documentation