Ubuntu Authenticate linux box against Active directory
Prerequisites
Be sure the DNS used is a windows DNS (10.17.1.21 on 1and1 cloud, 10.27.1.21 on Azure cloud, 10.16.1.21 on Miami network).
root@vpnazure:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.1.1.2
search luniel.com
NTP has to be running and synchronized with time.luniel.com (and the DC as well).
root@support:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.no-such-ag 128.227.205.3    2 u   99 1024  377    0.161    0.435   0.742
Check that you can ping the DCs
ping dc01.luniel.com -c 3
Software installation
For Ubuntu 14, execute the following steps. You can skip them on Ubuntu 16.
apt install software-properties-common
add-apt-repository ppa:mdiers/sssd
Version 1.11.8 works, and the version of the PPD fails. For all releases:
apt update
apt upgrade
apt-get autoremove
apt install krb5-user samba sssd sssd-tools
Installation will ask:
Default Kerberos version 5 realm: LUNIEL.COM
Kerberos servers for your realm: dc01.luniel.com
Administrative server for your Kerberos realm: dc01.luniel.com
Software configuration
- Samba
/etc/init.d/samba stop
/etc/init.d/nmbd stop
/etc/init.d/smbd stop
/etc/init.d/samba-ad-dc stop
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
root@aaaremove:/etc/ssmtp# cat /etc/samba/smb.conf
[global]
workgroup = LUNIEL
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = LUNIEL.COM
security = ads
- Sssd
Specifying the servers explicitly is not required, but if a listed server is not available, the service will not be provided.
root@support:~# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LUNIEL.COM

[domain/LUNIEL.COM]
ad_server = dc01.luniel.com
ad_backup_server = empclddc02.luniel.com
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
ad_access_filter = (&(memberOf=cn=grp.sec.access.linux,ou=security groups,ou=groups,dc=luniel,dc=com))
If the folder does not exist we can be in trouble, so we create it:
mkdir /var/lib/sss/gpo_cache
chown sssd:sssd /var/lib/sss/gpo_cache
The config file of sssd should be readable only by root:
chmod 600 /etc/sssd/sssd.conf
- Kerberos
Replace the domain controller with the correct one (in the example the value is the DC of 1and1)
mv /etc/krb5.conf /etc/krb5.conf.bak
cat /etc/krb5.conf
[libdefaults]
default_realm = LUNIEL.COM
ticket_lifetime = 24h
renew_lifetime = 7d

[realms]
LUNIEL.COM = {
    kdc = dc01.luniel.com
    admin_server = dc01.luniel.com
}
- nsswitch.conf
Check that sss is used in these 4 lines.
root@support:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files
- /etc/pam.d/common-session
We add pam_mkhomedir to create the home directory
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session
And check it:
root@support:~# tail /etc/pam.d/common-session
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional        pam_sss.so
session optional        pam_ldap.so
session optional        pam_systemd.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- Sudoers
We want only some groups to have access to sudo. In this example, we want the group grp.sec.access.linux.sudo.infra to be able to run the sudo command.
visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%grp.sec.access.linux.sudo.infra ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
- pam.d
On Ubuntu 14 add the pam_loginuid line to the end of the file /etc/pam.d/login:
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# EMPOWER Modification
session    required   pam_loginuid.so

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
Start samba services
root@support:~# /etc/init.d/samba start
nmbd start/running, process 52946
smbd start/running, process 52956
samba-ad-dc start/running, process 52970
Join server to domain
Kerberos login with a user that has admin rights:
kinit adm_dany
Password for adm_dany@LUNIEL.COM:
Check that the ticket was obtained:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adm_dany@LUNIEL.COM

Valid starting       Expires              Service principal
03/16/2018 11:28:12  03/16/2018 21:28:12  krbtgt/LUNIEL.COM@LUNIEL.COM
        renew until 03/23/2018 11:28:07
Join the server to the domain:
net ads join -k
Using short domain name -- LUNIEL
Joined 'UBUNTU01' to dns domain 'luniel.com'
Start sssd services
On Ubuntu 14
root@support:~# service sssd start
sssd start/running, process 3925
On Ubuntu 16
systemctl start sssd
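Once the steps above are done, the following script (an added example, not part of the original wiki page) audits the resulting files: sssd.conf mode 0600 and an ad_access_filter restricting logins to an AD group, sss in the passwd/group/shadow lines of nsswitch.conf, pam_mkhomedir in common-session, and the sudoers grant for the AD sudo group with no NOPASSWD entries. The ROOT argument is an assumed prefix so it can be run against a staging tree; pass "/" on the joined box.

```shell
#!/bin/sh
# Added example (not the wiki author's code). Usage: check_ad_config ROOT
# ROOT is a path prefix ("/" for the live system). Prints one FAIL line per
# problem and returns 0 only when every check passes.
check_ad_config() {
    root=${1%/}
    fail=0

    # 1. sssd.conf can hold credentials: it must be mode 0600.
    conf="$root/etc/sssd/sssd.conf"
    mode=$(stat -c '%a' "$conf" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "FAIL: $conf mode is '$mode', want 600"; fail=1; }

    # 2. Access must be limited to an AD group via ad_access_filter.
    grep -q '^ad_access_filter *=.*memberOf=' "$conf" 2>/dev/null ||
        { echo "FAIL: no ad_access_filter with memberOf in $conf"; fail=1; }

    # 3. NSS must consult sss for passwd, group and shadow.
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)" "$root/etc/nsswitch.conf" 2>/dev/null ||
            { echo "FAIL: nsswitch $db line does not use sss"; fail=1; }
    done

    # 4. Home directories are created at first login by pam_mkhomedir.
    grep -q '^session.*pam_mkhomedir\.so' "$root/etc/pam.d/common-session" 2>/dev/null ||
        { echo "FAIL: pam_mkhomedir missing from common-session"; fail=1; }

    # 5. The intended AD group gets sudo, and nobody gets a NOPASSWD grant.
    sudoers="$root/etc/sudoers"
    grep -q '^%grp\.sec\.access\.linux\.sudo\.infra[[:space:]]' "$sudoers" 2>/dev/null ||
        { echo "FAIL: AD sudo group line missing from $sudoers"; fail=1; }
    grep -q 'NOPASSWD' "$sudoers" 2>/dev/null &&
        { echo "FAIL: NOPASSWD grant present in $sudoers"; fail=1; }

    return $fail
}
```

The stat -c form is GNU coreutils, as shipped on Ubuntu.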
References
- SSSD and Active Directory
- Adding the ad_access_filter option
- SSSD
- sudo sending annoying alerts: issue with defaults entries
Daniel Simao (talk) 13:06, 20 July 2018 (EDT)