Ubuntu Authenticate linux box against Active directory

From Luniwiki
Jump to: navigation, search


Be sure the DNS used is a windows DNS ( on 1and1 cloud, on Azure cloud, on Miami network).

root@vpnazure:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
search luniel.com

NTP has to be running and synchronized with time.luniel.com (and the DC as well)

root@support:~# ntpq -p
    remote           refid      st t when poll reach   delay   offset  jitter
*time.no-such-ag    2 u   99 1024  377    0.161    0.435   0.742

Check that you can ping the DCs

ping dc01.luniel.com -c 3

Software installation

For Ubuntu 14, you have to execute these following steps. You can skip them in ubuntu 16.

apt install software-properties-common
add-apt-repository ppa:mdiers/sssd

With version 1.11.8 it works, and version of the PPD fails. For all releases:

apt update
apt upgrade
apt-get autoremove 
apt install krb5-user samba sssd sssd-tools

Installation will ask:

Default Kerberos version 5 realm:                                                                                                                                                                                                      
Kerberos servers for your realm:
Administrative server for your Kerberos realm:

Software configuration

  • Samba
/etc/init.d/samba stop
/etc/init.d/nmbd stop
/etc/init.d/smbd stop
/etc/init.d/samba-ad-dc stop
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
root@aaaremove:/etc/ssmtp# cat /etc/samba/smb.conf
workgroup = LUNIEL
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = LUNIEL.COM
security = ads
  • Sssd

The explicit specification of server is not required, but if one server is not available, the service will not be provided.

root@support:~# cat /etc/sssd/sssd.conf
services = nss, pam
config_file_version = 2
domains = LUNIEL.COM
ad_server = dc01.luniel.com
ad_backup_server = empclddc02.luniel.com
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
ad_access_filter = (&(memberOf=cn=grp.sec.access.linux,ou=security groups,ou=groups,dc=luniel,dc=com))

If folder does not exit we can be in trouble, so we create them

mkdir /var/lib/sss/gpo_cache
chown sssd:sssd gpo_cache/

The config file of sssd should be accessible only by root

chmod 600 /etc/sssd/sssd.conf
  • Kerberos

Replace the domain controller with the correct one (in the example the value is the DC of 1and1)

mv /etc/krb5.conf /etc/krb5.conf.bak
cat /etc/krb5.conf
       default_realm = LUNIEL.COM
       ticket_lifetime = 24h
       renew_lifetime = 7d
       LUNIEL.COM = {
               kdc = dc01.luniel.com
               admin_server = dc01.luniel.com
  • nsswitch.conf

Check that sss is used in these 4 lines.

root@support:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat sss
group:          compat sss
shadow:         compat sss
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files
  • /etc/pam.d/common-session

We add pam_mkhomedir to create the home directory

echo "session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session

And check it.

root@support:~# tail /etc/pam.d/common-session
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_sss.so
session optional                        pam_ldap.so
session optional        pam_systemd.so
# end of pam-auth-update config
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
  • Sudoers

We want only some groups to access to sudo. In this example, we want the group grp.sec.access.linux.sudo.infra to be abbe to realize the sudo command

# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification 
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%grp.sec.access.linux.sudo.infra ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
  • pam.d

On Ubuntu 14 add this line to the end of the file /etc/pam.d/login

# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard
# EMPOWER Modification
session    required     pam_loginuid.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

Start samba services

root@support:~# /etc/init.d/samba start
nmbd start/running, process 52946
smbd start/running, process 52956
samba-ad-dc start/running, process 52970

Join server to domain

Kerberos login with admin rights user

kinit adm_dany
Password for adm_dany@LUNIEL.COM:

Check if connected

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adm_dany@LUNIEL.COM
Valid starting       Expires              Service principal
03/16/2018 11:28:12  03/16/2018 21:28:12  krbtgt/LUNIEL.COM@LUNIEL.COM
       renew until 03/23/2018 11:28:07

Join the server to the domain

net ads join -k
Using short domain name -- LUNIEL
Joined 'UBUNTU01' to dns domain 'luniel.com'

Start sssd services

On Ubuntu 14

root@support:~# service sssd start
sssd start/running, process 3925

On Ubuntu 16

systemctl start sssd


Daniel Simao (talk) 13:06, 20 July 2018 (EDT)