Utilising Kerberos/AD auth in Ubuntu 14.04 with realmd

08/12/2014 by Myles Gray

Getting SSO from *nix to Microsoft AD has, over the years, always involved a huge amount of fiddling and tinkering, but there is a new auth framework in town by the name of realmd. While tinkering with The Foreman recently it dawned on me that it would be nice to have things set up so that, once a VM has been automatically provisioned, I can SSH into it using my AD credentials.

This has the double benefit of providing SSO for users (Kerberos via SASL/GSSAPI) and auto-registering the Linux box in Windows DNS, if that is what you use as your DNS backend.

Obviously, before scripting something like this with Puppet/Foreman it is a good idea to do a test install on a blank Ubuntu 14.04.1 box so you know exactly what needs configuring, so I spun up a VM using my newly created PXE boot environment to start playing around with.

realmd wraps a number of existing technologies into a rather easy-to-install-and-configure package for SSO/LDAP integration; primarily it uses SSSD, a package developed by Red Hat that takes care of the LDAP and Kerberos communication for you.

Red Hat docs on SSSD/Kerberos/LDAP setup, pros/cons (Section 6.3).

SSSD Architecture

The reason I chose this implementation is clearly outlined in the Red Hat doc above:

  • Kerberos SSO capable
  • Supports SASL/GSSAPI binds for LDAP queries (optional)
  • Enforces encrypted authentication only
  • Client side caching of user information
  • Off-line caching of previously authenticated user credentials
  • Reduces number of client queries to server
  • Graceful ID collision management

realmd is really a wrapper for SSSD and to quote the site:

realmd configures sssd or winbind to do the actual network authentication and user account lookups.

To the configuration then, first we have to install realmd and sssd:

aptitude install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli packagekit -y

Enter your full domain name in ALL CAPS when prompted for the Default Kerberos version 5 realm, e.g. EXAMPLE.DOMAIN.COM (Kerberos realm names are case-sensitive and AD realms are the upper-cased DNS domain name).

Get a Kerberos ticket from AD; this confirms the KDC is reachable and the realm is right before you attempt the join:

kinit -V myles.gray

Add the box's short and long host names to /etc/hosts (order is important: the FQDN has to be the first name on the line, because that is what the resolver hands back as the canonical name and what net ads join uses to pick the DNS domain for its update) and save:

# edit the localhost entry to include the box's short and long names, FQDN first
127.0.0.1     test1.domain.example.com test1 localhost

N.B. If you don't do the above, the join output will contain an error similar to the below:

DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- {your domain name here}
Joined 'TEST1' to dns domain 'domain.example.com'
No DNS domain configured for test1. Unable to perform DNS Update.

If you do hit this problem, leave the domain, fix /etc/hosts and join again. You can leave the domain with the following command:

realm --verbose leave -U myles.gray domain.example.com
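The hosts-file requirement above is easy to get wrong on a freshly PXE-built box (the installer only writes the short name, on 127.0.1.1), so here is a pre-flight check to run before the join. It is an added example, not part of the original post or of realmd; the file path and host names are parameters so it can be exercised against constructed files, and the names test1 / test1.domain.example.com are the post's own placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# /etc/hosts requirement before `realm join`. glibc returns the FIRST name
# on a matching hosts line as the canonical name, so `hostname -f` (and
# `net ads join`, which needs the FQDN to choose a DNS domain for its
# dynamic update) only work when the FQDN precedes the short name.

# check_hosts_entry <hosts-file> <short-name> <fqdn>
# Returns 0 when some line lists <fqdn> as its canonical (first) name and
# <short-name> among the aliases; 1 otherwise. Comments are ignored.
check_hosts_entry() {
    sed 's/#.*//' "$1" | awk -v sname="$2" -v fqdn="$3" '
        NF >= 3 && $2 == fqdn {
            # $1 address, $2 canonical name (h_name), $3.. aliases
            for (i = 3; i <= NF; i++) if ($i == sname) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# hosts_line <short-name> <fqdn>
# Prints the loopback line in the shape the post uses (FQDN first).
hosts_line() {
    printf '127.0.0.1\t%s %s localhost\n' "$2" "$1"
}

# --- demonstration on constructed files, not a real /etc/hosts ---
demo="$(mktemp -d)"
# Ubuntu's installer default: short name only, on 127.0.1.1
printf '127.0.0.1\tlocalhost\n127.0.1.1\ttest1\n' > "$demo/installer-default"
hosts_line test1 test1.domain.example.com > "$demo/fixed"
for f in installer-default fixed; do
    if check_hosts_entry "$demo/$f" test1 test1.domain.example.com; then
        echo "$f: OK, test1 resolves canonically to test1.domain.example.com"
    else
        echo "$f: FQDN is not the canonical name for test1; expect 'No DNS domain configured' from the join"
    fi
done
rm -rf "$demo"
```

On the real box, run check_hosts_entry /etc/hosts with your own short name and FQDN before realm join; if it fails, add the line hosts_line prints (or edit the existing 127.0.0.1 entry) and re-check, rather than discovering the problem from the DNS update error after the join.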

Now we can run our realm join command to join us to AD:

realm --verbose join -U myles.gray domain.example.com

You will be prompted for your admin user's password (the account needs rights to create computer objects in the domain). It is asked for again for each net command realmd runs underneath; enter it and you should see output like the below:

root@test1:~# realm --verbose join -U myles.gray domain.example.com
 * Resolving: _ldap._tcp.domain.example.com
 * Performing LDAP DSE lookup on: 10.0.1.123
 * Performing LDAP DSE lookup on: 10.0.1.124
 * Successfully discovered: domain.example.com
Password for myles.gray: 
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: sssd-tools, libpam-sss, libnss-sss, sssd, samba-common-bin
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads join domain.example.com
Enter myles.gray's password:
Using short domain name -- DOMAIN
Joined 'TEST1' to dns domain 'domain.example.com'
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads keytab create
Enter myles.gray's password:
 * /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
 * /usr/sbin/service sssd restart
stop: Unknown instance: 
sssd start/running, process 9085
 * Successfully enrolled machine in realm 

We also need to comment out this line in /etc/sssd/sssd.conf because of a segfault bug known to Red Hat. With it off, AD users log in by bare username (myles.gray rather than myles.gray@domain.example.com), so make sure no AD user name collides with a local account in /etc/passwd, which NSS consults before SSSD:

#use_fully_qualified_names = True

Restart sssd service:

service sssd restart

Now if we run a realm list we should see some info about our newly joined domain:

# realm list
domain.example.com
  type: kerberos
  realm-name: domain.example.com
  domain-name: domain.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

Check the group membership of our AD user to confirm the AD integration is working correctly (the large UIDs and GIDs are SSSD's ID-mapped values derived from the AD SIDs, which is why Domain Users ends in its well-known RID 513):

root@test1:~# id myles.gray
uid=952601104(myles.gray) gid=952600513(domain users) groups=952600513(domain users),952601139(virtualisation admins),952600519(enterprise admins),952601127(inet_filter_none),952603106(foreman_admins),952600512(domain admins),952600518(schema admins),952603117(linux_admins),952603116(linux_users),952601103(net-users),952601152(vpn users),952600572(denied rodc password replication group)

Now choose which groups may log in. After a join the policy is allow-realm-logins (every AD user can log in, as the realm list output above shows), so deny everyone first and then permit explicit AD groups (in my case, Linux_Users):

realm deny -R domain.example.com -a
realm permit -R domain.example.com -g Linux_Users

Now we can add the Active Directory Domain Admins and Linux_Admins groups to /etc/sudoers to give root access to members of those security groups. Always edit sudoers through visudo so a syntax error cannot lock you out:

visudo

Add the following lines (spaces in group names must be escaped with a backslash):

%domain\ admins ALL=(ALL:ALL) ALL
%Linux_Admins ALL=(ALL:ALL) ALL
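Two things from the last two steps are worth checking rather than trusting: that the login policy actually ended up restrictive, and that AD group names with spaces made it into sudoers with the right escaping. The script below is an added example, not the post's or realmd's code. Its sssd.conf is constructed to mirror what realm permit -g leaves behind with the sssd backend (SSSD's simple access provider with a simple_allow_groups list; the exact value format is an assumption here), and it relies on the documented SSSD default of access_provider = permit when the key is absent.

```shell
#!/bin/sh
# Added example (not from the original post): audit the access policy in
# sssd.conf and generate correctly escaped sudoers rules for AD groups.

# sssd_domain_value <sssd.conf> <domain> <key>
# Prints the value of <key> from the [domain/<domain>] section (empty if unset).
sssd_domain_value() {
    awk -v want="[domain/$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); in_sec = (s == want); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# sssd_access_provider <sssd.conf> <domain>
# SSSD's documented default when the key is absent is "permit": every
# user the domain can resolve is allowed to log in.
sssd_access_provider() {
    v="$(sssd_domain_value "$1" "$2" access_provider)"
    printf '%s\n' "${v:-permit}"
}

# sudoers_group_line <ad-group> [<spec>]
# Emits a %group rule, escaping the characters sudoers(5) treats specially
# inside a word: backslash, whitespace and ! = : , ( )
sudoers_group_line() {
    esc="$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[ !=:,()]/\\&/g')"
    printf '%%%s %s\n' "$esc" "${2:-ALL=(ALL:ALL) ALL}"
}

# --- demonstration on a constructed sssd.conf, not a real system file ---
demo="$(mktemp -d)"
cat > "$demo/sssd.conf" <<'EOF'
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
id_provider = ad
access_provider = simple
simple_allow_groups = Linux_Users
EOF
ap="$(sssd_access_provider "$demo/sssd.conf" domain.example.com)"
case "$ap" in
    permit) echo "WARNING: access_provider is permit, every AD user can log in" ;;
    simple) echo "access_provider=simple, allowed groups: $(sssd_domain_value "$demo/sssd.conf" domain.example.com simple_allow_groups)" ;;
    *)      echo "access_provider=$ap (server-side policy; confirm it really restricts logins)" ;;
esac

# sudoers rules for the two admin groups used in the post
for g in 'domain admins' 'Linux_Admins'; do sudoers_group_line "$g"; done > "$demo/ad-admins"
cat "$demo/ad-admins"
# Syntax-check the fragment before installing it, if visudo is on this box
if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$demo/ad-admins" && echo "sudoers fragment parses"
fi
rm -rf "$demo"
```

Point the functions at the real /etc/sssd/sssd.conf after the realm deny/permit step; a result of permit means the deny did not take effect. The generated rules can go into a file under /etc/sudoers.d instead of the main sudoers file, as long as it is installed with mode 0440 and validated with visudo -c first.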

One thing I like to do is have each user get their own automatically generated home directory, in the format /home/domain.example.com/myles.gray. PAM can do this for us if we edit /etc/pam.d/common-session:

nano /etc/pam.d/common-session

Add this line at the end of the file:

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

User directories will be created automatically as /home/domain.example.com/<user> on first login. Note that umask=0022 creates them world-readable (mode 0755); use umask=0077 if users should not be able to browse each other's home directories.

You should now be able to SSH into the guest with your AD credentials and sudo bash if you are a member of the Linux_Admins or Domain Admins AD groups:

Myless-MacBook-Pro:~ myles.gray$ ssh myles.gray@test1
myles.gray@test1's password: 
Creating directory '/home/home.kharms.co.uk/myles.gray'.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Dec  8 00:31:25 2014 from 10.0.3.2
myles.gray@test1:~$

Run pwd to make sure our home directory was created and we were placed in it:

myles.gray@test1:~$ pwd
/home/home.kharms.co.uk/myles.gray

Check that we can sudo bash as a member of one of the two AD groups we configured as sudoers:

myles.gray@test1:~$ sudo bash
[sudo] password for myles.gray: 
root@test1:~# 

You now have full AD auth for users and groups in your Linux environment. I will likely revisit this, or write another post, about SSO/password-less SSH login using Kerberos in the near future. For the moment, good luck!

Sources:

  • http://stephenfritz.blogspot.it/2014/04/linux-microsoft-active-directory_28.html
  • http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
  • http://serverfault.com/questions/436037/sudoers-file-allow-sudo-on-specific-file-for-active-directory-group
  • http://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/
  • http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/

Filed Under: Infrastructure, Software Tagged With: active directory, authentication, linux, ubuntu

About Myles Gray

Hi! I'm Myles, and I'm a Dev Advocate at VMware. Focused primarily on content generation, product enablement and feedback from customers and field to engineering.

Comments

  1. Stefan Midjich says

    08/12/2014 at 13:54

    How does ID mapping work with realmd? I ask because the optimal solution is to use UID and GID from the AD server like with SFU or rfc2307.

    • Myles Gray says

      08/12/2014 at 19:25

      @Stefan – realmd is technically a front-end for SSSD/Winbind (whichever you choose, SSSD is the default though), as such any ID mapping is done through SSSD in this case.

      It uses UID and GID by default unless you use ldap_id_mapping and ldap_schema in the sssd.conf, as I understand it:

      https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

      • Mico says

        28/06/2015 at 05:26

        Myles, is it possible to obtain uid, gid and homedir mapping from a separate OpenLDAP database? I want to use your Kerberos authentication and sssd's auth provider. However, I really need to map custom attributes.

        • Myles Gray says

          08/07/2015 at 18:46

          Mico, I can't answer with any great degree of technicality. I think this isn't a "thing"; I'm sure it can be done with some hacking, however. What about using OpenLDAP against AD as auth provider and pulling the needed attributes through OpenLDAP, while having AD as backend auth for OpenLDAP?

          Myles
  2. Patrick Nomblot says

    22/01/2015 at 16:22

    Congratulations, great and very useful doc!

    I'm highly interested in SSO/password-less ssh login and in fact do not understand why it does not work straight on. SSH/krb5 conf for that is still a mystery for me.

    Would appreciate your help to make SSO working too :-)
  3. KUL says

    11/02/2015 at 16:02

    I followed the instructions without any error. But when running the command 'id' the system says: 'no such user'

    • Mark Snelling says

      05/03/2015 at 14:48

      I also have this problem, did you solve it?

      • Myles Gray says

        05/03/2015 at 15:08

        Working on it Mark, seems 14.10 broke this!

        • Mark Snelling says

          05/03/2015 at 15:12

          Ok, but I'm using 14.04.2

          • Bob Henderson says

            21/10/2015 at 18:48

            It's still happening as of 10/21/2015
  4. Dimarc67 says

    26/02/2015 at 19:01

    Getting the same result as KUL.

    Entering “id ” returns “id: : no such user”. Tried entering the domain username as “domain/username”, “domain\username”, and username@domain. Also tried with “//”, “\\”, “/\”, and “\/”.

    Is this an indication of an issue? Ok to proceed past this without addressing?

    Thanks.

    • Myles Gray says

      02/03/2015 at 18:50

      @Dimarc67 – No, that means lookups aren't working, you will need to fix that before proceeding. I am investigating this on 14.10 at the moment (they seem to have STILL not fixed the realmd dependency problem).
  5. alex says

    05/03/2015 at 05:24

    Does anyone have any updates on this issue?
    Entering “id ” returns “id: : no such user”. I'm stuck at this point, unable to authenticate to ssh.

    • alex says

      06/03/2015 at 00:45

      I found a solution that worked to resolve the "id: : no such user" error.
      1 – use realm --verbose leave -U user your-domain to leave the domain
      2 – to the /etc/sssd/sssd.conf file add
      [your.domain.fqdn]
      fully-qualified-names=no
      save the file, then service sssd restart
      4 – get a token again: kinit -V username
      5 – join again: realm --verbose join -U user yourdomain

      Test the id command: id domain_user. This worked for me, hope it helps.

      • Mark Snelling says

        06/03/2015 at 13:55

        @alex, this didn't work for me sorry.

        • Alex says

          10/03/2015 at 03:04

          Hi Mark,
          Sorry to hear it didn't work. After many installs and some minimal changes to the steps above, this process seems to be working for me. I've tested over and over now and it seems to work. Give it a try.

          apt-get update

          apt-get install realmd sssd samba-common-bin samba-libs sssd-tools krb5-user adcli

          When prompted by krb5-user enter your Domain FQDN in upper case.

          Add the following to the realmd.conf file.
          vi /etc/realmd.conf
          [service]
          automatic-install = no

          [your.FQDN.Here]
          fully-qualified-names=no

          Create the sssd.conf file and add the following
          vi /etc/sssd/sssd.conf
          [nss]
          filter_groups = root
          filter_users = root
          reconnection_retries = 3

          [pam]
          reconnection_retries = 3

          [sssd]
          domains =
          config_file_version = 2
          services = nss, pam

          Set permissions on the file
          chmod 0600 /etc/sssd/sssd.conf

          This will prompt for your password and get a token at the same time.
          realm --verbose join -U domainAccount my.domain.com

          Now test the id command.

          Hope it works for you.

          • Alex says

            10/03/2015 at 03:24

            Forgot to add this, at the end:

            If unable to join or the id test is not working:

            unjoin the domain
            realm --verbose leave -U domainAccount my.domain.com

            reboot system

            join domain again.

            realm --verbose join -U domainAccount my.domain.com
            service sssd restart
            test id

          • Mark Snelling says

            10/03/2015 at 11:04

            This worked thanks, I think it was the missing realmd.conf file.

          • Mark Snelling says

            10/03/2015 at 12:43

            One thing that I have noticed is that when joining the domain, if in the file /etc/sssd/sssd.conf the access_provider is set to 'ad' instead of 'simple' it won't work. Fixing this line seems to help my installations.

            • Myles Gray says

              10/03/2015 at 13:42

              Thanks Mark and Alex, I'm testing these solutions with 14.04.2 and 14.10 and will update the article based on what works best across both versions.

              EDIT: Just tested with 14.04.2 and updated the article, working okay there now too.

              • Alex says

                11/03/2015 at 14:21

                Hi Myles,
                Thanks for the update, I was wondering about the "Unable to perform DNS Update." message, I'll test it again with the host entry.

              • ⒢ⓐⓑⓡⓘⓔⓛⓔ ⓥⓘⓓⓐⓛⓘ (@gvidali) says

                30/03/2015 at 16:38

                I'm testing on a 14.04.2 too and everything works except for:
                – Delete the AD user from Ubuntu after I correctly logged in with it
                – If I change password in AD, the linux user continues accepting the older password only

            • Alex says

              11/03/2015 at 14:15

              Thanks for the update, I'll have to test it just to see how it behaves.
  6. Adam Ellis says

    08/03/2015 at 15:01

    http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

    This worked for me, adcli wasn't installed and my sssd.conf was missing

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    • Myles Gray says

      10/03/2015 at 15:57

      Your sssd.conf is generated upon domain join.

      • ⒢ⓐⓑⓡⓘⓔⓛⓔ ⓥⓘⓓⓐⓛⓘ (@gvidali) says

        30/03/2015 at 20:53

        I'm having two issues now:
        1) I'm not able to remove the user either via gnome or via sss_userdel
        2) Once I change the password via AD I can't use the new password but I have to continue using the first password (the one I used the first time I logged in through gdm)
  7. Tina says

    13/04/2015 at 21:37

    I am very new here. Trying to follow the instructions, however first, it doesn't prompt me to put in my domain name during the install. Then when editing the sssd file, does it save when you close the terminal?
  8. putt1ck says

    22/04/2015 at 06:30

    Using 14.04.2 and following instructions in the article and fixes noted in comments I'm stuck at

    # id myuser
    id: myuser no such user

    Where kinit -V myuser correctly authenticates. Any ideas?

    • putt1ck says

      26/04/2015 at 14:04

      A clean rebuild and careful ordering of steps did it. Maybe something conflicting in the configs from other work on the VM in question.
  9. Thales says

    04/05/2015 at 13:45

    To solve the problem "id: myuser no such user". Tracking solution:

    $ sudo apt-get install libnss-winbind
    …
    $ sudo service winbind restart
    winbind stop/waiting
    winbind start/running, process 3399
    $ id My.User
    uid=10006(My.User) gid=10002(domain user) groups=…

    My Linux: Ubuntu 15.04

    Source:
    http://falstaff.agner.ch/2014/05/12/ubuntu-ad-authentication-after-system-upgrade/
