It has, over the years, always been a quandary to get SSO auth working from *nix to MS AD without a huge amount of fiddling and tinkering, but there is a new auth framework in town by the name of `realmd`. While tinkering with The Foreman recently it dawned on me that it would be cool to set things up so that, after a VM had been automatically provisioned, I could SSH into it using my AD credentials.
This has the double benefit of providing SSO for users through SASL/GSSAPI and auto registering the linux box in Windows DNS if that is what you use as your DNS server backend.
Obviously, before you can script something like this with Puppet/Foreman, it is a good idea to do a test install on a blank Ubuntu 14.04.1 box so you know exactly what needs configuring, so I spun up a VM using my newly created PXE boot environment to start playing around with.
`realmd` bundles a number of existing technologies into a rather easy to install and configure package to get SSO/LDAP integration working; primarily it uses a package developed by RedHat called SSSD, which takes care of LDAP and Kerberos communications for you.
RedHat docs on SSSD/Kerberos/LDAP setup, pros/cons (Section 6.3).
The reason I chose this implementation is clearly outlined in the RedHat doc above:
- Kerberos SSO capable
- Supports SASL/GSSAPI binds for LDAP queries (optional)
- Enforces encrypted authentication only
- Client side caching of user information
- Off-line caching of previously authenticated user credentials
- Reduces number of client queries to server
- Graceful ID collision management
`realmd` is really a wrapper for SSSD and, to quote the site:
realmd configures sssd or winbind to do the actual network authentication and user account lookups.
To the configuration then. First we have to install `realmd` and `sssd`:
aptitude install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli packagekit -y
Enter your full domain name in all caps when prompted for `Default Kerberos version 5 realm`, e.g. EXAMPLE.DOMAIN.COM
Gain a kerberos ticket from AD:
kinit -V myles.gray
Add the short and long domain names to the `/etc/hosts` file (order is important) and save:
# edit the localhost entry to include the box's short and long names like below
127.0.0.1 test1.domain.example.com test1 localhost
N.B. If you don’t do the above you will see an error in the following output similar to the below:
DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- {your domain name here}
Joined 'TEST1' to dns domain 'domain.example.com'
No DNS domain configured for test1. Unable to perform DNS Update.
If you do come across this problem, leave the domain and then edit the `/etc/hosts` file. You can leave the domain with the following command:
realm --verbose leave -U myles.gray domain.example.com
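Because the post's goal is to automate this from Puppet/Foreman, it helps to have the `/etc/hosts` ordering requirement as a check rather than a thing you remember. The following is an added example, not code from the original post: it takes the hosts file path, FQDN and short name as arguments (so it can run against a template or a copy as well as the live file), reports whether the FQDN appears before the short name on a non-comment line, and can print the loopback line the post recommends.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the /etc/hosts entry that
# `net ads join` relies on to work out the DNS domain for its dynamic DNS update.
# Assumptions: the hosts file path, FQDN and short hostname are passed as arguments
# so the check can run against a copy or a managed template, not just /etc/hosts.

# Return 0 when some non-comment line lists the FQDN *before* the short name
# (the ordering the post calls out), 1 otherwise.
hosts_entry_ok() {
    file=$1; fqdn=$2; short=$3
    awk -v fqdn="$fqdn" -v short="$short" '
        { sub(/#.*/, "") }          # drop trailing comments
        NF < 2 { next }             # need an address plus at least one name
        {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) {
                if (f == 0 && $i == fqdn) f = i
                if (s == 0 && $i == short) s = i
            }
            if (f && s && f < s) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$file"
}

# Build the loopback line the post recommends from the FQDN alone.
hosts_line_for() {
    fqdn=$1
    short=${fqdn%%.*}
    printf '127.0.0.1 %s %s localhost\n' "$fqdn" "$short"
}

# Stand-alone usage: check the live file for this host and print the fix if needed.
if [ "${1:-}" = "--check" ]; then
    fqdn=$(hostname -f); short=$(hostname -s)
    if hosts_entry_ok /etc/hosts "$fqdn" "$short"; then
        echo "/etc/hosts OK for $fqdn"
    else
        echo "add to /etc/hosts: $(hosts_line_for "$fqdn")"
    fi
fi
```

Run it as `sh hosts-check.sh --check` before `realm join`; a failing check is exactly the situation that produces the "No DNS domain configured" message above.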
Now we can run our `realm join` command to join us to AD:
realm --verbose join -U myles.gray domain.example.com
You will be prompted for your admin user's password; enter it and you should receive output like the below:
[email protected]:~# realm --verbose join -U myles.gray domain.example.com
* Resolving: _ldap._tcp.domain.example.com
* Performing LDAP DSE lookup on: 10.0.1.123
* Performing LDAP DSE lookup on: 10.0.1.124
* Successfully discovered: domain.example.com
Password for myles.gray:
* Unconditionally checking packages
* Resolving required packages
* Installing necessary packages: sssd-tools, libpam-sss, libnss-sss, sssd, samba-common-bin
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads join domain.example.com
Enter myles.gray's password:
Using short domain name -- DOMAIN
Joined 'TEST1' to dns domain 'domain.example.com'
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads keytab create
Enter myles.gray's password:
* /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
* /usr/sbin/service sssd restart
stop: Unknown instance:
sssd start/running, process 9085
* Successfully enrolled machine in realm
We also need to comment out this line in our `/etc/sssd/sssd.conf` file because of a segfault bug known to RH:
#use_fully_qualified_names = True
Restart the `sssd` service:
service sssd restart
Now if we run `realm list` we should see some info about our newly joined domain:
# realm list
domain.example.com
type: kerberos
realm-name: domain.example.com
domain-name: domain.example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
Check the group membership of our AD user and that the AD integration is working correctly:
[email protected]:~# id myles.gray
uid=952601104(myles.gray) gid=952600513(domain users) groups=952600513(domain users),952601139(virtualisation admins),952600519(enterprise admins),952601127(inet_filter_none),952603106(foreman_admins),952600512(domain admins),952600518(schema admins),952603117(linux_admins),952603116(linux_users),952601103(net-users),952601152(vpn users),952600572(denied rodc password replication group)
Now choose the groups we want to allow login from by denying all (the default is allow all) and then allowing explicit AD groups (in my case, Linux_Users):
realm deny -R domain.example.com -a
realm permit -R domain.example.com -g Linux_Users
Now we can add our Active Directory `Domain Admins` and `Linux_Admins` groups to the `/etc/sudoers` file to give root access to users in those security groups:
visudo
Add the following lines (it is important to escape spaces in group names with a `\`):
%domain\ admins ALL=(ALL:ALL) ALL
%Linux_Admins ALL=(ALL:ALL) ALL
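The two steps above set up separate layers: `realm deny`/`realm permit` decides who may log in at all, and the sudoers lines decide who gets root. The following is an added example, not code from the original post, that audits both. It parses `realm list` output (fed on stdin) to confirm the login policy is deny-by-default, and renders sudoers lines for AD groups with spaces escaped, writing them as a drop-in under a sudoers.d directory with the 0440 mode sudo requires. The `SAMPLE_REALM_LIST` text is constructed to mirror the post's output format after `realm deny -a` / `realm permit -g` and was not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two access-control layers the
# post sets up, (1) who may log in (realm permit/deny) and (2) who gets root (sudoers).
# Assumptions: `realm list` text is fed on stdin; SAMPLE_REALM_LIST below is constructed
# to mirror the post's output format after `realm deny -a` / `realm permit -g` and is
# not captured from a real host.

SAMPLE_REALM_LIST='domain.example.com
  type: kerberos
  realm-name: domain.example.com
  configured: kerberos-member
  client-software: sssd
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-groups: linux_users@domain.example.com'

# Print the value of one "key: value" field from realm list output on stdin.
realm_field() {
    awk -v key="$1:" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# 0 if logins are deny-by-default (only permitted users/groups), 1 if the realm
# still allows every domain user (the post-join default, allow-realm-logins).
realm_is_restricted() {
    [ "$(realm_field login-policy)" = "allow-permitted-logins" ]
}

# Render one sudoers line for an AD group, escaping spaces as the post requires.
sudoers_group_line() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# Write a drop-in file (one line per group) with the 0440 mode sudo insists on.
# Using sudoers.d keeps generated rules separate from the hand-edited /etc/sudoers.
write_sudoers_fragment() {
    dir=$1; name=$2; shift 2
    f="$dir/$name"
    (
        umask 077
        for g in "$@"; do sudoers_group_line "$g"; done > "$f"
    )
    chmod 0440 "$f"
}
```

On a joined host, `realm list | realm_is_restricted` tells you whether the deny-all step actually took, and after `write_sudoers_fragment /etc/sudoers.d ad-admins 'domain admins' Linux_Admins` you can validate the result with `visudo -c -f /etc/sudoers.d/ad-admins` before relying on it.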
One thing I like to do is have each user get their own automatically generated home directory in the format `/home/domain.example.com/myles.gray`; PAM can do this for us if we edit the `/etc/pam.d/common-session` file:
nano /etc/pam.d/common-session
Add this line at the end of the file:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
User directories will be automatically created in the format `/home/domain.example.com/myles.gray` upon login.
You should now be able to SSH into the guest with your AD credentials and `sudo bash` if you are a member of the `Linux_Admins` or `Domain Admins` AD groups:
Myless-MacBook-Pro:~ myles.gray$ ssh [email protected]
[email protected]'s password:
Creating directory '/home/home.kharms.co.uk/myles.gray'.
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Dec 8 00:31:25 2014 from 10.0.3.2
[email protected]:~$
Run a `pwd` to make sure our home directory was created and we were placed there:
[email protected]:~$ pwd
/home/home.kharms.co.uk/myles.gray
Check that we can `sudo bash` as a member of one of the two AD groups we configured as sudoers:
[email protected]:~$ sudo bash
[sudo] password for myles.gray:
[email protected]:~#
You now have full AD auth for users and groups in your Linux environment. I will likely revisit this or make another post about SSO/password-less SSH login using Kerberos in the near future. For the moment, good luck!
Sources:
- http://stephenfritz.blogspot.it/2014/04/linux-microsoft-active-directory_28.html
- http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
- http://serverfault.com/questions/436037/sudoers-file-allow-sudo-on-specific-file-for-active-directory-group
- http://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/
- http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/
How does ID mapping work with realmd? I ask because the optimal solution is to use UID and GID from the AD server like with SFU or rfc2307.
@Stefan – realmd is technically a front-end for SSSD/Winbind (whichever you choose, SSSD is the default though) as such any ID mapping is done through SSSD in this case.
It uses UID and GID by default unless you use the ldap_id_mapping and ldap_schema in the sssd.conf as I understand it:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html
Myles, is it possible to obtain uid, gid and homedir mapping from a separate OpenLDAP database? I want to use your kerberos authentication and sssd’s auth provider. However, I really need to map custom attributes.
Mico, I can’t answer with any great degree of technicality. I think this isn’t a “thing”; I’m sure it can be done with some hacking, however. What about using OpenLDAP against AD as the auth provider and pulling the needed attributes through OpenLDAP, with AD as the backend auth for OpenLDAP?
Myles
Congratulations, great and very useful doc!
I’m highly interested in SSO/password-less ssh login and in fact do not understand why it does not work straight on. SSH/krb5 conf for that is still a mystery for me.
Would appreciate your help to make sso working too :-)
I followed the instructions without any error. But when running the command ‘id’ the systems says : ‘no such user’
I also have this problem, did you solve it?
Working in it Mark, seems 14.10 broke this!
Ok, but I’m using 14.04.2
It’s still happening as of 10/21/2015
Getting the same result as KUL.
Entering “id ” returns “id: : no such user”. Tried entering the domain username as “domain/username”, “domain\username”, and [email protected] Also tried with “//”, “\\”, “/\”, and “\/”.
Is this an indication of an issue? Ok to proceed past this without addressing?
Thanks.
@Dimarc67 – No that means lookups aren’t working, you will need to fix that before proceeding, I am investigating this on 14.10 at the moment (they seem to have STILL not fixed the realmd dependency problem).
does anyone have any updates on this issue
Entering “id ” returns “id: : no such user”. i’m stuck at this point unable to authenticate to ssh
I found a solution that worked to resolve the id:: no such user error.
1 – use the realm --verbose leave -U user your-domain to leave the domain
2 – to the /etc/sssd/sssd.conf file add
[your.domain.fqdn]
fully-qualified-names=no
save the file, then service sssd restart
4 – get a token again: kinit -V username
5 – join again: realm --verbose join -U user yourdomain.
test the id command id domain_user, this worked for me. hope it helps.
@alex, this didn’t work for me sorry.
Hi Mark,
Sorry to hear it didn’t work, after many installs and some minimal changes, to the steps above, this process seems to be working for me. I’ve tested over and over now and it seems to work. give it a try.
apt-get update
apt-get install realmd sssd samba-common-bin samba-libs sssd-tools krb5-user adcli
when prompted by krb5-user enter your Domain FQDN in upper case
Add the following to the realmd.conf file.
vi /etc/realmd.conf
[service]
automatic-install = no
[your.FQDN.Here]
fully-qualified-names=no
create the sssd.conf file and add the following
vi /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sssd]
domains =
config_file_version = 2
services = nss, pam
set permissions on file
chmod 0600 /etc/sssd/sssd.conf
this will prompt for your password and get a token at the same time.
realm --verbose join -U domainAccount my.domain.com
now test the id command
hope it works for you.
forgot to add this, at the end
if unable to join or id test is not working.
unjoin the domain
realm --verbose leave -U domainAccount my.domain.com
reboot system
join domain again.
realm --verbose join -U domainAccount my.domain.com
service sssd restart
test id
This worked thanks, I think it was the missing realmd.conf file.
One thing that I have noticed is that when joining the domain, if in the file /etc/sssd/sssd.conf the access_provider is set to ‘ad’ instead of ‘simple’ it won’t work. Fixing this line seems to help my installations.
Thanks Mark and Alex, i’m testing these solutions with 14.04.2 and 14.10 and will update the article based on what works best across both versions.
EDIT: Just tested with 14.04.2 and updated the article, working okay there now too.
Hi Myles,
Thanks for the update, I was wondering about the “Unable to perform DNS Update.” message, I’ll test it again with the host entry.
I’m testing on a 14.04.2 too and everything works except for:
– Delete the AD user from Ubuntu after I correctly logged in with it
– If I change password in AD, the linux user continues accepting the older password only
Thanks for the update, I’ll have to test it just to see how it behaves.
http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
this worked for me, adcli wasn’t installed and my sssd.conf was missing
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
Your sssd.conf is generated upon domain join.
I’m having two issues now:
1) I’m not able to remove the user either via gnome or via sss_userdel
2) Once I change the password via AD I can’t use the new password but I have to continue using the first password (the one I used the first time I logged in through gdm)
I am very new here. Trying to follow the instructions however first, it doesn’t prompt me to put in my domain name during the install. Then when editing the sssd file, does it save when you close the terminal.
Using 14.04.2 and following instructions in the article and fixes noted in comments I’m stuck at
# id myuser
id: myuser no such user
Where kinit -V myuser correctly authenticates. Any ideas?
A clean rebuild and careful ordering of steps did it. Maybe something conflicting in the configs from other work on the VM in question.
To solve the problem, “id: myuser no such user”. Tracking solution:
$ sudo apt-get install libnss-winbind
…
$ sudo service winbind restart
winbind stop / waiting
winbind start / running, process 3399
$ id My.User
uid = 10006 (My.User) gid = 10002 (domain user) groups = …
My Linux: Ubuntu 15.04
Source:
http://falstaff.agner.ch/2014/05/12/ubuntu-ad-authentication-after-system-upgrade/