itkb.ro - IT knowledge base (camscape)

Title: Join Ubuntu computer to Active Directory
Tags: ubuntu, active directory, join, sso
Author: David G.
Code: KBLN0046 v1.0
Date: 3 June 2020

Join Ubuntu computer to Active Directory

We will use SSSD to connect to AD and retrieve information about users and computers.

Make sure Ubuntu is up to date:

sudo apt -y update


Set a hostname according to your domain (myworkstation is the name of the computer, camscape.local is the AD domain):

sudo hostnamectl set-hostname myworkstation.camscape.local

Check that your DNS resolves the AD SRV records (realmd and SSSD locate the domain controllers through them):

nslookup -type=srv _ldap._tcp.camscape.local
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
_ldap._tcp.camscape.local       service = 0 100 389 robuhsrv002.camscape.local.

Install the needed packages:

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Check domain visibility:

sudo realm discover camscape.local

You should get:

camscape.local
  type: kerberos
  realm-name: CAMSCAPE.LOCAL
  domain-name: camscape.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@camscape.local
  login-policy: allow-realm-logins

Join the domain:

sudo realm join -U Administrator camscape.local
Password for Administrator:

If the join succeeds, check the realm again:

sudo realm list

You should get:

camscape.local
  type: kerberos
  realm-name: CAMSCAPE.LOCAL
  domain-name: camscape.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@camscape.local
  login-policy: allow-realm-logins

Activate auto-creation of home directories (the heredoc writes a pam-auth-update profile):

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

and activate it:

sudo pam-auth-update

Ensure that "activate mkhomedir" is selected with a [*]

SSSD should now be set up. Its configuration is in /etc/sssd/sssd.conf. Restart the service with:

sudo systemctl restart sssd

At this point you should be able to read information about users by running:

id Administrator@camscape.local

You should get:

uid=66600500(administrator@camscape.local) gid=66600513(domain users@camscape.local) groups=.....

Allow users to SSH to the workstation:

sudo realm permit user1@camscape.local

or by group (the -g flag tells realm to treat the entries as groups):

sudo realm permit -g "Domain Users"

or allow all users access:

sudo realm permit --all

or deny all:

sudo realm deny --all

All of these commands modify the access settings in sssd.conf.

Domain users do not get permission to escalate privileges to root (sudo rights) by default.

First create a sudoers drop-in file for the grants:

sudo vi /etc/sudoers.d/domain_admins

Add a user:

user1@camscape.local        ALL=(ALL)       ALL

Add a group:

%group1@camscape.local         ALL=(ALL)   ALL
%Domain\ Users@camscape.local  ALL=(ALL)   ALL

Files in /etc/sudoers.d must be owned by root with mode 0440, and a syntax error in one of them breaks sudo for everyone, so check the file with sudo visudo -cf /etc/sudoers.d/domain_admins before relying on it.

Setup SSO (Single Sign On)

Install the package:

sudo apt install krb5-user

Test it by running:

kinit user1@camscape.local

This should prompt for the user's password. After that, verify by running:

klist

You should see the ticket that was created.

Create keytab

sudo apt install msktutil

After install, create the computer account keytab (written to /etc/krb5.keytab by default):

sudo msktutil -c

Verify by running:

kinit -k 'myworkstation$'

and then

klist

which should show the ticket obtained with the workstation's computer account.

Modify PAM

Install the package:

sudo apt install libpam-krb5

Now edit the following files.

Add to the beginning of /etc/pam.d/common-account:

account required        pam_krb5.so minimum_uid=500

Add to the beginning of /etc/pam.d/common-auth:

auth    sufficient      pam_krb5.so try_first_pass minimum_uid=500 expose_account

Add to the beginning of /etc/pam.d/common-password:

password   sufficient pam_krb5.so minimum_uid=500

Add to the beginning of /etc/pam.d/common-session:

session optional        pam_krb5.so minimum_uid=500

Note that pam-auth-update regenerates the common-* files, so re-check these lines after running it (a profile in /usr/share/pam-configs, like the mkhomedir one above, survives regeneration).

From then on, a login (via SSH or GUI) verifies the password through Kerberos and also obtains tickets you can use to authenticate to other services (e.g. sshd on another machine).

Now, in Dolphin you can add a network place without a password, using SSO only.

Change SSSD configuration

At this point, your /etc/sssd/sssd.conf should look like:

[sssd]
domains = camscape.local
config_file_version = 2
services = nss, pam

[domain/camscape.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CAMSCAPE.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = camscape.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

Modify it by adding some new tweaks:

[sssd]
domains = camscape.local
config_file_version = 2
services = nss, pam

[pam]
# This option specifies whether the responder should query all caches
# before querying the Data Providers.
# Default: false
cache_first = False

# If the authentication provider is offline, how long should we allow cached
# logins (in days since the last successful online login).
# Default: 0 (No limit)
offline_credentials_expiration = 30

# If the authentication provider is offline, how many failed login attempts
# are allowed.
# Default: 0 (No limit)
offline_failed_login_attempts = 10

[domain/camscape.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CAMSCAPE.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = camscape.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

chpass_provider = ad

# How many seconds should nss_sss consider entries valid before asking the
# backend again
# The cache expiration timestamps are stored as attributes of individual
# objects in the cache. Therefore, changing the cache timeout only has effect
# for newly added or expired entries. You should run the sss_cache(8) tool in
# order to force refresh of entries that have already been cached.
# Default: 5400
entry_cache_timeout = 2592000

# Number of days entries are left in cache after last successful login before
# being removed during a cleanup of the cache. 0 means keep forever. The value
# of this parameter must be greater than or equal to
# offline_credentials_expiration.
# Default: 0 (unlimited)
account_cache_expiration = 30

# Display a warning N days before the password expires.
#
# If zero is set, then this filter is not applied, i.e. if the expiration
# warning was received from backend server, it will automatically be displayed.
#
# Please note that the backend server has to provide information about the
# expiration time of the password. If this information is missing, sssd cannot
# display a warning. Also an auth provider has to be configured for the backend.
#
# Default: 7 (Kerberos), 0 (LDAP)
pwd_expiration_warning = 15

This keeps successful logons cached for 30 days, so that even without network access you can still log in with an AD user.

Because cache_first is False, SSSD asks AD first and falls back to the cache only when AD is unavailable.
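As an added check for the realm permit section and the cache tweaks above (example code written for this page, not part of the original article and not an SSSD tool): a small Python script that parses an sssd.conf with the standard configparser module and flags the settings that decide who can log in and for how long cached credentials stay usable. The sample config is constructed here, with one deliberate mistake so the checker has something to report.

```python
import configparser

# Constructed sample, not copied from a real host: the tuned sssd.conf from
# the article with one deliberate mistake (account_cache_expiration shorter
# than offline_credentials_expiration) so the checker has something to find.
SAMPLE_CONF = """\
[sssd]
domains = camscape.local
config_file_version = 2

[pam]
cache_first = False
offline_credentials_expiration = 30
offline_failed_login_attempts = 10

[domain/camscape.local]
id_provider = ad
cache_credentials = True
access_provider = ad
account_cache_expiration = 7
"""


def check_sssd_conf(text: str) -> list:
    """Return findings about offline-login and access settings; [] means sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    pam = cp["pam"] if cp.has_section("pam") else {}
    offline_days = int(pam.get("offline_credentials_expiration", 0))
    if offline_days == 0:
        findings.append("pam: offline_credentials_expiration = 0, cached logins never expire")
    if int(pam.get("offline_failed_login_attempts", 0)) == 0:
        findings.append("pam: offline_failed_login_attempts = 0, unlimited offline guesses")
    for name in cp.get("sssd", "domains", fallback="").split(","):
        sect = f"domain/{name.strip()}"
        if not cp.has_section(sect):
            findings.append(f"{sect}: listed in [sssd] domains but has no section")
            continue
        dom = cp[sect]
        if offline_days and dom.get("cache_credentials", "False").lower() != "true":
            findings.append(f"{sect}: offline logins expected but cache_credentials is not True")
        # sssd.conf(5): account_cache_expiration must be >= offline_credentials_expiration (0 = unlimited)
        acct_days = int(dom.get("account_cache_expiration", 0))
        if offline_days and acct_days and acct_days < offline_days:
            findings.append(f"{sect}: account_cache_expiration {acct_days} < offline_credentials_expiration {offline_days}")
        # without access_provider sssd defaults to permit: every AD user may log in
        if dom.get("access_provider", "permit") == "permit":
            findings.append(f"{sect}: access_provider is permit, every AD user may log in")
    return findings
```

Run it against /etc/sssd/sssd.conf (as root, since the file is mode 0600) by passing the file contents to check_sssd_conf and printing each finding.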