Linux machine in a Windows AD domain using sssd and krb5
I needed to join an Ubuntu machine to a Windows Active Directory domain. Samba with Winbind is the usual answer, but SSSD is a workable alternative, and a short guide to it follows.
For example, we will use:
Domain = contoso.com
Domain Controller = dc.contoso.com
Start the Ubuntu terminal:
1. Switch to root
sudo -i
2. Install the necessary packages
apt install sssd heimdal-clients msktutil
3. Edit /etc/krb5.conf. Realm names are upper case; the indentation inside the realm block is optional but keeps it readable. Use the KDC's FQDN rather than a short name so that the lookup does not depend on the DNS search suffix. The [login] section holds Kerberos 4 compatibility knobs that are harmless and can be dropped.
[libdefaults]
    default_realm = CONTOSO.COM
[realms]
    CONTOSO.COM = {
        kdc = dc.contoso.com
        admin_server = dc.contoso.com
        default_domain = contoso.com
    }
[login]
    krb4_convert = true
    krb4_get_tickets = false
[domain_realm]
    .contoso.com = CONTOSO.COM
    contoso.com = CONTOSO.COM
4. Edit /etc/hosts and give this host its FQDN:
127.0.0.1 localhost
127.0.1.1 <hostname>.contoso.com <hostname>
5. Obtain a Kerberos ticket as a domain administrator (it is needed only to create the computer account and is discarded afterwards):
root@ubuntu:~# kinit YourDomainAdmin
YourDomainAdmin@CONTOSO.COM's Password:
Checking:
root@ubuntu:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: YourDomainAdmin@CONTOSO.COM
Issued Expires Principal
Dec 1 15:08:27 2018 Dec 2 01:08:22 2018 krbtgt/CONTOSO.COM@CONTOSO.COM
If the ticket was obtained, generate the Kerberos principals for this host. Case matters: the realm is upper case and the host part of the service principal must match the hostname exactly. Replace HOSTNAME with the short hostname and YourComputersOU with the container in which the computer account should be created, relative to the domain base DN (an OU is written as OU=..., the default Computers container as CN=Computers). --user-creds-only tells msktutil to use the admin ticket from kinit rather than the (not yet existing) machine credentials:
msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME.contoso.com -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only
msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only
The keytab written to /etc/sssd/HOSTNAME.keytab is equivalent to the machine account's password: keep it owned by root with mode 0600 and do not let it end up in backups or disk images that others can read.
The host should now appear in the directory's list of computers. If it does, discard the administrator's ticket; nothing further needs it:
kdestroy
6. Create /etc/sssd/sssd.conf with the following contents (replace <HOSTNAME> with the short hostname; keep comments on their own lines, since a comment after a value would become part of the value):
[sssd]
services = nss, pam
config_file_version = 2
domains = contoso.com

[nss]
entry_negative_timeout = 0
debug_level = 3

[pam]
debug_level = 3

[domain/contoso.com]
debug_level = 3
ad_domain = contoso.com
ad_server = dc.contoso.com
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
# Without an access_provider every domain user may log in. "simple" restricts
# logins to the comma-separated groups below; with the AD provider the group
# names must be written in lower case.
access_provider = simple
simple_allow_groups = users
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = <HOSTNAME>$
ldap_krb5_init_creds = true
krb5_keytab = /etc/sssd/<HOSTNAME>.keytab
The sssd configuration parameters are documented in the sssd.conf(5) and sssd-ad(5) man pages.
Set the permissions on sssd.conf (sssd checks at start-up that the file is owned by root and not readable by others):
chmod 600 /etc/sssd/sssd.conf
Restart the SSSD service:
service sssd restart
7. Edit the PAM settings so that a home directory is created at a domain user's first login.
Bad solution:
edit /etc/pam.d/common-session and, after the line
session required pam_unix.so
add the line
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Good solution:
set it through the PAM profile system instead. Run
pam-auth-update
and tick "SSS authentication" and "Create home directory on login". This adds an equivalent pam_mkhomedir line to common-session and, unlike a hand edit, it is not overwritten when the system is updated.
Domain users permitted by the access_provider can now log in to the machine.
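Steps 5 to 7 leave three things on disk that decide who can log in and who can impersonate the host: the keytab, sssd.conf, and its access_provider. The following script, an added example and not part of the original guide, re-reads an sssd.conf in the format above and reports the mistakes that silently widen access: a config or keytab readable by others, a missing or permit access_provider, a simple provider with empty allow lists, and allow-group entries that are not lower case (the limitation noted above). The function names are this example's own; the optional owner argument exists only so the audit can be run against test copies that are not owned by root.

```shell
#!/bin/sh
# Post-join audit for an sssd AD configuration. Added example, not from the
# original article; helper names are hypothetical. Needs a POSIX sh and GNU stat.

# sssd_get <file> <section> <key>: print the value of <key> inside [<section>],
# or nothing if it is absent. Sections are matched exactly, e.g. "domain/contoso.com".
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); insec = (s == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# file_is_private <path> <owner>: succeed only if <path> is a regular file owned
# by <owner> with mode 0600. Both sssd.conf and the keytab must satisfy this.
file_is_private() {
    [ -f "$1" ] && [ "$(stat -c '%U:%a' "$1")" = "$2:600" ]
}

# audit_sssd_conf <sssd.conf> [owner]: print one FINDING line per problem and
# return the number of findings (0 means the file passes). Only the first
# configured domain is inspected, matching the single-domain setup above.
audit_sssd_conf() {
    local conf=$1 owner=${2:-root} n=0 dom ap groups users keytab upper

    file_is_private "$conf" "$owner" ||
        { echo "FINDING: $conf must be owned by $owner with mode 0600"; n=$((n + 1)); }

    dom=$(sssd_get "$conf" sssd domains | tr -d ' ')
    dom=${dom%%,*}
    if [ -z "$dom" ]; then
        echo "FINDING: [sssd] has no domains entry; nothing would authenticate"
        return $((n + 1))
    fi

    # sssd defaults access_provider to "permit": any AD user may log in.
    ap=$(sssd_get "$conf" "domain/$dom" access_provider)
    case $ap in
        "" | permit)
            echo "FINDING: [domain/$dom] access_provider is '${ap:-unset}': every domain user may log in"
            n=$((n + 1)) ;;
        simple)
            groups=$(sssd_get "$conf" "domain/$dom" simple_allow_groups)
            users=$(sssd_get "$conf" "domain/$dom" simple_allow_users)
            if [ -z "$groups$users" ]; then
                echo "FINDING: access_provider = simple with empty allow lists permits everyone"
                n=$((n + 1))
            fi
            # The AD provider serves group names in lower case, so a capitalised
            # entry never matches and silently locks that group out.
            upper=$(printf '%s\n' "$groups" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep '[[:upper:]]' || true)
            if [ -n "$upper" ]; then
                echo "FINDING: simple_allow_groups entries not in lower case: $(printf '%s' "$upper" | tr '\n' ',')"
                n=$((n + 1))
            fi ;;
    esac

    # The keytab is the machine account's password; sssd falls back to
    # /etc/krb5.keytab when krb5_keytab is not set.
    keytab=$(sssd_get "$conf" "domain/$dom" krb5_keytab)
    keytab=${keytab:-/etc/krb5.keytab}
    file_is_private "$keytab" "$owner" ||
        { echo "FINDING: keytab $keytab must exist, owned by $owner, mode 0600"; n=$((n + 1)); }

    return "$n"
}

# Usage: sh audit.sh /etc/sssd/sssd.conf  (exit status is the number of findings)
if [ -n "$1" ]; then
    audit_sssd_conf "$1" && echo "OK: $1 passes"
fi
```

Run it as root after step 7 and again after any later edit; a non-zero exit status with a list of FINDING lines is the cue to fix the file before letting domain users near the box.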
PS: sudo rights can be granted to domain groups. Using visudo, edit /etc/sudoers or, better, as recommended by maxzhurkin and iluvar, create a new file in /etc/sudoers.d/ and edit it:
visudo -f /etc/sudoers.d/your_file
Add the required group, for example Domain Admins (spaces in the group name must be escaped). Check the exact spelling with getent group first: sssd serves AD names in lower case and, if use_fully_qualified_names is enabled, with the @contoso.com suffix, and the sudoers entry must match what sssd returns:
%Domain\ Admins ALL=(ALL) ALL
PSS: Thanks to gotch for the pointer to realmd. Very convenient: if no special settings are needed, joining the machine to the domain takes essentially three commands.
1. Install the necessary packages:
sudo apt install realmd samba-common-bin samba-libs sssd-tools krb5-user adcli
2. Check that the domain is visible on the network:
realm discover contoso.com
3. Join the machine to the domain:
sudo realm --verbose join contoso.com -U YourDomainAdmin
4. Edit the PAM settings:
sudo pam-auth-update
realmd writes sssd.conf and the keytab for you, but by default it permits every domain user to log in (realm list reports login-policy: allow-realm-logins); tighten this with realm deny --all followed by realm permit -g for each group that should have access.
An additional advantage of this route is seamless Kerberos-based access to domain file shares.