Integrate Ubuntu & Active Directory using Kerberos, Realmd, SSSD

Ubuntu can be integrated with Active Directory using Kerberos, realmd and SSSD. Prerequisites for joining an Ubuntu server to a Windows Active Directory domain:

  1. The Ubuntu server must be able to reach the AD domain controllers, at minimum on DNS (53), Kerberos (88), LDAP (389), SMB (445) and kpasswd (464).
  2. An Active Directory account with sufficient privilege to join the server to the domain: the domain Administrator, a member of the 'Domain Admins' group, or an account that has been delegated the right to create computer objects in the target OU.

Configure Hosts

The first step of the Active Directory join is to edit the /etc/hosts file. Add a line with your machine's IP address, its fully qualified hostname and its short hostname, in that order. The FQDN is what hostname -f must return, and realmd derives the computer account name and the host/ service principal in the keytab from it.

vi /etc/hosts

In the hosts file, enter the below values,

xx.xx.xx.xx mymachine.domain.com mymachine

Example :-

10.0.0.50 mymachine.domain.com mymachine

Configure Local Resolver

Next, set up /etc/resolv.conf with your name server entries and the search domain. Usually the AD domain controllers are the name servers, since the DNS role is normally installed on them; the join locates the domain through the _ldap._tcp.dc._msdcs.domain.com SRV records, which only the AD DNS serves, so a resolver that forwards to some other DNS will make the join fail. Note that on Ubuntu /etc/resolv.conf is generated (by resolvconf on 16.04, by systemd-resolved on later releases), so also put these values in your network configuration or they may be overwritten at the next boot.

vi /etc/resolv.conf

In the resolv.conf file, please enter the below values

nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
search domain.com

Example :-

vi /etc/resolv.conf

Edit the resolv.conf file and enter the below values,

nameserver 10.0.0.2
nameserver 10.0.0.3
search domain.com

Install the Utilities

Install the required packages,

apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

During the installation of krb5-user, a debconf dialog (the pink screen) asks for the default Kerberos realm. Enter your full domain name in CAPITAL LETTERS, since the realm name is case-sensitive,

Eg : DOMAIN.COM

select OK by pressing TAB

You may leave it BLANK and press OK if you wish to set the realm in /etc/krb5.conf later.

Configure NTP Settings

The date and time of your Ubuntu server must be synchronized with the Active Directory server: Kerberos rejects authentication when the clock skew exceeds 5 minutes (the 300-second default), so a drifted clock shows up later as a failed join or failed logins. Add your Active Directory NTP host names (normally the domain controllers) to the /etc/ntp.conf file,

vi /etc/ntp.conf
server ntphost1.domain.com
server ntphost2.domain.com

You can also keep Ubuntu's NTP servers, provided your Active Directory server is itself synchronized to a reliable time source, so that both sides agree.

vi /etc/ntp.conf

In that case, add the below values instead of the above,

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

Now step the Ubuntu host's date and time from the NTP server, then enable and start the NTP service. Run ntpdate before starting ntpd; it cannot set the time while ntpd holds port 123.

If you are using your Active Directory's NTP service, execute the below commands,

ntpdate ntphost1.domain.com
ntpdate ntphost2.domain.com
systemctl enable ntp
systemctl start ntp

Configure RealMD Settings

Create a file named realmd.conf,

vi /etc/realmd.conf

Enter the below values in the realmd config file, replacing domain.com with your domain name (the section name must match the domain you join) and DOMAIN in default-home with the short domain name. fully-qualified-names = no means users log in as george rather than george@domain.com,

[users]
default-home = /home/DOMAIN/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 16.04
[service]
automatic-install = no
[domain.com]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Now obtain a Kerberos ticket for your Active Directory administrator account; this ticket is what realm join uses to authenticate to the domain in the next step. A successful kinit also proves that DNS, time and port 88 to the KDC all work; a clock skew error here means going back to the NTP step,

kinit administrator@DOMAIN.COM

Password for administrator@DOMAIN.COM: <enter password>

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COM

Valid starting       Expires              Service principal
02/11/2017 21:22:27  03/11/2017 07:22:27  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/11/2017 21:22:27

Join the Ubuntu Host to Active Directory Domain

To join the Ubuntu host to the Active Directory domain, execute the below command. With no --user given, realm authenticates with the ticket obtained by kinit above. --user-principal sets the userPrincipalName of the computer account that is created, so it takes the host service principal (host/FQDN@REALM), not the administrator's name,

realm --verbose join domain.com --user-principal=host/mymachine.domain.com@DOMAIN.COM --unattended

* /usr/sbin/update-rc.d sssd enable
update-rc.d: error: cannot find a LSB script for sssd
* /usr/sbin/service sssd restart
* Successfully enrolled machine in realm

The update-rc.d error is harmless on a systemd host (sssd ships a unit file, not an init script); the last line confirms the join, and realm list shows the domain as configured.

Access Control using REALM

To deny all Active Directory users and groups access to your Ubuntu host, execute the below command,

realm deny --all

Once all access is denied, permit the selected Active Directory groups or users. To permit selected groups, execute the below command,

realm permit -g 'Domain Admins' 'IT DEPT'

To permit selected users, execute the below command,

realm permit administrator george

This permits the two users administrator and george. realm stores these rules in /etc/sssd/sssd.conf as access_provider = simple with simple_allow_groups and simple_allow_users, and realm list shows the current permitted groups and users.

Configure SSSD Service

Edit the file /etc/sssd/sssd.conf (realm join creates it; create it if it does not exist),

vi /etc/sssd/sssd.conf

Enter the below configuration values in the sssd config file, replacing domain.com and DOMAIN with your domain name. Two caveats: writing this file replaces the access rules that realm permit stored, so with access_provider = ad every enabled AD account can log in until you run realm permit again (which switches access_provider back to simple); and enumerate = True makes getent passwd list the whole domain, which is slow on large directories and is only needed for the verification step below.

[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam
[domain/domain.com]
ad_domain = domain.com
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
#fallback_homedir = /home/%d/%u
fallback_homedir = /home/DOMAIN/%u
enumerate = True
access_provider = ad

Make sure the file is owned by root with mode 0600 (SSSD refuses to start otherwise), then restart the SSSD service by executing the below command,

service sssd restart
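realm deny/permit and the hand-written sssd.conf above interact: realm permit stores its allow-list in sssd.conf as access_provider = simple with simple_allow_groups, and writing the file with access_provider = ad discards it, leaving the host open to every enabled AD account. This added example (not the post's own code; the file names and group names are assumed) parses an sssd.conf and reports whether an allow-list is still in force, and checks the root-owned 0600 permissions SSSD insists on.

```shell
#!/bin/sh
# Check that sssd.conf still enforces the realm permit allow-list and has
# the permissions sssd demands. Added example; not from the original post.
# The file names and group names below are assumed.

# sssd_domain_value FILE KEY
# Prints KEY's value from the first [domain/...] section of FILE (empty if
# absent). Accepts "key = value" and "key=value", ignores comment lines.
sssd_domain_value() {
    awk -v key="$2" '
        /^[ \t]*#/      { next }
        /^\[domain\//   { in_dom = 1; next }
        /^\[/           { in_dom = 0; next }
        in_dom {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# sssd_access_ok FILE
# Returns 0 when the domain uses access_provider = simple together with a
# non-empty simple_allow_groups or simple_allow_users, which is what
# "realm permit" writes. Returns 1 otherwise: with access_provider = ad (or
# permit) every enabled AD account may log in, and rewriting sssd.conf by
# hand after "realm permit" silently drops the list.
sssd_access_ok() {
    provider=$(sssd_domain_value "$1" access_provider)
    groups=$(sssd_domain_value "$1" simple_allow_groups)
    users=$(sssd_domain_value "$1" simple_allow_users)
    [ "$provider" = "simple" ] && { [ -n "$groups" ] || [ -n "$users" ]; }
}

# sssd_perms_ok FILE
# sssd refuses to start unless its config is owned by root with mode 0600.
sssd_perms_ok() {
    set -- $(stat -c '%u %a' "$1")
    [ "$1" = "0" ] && [ "$2" = "600" ]
}

# Demo on two constructed files: the allow-list in the style that
# "realm permit -g 'Domain Admins' 'IT DEPT'" leaves behind, and the
# hand-written file from the post, which replaced it.
tmp=$(mktemp -d)
cat > "$tmp/permit.conf" <<'EOF'
[sssd]
domains = domain.com
[domain/domain.com]
id_provider = ad
access_provider = simple
simple_allow_groups = domain admins, it dept
EOF
cat > "$tmp/ad.conf" <<'EOF'
[sssd]
domains = domain.com
[domain/domain.com]
id_provider = ad
access_provider = ad
EOF
for f in permit.conf ad.conf; do
    if sssd_access_ok "$tmp/$f"; then
        echo "$f: allow-list enforced ($(sssd_domain_value "$tmp/$f" simple_allow_groups))"
    else
        echo "$f: no allow-list, every enabled AD account may log in"
    fi
done
rm -rf "$tmp"
```

Run sssd_access_ok /etc/sssd/sssd.conf after every edit of the file and after each realm permit; realm list shows the same allow-list from realm's side, so the two should agree.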

Edit PAM.D Configuration

To have a home directory created automatically on a user's first successful login to your Ubuntu box, edit the /etc/pam.d/common-session file. Note that pam-auth-update regenerates this file, so a hand-added line can be lost on a later package upgrade; the durable way on Ubuntu is to provide a mkhomedir profile under /usr/share/pam-configs/ and run pam-auth-update.

Add the line,

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

below the line

session optional pam_sss.so

umask=0077 makes the new home directory readable only by its owner. The session part of the file should then look like,

session optional pam_systemd.so
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Configure SAMBA Service

To configure the Samba client on your Ubuntu box so that it authenticates to the domain with Kerberos, edit the Samba configuration file /etc/samba/smb.conf.

To edit the file, execute the command,

vi /etc/samba/smb.conf

Replace DOMAIN with your NetBIOS (short) domain name, without .com, and DOMAIN.COM with your complete domain name. kerberos method = secrets and keytab lets Samba use the /etc/krb5.keytab written by the join.

[global]
workgroup = DOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = DOMAIN.COM
security = ads

Verify krb5.keytab

To list the content of /etc/krb5.keytab (the computer account's keys written by the join; keep this file readable by root only, since it is equivalent to the machine's password), execute the below command,

klist -kt

You should see entries for the computer account (MYMACHINE$@DOMAIN.COM) and its host/ service principals. To show the tickets SSSD holds in its own credential cache, execute the command,

klist -c /var/lib/sss/db/ccache_DOMAIN.COM

SUDOER Configuration

To give a particular AD group admin privilege on the Ubuntu box, edit the sudoers configuration. Members of the AD groups listed in sudoers can run sudo. Always edit it with visudo, which checks the syntax before saving (a broken /etc/sudoers locks everyone out of sudo), or put the AD entries in a separate file under /etc/sudoers.d/ with mode 0440. Group names containing spaces must have each space escaped with a backslash, and with use_fully_qualified_names = False the names are the lower-cased AD names. NOPASSWD:ALL, as used below, lets these accounts become root without re-entering their password; drop NOPASSWD if you want sudo to prompt.

To edit the sudoers, execute,

visudo
# Members of the admin group may gain root privileges
#%admin ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD:ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
## AD Domain Groups and Users
#Adding Domain Admins and it_support as admins
%domain\ admins ALL=(ALL) NOPASSWD:ALL
%it_support ALL=(ALL) NOPASSWD:ALL
#Adding user george as admin
george ALL=(ALL) NOPASSWD:ALL
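The sudoers entries above are typed by hand, where an unescaped space in a group name or a stray character can lock everyone out of sudo. The following added example (not from the post; the drop-in path /etc/sudoers.d/ad-admins and the group names are assumed) generates the entries in the form SSSD presents the names, validates them with visudo before installing, and deliberately omits NOPASSWD so sudo still asks for the user's AD password.

```shell
#!/bin/sh
# Build a sudoers drop-in for AD groups and users. Added example; not from
# the original post. The drop-in path and the group names are assumed.

# sudoers_group_line GROUP
# Prints a sudoers entry for an AD group as SSSD presents it with
# use_fully_qualified_names = False: lower-cased (the AD provider is
# case-insensitive by default) and with each space backslash-escaped,
# because an unescaped space ends the user specification. No NOPASSWD, so
# sudo still asks for the AD password.
sudoers_group_line() {
    g=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$g"
}

# sudoers_user_line USER
# Same for a single AD user.
sudoers_user_line() {
    u=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s ALL=(ALL) ALL\n' "$u"
}

# write_sudoers_dropin FILE ENTRY...
# Writes one line per entry ("%Group Name" for groups, "user" for users),
# checks the result with visudo when it is available (a syntax error in a
# sudoers file locks everyone out of sudo) and installs it with mode 0440.
# Drop-in names must not contain a dot or end in "~", or sudo ignores them.
write_sudoers_dropin() {
    out=$1; shift
    tmpf=$(mktemp)
    for e in "$@"; do
        case $e in
            %*) sudoers_group_line "${e#%}" ;;
            *)  sudoers_user_line "$e" ;;
        esac
    done > "$tmpf"
    chmod 0440 "$tmpf"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmpf" >/dev/null; then
        rm -f "$tmpf"; return 1
    fi
    mv "$tmpf" "$out"
}

# Demo: print the entries for the groups and user from the post. To install
# them run, as root:
#   write_sudoers_dropin /etc/sudoers.d/ad-admins '%Domain Admins' '%it_support' george
sudoers_group_line 'Domain Admins'
sudoers_group_line it_support
sudoers_user_line george
```

Keeping the AD entries in their own drop-in also means the distribution's /etc/sudoers is left untouched, so package upgrades never have to merge your changes.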

Configure LightDM

To configure LightDM (only relevant on a desktop install that runs the LightDM greeter), create the configuration file /etc/lightdm/lightdm.conf. greeter-hide-users stops the greeter from listing account names to anyone at the console, and greeter-show-manual-login provides a field for typing a domain user name instead. The section name is [SeatDefaults] on Ubuntu 16.04; newer LightDM releases use [Seat:*].

vi /etc/lightdm/lightdm.conf
[SeatDefaults]
allow-guest=false
greeter-hide-users=true
greeter-show-manual-login=true

Once the file is saved, restart the LightDM service by executing the below command (this ends any running graphical session),

service lightdm restart

Verify the AD connectivity

To verify the Active Directory connectivity, execute the below commands. You should see the AD users and groups (getent lists the whole domain only because enumerate = True is set in sssd.conf; id works either way),

getent passwd
getent group
id <AD user name>

Now reboot the server, then log in over SSH from another host with an AD account and run sudo.
