In this tutorial, we will configure a Linux box to authenticate against Active Directory. There are a few different methods to go about this; we will use sssd because it is the method recommended by Red Hat.

  1. Remove pam_ldap if it is installed
# Red Hat/CentOS/Fedora
yum remove pam_ldap
# Debian/Ubuntu
apt-get remove pam_ldap
  2. Install sssd
# Red Hat/CentOS/Fedora
yum install sssd
# Debian/Ubuntu
apt-get install sssd
  3. Configure /etc/sssd/sssd.conf to look similar to the example below (note that ldap_default_bind_dn and ldap_default_authtok must match the credentials of your bind user):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN.DLASLEY.NET

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local LAN AD
[domain/DOMAIN.DLASLEY.NET]
description = AD DC
enumerate = true
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://192.168.69.100

# Uncomment below if you are using TLS
#ldap_id_use_start_tls = true
#ldap_tls_cacert = /etc/ssl/certs/addc.pem

ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
ldap_user_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
ldap_group_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = True

krb5_server = DOMAIN.DLASLEY.NET
krb5_realm = DOMAIN.DLASLEY.NET
  4. Set the permissions for sssd.conf (it contains the bind password, so only root may read it)
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
  5. Now we need to modify /etc/nsswitch.conf so that passwd, shadow and group lookups also consult sss. Find the appropriate lines and modify them to include sss:
passwd: files sss
shadow: files sss
group: files sss
  6. Next, we will configure PAM to use sssd (Red Hat/CentOS only):
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
  7. On Ubuntu/Debian systems, manually edit the following PAM config files and add the respective line:

/etc/pam.d/common-auth

auth	[success=1 default=ignore]	pam_sss.so use_first_pass

/etc/pam.d/common-account

account	[default=bad success=ok user_unknown=ignore]	pam_sss.so

/etc/pam.d/common-session

session	required        pam_mkhomedir.so umask=0022 skel=/etc/skel
session	optional	pam_sss.so

/etc/pam.d/common-password

password	sufficient			pam_sss.so use_authtok
  8. Add the AD DC as the primary nameserver in /etc/resolv.conf. You can leave other nameservers in place; just make sure the following is the first line (change 192.168.69.100 to the IP address of your internal DNS server; if you have multiple servers, duplicate the line):
nameserver 192.168.69.100
  9. Finally, we need to disable passwd and group caching in /etc/nscd.conf, otherwise its cache will conflict with sssd's (some systems do not have nscd installed and can skip this step):
enable-cache passwd no
....
enable-cache group no
  10. Start sssd
service sssd start
  11. Verify that the machine can see AD accounts
getent passwd $ACTIVE_DIRECTORY_USER
# Should see something similar to
dlasley:*:2000:3000::/home/dlasley:/bin/bash
id $ACTIVE_DIRECTORY_USER
# Should output something similar to
uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
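As an added example (not part of the original tutorial), a POSIX shell lint for a finished sssd.conf that checks the two things the steps above depend on: that the bind password in ldap_default_authtok is not sent over a cleartext ldap:// URI while the StartTLS line is still commented out, and that the file is mode 0600. The config it writes is a constructed copy of the relevant lines from the example above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial: lint an sssd.conf before starting sssd.
# Print the active (uncommented) value of key $2 in file $1; empty if unset.
conf_value() {
    sed -e 's/#.*//' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}
# Lint $1: one WARN line per finding; returns 0 when clean, 1 otherwise.
lint_sssd_conf() {
    conf="$1"; rc=0
    uri=$(conf_value "$conf" ldap_uri)
    tls=$(conf_value "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    authtok=$(conf_value "$conf" ldap_default_authtok)
    # ldaps:// is encrypted from the first byte; ldap:// is only safe with StartTLS.
    case "$uri" in
        ldap://*)
            if [ -n "$authtok" ] && [ "$tls" != "true" ]; then
                echo "WARN: $conf: bind password sent in cleartext over $uri (ldap_id_use_start_tls is not true)"
                rc=1
            fi ;;
    esac
    # The file holds the bind password, so only root may read it (chmod 0600 above).
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "WARN: $conf: mode $mode, expected 600 (file contains ldap_default_authtok)"
        rc=1
    fi
    return $rc
}
# Write a constructed config with the tutorial's weak defaults to $1.
write_weak_conf() {
    cat > "$1" <<'EOF'
[domain/DOMAIN.DLASLEY.NET]
id_provider = ldap
ldap_uri = ldap://192.168.69.100
#ldap_id_use_start_tls = true
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
ldap_default_authtok = SuperSecretPassword
EOF
}
# Demo: the weak file fails, the hardened file (StartTLS on, mode 0600) passes.
demo() {
    tmp=$(mktemp); write_weak_conf "$tmp"; chmod 644 "$tmp"
    lint_sssd_conf "$tmp" || echo "hardening $tmp"
    sed -i 's/^#ldap_id_use_start_tls/ldap_id_use_start_tls/' "$tmp"; chmod 600 "$tmp"
    lint_sssd_conf "$tmp" && echo "OK: $tmp is clean"
    rm -f "$tmp"
}
demo
```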