In this tutorial, we will configure a Linux box to authenticate against Active Directory. There are a few different methods to go about this; we will use `sssd` because it is recommended by [[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html|Red Hat]].
# Remove pam_ldap if it is installed
{{{
# Run as root (or prefix with sudo). pam_ldap is replaced by sssd's pam_sss module
# configured further down; leaving both installed gives two competing LDAP paths.
# Red Hat/CentOS/Fedora
yum remove pam_ldap
# Debian/Ubuntu
apt-get remove pam_ldap
}}}
# Install `sssd`
{{{
# Run as root (or prefix with sudo). The sssd package provides the daemon plus the
# nss_sss / pam_sss modules referenced in the nsswitch and PAM steps below.
# Red Hat/CentOS/Fedora
yum install sssd
# Debian/Ubuntu
apt-get install sssd
}}}
# Configure `/etc/sssd/sssd.conf` so that it looks similar to the below (note that `ldap_default_bind_dn` and `ldap_default_authtok` should match your bind user's credentials)
{{{
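# /etc/sssd/sssd.conf - read by sssd. One [domain/NAME] section per domain listed in "domains".
# The file carries the bind password in clear text; it must be owned by root with mode 0600.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
# responders to start: nss answers getent/id lookups, pam handles logins
services = nss, pam
# must match the [domain/...] section name below
domains = DOMAIN.DLASLEY.NET

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local LAN AD
[domain/DOMAIN.DLASLEY.NET]
description = AD DC
# enumerate = true lets a bare "getent passwd" list every AD user; handy for testing,
# but sssd documents enumeration as expensive on large directories
enumerate = true
# entries with a uidNumber/gidNumber below this value are ignored
min_id = 1000
# identities come from LDAP; authentication and password changes go through Kerberos
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# plain ldap:// with a simple bind - ldap_default_authtok crosses the wire unencrypted
# unless the two TLS lines below are enabled
ldap_uri = ldap://192.168.69.100
# Uncomment below if you are using TLS
#ldap_id_use_start_tls = true
#ldap_tls_cacert = /etc/ssl/certs/addc.pem
ldap_schema = rfc2307bis
# bind user credentials - replace with your own. Use a dedicated, least-privileged account;
# with krb5 handling password changes this account presumably only needs read access.
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
# sssd also accepts obfuscated_password (generated with sss_obfuscate); that hides the
# value from casual reading but is not encryption, so the 0600 file mode is still required
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
ldap_user_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
ldap_group_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
# AD attribute mapping for the rfc2307bis schema (RFC 2307 attributes on AD objects)
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
# lowercase boolean, consistent with the other booleans in this file
ldap_force_upper_case_realm = true
krb5_server = DOMAIN.DLASLEY.NET
krb5_realm = DOMAIN.DLASLEY.NET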
}}}
# Set the permissions for `sssd.conf`
{{{
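# Only root may read the file: it holds the clear-text LDAP bind password.
# sssd itself refuses to start when sssd.conf is group- or world-accessible.
sudo chmod 0600 /etc/sssd/sssd.conf
# ':' is the standard user:group separator; 'root.root' is an older GNU-only spelling
sudo chown root:root /etc/sssd/sssd.conf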
}}}
# Now we need to modify `/etc/nsswitch.conf` to tell it to search `sss` for passwd, shadow, and group info. Find the appropriate lines and modify them to include `sss`.
{{{
# /etc/nsswitch.conf - sources are consulted left to right. Keep "files" first so local
# accounts (including root) still resolve when sssd or the AD DC is unreachable.
passwd: files sss
shadow: files sss
group: files sss
}}}
# Next, we will configure PAM to use `sssd` (Red Hat/CentOS only)
{{{
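# Run as root. Each long option takes two leading ASCII hyphens; --update writes the
# PAM and nsswitch changes, --enablemkhomedir creates home directories on first login.
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update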
}}}
# On Ubuntu/Debian systems, manually edit the following PAM config files and drop in the respective line:
`/etc/pam.d/common-auth`
{{{
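# /etc/pam.d/common-auth - the PAM type ("auth") is a required first field.
# success=1 skips exactly the next module, so place this line directly above the
# pam_deny.so line, mirroring the existing pam_unix.so entry; use_first_pass reuses
# the password already entered. Newer Debian/Ubuntu sssd packages may register a
# pam-auth-update profile that adds this for you - check before editing by hand.
auth [success=1 default=ignore] pam_sss.so use_first_pass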
}}}
`/etc/pam.d/common-account`
{{{
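# /etc/pam.d/common-account - the PAM type ("account") is a required first field.
# user_unknown=ignore lets local (non-AD) accounts fall through to the other account modules.
account [default=bad success=ok user_unknown=ignore] pam_sss.so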
}}}
`/etc/pam.d/common-session`
{{{
# /etc/pam.d/common-session - create the home directory on first login.
# umask=0022 makes new home directories world-readable; use umask=0077 if other
# users should not be able to browse them.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_sss.so
}}}
`/etc/pam.d/common-password`
{{{
# /etc/pam.d/common-password - use_authtok reuses the new password already collected
# by the preceding password module; "sufficient" ends the stack on success.
password sufficient pam_sss.so use_authtok
}}}
# Add the AD DC as the primary nameserver in `/etc/resolv.conf`. You can leave other nameservers, just make sure that the following is the first line (changing `192.168.69.100` to the IP address of your internal DNS server). If you have multiple servers, duplicate the line:
{{{
# /etc/resolv.conf - the first nameserver is queried first, so keep the AD DC ahead of
# any others. On systems where this file is generated (resolvconf, NetworkManager,
# systemd-resolved) edit the generator's configuration instead or the change is overwritten.
nameserver 192.168.69.100
}}}
# Finally, we need to disable passwd and group caching in `/etc/nscd.conf` (otherwise we will have caching conflicts with `sssd` – some systems may not have `nscd` and can ignore this step)
{{{
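# /etc/nscd.conf - sssd keeps its own cache, so nscd must not cache these databases.
# sssd's documentation also suggests disabling nscd caching for netgroup and
# services; confirm for your version.
enable-cache passwd no
# ... other settings unchanged ...
enable-cache group no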
}}}
# Start `sssd`
{{{
# Starts sssd now only; to start it at boot as well, enable it with your init system
# (chkconfig sssd on / update-rc.d sssd enable / systemctl enable sssd).
service sssd start
}}}
# Verify that the machine can see AD accounts
{{{
# Replace $ACTIVE_DIRECTORY_USER with an AD sAMAccountName. With enumerate = true in
# sssd.conf, a bare "getent passwd" should also list all AD users.
getent passwd $ACTIVE_DIRECTORY_USER
# Should see something similar to (uid, gid, home and shell come from the mapped AD attributes)
dlasley:*:2000:3000::/home/dlasley:/bin/bash
}}}
{{{
# Group names resolve through the group mapping in sssd.conf; an unresolved gid
# (number with no name) usually means the AD group lacks a gidNumber.
id $ACTIVE_DIRECTORY_USER
# Should output something similar to
uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
}}}