Configure Linux for Active Directory Authentication With SSSD
In this tutorial, we will configure a Linux box to authenticate against Active Directory. There are a few different methods to go about this; we will use sssd because it is the method recommended by Red Hat.
- Remove pam_ldap if it is installed

  ```shell
  # Red Hat/CentOS/Fedora
  yum remove pam_ldap
  # Debian/Ubuntu
  apt-get remove pam_ldap
  ```
- Install sssd

  ```shell
  # Red Hat/CentOS/Fedora
  yum install sssd
  # Debian/Ubuntu
  apt-get install sssd
  ```
- Configure /etc/sssd/sssd.conf, make it look similar to the below (Note: ldap_default_bind_dn and ldap_default_authtok should match your bind user credentials)

  ```ini
  [sssd]
  config_file_version = 2
  reconnection_retries = 3
  sbus_timeout = 30
  services = nss, pam
  domains = DOMAIN.DLASLEY.NET

  [nss]
  reconnection_retries = 3

  [pam]
  reconnection_retries = 3

  # Local LAN AD
  [domain/DOMAIN.DLASLEY.NET]
  description = AD DC
  enumerate = true
  min_id = 1000
  id_provider = ldap
  auth_provider = krb5
  chpass_provider = krb5
  ldap_uri = ldap://192.168.69.100
  # Uncomment below if you are using TLS
  #ldap_id_use_start_tls = true
  #ldap_tls_cacert = /etc/ssl/certs/addc.pem
  ldap_schema = rfc2307bis
  ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
  ldap_default_authtok_type = password
  ldap_default_authtok = SuperSecretPassword
  ldap_user_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
  ldap_group_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
  ldap_user_object_class = user
  ldap_user_name = sAMAccountName
  ldap_user_uid_number = uidNumber
  ldap_user_gid_number = gidNumber
  ldap_user_home_directory = unixHomeDirectory
  ldap_user_shell = loginShell
  ldap_user_principal = userPrincipalName
  ldap_group_object_class = group
  ldap_group_gid_number = gidNumber
  ldap_force_upper_case_realm = True
  krb5_server = DOMAIN.DLASLEY.NET
  krb5_realm = DOMAIN.DLASLEY.NET
  ```
- Set the permissions for sssd.conf (it holds the bind password, so it must be readable by root only)

  ```shell
  sudo chmod 0600 /etc/sssd/sssd.conf
  sudo chown root:root /etc/sssd/sssd.conf
  ```
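The two steps above leave three things to the reader's judgement: the example `ldap_uri` is plain `ldap://` with StartTLS commented out, a literal `ldap_default_authtok` sits in the file, and `min_id` decides whether directory UIDs can collide with local system accounts. The following Python audit is an added example written for this page (not code from the original tutorial); the function name `audit_sssd_conf`, its `file_mode` parameter and the two sample configs (constructed from the tutorial's values) are this example's own.

```python
"""Audit an sssd.conf body for the settings the tutorial depends on.

Checks (defender's view of the config shown above):
  * ldap:// URI without ldap_id_use_start_tls -> bind password and lookups
    cross the network in clear text (use StartTLS or ldaps://)
  * StartTLS on but no ldap_tls_cacert       -> server certificate unverified
  * literal ldap_default_authtok              -> file must be mode 0600
  * min_id below 1000                         -> directory UIDs may shadow
    local system accounts
"""
import configparser
import stat

# Constructed sample: the tutorial's values with TLS left commented out.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN.DLASLEY.NET

[domain/DOMAIN.DLASLEY.NET]
id_provider = ldap
auth_provider = krb5
min_id = 1000
ldap_uri = ldap://192.168.69.100
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
"""

# Constructed sample: same domain with the tutorial's TLS lines uncommented.
HARDENED_SSSD_CONF = SAMPLE_SSSD_CONF + """\
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/certs/addc.pem
"""


def audit_sssd_conf(text, file_mode=0o600):
    """Return a list of findings (empty list means nothing was flagged).

    `file_mode` is the permission bits of the file the text came from
    (os.stat(path).st_mode & 0o777), passed in so the audit runs offline.
    """
    # interpolation=None: sssd values may legitimately contain '%'
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]

        # 1. Transport: every ldap:// URI needs StartTLS (or switch to ldaps://).
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = dom.getboolean("ldap_id_use_start_tls", fallback=False)
        for uri in uris:
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{section}: {uri} without ldap_id_use_start_tls; "
                                "bind credentials cross the network in clear text")
        if start_tls and not dom.get("ldap_tls_cacert"):
            findings.append(f"{section}: StartTLS enabled but no ldap_tls_cacert; "
                            "the server certificate cannot be verified")

        # 2. Secret at rest: a literal authtok is only acceptable in a root-only file.
        if dom.get("ldap_default_authtok"):
            if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{section}: ldap_default_authtok present but file mode "
                                f"{file_mode:04o} is readable by group/other (want 0600)")

        # 3. UID range: keep directory accounts clear of local system UIDs.
        min_id = dom.getint("min_id", fallback=1)
        if min_id < 1000:
            findings.append(f"{section}: min_id={min_id} lets directory accounts "
                            "overlap local system UIDs (<1000)")
    return findings


if __name__ == "__main__":
    for name, conf in (("as written", SAMPLE_SSSD_CONF), ("TLS enabled", HARDENED_SSSD_CONF)):
        print(name, "->", audit_sssd_conf(conf) or ["ok"])
```

On a live box, feed it the real file: `audit_sssd_conf(open("/etc/sssd/sssd.conf").read(), os.stat("/etc/sssd/sssd.conf").st_mode & 0o777)`. The sample as written produces exactly one finding (the clear-text `ldap://` URI); the same text with a 0644 mode adds a second; the hardened sample is clean.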
- Now we need to modify /etc/nsswitch.conf to tell it to search sss for passwd, shadow, and group info. Find the appropriate lines and modify them to include sss

  ```
  passwd: files sss
  shadow: files sss
  group:  files sss
  ```
- Next, we will configure PAM to use sssd (RedHat/CentOS only)

  ```shell
  authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
  ```
- On Ubuntu/Debian systems, manually edit the following PAM config files and drop in the respective line (every pam.d entry is `type control module [args]`, so the type keyword in the first column is required):

  /etc/pam.d/common-auth

  ```
  auth      [success=1 default=ignore]                      pam_sss.so use_first_pass
  ```

  /etc/pam.d/common-account

  ```
  account   [default=bad success=ok user_unknown=ignore]    pam_sss.so
  ```

  /etc/pam.d/common-session

  ```
  session   required    pam_mkhomedir.so umask=0022 skel=/etc/skel
  session   optional    pam_sss.so
  ```

  /etc/pam.d/common-password

  ```
  password  sufficient  pam_sss.so use_authtok
  ```
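Before logging out of the box, it is worth checking that the nsswitch.conf and pam.d edits above actually parse the way the tutorial intends; a pam.d line that starts with the control bracket instead of the type keyword is rejected by PAM, and a database that lost `files` in front of `sss` stops resolving local accounts when sssd is down. The checker below is an added example written for this page, not code from the original tutorial; the function names, the `files`-first rule and the sample inputs (constructed from the tutorial's own lines) are this example's assumptions.

```python
"""Sanity-check the NSS and PAM wiring from the tutorial steps above."""
import re

PAM_TYPES = {"auth", "account", "session", "password"}

# Constructed nsswitch.conf excerpts: one correct, one with two mistakes.
NSSWITCH_OK = """\
passwd:         files sss
group:          files sss
shadow:         files sss
hosts:          files dns
"""
NSSWITCH_BAD = """\
passwd:         files
group:          sss files
shadow:         files sss
"""

# Constructed common-auth excerpts: one correct, one missing the type keyword.
COMMON_AUTH_OK = """\
# /etc/pam.d/common-auth (constructed excerpt)
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""
COMMON_AUTH_BAD = """\
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
[success=1 default=ignore] pam_sss.so use_first_pass
"""


def check_nsswitch(text, databases=("passwd", "shadow", "group")):
    """Return findings for databases that do not consult files, then sss."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        seen[db.strip()] = sources.split()

    findings = []
    for db in databases:
        sources = seen.get(db)
        if sources is None:
            findings.append(f"{db}: no entry in nsswitch.conf")
        elif "sss" not in sources:
            findings.append(f"{db}: sss missing ({' '.join(sources)})")
        elif sources[0] != "files":
            findings.append(f"{db}: files should come before sss ({' '.join(sources)})")
    return findings


# type, then a control keyword or a [key=value ...] block, then a module and optional args
_PAM_LINE = re.compile(
    r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+\.so)(?:\s+(?P<args>.*))?$"
)


def check_pam_fragment(text, expect_module="pam_sss.so"):
    """Return findings for malformed lines, plus one if expect_module never appears."""
    findings = []
    found_module = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m or m.group("type") not in PAM_TYPES:
            findings.append(f"line {n}: missing or invalid type field: {line!r}")
            continue
        if m.group("module") == expect_module:
            found_module = True
    if not found_module:
        findings.append(f"{expect_module} not referenced")
    return findings


if __name__ == "__main__":
    print("nsswitch ok ->", check_nsswitch(NSSWITCH_OK) or ["ok"])
    print("nsswitch bad ->", check_nsswitch(NSSWITCH_BAD))
    print("common-auth ok ->", check_pam_fragment(COMMON_AUTH_OK) or ["ok"])
    print("common-auth bad ->", check_pam_fragment(COMMON_AUTH_BAD))
```

Point `check_nsswitch` at `/etc/nsswitch.conf` and `check_pam_fragment` at each of the four `/etc/pam.d/common-*` files after editing; the bad samples show the two failure modes the checks are for.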
- Add the AD DC as the primary nameserver in /etc/resolv.conf. You can leave other nameservers, just make sure that the following is the first line (changing 192.168.69.100 to the IP address of your internal DNS server; if you have multiple servers, duplicate the line):

  ```
  nameserver 192.168.69.100
  ```
- Finally, we need to disable passwd and group caching in /etc/nscd.conf (otherwise we will have caching conflicts with sssd – some systems may not have nscd and can ignore this step)

  ```
  enable-cache passwd no
  ....
  enable-cache group no
  ```
- Start sssd

  ```shell
  service sssd start
  ```
- Verify that the machine can see AD accounts

  ```shell
  getent passwd $ACTIVE_DIRECTORY_USER
  # Should see something similar to
  # dlasley:*:2000:3000::/home/dlasley:/bin/bash
  id $ACTIVE_DIRECTORY_USER
  # Should output something similar to
  # uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
  ```
Which pam file is supposed to be edited?
Never mind… it is a command, not an entry. I can see that now.
I was about to say that ;) Glad you figured it out!
Need help implementing sssd (LDAP) via the bind method but no success?
Is there a way to implement sssd without a Kerberos keytab file?
Hi Richard – There is! All you need to do is use a Bind DN and Password instead
http://serverfault.com/questions/586920/where-do-i-specify-the-bind-dn-and-password-for-sssldap
I’m able to pull user IDs and groups but can’t authenticate any of the users from LDAP. Suggestions?
I’ve done all of the nsswitch.conf changes but no luck.
Is there any sort of error in the server auth logs? Typically you should see some sort of indication as to where to look by the error that is generated when trying to login.
Is there anything needed on the AD side?
Shouldn’t be
Hello Dave,
We are working on configuring our Linux servers to use LDAP for authentication using PAM_LDAP + SSSD. Our LDAP usernames are based on staff numbers (all numeric, starting at 1). This will cause conflicts with the daemon, bin, sys… system accounts. What is the best option for us given our username pattern?
Thanks,
Saqib
Saqib,
That would pose a problem! I think the quickest solution would be to map ldap_user_name to userPrincipalName; users would then login with username@fqdn, i.e. 1@corp.example.com. The other solution would be to use the uid attribute in AD to store an alphanumeric version of the username – such as ‘op1’ instead of ‘1’ – then map that attribute to ldap_user_name.
Thanks!
Hello Ted,
Changing the UID is a no-go for us. Can we add a new attribute to our LDAP (we use LDAP instead of AD) which would be a numeric UID prefixed with U (for User) and use that as the pam_login_attribute?
Thanks,
Saqib
Saqib,
Yes – you can extend the LDAP schema and add a custom attribute to hold the value you want, then map it to pam_login_attribute. This page offers a good guide on extending the OpenLDAP schema.
Thanks!
Ted,
Have you guys run into any challenges with using LDAP account on Linux servers with NFS/GlusterFS mounts? Just curious.
Saqib
Saqib,
I can’t say I’ve used this setup on a box with NFS/GlusterFS at all but I don’t see why there would be any problems. Do make sure your LDAP uid numbers are >= 1000. Are you using NFSv4?
Thanks!
-Ted Salmon
In the part where it says:
Next, we will configure PAM to use sssd (RedHat/CentOS only) (Authconfig),
What does one do with ubuntu?
This article seems to cover both sometimes in the instructions, and not other times.
Hello,
That’s a very good point! I’ve updated the article to include PAM configuration instructions for non-Fedora-based systems.
Thanks!
I am very new to this concept. I am about to implement a PoC on this. I work solely in a Linux environment. The Windows managing team is separate. What information do I need from them? Do I need a service account? I’m not sure whether they have LDAP. Please let me know all the information that I might require from the Windows team that I’ll use in my configuration.
You will need the following:
Everything else should work without changes.
Hello Dave!
I need to make authentication with ssh keys between Ubuntu Server 16.04 LTS and Windows Server 2016 (Active Directory).
– I did the setup (https://blog.laslabs.com/2016/08/storing-ssh-keys-in-active-directory/) and this one… But I don’t have a way to do this configuration:
The user logs in on Ubuntu with their private key and an Active Directory user…
Can you help me? I tried to find this tutorial on other sites, but I could not find it :(
Thank you!
Daniel Vincenzi