Configure Linux for Active Directory Authentication With SSSD

In this tutorial, we will configure a Linux box to authenticate against Active Directory. There are a few different methods to go about this; we will use `sssd` because it is recommended by [[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html|Red Hat]].
# Remove pam_ldap if it is installed
{{{
# Red Hat/CentOS/Fedora
yum remove pam_ldap
# Debian/Ubuntu
apt-get remove pam_ldap
}}}
# Install `sssd`
{{{
# Red Hat/CentOS/Fedora
yum install sssd
# Debian/Ubuntu
apt-get install sssd
}}}
# Configure `/etc/sssd/sssd.conf` so that it looks similar to the example below (note that `ldap_default_bind_dn` and `ldap_default_authtok` must match your bind user's credentials)
{{{
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN.DLASLEY.NET

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

# Local LAN AD
[domain/DOMAIN.DLASLEY.NET]
description = AD DC
enumerate = true
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://192.168.69.100

# Uncomment below if you are using TLS
#ldap_id_use_start_tls = true
#ldap_tls_cacert = /etc/ssl/certs/addc.pem

ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = SuperSecretPassword
ldap_user_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
ldap_group_search_base = CN=Users,DC=domain,DC=dlasley,DC=net
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = True

krb5_server = DOMAIN.DLASLEY.NET
krb5_realm = DOMAIN.DLASLEY.NET
}}}
# Set the permissions for `sssd.conf`
{{{
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root.root /etc/sssd/sssd.conf
}}}
# Now we need to modify `/etc/nsswitch.conf` to tell it to search `sss` for passwd, shadow, and group information. Find the appropriate lines and modify them to include `sss`:
{{{
passwd: files sss
shadow: files sss
group: files sss
}}}
# Next, we will configure PAM to use `sssd` (RedHat/CentOS only)
{{{
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
}}}
# On Ubuntu/Debian systems, manually edit the following PAM config files and drop in the respective line:
`/etc/pam.d/common-auth`
{{{
auth [success=1 default=ignore] pam_sss.so use_first_pass
}}}
`/etc/pam.d/common-account`
{{{
account [default=bad success=ok user_unknown=ignore] pam_sss.so
}}}
`/etc/pam.d/common-session`
{{{
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_sss.so
}}}
`/etc/pam.d/common-password`
{{{
password sufficient pam_sss.so use_authtok
}}}
# Add the AD DC as the primary nameserver in `/etc/resolv.conf`. You can leave other nameservers in place, just make sure that the following is the first line (changing `192.168.69.100` to the IP address of your internal DNS server; if you have multiple servers, duplicate the line):
{{{
nameserver 192.168.69.100
}}}
# Finally, we need to disable passwd and group caching in `/etc/nscd.conf` (otherwise we will have caching conflicts with `sssd`; some systems may not have `nscd` and can skip this step)
{{{
enable-cache passwd no
...
enable-cache group no
}}}
# Start `sssd`
{{{
service sssd start
}}}
# Verify that the machine can see AD accounts
{{{
getent passwd $ACTIVE_DIRECTORY_USER
# Should see something similar to
dlasley:*:2000:3000::/home/dlasley:/bin/bash
}}}
{{{
id $ACTIVE_DIRECTORY_USER
# Should output something similar to
uid=2000(dlasley) gid=3000(LinuxAdmins) groups=3000(LinuxAdmins)
}}}
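Because `sssd.conf` carries a cleartext bind password and decides whether that password crosses the wire unencrypted, it is worth checking the finished file against the points above (0600/root ownership, TLS or `ldaps://` when `ldap_default_authtok` is set, `min_id` clear of system accounts, an upper-case realm). The following audit script is an added example, not part of the original article; the embedded config is constructed from the article's values, and the file mode and owner are passed in as parameters rather than read from disk so it runs offline.

```python
"""Audit an sssd.conf of the kind built above for its security-relevant settings."""
import configparser
import stat

# Constructed sample, trimmed from the article's sssd.conf (StartTLS still commented out).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = DOMAIN.DLASLEY.NET

[domain/DOMAIN.DLASLEY.NET]
id_provider = ldap
auth_provider = krb5
min_id = 1000
ldap_uri = ldap://192.168.69.100
#ldap_id_use_start_tls = true
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=domain,DC=dlasley,DC=net
ldap_default_authtok = SuperSecretPassword
krb5_realm = DOMAIN.DLASLEY.NET
"""

def audit_sssd_conf(text, mode=0o600, owner="root"):
    """Return a list of findings; an empty list means every check passed.
    mode/owner are the file's permission bits and owner (assumed, not read from disk)."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cp.read_string(text)
    findings = []
    # The file stores the bind password in clear text, so nobody but root may read it.
    if stat.S_IMODE(mode) & 0o077 or owner != "root":
        findings.append("sssd.conf must be mode 0600 and owned by root")
    for name in cp.get("sssd", "domains", fallback="").split(","):
        sect = "domain/" + name.strip()
        if not cp.has_section(sect):
            findings.append(f"{sect}: listed in [sssd] domains but never defined")
            continue
        d = cp[sect]
        uri = d.get("ldap_uri", "")
        # A simple bind sends ldap_default_authtok in the clear unless the
        # connection is ldaps:// from the start or upgraded with StartTLS.
        if ("ldap_default_authtok" in d and not uri.startswith("ldaps://")
                and d.get("ldap_id_use_start_tls", "false").lower() != "true"):
            findings.append(f"{sect}: bind password travels over plaintext LDAP; "
                            "set ldap_id_use_start_tls = true or use ldaps://")
        # SSSD's default min_id is 1; directory UIDs below 1000 can shadow local system accounts.
        if int(d.get("min_id", "1")) < 1000:
            findings.append(f"{sect}: min_id below 1000 overlaps local system account UIDs")
        realm = d.get("krb5_realm", "")
        if realm and realm != realm.upper():
            findings.append(f"{sect}: krb5_realm should be upper case")
    return findings

if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_CONF):
        print("WARN", finding)
```

Run it against the real file with `audit_sssd_conf(open("/etc/sssd/sssd.conf").read(), os.stat(path).st_mode, owner)` once the daemon is configured; the sample as written reports only the missing StartTLS.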


22 responses to “Configure Linux for Active Directory Authentication With SSSD”

  1. John

    Which pam file is supposed to be edited?

    1. John

      Nevermind... it is a command, not an entry. I can see that now.

      1. Dave Lasley

        I was about to say that ;) Glad you figured it out!

  2. Richard

    Need help implementing sssd (LDAP) via the bind method, but no success?

    Is there a way to implement sssd without a Kerberos keytab file?

    1. Dave Lasley

      Hi Richard – There is! All you need to do is use a Bind DN and Password instead.

  3. Richard

    I’m able to pull user IDs and groups but can’t authenticate any of the users from LDAP? Suggestions?

    Done all the nsswitch.conf but no luck?

    1. Dave Lasley

      Is there any sort of error in the server auth logs? Typically you should see some sort of indication as to where to look from the error that is generated when trying to log in.

  4. Kk

    Is there anything needed on the AD side?

    1. Dave Lasley

      Shouldn’t be

  5. Saqib Ali

    Hello Dave,

    We are working on configuring our Linux servers to use LDAP for authentication using PAM_LDAP + SSSD. Our LDAP usernames are based on staff numbers (all numeric, starting at 1). This will cause conflicts with the daemon, bin, sys… system accounts. What is the best option for us given our username pattern?

    Thanks,
    Saqib

    1. Ted Salmon

      Saqib,

      That would pose a problem! I think the quickest solution would be to map ldap_user_name to userPrincipalName; users would then log in with username@fqdn, i.e. 1@corp.example.com. The other solution would be to use the uid attribute in AD to store an alphanumeric version of the username – such as ‘op1’ instead of ‘1’ – then map that attribute to ldap_user_name.

      Thanks!

      1. Saqib Ali

        Hello Ted,

        Changing the UID is a no-go for us. Can we add a new attribute to our LDAP (we use LDAP instead of AD) which would be a numeric UID prefixed with U (for User) and use that as pam_login_attribute?

        Thanks,
        Saqib

        1. Ted Salmon

          Saqib,

          Yes – you can extend the LDAP schema and add a custom attribute to hold the value you want, then map it to pam_login_attribute. This page offers a good guide on extending the OpenLDAP schema.

          Thanks!

          1. Saqib Ali

            Ted,

            Have you guys run into any challenges with using LDAP accounts on Linux servers with NFS/GlusterFS mounts? Just curious.

            Saqib

          2. Ted Salmon

            Saqib,

            I can’t say I’ve used this setup on a box with NFS/GlusterFS at all, but I don’t see why there would be any problems. Do make sure your LDAP uid numbers are >= 1000. Are you using NFSv4?

            Thanks!
            -Ted Salmon

  6. […] as our SSH public key store. For the purpose of this article, you should already have your Linux machines pulling user data from Active Directory, you should be running Windows Server 2012 R2 and you should have access to your domain […]

  7. DNK

    In the part where it says:

    Next, we will configure PAM to use sssd (RedHat/CentOS only) (Authconfig),

    What does one do with Ubuntu?

    This article seems to cover both in some of the instructions, and not in others.

    1. Ted Salmon

      Hello,

      That’s a very good point! I’ve updated the article to include PAM configuration instructions for non-Fedora-based systems.

      Thanks!

  8. Junaid

    I am very new to this concept. I am about to implement a PoC on this. I work solely in a Linux environment. The Windows managing team is separate. What information do I need from them? Do I need a service account? I’m not sure whether they have LDAP. Please let me know all the information that I might require from the Windows team that I’ll use in my configuration.

    1. Dave Lasley

      You will need the following:

      • A service account to use as the bind user (these go in ldap_default_bind_dn, ldap_default_authtok)
      • URI of LDAP (Active Directory) server (goes in ldap_uri)
      • TLS cert of server if connecting using encryption (ldap_tls_cacert, ldap_id_use_start_tls)
      • LDAP users and groups search DNs (ldap_user_search_base, ldap_group_search_base)
      • Fully qualified domain (replaces instances of DOMAIN.DLASLEY.NET)

      Everything else should work without changes.

  9. Daniel Vincenzi

    Hello Dave!

    I need to make authentication with SSH keys between Ubuntu Server 16.04 LTS and Windows Server 2016 (Active Directory).
    – I did the setup (https://blog.laslabs.com/2016/08/storing-ssh-keys-in-active-directory/) and this one… But I don’t have a way to do this configuration:
    the user logs in on Ubuntu with their private key and an Active Directory user…

    Can you help me? I tried to find this tutorial on other sites, but I can’t find it :(

    Thank you!

    Daniel Vincenzi
