Ubuntu Linux login with Active Directory

Larger organizations often use Microsoft Active Directory (AD) for user login, and those accounts are also used by the administrators of the IT department. In this blog post I explain how I added an Ubuntu Linux server to the domain and used AD user accounts to log in through SSH for administrative tasks.

While building a new Ubuntu server I wanted to use AD for authentication on the Ubuntu Linux host. This means the login process has to be attached to AD to look up the username and check the password. In addition, a home directory should be created automatically for new users.

Installing required packages

First we install the required packages on our Ubuntu Linux installation; run the following command with root permissions:

sudo apt install krb5-user samba sssd ntp

This installs the basic Kerberos client tools, Samba for joining the host to the domain, the System Security Services Daemon (SSSD) and NTP to keep the clock in sync. Time synchronization with the domain is required for Kerberos tickets: by default the Kerberos libraries reject tickets when the clock skew exceeds five minutes.

Pre host configuration

Before we can authenticate with AD we need to check some settings first. Make sure the FQDN (Fully Qualified Domain Name) is set and configured in the hosts file, /etc/hosts:

127.0.0.1 LOCALHOST
10.0.1.1 HOSTNAME.YOURDOMAIN.LOCAL HOSTNAME

Replace the IP address and hostname with those of your host; list the FQDN before the short name, because hostname -f reports the first name on the line. Next, make sure the DNS name server of the domain you want to use for AD authentication is configured. Edit the file /etc/resolv.conf and set this up (on hosts where resolvconf or systemd-resolved manages this file, put the settings in their configuration instead, otherwise the file is overwritten):

nameserver 10.0.1.10
search yourdomain.local

Check that DNS is working with the nslookup command. Next, it is important to have the correct time; use the date command to verify it. Add the following line to the /etc/ntp.conf file:

server domaincontroller.yourdomain.local

Setup domain authentication

We configured the host in the previous steps, so now we can start configuring the krb5-user, Samba and SSSD packages.

Open (or create) the file “/etc/krb5.conf”; you can completely replace its contents with the config here:

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = YOURDOMAIN.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
YOURDOMAIN.LOCAL = {
kdc = YOURDOMAIN.LOCAL
admin_server = YOURDOMAIN.LOCAL
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
.yourdomain.local = YOURDOMAIN.LOCAL
yourdomain.local = YOURDOMAIN.LOCAL

Make sure you replace the domain names with your own. Next we configure Samba to use the domain; this is needed to add the host to the domain. Edit the file “/etc/samba/smb.conf” and add the following lines:

[global]

workgroup = YOURDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = YOURDOMAIN.LOCAL
security = ads

Configure the SSS Daemon

Now the SSSD config needs to be edited to contain the correct domain name as well. Create or replace the file “/etc/sssd/sssd.conf” with the following config:

[sssd]
services = nss, pam
config_file_version = 2
domains = YOURDOMAIN.LOCAL

[domain/YOURDOMAIN.LOCAL]
id_provider = ad
access_provider = ad
debug_level = 9

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = hostname.yourdomain.local

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.yourdomain.local

# Uncomment if the AD domain is named differently than the Samba domain
ad_domain = YOURDOMAIN.LOCAL

# Enumeration is discouraged for performance reasons.
# enumerate = true

Note that debug_level is set to 9 to give us output in the log files; 9 is the most verbose level and the lowest levels log only failures, as listed below. The log files are stored in “/var/log/sssd/”. Lower the level again once everything works, because level 9 writes a lot of data about every lookup and login to disk.

Level  Description
0      Fatal failures. Anything that would prevent SSSD from starting up or cause it to cease running.
1      Critical failures. An error that doesn’t kill SSSD, but one that indicates that at least one major feature is not going to work properly.
2      Serious failures. An error announcing that a particular request or operation has failed.
3      Minor failures. These are the errors that would percolate down to cause the operation failure of 2.
4      Configuration settings.
5      Function data.
6      Trace messages for operation functions.
7      Trace messages for internal control functions.
8      Contents of function-internal variables that may be interesting.
9      Extremely low-level tracing information.

After saving /etc/sssd/sssd.conf make sure you give it the right permissions (SSSD refuses to start when the file is owned by someone else or readable by other users):

sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
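The three files above must agree on the realm name, and a single typo in one of them is enough to break the join or the login. As an added example (not code from the post), here is a small Python check that reads krb5.conf, smb.conf and sssd.conf fragments and reports every mismatch; parse_sections and check_realm_consistency are hypothetical helpers written for this example, and they assume the post's layout (one realm, the DNS domain is the realm in lower case, the SSSD domain is named after the realm). The constructed sample deliberately contains a domain_realm typo (.yourdomain.lccal) so the check has something to find.

```python
# Constructed fragments of the three files from this post; the domain_realm
# typo is kept on purpose so the check has something to find.
KRB5_CONF = """[libdefaults]
default_realm = YOURDOMAIN.LOCAL
[realms]
YOURDOMAIN.LOCAL = {
kdc = YOURDOMAIN.LOCAL
}
[domain_realm]
.yourdomain.lccal = YOURDOMAIN.LOCAL
yourdomain.local = YOURDOMAIN.LOCAL
"""
SMB_CONF = "[global]\nworkgroup = YOURDOMAIN\nrealm = YOURDOMAIN.LOCAL\nsecurity = ads\n"
SSSD_CONF = "[sssd]\ndomains = YOURDOMAIN.LOCAL\n[domain/YOURDOMAIN.LOCAL]\nid_provider = ad\n"

def parse_sections(text):
    """Minimal reader for krb5.conf/smb.conf/sssd.conf syntax -> {section: {key: value}}.
    The '{ ... }' blocks under [realms] are flattened to 'REALM.key' entries."""
    sections, current, prefix = {}, {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line == "}":
            prefix = ""                                # end of a realm block
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                prefix = key + "."                     # start of a realm block
            else:
                current[prefix + key] = value
    return sections

def check_realm_consistency(krb5_text, smb_text, sssd_text):
    """Return the mismatches between the three files (empty list = consistent).
    Assumes this post's layout: the SSSD domain name and the DNS domain are the realm."""
    krb5, smb, sssd = (parse_sections(t) for t in (krb5_text, smb_text, sssd_text))
    realm = krb5["libdefaults"]["default_realm"]
    problems = []
    for dom, mapped in krb5.get("domain_realm", {}).items():
        if mapped != realm or dom.lstrip(".").upper() != realm:
            problems.append("domain_realm mismatch: %s = %s" % (dom, mapped))
    if smb["global"].get("realm") != realm or smb["global"].get("security") != "ads":
        problems.append("smb.conf realm/security do not match an AD member of " + realm)
    for dom in (d.strip() for d in sssd["sssd"]["domains"].split(",")):
        if dom != realm or sssd.get("domain/" + dom, {}).get("id_provider") != "ad":
            problems.append("sssd.conf domain %s is not an 'ad' domain for %s" % (dom, realm))
    return problems
```

To use it on a real host, read the three files with open() and pass their contents to check_realm_consistency; an empty list means the realm is spelled consistently everywhere.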

Modify the logon process

Now that we have set up the Kerberos domain we can use it in the logon process. First we check the “/etc/nsswitch.conf” configuration file and see if the “sss” module is listed:

passwd: compat sss
group: compat sss
shadow: compat sss
...
netgroup: nis sss
sudoers: files sss

We also need to verify that the configuration is active in the PAM configuration files. Run the command:

sudo pam-auth-update

Make sure you select “SSS Authentication” and “Create home directory on login” and select OK. We can verify the settings by opening the file “/etc/pam.d/common-session” and checking that the following lines are present:

session optional pam_sss.so
session required pam_mkhomedir.so

Note that pam_mkhomedir creates the directory with umask 0022 by default, so new home directories are readable by every other user on the host; append umask=0077 to the pam_mkhomedir.so line if that is not what you want.

Now that the logon process is configured we restart the services:

sudo systemctl restart ntp.service
sudo systemctl restart smbd.service nmbd.service
sudo systemctl start sssd.service

Join the domain

Joining the AD creates a computer account and makes sure we can use authentication with this host. Run the following command to add the host to the AD:

sudo net ads join -k

The -k option makes net use an existing Kerberos ticket for the join, so if this is not working we test whether we can obtain a Kerberos ticket at all. Put a domain username (an account that is allowed to join computers to the domain) after ‘kinit’ to retrieve a Kerberos ticket, and list it with klist:

kinit username
klist

If an error is returned or nothing happens, check your configuration against the settings defined above.

Configure SSH daemon

When you also use SSH for remote login, the Kerberos settings need to be configured there as well. Open the file “/etc/ssh/sshd_config” and make sure it contains the following settings:

# Kerberos options
KerberosAuthentication yes
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Restart the SSH daemon after changing the settings to make them active.

Logon

Now test the logon with your domain account. It should automatically create a new home directory at “/home/YOURDOMAIN/username”.

When something is not working yet you can check the logs in “/var/log/auth.log” and “/var/log/sssd/*.log”. In Ubuntu 16.04 I somehow had the problem that the gpo directory did not exist (and was not created); this was fixed by running the commands:

mkdir -p /var/lib/sss/gpo_cache/yourdomain.local
chown -R sssd:sssd /var/lib/sss/gpo_cache

Here you can find some useful how-to reading as well:

https://help.ubuntu.com/lts/serverguide/sssd-ad.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html

Send me a comment on this if you still run into issues. Thanks for reading.
