Linux machine in a Windows AD domain using sssd and krb5
There was a need to introduce a Ubuntu machine into the Windows domain. For these purposes, Samba and Winbind are commonly used. But an alternative is possible with sssd, a brief guide to it below.
For example, we will use:
Domain = contoso.com
Domain Controller = dc.contoso.com
Launch Ubuntu terminal:
1. Switch to root
2. Install the necessary packages
3. Edit /etc/krb5.conf, use tabs as indents.
4. Edit the / etc / hosts file, specify the FQDN for this host:
5. We try to get the Kerberos ticket on behalf of the domain administrator:
Checking:
If the ticket is received successfully, then now Kerberos principals can be generated for this host, the register is important:
Now our host should appear in the list of computers in the directory. If everything is so, we delete the received Kerberos ticket:
6. Create the file /etc/sssd/sssd.conf with the following contents:
Description of sssd config parameters can be found here.
Set permissions for the sssd.conf file:
Restart the SSSD service
7. Edit PAM Settings
Bad decision:
edit the file /etc/pam.d/common-session, after the line
add row
Good decision:
override parameters via PAM system settings, call
and mark the points sss auth and makehomdir . This will automatically add
The line is higher in common-session and it will not be overwritten when the system is updated.
Now we can log in to the machine by domain users who are allowed to login.
PS: You can give the right to use sudo domain groups. Using visudo, we edit the file / etc / sudoers, or better, as recommended by maxzhurkin and iluvar , create a new file in /etc/sudoers.d/ and edit it
Add the required group - for example, Domain Admins (if there are spaces in the group name, they must be escaped):
For example, we will use:
Domain = contoso.com
Domain Controller = dc.contoso.com
Launch Ubuntu terminal:
1. Switch to root
sudo -i 2. Install the necessary packages
apt install sssd heimdal-clients msktutil 3. Edit /etc/krb5.conf, use tabs as indents.
[libdefaults] default_realm = CONTOSO.COM [realms] CONTOSO.COM = { kdc = DC admin_server = dc.contoso.com default_domain = contoso.com } [login] krb4_convert = true krb4_get_tickets = false [domain_realm] .contoso.com = CONTOSO.COM contoso.com = CONTOSO.COM 4. Edit the / etc / hosts file, specify the FQDN for this host:
127.0.0.1 localhost 127.0.1.1 <hostname>.contoso.com <hostname> 5. We try to get the Kerberos ticket on behalf of the domain administrator:
root@ubuntu:~# kinit YourDomainAdmin YourDomainAdmin@CONTOSO.COM's Password: Checking:
root@ubuntu:~# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: YourDomainAdmin@CONTOSO.COM Issued Expires Principal Dec 1 15:08:27 2018 Dec 2 01:08:22 2018 krbtgt/CONTOSO.COM@CONTOSO.COM If the ticket is received successfully, then now Kerberos principals can be generated for this host, the register is important:
msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME.contoso.com -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com —user-creds-only msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only Now our host should appear in the list of computers in the directory. If everything is so, we delete the received Kerberos ticket:
kdestroy 6. Create the file /etc/sssd/sssd.conf with the following contents:
[sssd] services = nss, pam config_file_version = 2 domains = contoso.com [nss] entry_negative_timeout = 0 debug_level = 3 [pam] debug_level = 3 [domain/contoso.com] debug_level = 3 ad_domain = contoso.com ad_server = dc.contoso.com enumerate = false id_provider = ad auth_provider = ad chpass_provider = ad access_provider = simple simple_allow_groups = users #каким группам разрешено логиниться, через запятую. Есть ограничение — названия групп должны быть с маленькой буквы. ldap_schema = ad ldap_id_mapping = true fallback_homedir = /home/%u default_shell = /bin/bash ldap_sasl_mech = gssapi ldap_sasl_authid = <HOSTNAME>$ ldap_krb5_init_creds = true krb5_keytab = /etc/sssd/<HOSTNAME>.keytab Description of sssd config parameters can be found here.
Set permissions for the sssd.conf file:
chmod 600 /etc/sssd/sssd.conf Restart the SSSD service
service sssd restart 7. Edit PAM Settings
Bad decision:
edit the file /etc/pam.d/common-session, after the line
session required pam_unix.so add row
session required pam_mkhomedir.so skel=/etc/skel umask=0022 Good decision:
override parameters via PAM system settings, call
pam-auth-update and mark the points sss auth and makehomdir . This will automatically add
The line is higher in common-session and it will not be overwritten when the system is updated.
Now we can log in to the machine by domain users who are allowed to login.
PS: You can give the right to use sudo domain groups. Using visudo, we edit the file / etc / sudoers, or better, as recommended by maxzhurkin and iluvar , create a new file in /etc/sudoers.d/ and edit it
visudo -f /etc/sudoers.d/ваш_файл Add the required group - for example, Domain Admins (if there are spaces in the group name, they must be escaped):
%Domain\ Admins ALL=(ALL) ALL Source: https://habr.com/ru/post/437546/