How To Configure Linux In A Windows AD Using Sssd And Krb5?

We needed to join an Ubuntu machine to a Windows domain. Samba and Winbind are commonly used for this, but sssd is an alternative; a brief guide to it follows.

For example, we will use:

Domain = contoso.com
Domain Controller = dc.contoso.com

Open a terminal on the Ubuntu machine.

1. Switch to root:


sudo -i


2. Install the necessary packages:


apt install sssd heimdal-clients msktutil


3. Edit /etc/krb5.conf, using tabs for indentation:


[libdefaults]
default_realm = CONTOSO.COM

[realms]
CONTOSO.COM = {
kdc = DC
admin_server = dc.contoso.com
default_domain = contoso.com
}

[login]
krb4_convert = true
krb4_get_tickets = false

[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM


4. Edit the /etc/hosts file and specify the FQDN for this host:


127.0.0.1 localhost
127.0.1.1 <hostname>.contoso.com <hostname>

5. Request a Kerberos ticket as the domain administrator:


root@ubuntu:~# kinit YourDomainAdmin
YourDomainAdmin@CONTOSO.COM's Password:

Check the result:


root@ubuntu:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: YourDomainAdmin@CONTOSO.COM

Issued Expires Principal
Dec 1 15:08:27 2018 Dec 2 01:08:22 2018 krbtgt/CONTOSO.COM@CONTOSO.COM


If the ticket was received successfully, the Kerberos principals for this host can now be generated. Case matters:


msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME.contoso.com -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only

msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only


The host should now appear in the list of computers in the directory. If it does, delete the Kerberos ticket obtained earlier:


kdestroy


6. Create the file /etc/sssd/sssd.conf with the following contents:


[sssd]

services = nss, pam
config_file_version = 2
domains = contoso.com

[nss]

entry_negative_timeout = 0
debug_level = 3

[pam]

debug_level = 3

[domain/contoso.com]

debug_level = 3

ad_domain = contoso.com
ad_server = dc.contoso.com
enumerate = false

id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = simple
# Groups allowed to log in, separated by commas. Restriction: group names must be lowercase.
simple_allow_groups = users
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = <HOSTNAME>$
ldap_krb5_init_creds = true
krb5_keytab = /etc/sssd/<HOSTNAME>.keytab

Description of sssd config parameters can be found here.

Set permissions for the sssd.conf file:


chmod 600 /etc/sssd/sssd.conf

Restart the SSSD service:


service sssd restart
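
A small linter for the pitfalls in this step, as an added example that is not part of the original guide. It checks the file mode set above, whitespace in section names and path values, and inline # comments, which sssd.conf does not support; the sample config and the function names are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: the domain section as it can end up after copy/paste.
SAMPLE = """\
[sssd]
services = nss, pam
domains = contoso.com

[domain / contoso.com]
access_provider = simple
simple_allow_groups = users # groups allowed to log in
fallback_homedir = / home /% u
krb5_keytab = /etc/sssd/HOSTNAME.keytab
"""
PATH_KEYS = {"fallback_homedir", "default_shell", "krb5_keytab"}


def lint_sssd_conf(path):
    """Return a list of findings for the sssd.conf at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: group/other access, expected 600")
    # Keep inline '#' text in the value, as a parser without inline comments does.
    cp = configparser.RawConfigParser(delimiters=("=",), inline_comment_prefixes=None)
    cp.read(path)
    for section in cp.sections():
        if any(ch.isspace() for ch in section):
            findings.append(f"[{section}]: whitespace in section name")
        for key, value in cp.items(section):
            if " #" in value or " ;" in value:
                findings.append(f"{key}: inline comment becomes part of the value")
            if key in PATH_KEYS and any(ch.isspace() for ch in value):
                findings.append(f"{key}: whitespace inside path {value!r}")
    return findings


def lint_text(text, mode=0o644):
    """Write `text` to a temporary file with `mode` and lint it (demo helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sssd.conf")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return lint_sssd_conf(path)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```

On a real host, call lint_sssd_conf("/etc/sssd/sssd.conf") as root before restarting the service.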

7. Edit the PAM settings:

Bad approach

Edit the file /etc/pam.d/common-session and, after the line:


session required                       pam_unix.so

add the line:


session required pam_mkhomedir.so skel=/etc/skel umask=0022

Good approach

Override the parameters through the PAM system settings by running:


pam-auth-update

Then select the sss auth and mkhomedir entries. This automatically adds the line above to common-session, and it will not be overwritten when the system is updated.

Domain users who are allowed to log in can now log in to the machine.

PS: You can grant sudo rights to domain groups. Edit the /etc/sudoers file and add the required group, for example Domain Admins (spaces in the group name must be escaped):


%Domain\ Admins ALL=(ALL) ALL

Thanks for reading.