How To Configure Linux In A Windows AD Using Sssd And Krb5?

Alex
How To Configure Linux In A Windows AD Using Sssd And Krb5_

How To Configure Linux In A Windows AD Using Sssd And Krb5?

There was a need to introduce a Ubuntu machine into the Windows domain. For these purposes, Samba and Winbind are commonly used. But an alternative is possible with sssd, a brief guide to it below.

For example, we will use:

Domain = contoso.com
Domain Controller = dc.contoso.com

Launch Ubuntu terminal.

1. Switch to root:


sudo -i

</div>
</div>

2. Install the necessary packages:


apt install sssd heimdal-clients msktutil

</div>

3. Edit/etc/krb5.conf, use tabs as indents:


[libdefaults]
default_realm = CONTOSO.COM

[realms]
CONTOSO.COM = {
kdc = DC
admin_server = dc.contoso.com
default_domain = contoso.com
}

[login]
krb4_convert = true
krb4_get_tickets = false

[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM

</div>
</div>

4. Edit the/etc/hosts file, specify the FQDN for this host:


127.0.0.1 localhost
127.0.1.1 <hostname>.contoso.com <hostname>

5. We try to get the Kerberos ticket on behalf of the domain administrator:


root@ubuntu:~# kinit YourDomainAdmin
YourDomainAdmin@CONTOSO.COM's Password:

Checking:


root@ubuntu:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: YourDomainAdmin@CONTOSO.COM

Issued Expires Principal
Dec 1 15:08:27 2018 Dec 2 01:08:22 2018 krbtgt/CONTOSO.COM@CONTOSO.COM

</div>

If the ticket is received successfully, then now Kerberos principals can be generated for this host, the register is important:


msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME.contoso.com -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com —user-creds-only

msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only

</div>

Now, our host should appear in the list of computers in the directory. If everything is so, we delete the received Kerberos ticket:


kdestroy

</div>

6. Create the file /etc/sssd/sssd.conf with the following contents:


[sssd]

services = nss, pam
config_file_version = 2
domains = contoso.com

[nss]

entry_negative_timeout = 0
debug_level = 3

[pam]

debug_level = 3

[domain / contoso.com]

debug_level = 3

ad_domain = contoso.com
ad_server = dc.contoso.com
enumerate = false

id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = simple
simple_allow_groups = users # which groups are allowed to login, separated by commas. There is a restriction - the names of groups must be in small letters.
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = / home /% u
default_shell = / bin / bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = <HOSTNAME> $
ldap_krb5_init_creds = true
krb5_keytab = /etc/sssd/<HOSTNAME>.keytab

Description of sssd config parameters can be found here.

Set permissions for the sssd.conf file:


chmod 600 /etc/sssd/sssd.conf

Restart the SSSD service


service sssd restart

7. Edit PAM Settings:

Bad decision

Now, edit the file /etc/pam.d/common-session, after the line.


session required                       pam_unix.so

Adding a row:


session required pam_mkhomedir.so skel=/etc/skel <span class="hljs-built_in">umask</span>=0022

Good decision

override parameters via PAM system settings, call:


pam-auth-update

And, mark the points sss auth and makehomdir. This will automatically add
The line is higher in common-session and it will not be overwritten when the system is updated.

Now we can log in to the machine by domain users who are allowed to log in.

PS: You can give rights to use sudo domain groups. We edit the /etc/sudoers file, add the required group — for example, Domain Admins (if there are spaces in the group name, they must be escaped):


%Domain\ Admins ALL=(ALL) ALL

Thanks for reading.

Related posts:

IP Address Conflict on Linux Main LogoDetail Breakdown On How to Resolve IP Address Conflict on Linux How to efficiently and productively work on Linux OSHow to efficiently and productively work on Linux OS? The Most 5 Common Misconceptions Regarding Linux Practical Linux application deployment on desktops
Alex

Meet the mastermind behind Smart Spate, the company's founder and leader. He is committed to delivering top-notch work and providing support to team members. With his expertise in digital innovation, he constantly conducts research on the latest techniques and systems to keep SmartSpate at the forefront of the industry. His passion for web development and the IT field is undeniable, and he takes pleasure in exploring the constantly evolving world of web design. His dedication to ensuring that every topic covered by SmartSpate is of the highest quality and presented in the most informative manner is truly remarkable.