How To Configure Linux In A Windows AD Using Sssd And Krb5?
There was a need to introduce an Ubuntu machine into a Windows domain. Samba and Winbind are commonly used for this, but sssd is a possible alternative; a brief guide to it follows.
For the example we will use:
Domain = contoso.com
Domain Controller = dc.contoso.com
Launch an Ubuntu terminal.
1. Switch to root:
sudo -i
2. Install the necessary packages:
apt install sssd heimdal-clients msktutil
3. Edit /etc/krb5.conf (use tabs as indents):
[libdefaults]
	default_realm = CONTOSO.COM
[realms]
	CONTOSO.COM = {
		kdc = DC
		admin_server = dc.contoso.com
		default_domain = contoso.com
	}
[login]
	krb4_convert = true
	krb4_get_tickets = false
[domain_realm]
	.contoso.com = CONTOSO.COM
	contoso.com = CONTOSO.COM
4. Edit the /etc/hosts file and specify the FQDN for this host:
127.0.0.1	localhost
127.0.1.1	<hostname>.contoso.com <hostname>
5. Try to obtain a Kerberos ticket as the domain administrator:
root@ubuntu:~# kinit YourDomainAdmin
YourDomainAdmin@CONTOSO.COM's Password:
Check it:
root@ubuntu:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: YourDomainAdmin@CONTOSO.COM

  Issued                Expires               Principal
Dec  1 15:08:27 2018  Dec  2 01:08:22 2018  krbtgt/CONTOSO.COM@CONTOSO.COM
If the ticket was received successfully, Kerberos principals can now be generated for this host (case matters):
msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME.contoso.com -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only
msktutil -c -b 'CN=YourComputersOU' -s HOST/HOSTNAME -k /etc/sssd/HOSTNAME.keytab --computer-name HOSTNAME --upn HOSTNAME$ --server dc.contoso.com --user-creds-only
Now our host should appear in the list of computers in the directory. If so, delete the Kerberos ticket we obtained:
kdestroy
6. Create the file /etc/sssd/sssd.conf with the following contents:
[sssd]
services = nss, pam
config_file_version = 2
domains = contoso.com

[nss]
entry_negative_timeout = 0
debug_level = 3

[pam]
debug_level = 3

[domain/contoso.com]
debug_level = 3
ad_domain = contoso.com
ad_server = dc.contoso.com
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = simple
# which groups are allowed to log in, separated by commas.
# Restriction: group names must be in lower-case letters.
simple_allow_groups = users
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = <HOSTNAME>$
ldap_krb5_init_creds = true
krb5_keytab = /etc/sssd/<HOSTNAME>.keytab
A description of the sssd configuration parameters can be found in the sssd.conf(5) man page.
Set permissions for the sssd.conf file:
chmod 600 /etc/sssd/sssd.conf
Restart the SSSD service:
service sssd restart
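Before restarting sssd it is worth checking the file against the constraints this step relies on: the 600 permissions, the lower-case group names in simple_allow_groups, a [domain/...] section that matches the domains line, and a keytab that exists and is not world-readable. The following pre-flight check is an added example and not part of the original guide; the function name check_sssd_conf and its return convention (the exit code is the number of findings) are assumptions of this example, and it uses only sed, grep, tr and stat.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for
# an sssd.conf before restarting sssd.
# Usage: check_sssd_conf /etc/sssd/sssd.conf; echo "findings=$?"

# Print the (first) value of key $2 in config file $1, comments stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Octal permission bits of a file, e.g. "600" (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check one sssd.conf; prints each finding and returns their count.
check_sssd_conf() {
    conf="$1"
    problems=0

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf does not exist"
        return 1
    fi

    # sssd refuses to start on a config that is readable by others.
    mode=$(file_mode "$conf")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $conf has mode $mode, expected 600"
        problems=$((problems + 1))
    fi

    # The guide's restriction: allowed group names must be lower-case.
    for g in $(conf_value "$conf" simple_allow_groups | tr ',' ' '); do
        if [ "$g" != "$(printf '%s' "$g" | tr 'A-Z' 'a-z')" ]; then
            echo "FAIL: simple_allow_groups entry '$g' is not lower-case"
            problems=$((problems + 1))
        fi
    done

    # Every domain in 'domains =' needs an exact [domain/<name>] section;
    # stray spaces such as '[domain / contoso.com]' are not matched.
    for d in $(conf_value "$conf" domains | tr ',' ' '); do
        if ! grep -q "^\[domain/$d\]" "$conf"; then
            echo "FAIL: no [domain/$d] section for domain '$d'"
            problems=$((problems + 1))
        fi
    done

    # The keytab must exist and must not grant any permission to 'other'.
    keytab=$(conf_value "$conf" krb5_keytab)
    if [ -n "$keytab" ]; then
        if [ ! -f "$keytab" ]; then
            echo "FAIL: keytab $keytab not found"
            problems=$((problems + 1))
        else
            case "$(file_mode "$keytab")" in
                *0) ;;
                *)  echo "FAIL: keytab $keytab is readable by others"
                    problems=$((problems + 1)) ;;
            esac
        fi
    fi

    return $problems
}
```

Run it as root after writing the file; a non-zero exit code lists what to fix, and a zero exit code means the restart can go ahead.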
7. Edit the PAM settings:
Bad approach:
Edit the file /etc/pam.d/common-session and, after the line
session required pam_unix.so
add the line:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Good approach:
Override the parameters via the PAM system settings by running:
pam-auth-update
and tick the entries for sss auth and mkhomedir. This automatically adds the line above to common-session, and it will not be overwritten when the system is updated.
Now domain users who are allowed to log in can log in to the machine.
PS: You can also grant sudo rights to domain groups. Edit the /etc/sudoers file and add the required group, for example Domain Admins (spaces in the group name must be escaped):
%Domain\ Admins ALL=(ALL) ALL
Thanks for reading.