Adding AD Authentication to Linux
We have a number of Linux servers that we manage for various reasons and wanted to integrate single sign-on with our Active Directory domain accounts for user login, both for better security and for easier user management. This has been tested on Ubuntu 20.04 LTS.
As a prerequisite, create a security group in Active Directory that you’ll use to allow members of the group to log into the server. I use a group called sec_LinuxUsers.
Package Installation
Install the following packages
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
DNS/Hostname Settings
Change the FQDN of the server to match your AD domain
sudo hostnamectl set-hostname hostname.domain.local
Once changed, confirm the new hostname shows your AD domain
hostnamectl
The output should look something like this
   Static hostname: hostname.domain.local
         Icon name: computer-vm
           Chassis: vm
        Machine ID: dbdfbebfbafd4c5382bdda00a4c84321
           Boot ID: efcef4e841c8448a9ecea572ca4042c0
    Virtualization: microsoft
  Operating System: Ubuntu 20.04.3 LTS
            Kernel: Linux 5.11.0-36-generic
      Architecture: x86-64
Next, we need to unlink the resolv.conf file so we can edit it
sudo unlink /etc/resolv.conf
Edit the /etc/resolv.conf file and add your domain’s DNS servers (yes, I use nano!)
sudo nano /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 192.168.1.2
nameserver 192.168.1.3
options edns0 trust-ad
search domain.local
Save the changes by pressing Ctrl+X, then Y for Yes, then Enter to confirm the file name to write (by default it is the file we opened)
By default Ubuntu 20.04 uses systemd-resolved for DNS resolution, which is not suitable for our needs, so we'll stop and disable the service and use resolv.conf instead
sudo systemctl stop systemd-resolved && sudo systemctl disable systemd-resolved
Joining to the Domain
First, check whether you are able to view the domain
realm discover domain.local
The output should look something like this
domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
Once you have verified you can reach the domain, join it. Replace [ad_username] with your domain account and enter your password when prompted
sudo realm join -v -U [ad_username] domain.local
Joining should only take a few seconds. Once done, verify in AD that the new computer object is visible, and run the command below to verify from the Linux side as well
realm list
The output should look something like this
domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@domain.local
  login-policy: allow-realm-logins
Enable Home Directory creation
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Copy and paste the following into the file and hit Enter once finished
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
Now activate the home directory creation
sudo pam-auth-update
Use Tab to navigate to activate mkhomedir and press the spacebar to activate. Press Tab until you get to <OK> and press the spacebar again to accept changes and exit the screen
Edit the /etc/sssd/sssd.conf file and make the following changes
sudo nano /etc/sssd/sssd.conf
Add/Change the following:
override_shell = /bin/bash
fallback_shell = /bin/bash
fallback_homedir = /home/%u (creates homedir without full domain name)
use_fully_qualified_names = False (allows login without full domain name)
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
default_shell = /bin/bash
override_shell = /bin/bash
fallback_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = domain.local
use_fully_qualified_names = False
ldap_id_mapping = True
Save the changes by pressing Ctrl+X, then Y for Yes, then Enter to confirm the file name to write (by default it is the file we opened)
Restart the sssd service so changes to the /etc/sssd/sssd.conf file become available
sudo systemctl restart sssd
If everything is working, you should be able to get the AD info of a user
id [ad_username]
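To apply the sssd.conf edits from this section repeatably on several servers, here is an added shell example (not from the original post) that sets a key inside one section of the file and shows the result on a constructed copy; it assumes awk is installed and that the joined domain's section is [domain/domain.local].

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sssd.conf changes
# from this section repeatably by setting keys inside one [section].
# Assumes awk is installed and the joined domain is domain.local.

# sssd_set_option FILE SECTION KEY VALUE
# Replaces KEY inside [SECTION] if present, otherwise appends it there.
sssd_set_option() {
  file=$1; section=$2; key=$3; value=$4
  tmp=$(mktemp)
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    BEGIN { pat = "^[ \t]*" key "[ \t]*=" }
    /^\[/ {
      # leaving the target section without having seen the key: add it first
      if (insec && !done) { print key " = " val; done = 1 }
      insec = ($0 == sec)
    }
    insec && $0 ~ pat { print key " = " val; done = 1; next }
    { print }
    END { if (insec && !done) print key " = " val }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # writes in place, keeps the 0600 mode
  rm -f "$tmp"
}

# sssd_get_option FILE SECTION KEY -> prints the current value (empty if unset)
sssd_get_option() {
  awk -v sec="[$2]" -v key="$3" '
    BEGIN { pat = "^[ \t]*" key "[ \t]*=" }
    /^\[/ { insec = ($0 == sec) }
    insec && $0 ~ pat { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
  ' "$1"
}

# Demo on a constructed copy of a freshly joined config (not the real file).
sssd_demo() {
  conf=$(mktemp)
  printf '%s\n' '[sssd]' 'domains = domain.local' 'services = nss, pam' '' \
    '[domain/domain.local]' 'id_provider = ad' 'ad_domain = domain.local' \
    'fallback_homedir = /home/%u@%d' 'use_fully_qualified_names = True' > "$conf"
  sec=domain/domain.local
  sssd_set_option "$conf" "$sec" override_shell /bin/bash
  sssd_set_option "$conf" "$sec" fallback_shell /bin/bash
  sssd_set_option "$conf" "$sec" fallback_homedir /home/%u
  sssd_set_option "$conf" "$sec" use_fully_qualified_names False
  cat "$conf"
  rm -f "$conf"
}
```

On a real server run the functions with sudo against /etc/sssd/sssd.conf and restart sssd afterwards, as in the steps above.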
Access Control via Groups
Now we’ll permit the security group we created in Active Directory. Any users added to this group will be allowed to log into the servers.
sudo realm permit -g sec_LinuxUsers
Verify the settings have been added
realm list
The output should look something like this (notice the group added at the end of the output)
domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: sec_LinuxUsers
Restart the sssd service so changes to the /etc/sssd/sssd.conf file become available
sudo systemctl restart sssd
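Because a freshly joined realm defaults to allow-realm-logins (every domain account can log in), it is worth checking the realm list output after the permit step rather than reading it by eye. Added shell example, not from the original post, that parses the output format shown above on constructed samples and reports whether logins are restricted to the expected group.

```shell
#!/bin/sh
# Added example, not part of the original post: check the output of
# "realm list" to confirm logins are restricted to the permitted group
# rather than left at allow-realm-logins (every domain user may log in).
# Assumes the output format shown above; the samples below are constructed.

# realm_access_check OUTPUT GROUP
# Exit 0: policy is allow-permitted-logins and GROUP is listed.
# Exit 1: policy still allows every realm user (or is unknown).
# Exit 2: policy is restricted but GROUP is not among permitted-groups.
realm_access_check() {
  out=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  policy=$(printf '%s\n' "$out" | awk -F': *' '$1 ~ /^ *login-policy$/ { print $2; exit }')
  groups=$(printf '%s\n' "$out" | awk -F': *' '$1 ~ /^ *permitted-groups$/ { print $2; exit }')
  [ "$policy" = "allow-permitted-logins" ] || return 1
  for g in $(printf '%s' "$groups" | tr ',A-Z' ' a-z'); do   # AD names are case-insensitive
    [ "$g" = "$want" ] && return 0
  done
  return 2
}

# Constructed sample matching the post-permit output above.
SAMPLE_PERMITTED='domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  client-software: sssd
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: sec_LinuxUsers'

# Constructed sample of a freshly joined realm, before "realm permit".
SAMPLE_OPEN='domain.local
  type: kerberos
  configured: kerberos-member
  login-formats: %U@domain.local
  login-policy: allow-realm-logins'

# On a live server: realm_access_check "$(realm list)" sec_LinuxUsers
realm_demo() {
  for s in "$SAMPLE_PERMITTED" "$SAMPLE_OPEN"; do
    realm_access_check "$s" sec_LinuxUsers && echo "restricted to group" \
      || echo "NOT restricted to group (status $?)"
  done
}
```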
Allow the sec_LinuxUsers group sudo access to make system-wide changes (be very careful editing this file, as a mistake can lock out all users)
sudo nano /etc/sudoers
Add %sec_linuxusers ALL=(ALL) ALL under the "Members of the admin group may gain root privileges" section
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%sec_linuxusers ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
Save the changes by pressing Ctrl+X, then Y for Yes, then Enter to confirm the file name to write (by default it is the file we opened)
Verify users are able to login and that their home directories are created in /home