
Abstract
Integrating open-source operating systems into a centralized authentication and authorization system, Microsoft Active Directory.
To facilitate this integration we use the System Security Services Daemon (SSSD), which gives the system access to local or remote identity and authentication sources through a common framework that also provides caching and offline support.
SSSD exposes several interfaces, including NSS and PAM modules and a D-Bus interface.
Installation and configuration.
Check DNS resolution.
Verify that your OS can resolve the domain's LDAP SRV records:
$ dig -t SRV _ldap._tcp.mydomain.com
Verify that your OS can resolve the domain controller SRV records:
$ dig -t SRV _ldap._tcp.dc._msdcs.mydomain.com
NOTE: Verify that you can reach every IPv4 and IPv6 address returned, to rule out routing or firewall issues. ICMP is often filtered, so a TCP connection test to port 389 (LDAP) and port 88 (Kerberos) on each domain controller is more reliable than ping.
Check your hostname configuration.
Before you can join the domain without error messages you need to verify your hosts file. NOTE: the order of the names on a line matters. The first name after an address is the canonical name that reverse lookups return, so the FQDN of your host must come first, followed by the short name. Debian and Ubuntu use 127.0.1.1 for the host's own name.
$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       myhost.mydomain.com myhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Software Installation
Install the required packages for SSSD.
$ apt-get update
$ apt-get install realmd sssd sssd-tools libnss-sss libpam-sss samba-common samba-common-bin samba-libs krb5-user adcli ntp policykit-1 packagekit
Software Configuration
Configure your time service to synchronise with your domain controllers. Kerberos rejects authentication when the clock skew between client and KDC exceeds the default tolerance of five minutes, so this step is required, not optional.
Stop your NTP server.
$ systemctl stop ntp
Edit your ntp.conf file.
$ vi /etc/ntp.conf
Modify the ntp.conf contents to reflect below configuration.
#-- replace below lines:
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
#-- replace with
server ntp.mydomain.com
Now save your config file.
Synchronize one time manually for initial time sync.
$ apt install ntpdate
$ ntpdate domaincontroller.mydomain.com
Now restart your NTP daemon for automatic operation.
$ systemctl start ntp
Verify that your service is running correctly.
$ systemctl status ntp
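The three prerequisites above (SRV records resolve, the FQDN is the first name in /etc/hosts, the clock is within Kerberos tolerance of a domain controller) are easy to get wrong and produce confusing realm join errors. The script below is an added example, not part of the original page: it wraps each check in a function that can be exercised offline against the constructed sample outputs embedded in it, and runs the live checks against the real host when started with --live. The function names, the DOMAIN default and the sample data are assumptions.

```shell
#!/bin/sh
# Pre-join checks for the DNS, hosts-file and clock requirements above.
# Added example, not from the original page; function names, DOMAIN and
# the sample outputs are assumptions/constructed data.
set -u

DOMAIN="${DOMAIN:-mydomain.com}"
MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# Print the DC host names found in `dig -t SRV` output read from stdin,
# one per line, deduplicated, trailing dot removed.
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }' | sort -u
}

# Read an /etc/hosts text from stdin; succeed only if the FQDN in $1 is
# listed before the short host name. The first name after an address is
# the canonical name reverse lookups return, which is why adcli wants it.
hosts_fqdn_first() {
    awk -v fqdn="$1" -v short="${1%%.*}" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) {
              if ($i == fqdn)  { ok = 1; exit }
              if ($i == short) { exit }
          } }
        END { exit ok ? 0 : 1 }'
}

# Print the offset in seconds from `ntpdate -q` output read from stdin.
ntp_offset() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "offset") { sub(/,$/, "", $(i+1)); print $(i+1); exit } }'
}

# Succeed if the absolute offset in $1 is below MAX_SKEW seconds.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; exit (off < max) ? 0 : 1 }'
}

# Constructed sample outputs (not captured from a real domain) so the
# checks can be exercised offline.
SAMPLE_DIG='; <<>> DiG 9.18.1 <<>> -t SRV _ldap._tcp.mydomain.com
;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc1.mydomain.com.
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 dc2.mydomain.com.
;; ADDITIONAL SECTION:
dc1.mydomain.com. 3600 IN A 192.0.2.10'
SAMPLE_HOSTS_GOOD='127.0.0.1 localhost
127.0.1.1 myhost.mydomain.com myhost'
SAMPLE_HOSTS_BAD='127.0.0.1 localhost
127.0.1.1 myhost myhost.mydomain.com'
SAMPLE_NTPDATE='server 192.0.2.10, stratum 2, offset 0.003127, delay 0.02631'

# Live checks against the real host; only run when asked for explicitly.
preflight() {
    fqdn=$(hostname -f)
    dcs=$(dig -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | srv_targets)
    [ -n "$dcs" ] || { echo "FAIL: no SRV records for $DOMAIN"; return 1; }
    echo "domain controllers: $(echo "$dcs" | tr '\n' ' ')"
    hosts_fqdn_first "$fqdn" < /etc/hosts ||
        { echo "FAIL: $fqdn is not the first name in /etc/hosts"; return 1; }
    dc=$(echo "$dcs" | head -n 1)
    off=$(ntpdate -q "$dc" | ntp_offset)
    skew_ok "$off" ||
        { echo "FAIL: clock offset ${off}s to $dc exceeds ${MAX_SKEW}s"; return 1; }
    echo "OK: DNS, hosts file and clock skew (${off}s) are ready for realm join"
}

if [ "${1:-}" = "--live" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --live` on the host you are about to join; without the flag it only defines the functions, so you can source it and feed the functions your own dig or ntpdate output.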
Configure sssd
Join the server to the Active Directory domain; this creates an initial sssd.conf file for us. You are prompted for the password of the account named with -U, which must be allowed to create computer objects in the domain.
$ realm join -U Administrator mydomain.com --verbose
Check the ownership and permissions of /etc/sssd/sssd.conf: it must be owned by root and have mode 0600, otherwise sssd refuses to start. Correct if necessary.
$ chown root:root /etc/sssd/sssd.conf
$ chmod 0600 /etc/sssd/sssd.conf
Modify your /etc/sssd/sssd.conf file:
[nss]
filter_groups = root,adm
filter_users = root,adm
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
override_homedir = /home/%u@%d
enumerate = False
ad_gpo_access_control = permissive
# Note: the two lines below are only required when you want to restrict
# logins to members of specific AD groups.
access_provider = simple
simple_allow_groups = myadgroup
Three of these settings deserve attention. access_provider = simple applies to every login that goes through PAM and SSSD (SSH, console, su), not only SSH; if you leave access_provider out entirely, the default is permit and any domain user can log in. ad_gpo_access_control only has an effect when access_provider = ad; in that mode permissive evaluates the GPO logon rights but merely logs the result, so switch it to enforcing once the relevant GPOs are in place. cache_credentials = True together with krb5_store_password_if_offline = True allows logins while the domain is unreachable, but stores password hashes under /var/lib/sss/db, which must stay readable by root only.
The server should create a home directory for each user on first login. pam_mkhomedir is a session module, so the line belongs in the session stack, not in common-account:
$ vi /etc/pam.d/common-session
add to the bottom of the file (umask=0077 makes the new home directory readable by its owner only)
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
We will assign an AD group for sudo access to the server:
$ vi /etc/sudoers.d/10-adsudo-grant-all
%myadsudogroup ALL=(ALL) ALL
$ chmod 0440 /etc/sudoers.d/10-adsudo-grant-all
Check the syntax with visudo in check mode (-c) before logging out: a malformed drop-in file makes sudo refuse to run for everyone.
Now that we have set up and configured sssd, let's restart the service to activate the changes.
$ sudo systemctl restart sssd
Set up the Samba server.
$ apt-get install samba
Stop your samba server
$ systemctl stop smbd
Edit your smb.conf file and add any shares you need to the configuration.
$ vi /etc/samba/smb.conf
# Global parameters
[global]
realm = MYDOMAIN.COM
server string = %h server (Samba, Ubuntu)
workgroup = MYDOMAIN
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
load printers = No
client signing = if_required
kerberos method = secrets and keytab
security = ADS
idmap config * : backend = tdb

[SHARE]
comment = MyShare
path = /srv/share
create mask = 0664
directory mask = 02775
force create mode = 0664
force directory mode = 02775
valid users = localuser @adsmbaccessgroup
valid users limits the share to the local account localuser and members of the AD group adsmbaccessgroup. Run testparm to validate the file before starting smbd again.
Now join your Samba server to AD. The host is already a domain member through adcli (realm join), so this second join resets the computer account password and, because of kerberos method = secrets and keytab, adds the new key to /etc/krb5.keytab; restart sssd afterwards if domain logins stop working. If you prefer a single join, realm join accepts --membership-software=samba so that SSSD and Samba share one machine credential.
$ net ads join -U myusername