AD Authentication
Before starting, make sure your hostname is unique and no longer than 15 characters (the NetBIOS computer-name limit that AD enforces on the machine account). Picking a non-unique hostname, such as “computer” or “ubuntu”, may clash with an existing computer account in the domain and can result in being unable to join correctly.
Log in with a user account with sudo privileges.
Configure Hostname
Set the example hostname ‘foo’
$ sudo hostnamectl set-hostname foo
Edit /etc/hosts, with these entries for ‘foo’. The FQDN must be the first name on the 127.0.1.1 line, because `hostname -f` reports the first name it finds on the matching line:
127.0.0.1 localhost
127.0.1.1 foo.ad.bu.edu foo.bu.edu foo   # include foo.bu.edu only if there's a DNS entry for it (e.g. static IP)
and test that the hostname and FQDN are correct:
$ hostname
foo
$ hostname -f
foo.ad.bu.edu
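As an added pre-join check (example code written for this page, not a BU-provided tool), the following POSIX shell functions encode the hostname rules above: 15 characters or fewer, valid NetBIOS characters, and not one of the generic names mentioned (“computer”, “ubuntu”; “localhost” is added here as an assumption). The second function checks a 127.0.1.1 line in the /etc/hosts format shown, including the requirement that the FQDN comes first. The sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example for this page: sanity checks for the hostname and /etc/hosts
# rules a domain join depends on. Not part of realmd or BU's tooling.

# check_ad_hostname NAME
# Returns 0 when NAME is usable as an AD computer name: 1-15 characters
# (the NetBIOS/sAMAccountName limit), letters/digits/hyphens only, no leading
# or trailing hyphen, and not one of the generic names that collide with
# other machines in the domain ("localhost" is an assumption added here).
check_ad_hostname() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;   # only letters, digits and hyphens (no dots: not an FQDN)
        -*|*-) return 1 ;;             # no leading or trailing hyphen
    esac
    case $(printf '%s' "$name" | tr 'A-Z' 'a-z') in
        computer|ubuntu|localhost) return 1 ;;
    esac
    return 0
}

# hosts_line_ok LINE SHORTNAME DOMAIN
# Checks a 127.0.1.1 line from /etc/hosts. `hostname -f` returns the first
# name on the matching line, so the FQDN (SHORTNAME.DOMAIN) must come first,
# and the bare SHORTNAME must appear as an alias so it resolves too.
hosts_line_ok() {
    line=${1%%#*}; short=$2; domain=$3   # drop any trailing comment
    set -- $line                          # word-split: $1 address, $2.. names
    [ "$1" = "127.0.1.1" ] || return 1
    shift
    [ "$1" = "$short.$domain" ] || return 1
    for alias in "$@"; do
        [ "$alias" = "$short" ] && return 0
    done
    return 1
}

# Sample /etc/hosts lines, constructed for this example.
GOOD_LINE="127.0.1.1 foo.ad.bu.edu foo.bu.edu foo   # static IP, DNS entry exists"
BAD_LINE="127.0.1.1 foo foo.ad.bu.edu"   # short name first: hostname -f would print "foo"

main() {
    for n in foo eng-ws-01 ubuntu this-hostname-is-too-long foo.ad.bu.edu; do
        if check_ad_hostname "$n"; then echo "ok   hostname $n"; else echo "FAIL hostname $n"; fi
    done
    hosts_line_ok "$GOOD_LINE" foo ad.bu.edu && echo "ok   hosts line: $GOOD_LINE"
    hosts_line_ok "$BAD_LINE" foo ad.bu.edu || echo "FAIL hosts line: $BAD_LINE"
}
main
```

Run it before `hostnamectl set-hostname`; the two names the script rejects as too long or dotted are the ones that produce a confusing `realm join` failure later rather than a clear error.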
Configure Realm
Create a file called /etc/realmd.conf, with these contents (set os-version to the release you are installing, e.g. 22.04 for Ubuntu Server 22.04; automatic-id-mapping = no makes realmd leave UIDs/GIDs to the AD attributes configured under SSSD below instead of generating them from SIDs):
[users]
default-home = /home/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu
os-version = 18.04

[service]
# Set this to no to disable automatic installation of packages via package-kit.
#automatic-install = no

[ad.bu.edu]
fully-qualified-names = no
automatic-id-mapping = no
user-principal = yes
manage-system = yes
#computer-name = HOSTNAME
computer-ou = OU=Linux,OU=ENGIT,OU=Administration,OU=Desktop,OU=ENG,DC=ad,DC=bu,DC=edu
Configure Kerberos
Place the following krb5.conf at /etc/krb5.conf. This is the Kerberos client configuration for the BU AD realm; note that dns_lookup_kdc is off, so the KDC comes from the [realms] entry and not from DNS SRV records.
Here’s the file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# Default settings for kerberos.
#
# rdns = false is essential if reverse DNS queries don't resolve correctly
# (which for active directory, they don't!) According to the krb5.conf docs,
# this is actually *more* secure than the default reverse DNS behavior. But,
# it means we will need to use the correct fully-qualified domain names
# consistently for kerberized stuff to work.
# See also: the "-l" option to rpc.gssd.
[libdefaults]
 default_realm = AD.BU.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
# The bu.edu kerberos realm, separate from active directory.
#
# We're not currently using this, but it's in the BU Linux config and available
# if you specify user@bu.edu instead of letting it use the default realm.
# Unlike with the active directory realm below, it doesn't look like there's
# any unified setup in DNS for the KDC's, so each kdc is listed separately.
# bu.edu = {
#  kdc = kerberos1.bu.edu.
#  kdc = kerberos2.bu.edu.
#  kdc = kerberos3.bu.edu.
#  admin_server = kerberos1.bu.edu.
# }

# The BU active directory realm.
#
# We could also explicitly list all the domain controllers here, but the domain
# points to the whole set of ist-adc1.bu.edu -> ist-adc5.bu.edu, so this is
# really all that's needed.
#
# NOTE ABOUT SSSD:
# The sssd package adds plugins to the krb5 library (under
# /usr/lib/x86_64-linux-gnu/krb5/plugins on 64-bit Ubuntu, /usr/lib64/krb5/plugins
# on RHEL-family systems) and one effect of this is that basic kerberos
# commands like kinit and kvno are actually affected by SSSD's settings, in
# particular this cached KDC info:
#   /var/lib/sss/pubconf/kdcinfo.AD.BU.EDU
# If you change the kdc settings here, also delete that cache and check the
# krb5_server setting in /etc/sssd/sssd.conf.
 AD.BU.EDU = {
  kdc = ad.bu.edu.
  admin_server = ad.bu.edu.
 }

# Mapping of domains to kerberos realms.
#
# These entries will at least map any reference to an active directory hostname
# to the realm, and if we wanted we could also point bu.edu to that as well.
# As per the docs on krb5.conf, an entry starting with a period is for a whole
# domain, while one without specifies an actual host.
[domain_realm]
 .ad.bu.edu = AD.BU.EDU
 ad.bu.edu = AD.BU.EDU

[appdefaults]
 pam = {
  minimum_uid = 3000
 }
Install Packages
$ sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin
If the krb5-user configuration dialog asks for a default Kerberos realm, enter AD.BU.EDU, matching the /etc/krb5.conf created above.
Set DNS Search Domains
This used to be set in the NetworkManager GUI, but that option was removed in recent versions. Now use either the old GUI:
$ sudo nm-connection-editor
In the IPv4 Settings tab set the search domains to “ad.bu.edu, bu.edu”.
Then restart the NetworkManager service:
$ sudo systemctl restart NetworkManager
Or set it via the command line (substitute the connection name reported by the first command for “Wired connection 1”):
$ sudo nmcli c show
$ sudo nmcli c modify "Wired connection 1" ipv4.dns-search "ad.bu.edu,bu.edu"
$ sudo nmcli c down "Wired connection 1" && sudo nmcli c up "Wired connection 1"
Sync time with the AD domain
Kerberos only works if the clock of the computer being joined is close to the domain controllers’ clocks: both the KDC and the Kerberos library reject tickets once the skew exceeds the default tolerance of 5 minutes, so synchronise time with the AD domain before joining. First, edit /etc/systemd/timesyncd.conf so that the [Time] section looks like this:
[Time]
NTP=ad.bu.edu
FallbackNTP=ntp1.bu.edu ntp2.bu.edu ntp3.bu.edu
To sync the time on the localhost, run:
$ sudo timedatectl set-ntp true
$ sudo timedatectl set-timezone America/New_York
$ sudo systemctl restart systemd-timesyncd.service
Check it worked with the following; the output should include “System clock synchronized: yes”:
$ timedatectl status
Use PAM to make Home Directories
This can be done two ways.
i. Using the pam-auth-update tool: Run the command to launch pam-auth-update:
$ sudo pam-auth-update
A window will open. Check the “Create home directory on login” box. You’ll need to use the down arrow.
ii. Through command line:
Edit /etc/pam.d/common-session, and add this line directly after session required pam_unix.so:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Join the domain
Run the following command to join the system to the AD realm, placing the computer account in the Engineering OU set by computer-ou in /etc/realmd.conf:
$ sudo realm join -v --computer-name=<hostname> --user=<username>-adm ad.bu.edu
Where <hostname> is the short hostname (not the FQDN) and <username>-adm is your administrative account; you will be prompted for that account’s password.
Configure SSSD
Joining AD creates the file /etc/sssd/sssd.conf. You need to configure SSSD further by adding the following lines to its [domain/ad.bu.edu] section:
# Use UID and GID from Active Directory with BU specific ID fields
ldap_user_gecos = displayName
ldap_user_uid_number = bu-ph-index-id-numeric
ldap_user_gid_number = bu-ph-index-id-numeric

# Enable Dynamic DNS Updates
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

# For Legacy ENGNAS support
override_gid = 100

# Make account name be just username, not "username@domain"
full_name_format = %1$s

# Helpful for figuring out what LDAP queries are being done
#debug_level = 7
To restrict who can log in, add one of these to the end of the same section of sssd.conf. The first allows only members of one AD group; the second uses an LDAP search filter that is evaluated against the user’s AD object, so any attribute (department ID, account name, manager) can be used:
### Restrict login access to specific accounts ###
access_provider = simple
simple_allow_groups = BU_ENG_Everyone
-or-
### Restrict login access to specific accounts ###
access_provider = ad
# Pick one of:
# IS&T
#ad_access_filter = (bu-ph-deptid=51*)
# ENG 24043
#ad_access_filter = (bu-ph-deptid=24*)
#ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))
#ad_access_filter = (|(manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)(manager=CN=jones,OU=People,DC=ad,DC=bu,DC=edu))
Restart SSSD to apply the changes
Restart the service and clear the SSS cache (both need root). Keep /etc/sssd/sssd.conf owned by root with mode 0600 as realm join created it; sssd refuses to start if the file is more permissive:
$ sudo systemctl restart sssd && sudo sss_cache -E
Confirm the join by logging into AD
Install the OpenSSH server:
$ sudo apt -y install openssh-server
And set up a firewall so that SSH is only reachable from BU IP space:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow from 128.197.0.0/16 to any port 22
$ sudo ufw allow from 10.0.0.0/8 to any port 22
$ sudo ufw allow from 168.122.0.0/16 to any port 22
$ sudo ufw enable
Now test the login from the machine itself:
$ ssh kerberos_username@localhost
This should prompt for your AD (Kerberos) password and log you in as the domain user. A successful login means the join, SSSD and PAM are working; pam_mkhomedir creates the home directory on this first login.
Ubuntu Server 22.04
In Ubuntu 22.04, SSH prioritizes public key authentication over password authentication, and joining the server to Active Directory does not change the SSH configuration to allow password authentication for AD users. Here’s a breakdown of the issue and how to resolve it:
Understanding the Problem
- Public Key Authentication: SSH first tries to authenticate with cryptographic keys. AD users have no keys on the server, so this method fails, and if no other method is permitted the client reports “Permission denied (publickey).”
- Password Authentication: Even though AD users can log in on the console with their passwords, sshd may be configured to refuse password authentication, typically because PasswordAuthentication no is set in the SSH server configuration. On 22.04 cloud images that line usually lives in a drop-in file written by cloud-init rather than in /etc/ssh/sshd_config itself. sshd uses the first value it reads for each keyword, and sshd_config Includes /etc/ssh/sshd_config.d/*.conf before its own settings, so a value in a drop-in overrides one in the main file.
- Locate the Correct File: Check the contents of /etc/ssh/sshd_config for an Include directive. It might point to files within /etc/ssh/sshd_config.d/. Alternatively, check the files in /etc/ssh/sshd_config.d/ directly to see which one contains the PasswordAuthentication setting.
- Edit the File: Use sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf (or the appropriate file name) to edit the file.
- Set PasswordAuthentication yes: Ensure that the PasswordAuthentication directive is set to yes. If the line is commented out (preceded by a #), uncomment it.
- Restart SSH: After making the changes, restart the SSH service:
$ sudo systemctl restart ssh
- Cloud-Init Considerations: If cloud-init is actively managing the system, it might revert your changes on the next reboot or instance restart. To prevent this, you’ll need to configure cloud-init itself. This can be done by modifying the cloud-init configuration files (usually in /etc/cloud/cloud.cfg.d/) or by using cloud-init modules to manage SSH settings. The exact method depends on your cloud provider or setup.
- Exposure: re-enabling password authentication lets anyone who can reach port 22 guess AD passwords, so keep the ufw rules from the previous section that limit SSH to BU IP space.
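To make the “Locate the Correct File” step concrete, the following added example (written for this page; it is not an OpenSSH tool, and on a real host the authoritative check is `sudo sshd -T | grep -i passwordauthentication`) emulates sshd’s first-value-wins rule across sshd_config and the files it Includes. It builds a constructed copy of the 22.04 layout in a temporary directory, with a cloud-init drop-in that disables password authentication, and shows why editing the drop-in rather than sshd_config is what changes the effective value. Relative Include paths are resolved against the config file’s directory here, standing in for /etc/ssh.

```shell
#!/bin/sh
# Added example for this page: resolve the effective PasswordAuthentication
# value the way sshd does. Rule from sshd_config(5): for each keyword the
# FIRST value read wins, and Include pulls the included files in at that point.
# Ubuntu 22.04 starts sshd_config with "Include /etc/ssh/sshd_config.d/*.conf",
# so "PasswordAuthentication no" in a cloud-init drop-in beats a "yes" lower
# down in sshd_config. Not part of OpenSSH; use `sshd -T` on a real host.

# _walk FILE BASEDIR: print every PasswordAuthentication value in the order
# sshd would read it. Relative Include patterns resolve against BASEDIR
# (sshd uses /etc/ssh). Lines after a Match block are conditional, so the
# walk of that file stops there.
_walk() {
    file=$1; base=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # strip comments
        set -f; set -- $line; set +f      # split into words, no globbing yet
        [ $# -ge 2 ] || continue          # need keyword + value
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case $key in
            include)
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do     # glob expansion happens here
                        [ -f "$f" ] && _walk "$f" "$base"
                    done
                done ;;
            passwordauthentication) printf '%s\n' "$1" ;;
            match) return 0 ;;
        esac
    done < "$file"
    return 0
}

# effective_password_auth SSHD_CONFIG: first value found, or sshd's default "yes".
effective_password_auth() {
    all=$(_walk "$1" "$(dirname "$1")")
    nl='
'
    first=${all%%"$nl"*}
    printf '%s\n' "${first:-yes}" | tr 'A-Z' 'a-z'
}

# make_sample_tree DIR: constructed config mirroring an Ubuntu 22.04 cloud image.
make_sample_tree() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
PasswordAuthentication yes
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication no
EOF
    printf 'PasswordAuthentication no\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

main() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "as shipped: $(effective_password_auth "$d/sshd_config")"   # no
    # The fix from the steps above: change the drop-in, not sshd_config.
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    echo "after fix:  $(effective_password_auth "$d/sshd_config")"   # yes
    rm -r "$d"
}
main
```

The walk deliberately ignores directives inside Match blocks, which is also why a `PasswordAuthentication no` placed under `Match` for a service account does not affect AD users in general.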
CentOS
For instructions on joining CentOS 7 and 8 systems to AD, see the BU IS&T page on the subject.
Adding Users
- When you add local users that will authenticate with Kerberos, they should have the same UID as their BU account. Local accounts in /etc/passwd are looked up before SSSD, so a local user with the same name but a different UID would shadow the AD entry and own files under a UID that does not match the BU identity. If you don’t know the UID, you can find it in the BU Directory: the UID is the numeric part of the Index ID (the bu-ph-index-id-numeric attribute SSSD is configured to use above).
- If you have already made a user with the correct name but an incorrect UID, you need to change the UID (and hence the ownership of all files associated with that UID) to the correct number. Replace $OLD_UID and $NEW_UID with the appropriate numbers in the following commands.
- Change the UID (usermod also changes the owner of files in the user’s home directory to the new UID):
sudo usermod -u $NEW_UID user_name
- If the user owns files outside of their home directory, search them out and change the owner; usermod does not do this for you. For example, for files under /tmp (repeat for any other filesystem the user has written to):
sudo find /tmp -xdev -uid $OLD_UID -exec chown -h $NEW_UID {} +