Before starting, make sure your hostname is less than 15 characters long and unique. Picking a non-unique hostname, such as “computer” or “ubuntu”, can result in being unable to join correctly.<\/p>\n
Log in with a user account with sudo privileges.<\/p>\n
Set the example hostname ‘foo’<\/p>\n
$ sudo hostnamectl set-hostname foo\r\n<\/pre>\nEdit \/etc\/hosts, with these entries for ‘foo’:<\/p>\n
127.0.0.1 localhost\r\n127.0.1.1 foo.ad.bu.edu foo.bu.edu foo\r\n# Only use if there's a DNS entry for foo.bu.edu (e.g. static IP) \r\n<\/pre>\nand test hostname and FQDN are correct<\/p>\n
$ hostname\r\nfoo\r\n$ hostname -f\r\nfoo.ad.bu.edu\r\n<\/pre>\nConfigure Realm<\/h2>\n
Create a file called \/etc\/realmd.conf, with these contents:<\/p>\n
[users]\r\ndefault-home = \/home\/%U\r\ndefault-shell = \/bin\/bash\r\n \r\n[active-directory]\r\ndefault-client = sssd\r\nos-name = Ubuntu\r\nos-version = 18.04\r\n \r\n[service]\r\n# Set this to no to disable automatic installation of packages via package-kit.\r\n#automatic-install = no\r\n \r\n[ad.bu.edu]\r\nfully-qualified-names = no\r\nautomatic-id-mapping = no\r\nuser-principal = yes\r\nmanage-system = yes\r\n#computer-name = HOSTNAME\r\ncomputer-ou = OU=Linux,OU=ENGIT,OU=Administration,OU=Desktop,OU=ENG,DC=ad,DC=bu,DC=edu<\/pre>\nConfigure Kerberos<\/h2>\n
Copy the krb5.conf file to \/etc\/krb5.conf. This will place the Kerberos configuration setup for the BU AD into the proper place.<\/p>\n
Here’s the file:<\/p>\n
[logging]\r\n default = FILE:\/var\/log\/krb5libs.log\r\n kdc = FILE:\/var\/log\/krb5kdc.log\r\n admin_server = FILE:\/var\/log\/kadmind.log\r\n\r\n# Default settings for kerberos.\r\n# \r\n# rdns = false is essential if reverse DNS queries don't resolve correctly\r\n# (which for active directory, they don't!) According to the krb5.conf docs,\r\n# this is actually *more* secure than the default reverse DNS behavior. But,\r\n# it means we will need to use the correct fully-qualified domain names\r\n# consistently for kerberized stuff to work.\r\n# See also: the \"-l\" option to rpc.gssd.\r\n\r\n[libdefaults]\r\n default_realm = AD.BU.EDU\r\n dns_lookup_realm = false\r\n dns_lookup_kdc = false\r\n ticket_lifetime = 24h\r\n renew_lifetime = 7d\r\n forwardable = true\r\n rdns = false\r\n\r\n[realms]\r\n\r\n# The bu.edu kerberos realm, separate from active directory.\r\n# \r\n# We're not currently using this, but it's in the BU Linux config and available\r\n# if you specify user@bu.edu instead of letting it use the default realm.\r\n# Unlike with the active directory realm below, it doesn't look like there's\r\n# any unified setup in DNS for the KDC's, so each kdc is listed separately.\r\n# bu.edu = {\r\n# kdc = kerberos1.bu.edu.\r\n# kdc = kerberos2.bu.edu.\r\n# kdc = kerberos3.bu.edu.\r\n# admin_server = kerberos1.bu.edu.\r\n# }\r\n\r\n# The BU active directory realm.\r\n# \r\n# We could also explicitly list all the domain controllers here, but the domain\r\n# points to the whole set of ist-adc1.bu.edu -> ist-adc5.bu.edu, so this is\r\n# really all that's needed.\r\n# NOTE ABOUT SSSD:\r\n# The sssd package adds plugins to the krb5 library in \/usr\/lib64\/krb5\/plugins\r\n# and one effect of this is that basic kerberos commands like kinit and kvno\r\n# are actually affected by SSSD's settings, in particular this cached KDC info:\r\n# \/var\/lib\/sss\/pubconf\/kdcinfo.AD.BU.EDU\r\n# If you change the kdc settings here, also delete that cache and check the\r\n# krb5_server setting in \/etc\/sssd\/sssd.conf.\r\n\r\n AD.BU.EDU = {\r\n kdc = ad.bu.edu.\r\n admin_server = ad.bu.edu.\r\n}\r\n\r\n# Mapping of domains to kerberos realms.\r\n# \r\n# These entries will at least map any reference to an active directory hostname\r\n# to the realm, and if we wanted we could also point bu.edu to that as well.\r\n# As per the docs on krb5.conf, an entry starting with a period is for a whole\r\n# domain, while one without specifies an actual host.\r\n\r\n[domain_realm]\r\n .ad.bu.edu = AD.BU.EDU\r\n ad.bu.edu = AD.BU.EDU\r\n\r\n[appdefaults]\r\n pam = {\r\n minimum_uid = 3000\r\n}<\/pre>\nInstall Packages<\/h2>\n
$ sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin<\/pre>\nSet DNS Search Domains<\/h2>\n
This used to be set in the NetworkManager GUI , but was removed in recent versions. Now use wither the old GUI:<\/p>\n
$ sudo nm-connection-editor\r\n<\/pre>\nIn the IPv4 Settings<\/strong> tab set the search domains<\/strong> to “ad.bu.edu, bu.edu”.<\/p>\n
Then restart the NetworkManager service<\/p>\n
$ sudo systemctl restart NetworkManager<\/pre>\nOr set it via the command line<\/p>\n
# nmcli c show\r\n# nmcli c modify \"Wired connection 1\" ipv4.dns-search \"ad.bu.edu, bu.edu\"\r\n# nmcli c down \"Wired connection 1\" && nmcli c up \"Wired connection 1\"<\/pre>\nMore with this link<\/a>.<\/p>\n
Sync time with the AD domain<\/h2>\n
Kerberos only works if the date and time of the computer to join the AD and the AD are the same. First, edit \/etc\/systemd\/timesyncd.conf so that the [Time] section looks like this:<\/p>\n
[Time]\r\nNTP=ad.bu.edu\r\nFallbackNTP=ntp1.bu.edu ntp2.bu.edu ntp3.bu.edu<\/pre>\nTo sync the time on the localhost, run:<\/p>\n
$ sudo timedatectl set-ntp true\r\n$ sudo timedatectl set-timezone America\/New_York\r\n$ sudo systemctl restart systemd-timesyncd.service\r\n$ sudo timedatectl --adjust-system-clock<\/pre>\nCheck it worked with the following:<\/p>\n
$ timedatectl status<\/pre>\nUse Pam to make Home Directories<\/h2>\n
This can be done two ways.<\/p>\n
i. Using the pam-auth-update tool: Run the command to launch pam-auth-update:<\/h3>\n
$ sudo pam-auth-update<\/pre>\nA window will open. Check the “Create home directory on login” box. You’ll need to use the down arrow.<\/p>\n
ii. Through command line:<\/h3>\n
Edit \/etc\/pam.d\/common-session, and add this line directly after session required pam_unix.so:<\/p>\n
session required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/pre>\nJoin the domain<\/h2>\n
Run the following command to join the example system to the AD realm in the Engineering OU:<\/p>\n
$ sudo realm join -v --computer-name=<hostname> --user=<username>-adm ad.bu.edu\r\n<\/pre>\nWhere <hostname>is not the FQDM<\/hostname><\/pre>\n Configure SSSD<\/h2>\n
Joining AD creates a file \/etc\/sssd\/sssd.conf. You need to make configure SSSD, adding the following lines:<\/p>\n
# Use UID and GID from Active Directory with BU specific ID fields\r\nldap_user_gecos = displayName\r\nldap_user_uid_number = bu-ph-index-id-numeric\r\nldap_user_gid_number = bu-ph-index-id-numeric\r\n\r\n# Enable Dynamic DNS Updates\r\ndyndns_update = true\r\ndyndns_refresh_interval = 43200\r\ndyndns_update_ptr = true\r\ndyndns_ttl = 3600\r\n\r\n# For Legacy ENGNAS support\r\noverride_gid = 100\r\n\r\n# Make account name be just username, not \u201cusername@domain\u201d\r\nfull_name_format = %1$s\r\n\r\n# Helpful for figuring out what LDAP queries are being done\r\n#debug_level = 7<\/pre>\nTo restrict access, add one of these to the end of the sssd.conf file:<\/p>\n
### Restrict login access to specific accounts ###\r\n\r\naccess_provider = simple\r\nsimple_allow_groups = BU_ENG_Everyone<\/pre>\n\n
- -or-<\/li>\n<\/ul>\n
### Restrict login access to specific accounts ###\r\n#access_provider = ad\r\n# Pick one of:\r\n\r\n# IS&T\r\n#ad_access_filter = (bu-ph-deptid=51*)\r\n# ENG 24043\r\n#ad_access_filter = (bu-ph-deptid=24*)\r\n\r\n#ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))\r\n#ad_access_filter = (|(manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)(manager=CN=jones,OU=People,DC=ad,DC=bu,DC=edu))<\/pre>\nRestart SSSD as root to implement changes<\/h2>\n
Restart the service and clear the SSS cache:<\/p>\n
$ sudo systemctl restart sssd && sss_cache -E<\/pre>\nConfirm the join by logging into AD<\/h2>\n
Install the OpenSSH server:<\/p>\n
$ sudo apt -y install openssh-server\r\n<\/pre>\nAnd setup a firewall restricting access to BU IP Space<\/p>\n
$ sudo ufw default deny incoming\r\n$ sudo ufw default allow outgoing\r\n$ sudo ufw allow from 128.197.0.0\/16 to any port 22\r\n$ sudo ufw allow from 10.0.0.0\/8 to any port 22\r\n$ sudo ufw allow from 168.122.0.0\/16 to any port 22\r\n$ sudo ufw enable\r\n<\/pre>\nNow test login<\/p>\n
$ ssh kerberos_username@localhost<\/pre>\nThis should prompt for your Kerberos password and should successfully log into AD.<\/p>\n
<\/p>\n
Ubuntu Server 22.04<\/h2>\n
In Ubuntu 22.04, SSH prioritizes public key authentication over password authentication. When you join an Ubuntu server to Active Directory, it doesn’t automatically configure SSH to allow password authentication for AD users. Here’s a breakdown of the issue and how to resolve it:<\/p>\n
Understanding the Problem<\/strong><\/p>\n
\n
- Public Key Authentication:<\/strong> SSH tries to authenticate users based on cryptographic keys. If you haven’t set up key-based authentication for your AD users on the Ubuntu server, this method will fail, resulting in “Permission denied (publickey).”<\/li>\n
- Password Authentication:<\/strong> Even though your AD users can log in via the console (using their passwords), SSH might be configured to disallow password authentication, especially if
PasswordAuthentication no<\/code> is set in the SSH server configuration.<\/li>\n- \n
Locate the Correct File:<\/strong> Check the contents of
\/etc\/ssh\/sshd_config<\/code> for anInclude<\/code> directive. It might point to files within\/etc\/ssh\/sshd_config.d\/<\/code>. Alternatively, check the files in\/etc\/ssh\/sshd_config.d\/<\/code> directly to see which one contains thePasswordAuthentication<\/code> setting.<\/p>\n<\/li>\n- \n
Edit the File:<\/strong> Use
sudo nano \/etc\/ssh\/sshd_config.d\/50-cloud-init.conf<\/code> (or the appropriate file name) to edit the file.<\/p>\n<\/li>\n- \n
Set
PasswordAuthentication yes<\/code>:<\/strong> Ensure that thePasswordAuthentication<\/code> directive is set toyes<\/code>. If the line is commented out (preceded by a#<\/code>), uncomment it.<\/p>\n<\/li>\n- \n
Restart SSH:<\/strong> After making the changes, restart the SSH service:<\/p>\n
<\/code-block><\/response-element><\/p>\n \n\n\nsudo systemctl restart ssh\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n
- \n
Cloud-Init Considerations:<\/strong> If
cloud-init<\/code> is actively managing the system, it might revert your changes on the next reboot or instance restart. To prevent this, you’ll need to configurecloud-init<\/code> itself. This can be done by modifying the cloud-init configuration files (usually in\/etc\/cloud\/cloud.cfg.d\/<\/code>) or by using cloud-init modules to manage SSH settings. The exact method depends on your cloud provider or setup.<\/p>\n<\/li>\n<\/ul>\n<\/p>\n
CentOS<\/h2>\n
For instructions on joining CentOS 7 & 8 systems to AD, see the BU IS&T page here<\/a>.<\/p>\n
Adding Users<\/h1>\n