There are quite a few guides lying around the internet for getting Ubuntu 16.04 working with Active Directory. I followed a few of them and always ended up with problems: I could su - to the user but couldn't ssh in, or I could su - to the user and ssh as the user but could not connect via RDP or log in locally through X11. I searched all over the place for solutions, but nothing worked. Finally, after trial and error, I found a combination of settings that gets everything working.
Since working in a mixed Windows / Linux environment is never particularly fun, I thought I would document my process to save others from having to figure this out from scratch. So here is my guide to getting everything working with RealmD and SSSD. An example Active Directory domain of my.domain.com is used in everything below. This guide is pretty close to others you'll find, but there are a few key differences; the primary ones are within the SSSD configuration.
Install Required Packages
apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp
You'll be prompted for some Kerberos auth configuration during the install; just enter your AD domain (the Kerberos realm) in all caps, i.e. MY.DOMAIN.COM.
Configure ntp
Next you'll need to make sure your Ubuntu server's time is in sync with the Active Directory servers (Kerberos rejects tickets when clocks drift too far apart). For that, edit your /etc/ntp.conf file, comment out the current server entries, and add your domain controllers by either FQDN or IP:
...
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org
# Your domain controllers, one per line (FQDN or IP)
server my.domain.com
server my.domain.com
#Use Ubuntu's ntp server as a fallback.
#server ntp.ubuntu.com
...
Restart your ntp service:
/etc/init.d/ntp restart
Configure RealmD
Next, we’ll need to configure RealmD. Create the /etc/realmd.conf file with the following contents:
[users]
default-home = /home/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 16.04
[service]
automatic-install = no
[my.domain.com]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
Kerberos Configuration
A slight change is needed to the /etc/krb5.conf file. At the top of the file, set the default realm:
[libdefaults]
default_realm = MY.DOMAIN.COM
Join Ubuntu to Domain
sudo kinit administrator@MY.DOMAIN.COM
Password for administrator@MY.DOMAIN.COM:
sudo realm --verbose join my.domain.com --user-principal=UBUNTU/administrator@MY.DOMAIN.COM
Auto creation of user home directories
A slight addition to the end of /etc/pam.d/common-session creates the home directory on first login (mode 0700, via the umask):
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
#end of pam-auth-update config
Edit X11 Config
Personally I did not need to do this, because I did not need local logins via X11. But I had posted a question about RDP logins via Active Directory which I answered myself, and another user responded that my changes worked for him but he had to make the following additional change for X11.
Edit /etc/X11/Xwrapper.config and set allowed_users=anybody
Configure SSSD
RealmD comes pretty close to setting up the sssd.conf file properly, but there are a few changes needed to be able to log in via SSH and RDP. Edit the /etc/sssd/sssd.conf file so it looks like this:
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
# permissive: GPO logon-right restrictions are evaluated and logged, but not enforced
ad_gpo_access_control = permissive
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
# left over from realmd; simple_* options are only read by access_provider = simple
simple_allow_users = $
# changed from simple to ad; without this SSH logins failed
access_provider = ad
The key changes I had to make:
- changing access_provider from simple to ad. Without this I could not ssh in.
- adding ad_gpo_access_control = permissive. Without this I could not connect via RDP (GPO logon rights are still evaluated and logged, just not enforced).
Restart your sssd service:
service sssd restart
At this point, using your Active Directory user, you should be able to SSH into your Ubuntu server, RDP into your desktop environment, or do a local X11 login.
nsswitch.conf
With the default SSSD configuration, every time a user executes a sudo action it will generate an email to your root account with the contents of:
root : problem with defaults entries ; TTY=pts/2 ; PWD=/root ;
This isn't really an error, it's just noise since sssd does not support sudo rules for local users. It's an easy fix to stop this. Just edit your /etc/nsswitch.conf file. Find this line:
sudoers: files sss
and change it to:
sudoers: files
Allowing/Restricting logins
If you want to restrict or allow access to only certain users or groups, then you can modify the /etc/sssd/sssd.conf file, and in the [domain/my.domain.com] section, you can use any of these options:
# these are read by access_provider = simple; the ad access provider used above does not honour them
simple_allow_users = user1,user2
simple_deny_users = user1,user2
simple_allow_groups = group1,group2
simple_deny_groups = group1,group2
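As an added example that is not part of the original post, the following Python linter reads an sssd.conf (a constructed sample mirroring the guide's domain section) and flags the points the SSSD section above turns on: access_provider not set to ad, ad_gpo_access_control = permissive, and simple_* allow/deny options that the ad access provider does not read. It also returns the sources on the sudoers: line of nsswitch.conf, so the "files sss" to "files" change can be checked.

```python
import configparser

# Constructed sample that mirrors the guide's [domain/my.domain.com] section.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam
[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
id_provider = ad
ad_gpo_access_control = permissive
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad
"""

# Constructed nsswitch.conf fragment with the noisy default sudoers line.
SAMPLE_NSSWITCH = "passwd: compat sss\ngroup: compat sss\nsudoers: files sss\n"


def lint_sssd_conf(text):
    """Return (level, message) findings for each [domain/...] section."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %u literal
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        opts = cfg[section]
        provider = opts.get("access_provider", "permit")  # sssd's default
        if provider != "ad":
            findings.append(("error", f"{section}: access_provider={provider}; "
                             "the guide needed 'ad' before SSH logins worked"))
        if opts.get("ad_gpo_access_control") == "permissive":
            findings.append(("warn", f"{section}: GPO logon rights are evaluated "
                             "but not enforced (ad_gpo_access_control=permissive)"))
        simple_opts = sorted(k for k in opts if k.startswith("simple_"))
        if simple_opts and provider != "simple":
            findings.append(("warn", f"{section}: {', '.join(simple_opts)} only "
                             "apply with access_provider=simple"))
    return findings


def nsswitch_sudoers_sources(text):
    """Sources on the sudoers: line of nsswitch.conf ([] if the line is absent)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []
```

Run it against the real files with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` (as root, since the file is mode 0600) and `nsswitch_sudoers_sources(open("/etc/nsswitch.conf").read())`.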
Thanx man, it's working! I was impressed by how easy it is. Is it possible to restrict login access with AD groups?
Yeah, it's possible by editing the /etc/sssd/sssd.conf. In the example above, under the [domain/mydomain.com] section, you can control by user or by group with any of these options:
simple_allow_users = user1,user2
simple_deny_users = user1,user2
simple_allow_groups = group1,group2
simple_deny_groups = group1,group2
Incidentally, under 16.04 you don’t need to preconfigure realmd or krb5 as this will happen when the domain is joined, assuming the AD is setup properly with listings for LDAP services and whatnot. Likewise, you don’t have to kinit first.
Ah, thanks for pointing that out. I'll try and clean things up a bit with that in mind. I actually just found another reason kinit is nice: being able to do something like echo ${PASS} | kinit username, which means you don't have to manually enter the password when trying to automate everything using things like Terraform or Ansible.
Hey, can you explain more about '--user-principal=UBUNTU/administrator@MY.DOMAIN.COM'?
What exactly is the UBUNTU here?
In your example, UBUNTU will be the hostname that ends up being registered with Active Directory. Format is user-principal=host/name@REALM
How can I query the AD groups from the Ubuntu server?
I am trying to add a specific AD group to sudoers, but it seems the users are not managing to sudo on the server.
You should be able to achieve that by editing your /etc/sudoers file. Say you want everyone in the Domain Admins group to be able to sudo, you’d add the following (\ needed to escape the space):
%Domain\ Admins ALL=(ALL:ALL) NOPASSWD: ALL
After you modify that file, just restart your ssh service.
Realized I didn’t answer another part of your question. If you want to query to get a list of AD groups, you can use the ldapsearch command. Something like:
ldapsearch -x -h domain.com -D "[email protected]" -W -b "dc=domain,dc=com" "(objectclass=group)" 1.1
Change the domain.com and the user in the above for your needs and you’ll get a list of your AD groups.
Hi, how can I delete a user? If I try
sudo sss_userdel user1
I get: Error initializing the tools - no local domain
Unfortunately I do not know the answer to that. I’ve always managed users directly on the AD controller, so this isn’t something I’ve looked into.
Rick, a sincere thank you! I’ve used this method on several new 16.04 installs.
Now the $64,000 question: how do I make this work on existing installs?
I know you may not be aware but I’ve exhausted my options. As I said, new installs work great but an existing install pukes on the installs with apt-get. I keep my servers up to date, so I was confused when I went to an install and I get:
The following packages have unmet dependencies:
krb5-user : Depends: libkrb5-3 (= 1.13.2+dfsg-5) but 1.13.2+dfsg-5ubuntu2 is to be installed
E: Unable to correct problems, you have held broken packages.
Following an intense several days of Googling, I’ve attempted to force, manually install, wait for updates, and uninstall packages. Haven’t found a working combination yet.
Any ideas for a desperate admin?
No thoughts? Bummer.
Btw, I’ve also used this on Raspberry Pi installs with Raspbian!
Sorry for the delay in replying here. The past couple of weeks I've been neck deep in looking for a new full time job, so I've kind of neglected keeping up here. Unfortunately I haven't come across that particular error. Not sure if you've seen this askubuntu post or not. The problem was a bit different, but one of the package errors looks the same and there is an accepted answer that you might try:
https://askubuntu.com/questions/933253/but-it-is-not-going-to-be-installed-nightmare