It has, over the years always been quite a quandary to get SSO auth working from *nix->MS AD without a huge amount of fiddling and tinkering, but there is a new auth framework in town by the name of realmd . While tinkering with The Foreman recently it had dawned on me it would be cool to have it set up such that, after the VM had been automatically provisioned it would allow me to SSH into it using my AD credentials.

This has the double benefit of providing SSO for users through SASL/GSSAPI and auto registering the linux box in Windows DNS if that is what you use as your DNS server backend.

Obviously before you can script something like this with Puppet/Foreman it is a good idea to do a test install on a blank Ubuntu 14.04.1 box so you know what exactly needs configured, so I spun up a VM using my newly created PXE boot environment to start playing around with.

realmd encompasses a number of existing technologies into a rather easy to install and configure package to get SSO/LDAP integration to work, primarily it uses a package developed by RedHat called SSSD that takes care of LDAP and Kerberos communications for you.

RedHat docs on SSSD/Kerberos/LDAP setup, pros/cons (Section 6.3).

The reason I chose this implementation is clearly outlined in the RedHat doc above:

Kerberos SSO capable

Supports SASL/GSSAPI binds for LDAP queries (optional)

Enforces encrypted authentication only

Client side caching of user information

Off-line caching of previously authenticated user credentials

Reduces number of client queries to server

Graceful ID collision management

realmd is really a wrapper for SSSD and to quote the site:

realmd configures sssd or winbind to do the actual network authentication and user account lookups.

To the configuration then, first we have to install realmd and sssd :

aptitude install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli packagekit -y

Enter your full domain name in all caps when prompted for Default Kerberos version 5 realm , e.g. EXAMPLE.DOMAIN.COM

Gain a kerberos ticket from AD:

kinit -V myles.gray

Add the short and long domain names to the /etc/hosts file (order is important) and save:

#edit the localhost entry to include the box's short and long names like below 127.0.0.1 test1.domain.example.com test1 localhost

N.B. If you don’t do the above you will see an error in the following output similar to the below:

DNS update failed: NT_STATUS_INVALID_PARAMETER Using short domain name -- {your domain name here} Joined 'TEST1' to dns domain 'domain.example.com' No DNS domain configured for test1. Unable to perform DNS Update.

If you do come across this problem leave the domain and then edit the /etc/hosts file. You can leave the domain with the following command:

realm --verbose leave -U myles.gray domain.example.com

Now we can run our realm join command to join us to AD:

realm --verbose join -U myles.gray domain.example.com

You will be prompted for your admin user’s password, enter this and you should receive an output like below:

[email protected]:~# realm --verbose join -U myles.gray domain.example.com * Resolving: _ldap._tcp.domain.example.com * Performing LDAP DSE lookup on: 10.0.1.123 * Performing LDAP DSE lookup on: 10.0.1.124 * Successfully discovered: domain.example.com Password for myles.gray: * Unconditionally checking packages * Resolving required packages * Installing necessary packages: sssd-tools, libpam-sss, libnss-sss, sssd, samba-common-bin * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads join domain.example.com Enter myles.gray's password: Using short domain name -- DOMAIN Joined 'TEST1' to dns domain 'domain.example.com' * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.X2OPQX -U myles.gray ads keytab create Enter myles.gray's password: * /usr/sbin/update-rc.d sssd enable update-rc.d: /etc/init.d/sssd: file does not exist * /usr/sbin/service sssd restart stop: Unknown instance: sssd start/running, process 9085 * Successfully enrolled machine in realm

We need to also comment out this line in our /etc/sssd/sssd.conf file because of a segfault bug known to RH:

#use_fully_qualified_names = True

Restart sssd service:

service sssd restart

Now if we run a realm list we should see some info about our newly joined domain:

# realm list domain.example.com type: kerberos realm-name: domain.example.com domain-name: domain.example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin login-formats: %U login-policy: allow-realm-logins

Check the group membership of our AD user and that the AD integration is working correctly:

[email protected]:~# id myles.gray uid=952601104(myles.gray) gid=952600513(domain users) groups=952600513(domain users),952601139(virtualisation admins),952600519(enterprise admins),952601127(inet_filter_none),952603106(foreman_admins),952600512(domain admins),952600518(schema admins),952603117(linux_admins),952603116(linux_users),952601103(net-users),952601152(vpn users),952600572(denied rodc password replication group)

Now choose the groups we want to allow login from by denying all (default is allow all) then allowing explicit AD groups (in my case, Linux_Users):

realm deny -R domain.example.com -a realm permit -R domain.example.com -g Linux_Users

Now we can add our Active Directory Domain Admins and Linux_Admins groups to the /etc/sudoers file to give root access for users in those security groups:

visudo

Add the following lines (it is important to escape spaces in group names with a \ ):

%domain\ admins ALL=(ALL:ALL) ALL %Linux_Admins ALL=(ALL:ALL) ALL

One thing I like to do is have each user get their own automatically generated home directory in the format /home/domain.example.com/myles.gray , PAM can do this for us if we edit the /etc/pam.d/common-session file:

nano /etc/pam.d/common-session

Add this line at the end of the file:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

User directories will be automatically created in the format /home/domain.example.com/myles.gray upon login.

You should now be able to SSH into the guest with your AD credentials and sudo bash if you are a member of Linux_Admins or Domain Admins AD groups:

Myless-MacBook-Pro:~ myles.gray$ ssh [email protected] [email protected]'s password: Creating directory '/home/home.kharms.co.uk/myles.gray'. Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-40-generic x86_64) * Documentation: https://help.ubuntu.com/ The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Dec 8 00:31:25 2014 from 10.0.3.2 [email protected]:~$

Run a pwd to make sure our home directory was created and we were placed there:

Check out if we can sudo bash as a member of one of the two AD groups we configured as sudoers :

You now have full AD auth for users and groups in your linux environment. I will likely revisit this or make another post about SSO/password-less ssh login using Kerberos in the near future. For the moment, good luck!

Sources:

Why not follow @mylesagray on Twitter for more like this!

Show some love: Reddit

Twitter

Pocket

LinkedIn

Email

Telegram

