Despite its age, Active Directory does a pretty solid job of identity management. A lot of businesses still rely on it, and numerous third-party systems offer ways to integrate with it.

While AD doesn’t do much for system management when it comes to Linux machines (unlike GPOs for Windows), it’s still possible to leverage its identity management to consolidate credentials and permissions. Operations that rely on Active Directory for Linux authentication usually handle system management through specialized tools like Ansible or Mobile Device Management solutions.

Now that we’ve touched on the why (and if you’re reading this, you probably already understand that part), let’s get to the how.

Prerequisites

To set up LDAP login on a Linux machine, we need to join it to the domain. For that, the Linux machine must use the domain’s authoritative DNS server(s) as its resolvers and must be configured to search the correct domain (the join locates domain controllers through the domain’s SRV records, which a public resolver will not know). That said, a Linux machine that itself serves DNS to external clients won’t qualify unless it has multiple IPs or network adapters configured first (one for the internal domain and another for handling external DNS requests).

So let’s go through the process for setting up a Debian machine for LDAP authentication. The first config file of interest is the network configuration file.

nano /etc/network/interfaces

The “dns-nameservers” option here should be pointed to the IP address (or addresses) of your domain’s DNS server(s), and the “dns-search” option should be set to the domain name, e.g. “mydomain.local”. Note that these two options are processed by the resolvconf package; if it isn’t installed, put the equivalent “nameserver” and “search” lines in /etc/resolv.conf instead. After making the necessary changes, save and exit the file.

Now that we’ve updated our networking configuration, we’ll need to ensure our hosts file contains the FQDN of the local machine, and not just the hostname.

nano /etc/hosts

Assuming our machine’s hostname is “linux-server” and our domain is “mydomain.local”, we’ll need to make sure that our hosts file appears like the following:

127.0.0.1 localhost
127.0.1.1 linux-server.mydomain.local linux-server

Note that the FQDN of our server comes before the short hostname: the first name on the line is the canonical name, which is what “hostname -f” (and therefore the join) resolves to. Again, save and close the file.
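As an added preflight check (my own script, not part of the original post), the following verifies the resolver and hosts-file requirements described above before any join is attempted. It assumes the short hostname “linux-server”, the domain “mydomain.local”, and, for the live SRV lookup only, that the “host” utility (package dnsutils / bind9-host) is installed. The two check_* functions only parse files, so they can be run against copies of the configuration first.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# resolver and /etc/hosts settings needed before "realm join".
# Assumptions of mine: short hostname "linux-server", domain "mydomain.local",
# and the "host" utility present for the live SRV lookup in preflight().

# check_resolver FILE DOMAIN
# Succeeds only if FILE (resolv.conf syntax) names at least one nameserver
# and lists DOMAIN in a "search" line.
check_resolver() {
    awk -v d="$2" '
        $1 == "nameserver" { ns = 1 }
        $1 == "search"     { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { if (ns && found) exit 0; exit 1 }
    ' "$1" || { echo "resolver: $1 must name a nameserver and search $2" >&2; return 1; }
}

# check_hosts_fqdn FILE SHORTNAME DOMAIN
# Finds the /etc/hosts entry for SHORTNAME and succeeds only if the first
# name on that line is SHORTNAME.DOMAIN. The first name is the canonical
# name, which is what "hostname -f" and the realm join resolve to.
check_hosts_fqdn() {
    awk -v s="$2" -v fq="$2.$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        !done {
            for (i = 2; i <= NF; i++)
                if ($i == s || $i == fq) { ok = ($2 == fq); done = 1; break }
        }
        END { if (done && ok) exit 0; exit 1 }
    ' "$1" || { echo "hosts: $1 needs a line \"<ip> $2.$3 $2\" with the FQDN first" >&2; return 1; }
}

# preflight DOMAIN: the same checks against the live system, plus the SRV
# record that "realm discover" relies on to find a domain controller.
preflight() {
    domain=$1
    short=$(hostname -s)
    check_resolver /etc/resolv.conf "$domain"      || return 1
    check_hosts_fqdn /etc/hosts "$short" "$domain" || return 1
    [ "$(hostname -f)" = "$short.$domain" ] ||
        { echo "hostname -f returned '$(hostname -f)', expected $short.$domain" >&2; return 1; }
    host -t SRV "_ldap._tcp.dc._msdcs.$domain" >/dev/null 2>&1 ||
        { echo "no _ldap._tcp.dc._msdcs.$domain SRV record: DNS is not pointing at a DC" >&2; return 1; }
    echo "preflight OK for $short.$domain"
}

# Usage: sh preflight.sh mydomain.local
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the domain as the only argument; each failed check prints what is wrong and the script stops there, so the join is never attempted against a half-configured machine.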

Install Required Packages

As the root user or as a user with sudo privileges, run the following:

apt-get install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Discover the Domain

We can now use the “realm discover” command to evaluate the Active Directory domain. “realm” is a command line utility that manages enrollment in Kerberos realms (such as Active Directory domains). The discover option locates a realm/domain and its features. Executing “realm discover” should provide details about the domain and identify the most suitable software stack to use with sssd.

realm discover mydomain.local

The command should return info about the domain as well as what software packages are required to connect to it (though in our case, we’ve already installed them).

Join the Domain

The “realm join” command joins the current machine to the domain we specify. To join, we have to use a pre-existing domain account with permission to create computer objects in the domain (by default any domain user may join up to ten machines; a dedicated join account or a Domain Admin is more typical). You will be prompted for that account’s password. The command should look something like this:

realm join -U <username> mydomain.local

Tuning the Setup

While the default configuration will indeed allow for domain authenticated logins, there are a few things we can do to avoid annoyance later. Tuning the configuration benefits us in the following four ways:

  1. We want to avoid sssd related errors on boot (the errors do not affect the ability to login however they can be confusing) as outlined here – https://phabricator.wikimedia.org/T291585
  2. We will streamline the login process (by default, accounts have to log in with the fully qualified name, e.g. “user@mydomain.local”, and not just the username).
  3. We can restrict logins to only members of certain Active Directory groups (regular office staff normally don’t need to login to servers)
  4. We will address an issue that can cause intermittent login failures (this issue may be fixed in future releases so it is a good idea to check periodically)

All of these configuration changes can be made by editing the “/etc/sssd/sssd.conf” file in your editor of choice. After editing, the result should look like the following:

[sssd]
domains = mydomain.local
config_file_version = 2


[domain/mydomain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = MYDOMAIN.LOCAL
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Domain Admins@mydomain.local
ad_gpo_access_control = permissive

The configuration above is all most people will need, but a full list of configuration options is in the sssd.conf man page:

https://linux.die.net/man/5/sssd.conf

The file must be owned by root with mode 0600 (sssd refuses to start otherwise, since the file can hold credentials). After making your changes, save and close the file and then restart the sssd service:

service sssd restart
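The access_provider and simple_allow_groups lines above are the security-relevant part of this file: sssd’s defaults are permissive, so a domain section without them lets every domain user log in. The following audit script is an added example of mine (not from the original post or the sssd project) that flags a weak sssd.conf and passes the tuned one shown above. It assumes the audited domain is the first name in the “domains =” line under [sssd]; the file’s owner must also be root, which is not checked here so the script can run unprivileged against a copy.

```shell
#!/bin/sh
# Added example, not from the original post: audit the access-control
# settings in an sssd.conf. sssd defaults are permissive: with no
# access_provider (or access_provider = permit, or = simple with no
# simple_allow_* list) every domain user may log in, and
# ad_gpo_access_control = permissive only logs GPO logon-right denials
# instead of enforcing them.
# Assumption of mine: the audited domain is the first entry of "domains =".

# conf_get FILE SECTION KEY -> prints the trimmed value, or nothing if unset
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        /^[[:space:]]*\[/ { cur = trim($0); next }
        cur == sec && index($0, "=") {
            p = index($0, "=")
            if (trim(substr($0, 1, p - 1)) == key) { print trim(substr($0, p + 1)); exit }
        }
    ' "$1"
}

# audit_sssd_conf FILE
# Prints FAIL/WARN findings; returns 1 if any FAIL was found.
audit_sssd_conf() {
    f=$1; rc=0
    dom=$(conf_get "$f" sssd domains | cut -d, -f1 | tr -d '[:space:]')
    [ -n "$dom" ] || { echo "FAIL: [sssd] has no domains = line"; return 1; }
    sec="domain/$dom"

    case "$(conf_get "$f" "$sec" access_provider)" in
        "")     echo "FAIL: access_provider unset (defaults to permit: every domain user can log in)"; rc=1 ;;
        permit) echo "FAIL: access_provider = permit lets every domain user log in"; rc=1 ;;
        simple)
            allow="$(conf_get "$f" "$sec" simple_allow_groups)$(conf_get "$f" "$sec" simple_allow_users)"
            [ -n "$allow" ] || { echo "FAIL: access_provider = simple with no simple_allow_* list permits everyone"; rc=1; }
            ;;
    esac

    case "$(conf_get "$f" "$sec" ad_gpo_access_control)" in
        permissive|disabled) echo "WARN: ad_gpo_access_control is not enforcing; AD logon-right GPOs are ignored on this host" ;;
    esac

    # sssd refuses to start unless sssd.conf is owned by root with mode 0600
    # (owner not checked here so the audit can run unprivileged on a copy).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ] || { echo "FAIL: $f has mode $mode, sssd requires 0600"; rc=1; }
    return $rc
}

# Usage: sh audit-sssd.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then audit_sssd_conf "$1"; fi
```

The tuned configuration from this article produces only the WARN about permissive GPO handling, which is a deliberate trade-off here; removing access_provider or simple_allow_groups, or leaving the file world-readable, produces a FAIL.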

Create Home Directory for Accounts on Logon

By default, domain users don’t get a home directory when they log in. We can have these home directories created automatically on first login via the following:

pam-auth-update --enable mkhomedir

Test Logon with Domain Account

You can now test domain login by using the “login” command along with the domain user’s credentials. Before that, it is worth confirming that sssd resolves the account at all with “id <username>” and “getent passwd <username>”; if those return nothing, the problem is in the join or sssd.conf rather than in PAM. If all goes well, you should be able to log in as that user without any issues.

Install and Configure sudo

It’s awesome to authenticate using a domain account, but to perform admin tasks on the machine, we need to make sure the right accounts have sudo privileges. The typical Debian server setup doesn’t have sudo pre-installed, so we’ll have to install it first.

apt-get install sudo

Next we’ll need to add the desired Active Directory group to a sudo config file so its members will be allowed to run commands as root. In our example above, we restricted logins to the “Domain Admins” group, so in keeping with that example we will name the sudo config file accordingly:

nano /etc/sudoers.d/domain_admins

Then inside of that new file we will specify the group:

"%domain admins"    ALL=(ALL:ALL) ALL

Note that because there is a space in the group name we have to quote it (escaping it as %domain\ admins also works). Check the syntax with “visudo -cf /etc/sudoers.d/domain_admins” before logging out, since a syntax error in any sudoers file stops sudo working entirely, and make sure the file is mode 0440 and its name contains no “.” (sudo silently ignores such files). After saving and closing the file, any user in the “Domain Admins” group should be able to log in and run sudo.
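The following is an added example of mine (not from the original post) that generates and installs such a drop-in the safe way: the rule is written to a temporary file, set to mode 0440, validated with “visudo -cf”, and only then moved into place. It assumes sssd is configured with use_fully_qualified_names = False, so the group is addressed by its plain AD name, and that visudo exists on the target host.

```shell
#!/bin/sh
# Added example, not from the original post: generate and install a sudoers
# drop-in for an AD group without risking a broken sudoers.
# Assumptions of mine: use_fully_qualified_names = False in sssd.conf, so the
# group is addressed by its plain AD name; visudo is present for validation.

# sudoers_line GROUP -> prints the rule; a group name containing a space is
# double-quoted, as sudoers requires.
sudoers_line() {
    case "$1" in
        *" "*) printf '"%%%s"    ALL=(ALL:ALL) ALL\n' "$1" ;;
        *)     printf '%%%s    ALL=(ALL:ALL) ALL\n' "$1" ;;
    esac
}

# dropin_name_ok NAME -> fails for names sudo silently ignores in sudoers.d
# (anything containing a "." or ending in "~", such as editor backups).
dropin_name_ok() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# install_sudoers_dropin GROUP NAME [DIR]
# Writes the rule to a temp file in DIR (default /etc/sudoers.d), sets mode
# 0440, validates it with "visudo -cf" and only then moves it into place.
# The temp name contains a "." on purpose, so sudo ignores it until it is
# renamed. A syntax error in any sudoers file stops sudo working entirely,
# which is why validation happens before the rename.
install_sudoers_dropin() {
    group=$1; name=$2; dir=${3:-/etc/sudoers.d}
    dropin_name_ok "$name" || { echo "invalid drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    sudoers_line "$group" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Usage (as root): install_sudoers_dropin "domain admins" domain_admins
```

Afterwards, “sudo -l -U <username>” for a member of the group lists the new rule, which is a quicker check than logging in again.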

Add Users to the Linux ADM Group

Although we’ve already given our domain administrators supercow powers via sudo, there might be certain tasks that require the user to be a member of the “adm” group (like accessing system logs). No worries, though, this is pretty straightforward. Once you’re logged in, just execute the following command:

sudo usermod -aG adm <username>

After logging out and then back in again (assuming you are adding the account currently in use to the group), your account will be a member of the “adm” group on the machine.

Final Notes

If this writeup has saved you some time or annoyance consider leaving a greeting in the comments section. I’m always happy to help with technical questions anyway I can. 🙂
