This document explains the process on how we bring Ubuntu or Debian with SSSD / Kerberos / PAM to a state where it is on the domain and can authenticate users via SSH login. This process has been tested on Debian 11 “Bullseye” and Ubuntu 22.04 (Jammy Jellyfish). I tested this on a Server 2016 compatible active directory installation. In Active directory I created a group called “Linux_Admins” and placed all authorized users into this group. In order to be able to login after setting up the machine, users will be required to be a part of the Linux_Admins group in order to login and get shell access.
In order to join an Active Directory domain, you’ll obviously need to have a Windows Server with AD services setup and running. You’ll need to have created the group “Linux_Admins” or some other group that needs to match the group you choose to allow for logins in step 6, as well as sudo access.
Setting up Linux:
- First thing is ensuring that all prerequisites packages are installed:
sudo apt install sssd-ad sssd-tools realmd adcli packagekit libnss-sss krb5-user libpam-sss
- Next we need to blow away the old /etc/krb5.conf and create a new one with the following configuration:
[libdefaults] default_realm = ECORP.NET dns_lookup_kdc = true dns_lookup_realm = true
- Typically I reboot the system here just to make sure that everything is fresh may not actually be required, but I ran into one test where it did benefit to do so.
- Next we join the domain with the following commands. Once the below is completed, the Linux machine will appear in active directory as a computer object. You’ll also need to specify the groups that you intend to permit using the -g flag, as well as enable the creation of home directories for users logging into the machine.
realm join -v -U yourusername ECORP.NET realm permit -g "linux_admins" path-auth-update –-enable mkhomedir
- Next, we edit /etc/sssd/sssd.conf and change or add the following directives:
use_fully_qualified_names = True ad_gpo_access_control = permissive krb_store_password_if_offline = False cache_credentials = False ignore_group_members = True
One thing of note is that you may not need the “ignore_group_members” directive. Though on large domains with lots of nested groups you may find that SSSD doesn’t want to allow you to login timely. As a matter of fact, there can be a delay of minutes on Active Directory installations with many thousands of users and groups. Adding this directive will speed up the login process when authenticating using SSSD.
- Now we’ll need to edit the /etc/ssh/sshd_config file to uncomment and change, or add the following directives:
AuthorizedKeysCommand and append /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody PasswordAuthentication yes ChallengeResponseAuthentication no UsePAM yes AllowGroups ssh AllowGroups “firstname.lastname@example.org”
- Restart services as follows:
systemctl restart sssd systemctl restart sshd
- Enable the creation of home directories for admin users by editing the file /etc/pam.d/common-session and add the following:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- If you would like to delegate sudo permissions to your active directory users you can add something similar to your sudoers file to allow them access:
%email@example.com ALL=(ALL) ALL
When logging into Linux, you’ll need to enter your username in the format of username@domain, as entering a username without any domain suffix will just be the local accounts on the machine.
Commands to test if stuff is working properly:
- The following command should return a hash:
getent passwd firstname.lastname@example.org
- This command will return groups and other information about a user
- This command will dump any of the AD cache held by SSS