Home>Computers>Debian / Ubuntu Linux Active Directory Authentication How-to

Debian / Ubuntu Linux Active Directory Authentication How-to

This document explains the process on how we bring Ubuntu or Debian with SSSD / Kerberos / PAM to a state where it is on the domain and can authenticate users via SSH login. This process has been tested on Debian 11 “Bullseye” and Ubuntu 22.04 (Jammy Jellyfish). I tested this on a Server 2016 compatible active directory installation. In Active directory I created a group called “Linux_Admins” and placed all authorized users into this group. In order to be able to login after setting up the machine, users will be required to be a part of the Linux_Admins group in order to login and get shell access.

In order to join an Active Directory domain, you’ll obviously need to have a Windows Server with AD services setup and running. You’ll need to have created the group “Linux_Admins” or some other group that needs to match the group you choose to allow for logins in step 6, as well as sudo access.

Setting up Linux:

  1. First thing is ensuring that all prerequisites packages are installed:
sudo apt install sssd-ad sssd-tools realmd adcli packagekit libnss-sss krb5-user libpam-sss
  1. Next we need to blow away the old /etc/krb5.conf and create a new one with the following configuration:
default_realm = ECORP.NET
dns_lookup_kdc = true
dns_lookup_realm = true
  1. Typically I reboot the system here just to make sure that everything is fresh may not actually be required, but I ran into one test where it did benefit to do so.
  1. Next we join the domain with the following commands. Once the below is completed, the Linux machine will appear in active directory as a computer object. You’ll also need to specify the groups that you intend to permit using the -g flag, as well as enable the creation of home directories for users logging into the machine.
realm join -v -U yourusername ECORP.NET
realm permit -g "linux_admins"
path-auth-update-enable mkhomedir
  1. Next, we edit /etc/sssd/sssd.conf and change or add the following directives:
use_fully_qualified_names = True
ad_gpo_access_control = permissive
krb_store_password_if_offline = False
cache_credentials = False
ignore_group_members = True

One thing of note is that you may not need the “ignore_group_members” directive. Though on large domains with lots of nested groups you may find that SSSD doesn’t want to allow you to login timely. As a matter of fact, there can be a delay of minutes on Active Directory installations with many thousands of users and groups. Adding this directive will speed up the login process when authenticating using SSSD.

  1. Now we’ll need to edit the /etc/ssh/sshd_config file to uncomment and change, or add the following directives:
AuthorizedKeysCommand and append /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowGroups ssh
  1. Restart services as follows:
systemctl restart sssd
systemctl restart sshd
  1. Enable the creation of home directories for admin users by editing the file /etc/pam.d/common-session and add the following:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  • If you would like to delegate sudo permissions to your active directory users you can add something similar to your sudoers file to allow them access:
%linux_admins@ecorp.net ALL=(ALL) ALL

When logging into Linux, you’ll need to enter your username in the format of username@domain, as entering a username without any domain suffix will just be the local accounts on the machine.

Commands to test if stuff is working properly:

  • The following command should return a hash:
getent passwd user@ecorp.net
  • This command will return groups and other information about a user
id user@ecorp.net
  • This command will dump any of the AD cache held by SSS
sss_cache -E

5/5 - (1 vote)