SSSD with Active Directory on Ubuntu
We're in the middle of deploying multiple Hadoop clusters with different flavors. Since many of Azure's larger customers use an on-prem Active Directory forest for authentication, extending those identities and permissions to their Hadoop clusters was an important requirement.
Once the Hadoop cluster has been Kerberized, various security/identity features, including user group mappings, require SSSD. (There are other methods, but none of them seemed as secure; for example, LDAP requires saving credentials in a file somewhere on disk.)
I found many different install guides for getting SSSD with Active Directory working on CentOS hosts, and it always seemed like something was broken when it came to following the same steps on Ubuntu. I've included links to some of the resources I've used, but none of them worked exactly as advertised on Ubuntu.
The following steps will get you a domain-joined, Ubuntu 16.04 machine that allows SSH access using Active Directory credentials.
This guide does not include the steps to get a Kerberos Realm and KDC setup. There are many guides that go through that initial process. I've included some of those links at the end of my post.
Here's a description of the variables we'll use (Pay attention to the casing in the examples):
- AD_DOMAIN: mydomain.local
- AD_REALM: MYDOMAIN.LOCAL
- WORKGROUP: MYDOMAIN
Install the relevant components
apt install -y krb5-user samba sssd chrony
Configure Samba for NetBIOS
vim /etc/samba/smb.conf
# In the [global] section, delete the existing workgroup line and add these:
workgroup = WORKGROUP
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD_REALM
security = ads
Create the sssd conf file
vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs, pac
config_file_version = 2
domains = AD_DOMAIN
override_space = _
[domain/AD_DOMAIN]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = False
krb5_realm = AD_REALM
ldap_schema = ad
ldap_id_mapping = True
cache_credentials = True
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
fallback_homedir = /home/%d/%u
default_shell = /bin/false
ldap_referrals = true
use_fully_qualified_names = False
[nss]
memcache_timeout = 3600
override_shell = /bin/bash
Set sssd conf permissions
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
Join the machine to the domain
You need a valid Kerberos ticket for an Active Directory user with Domain Join privileges for this step.
kinit domain_join_user@AD_REALM
net ads join -k
Ensure PAM creates a new user's home directory on successful login
vim /etc/pam.d/common-session
# Add this line to the end
session optional pam_mkhomedir.so
Restart all the relevant services.
systemctl restart smbd.service nmbd.service
systemctl restart sssd.service
Test your config:
getent passwd ad_user@AD_REALM
sudo su - ad_user@AD_REALM
If that was successful, you're good to go! You should be able to SSH into this machine with your Active Directory credentials.
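As an added example (not from the original post), here is a small shell helper that renders the sssd.conf shown above from AD_DOMAIN / AD_REALM with the right permissions and sanity-checks it before you restart sssd; the function names are my own, and the domain values used when checking it are constructed samples.

```sh
# Added example, not from the original post: render the sssd.conf shown
# above from AD_DOMAIN / AD_REALM and sanity-check it before restarting sssd.
# Function names are my own; sample values used in the check are constructed.
render_sssd_conf() {  # $1 = AD_DOMAIN (lowercase), $2 = AD_REALM (uppercase), $3 = output path
    domain="$1"; realm="$2"; out="$3"
    # Casing matters (see the variable list): refuse a realm that is not all uppercase.
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    # umask in a subshell: the file is created 0600 without touching the caller's umask.
    ( umask 077; cat > "$out" <<EOF
[sssd]
services = nss, pam, ssh, autofs, pac
config_file_version = 2
domains = $domain
override_space = _
[domain/$domain]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = False
krb5_realm = $realm
ldap_schema = ad
ldap_id_mapping = True
cache_credentials = True
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
fallback_homedir = /home/%d/%u
default_shell = /bin/false
ldap_referrals = true
use_fully_qualified_names = False
[nss]
memcache_timeout = 3600
override_shell = /bin/bash
EOF
    )
}

# Check an sssd.conf before 'systemctl restart sssd': mode 600, a [sssd] section,
# a [domain/...] section for every name in 'domains =', and the AD id provider.
check_sssd_conf() {
    f="$1"
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || { echo "$f: mode must be 600"; return 1; }
    grep -q '^\[sssd\]' "$f" || { echo "$f: missing [sssd] section"; return 1; }
    for d in $(sed -n 's/^domains *= *//p' "$f" | tr ',' ' '); do
        grep -q "^\[domain/$d\]" "$f" || { echo "$f: no [domain/$d] section"; return 1; }
    done
    grep -q '^id_provider *= *ad' "$f" || { echo "$f: id_provider must be ad"; return 1; }
}
```

Run the check against /etc/sssd/sssd.conf after every edit; a file that fails it is the kind of typo the troubleshooting section below describes.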
Troubleshooting:
- SSSD conf typo:
If you've been unlucky and had a typo in your sssd conf, you may have to reboot your VM in safe mode and delete the sssd.conf file before continuing with boot.
- Glitchy install:
I've had some machines where the install simply freezes and there's no way to successfully continue with the install. In those cases, I would recommend completely purging the installed components and restarting. Use the following commands to completely purge the installed components:
apt remove --purge -y samba sssd chrony
apt-get autoremove -y
apt-get purge -y samba samba-common
- Debugging SSSD:
Add the statement debug_level = [1..9] under each section in sssd.conf you want to debug.
Here are some of the links that I've used as a reference:
- http://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html
- https://github.com/HortonworksUniversity/Security_Labs/blob/master/HDP-2.6-AD.md#lab-4
- https://help.ubuntu.com/lts/serverguide/sssd-ad.html
Feel free to reach out to me @rohchak if you have any questions! - chances are I've worked my way through it :)