We're in the middle of deploying multiple Hadoop clusters with different flavors. Since many of Azure's larger customers use an on-prem Active Directory forest for authentication, extending those identities and permissions to their Hadoop clusters was an important requirement.
Once the Hadoop cluster has been Kerberized, various security/identity features, including user-to-group mappings, require SSSD. (There are other methods, but none of them seemed as secure to me; for example, LDAP requires saving credentials in a file somewhere on disk.)
I found many different install guides for getting SSSD working with Active Directory on CentOS hosts, and it always seemed like something was broken when it came to following the same steps on Ubuntu. I've included links to some of the resources I've used, but none of them worked exactly as advertised on Ubuntu.
The following steps will get you a domain-joined, Ubuntu 16.04 machine that allows SSH access using Active Directory credentials.
This guide does not include the steps to get a Kerberos realm and KDC set up. There are many guides that go through that initial process; I've included some of those links at the end of my post.
Here's a description of the variables we'll use (Pay attention to the casing in the examples):
- AD_DOMAIN: mydomain.local
- AD_REALM: MYDOMAIN.LOCAL
- WORKGROUP: MYDOMAIN
Install the relevant components
apt install -y krb5-user samba sssd chrony
Configure Samba for NetBIOS (the [global] section of /etc/samba/smb.conf)
# Delete the existing workgroup line and add these:
workgroup = WORKGROUP
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = AD_REALM
security = ads
Create the sssd.conf file (/etc/sssd/sssd.conf)
[sssd]
services = nss, pam, ssh, autofs, pac
config_file_version = 2
domains = AD_DOMAIN
override_space = _

[domain/AD_DOMAIN]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = False
krb5_realm = AD_REALM
ldap_schema = ad
ldap_id_mapping = True
cache_credentials = True
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
fallback_homedir = /home/%d/%u
default_shell = /bin/false
ldap_referrals = true
use_fully_qualified_names = False

[nss]
memcache_timeout = 3600
override_shell = /bin/bash
Set sssd.conf ownership and permissions (sssd refuses to start if the file is readable by anyone but root)
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
Join the machine to the domain
You need a valid Kerberos ticket for an Active Directory user with domain-join privileges for this step.
kinit domain_join_user@AD_REALM
net ads join -k
Ensure PAM creates a new user's home directory on successful login (/etc/pam.d/common-session on Ubuntu)
# Add this line to the end
session optional pam_mkhomedir.so
Restart all the relevant services.
systemctl restart smbd.service nmbd.service
systemctl restart sssd.service
Test your config:
getent passwd ad_user@AD_REALM
sudo su - ad_user@AD_REALM
If that was successful, you're good to go! You should be able to SSH into this machine with your Active Directory credentials.
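As an added example (not part of the original post), the following shell script turns the steps above into something repeatable: it derives AD_REALM and WORKGROUP from AD_DOMAIN with the casing the post calls for, writes the post's sssd.conf with the variables filled in, applies the 600/root:root permissions, prints the smb.conf [global] lines, and runs a sanity check for the casing and permission mistakes that most often break a join. It writes under a scratch directory (CONF_ROOT) rather than /etc, so it runs without touching a real host; the example domain, CONF_ROOT and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the post's sssd.conf and
# smb.conf [global] lines from AD_DOMAIN and checks the result. CONF_ROOT is a
# scratch directory by default; point it at / on a host you are configuring.

# mydomain.local -> AD_DOMAIN=mydomain.local, AD_REALM=MYDOMAIN.LOCAL, WORKGROUP=MYDOMAIN
derive_vars() {
    AD_DOMAIN=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    AD_REALM=$(printf '%s' "$AD_DOMAIN" | tr 'a-z' 'A-Z')
    WORKGROUP=${AD_REALM%%.*}
}

# Write sssd.conf as in the post, with the variables substituted, mode 0600.
write_sssd_conf() {
    dest="$1"
    mkdir -p "$(dirname "$dest")"
    cat > "$dest" <<EOF
[sssd]
services = nss, pam, ssh, autofs, pac
config_file_version = 2
domains = $AD_DOMAIN
override_space = _

[domain/$AD_DOMAIN]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = False
krb5_realm = $AD_REALM
ldap_schema = ad
ldap_id_mapping = True
cache_credentials = True
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
fallback_homedir = /home/%d/%u
default_shell = /bin/false
ldap_referrals = true
use_fully_qualified_names = False

[nss]
memcache_timeout = 3600
override_shell = /bin/bash
EOF
    chmod 600 "$dest"
    # sssd requires root ownership; chown only succeeds when run as root
    [ "$(id -u)" -eq 0 ] && chown root:root "$dest"
    return 0
}

# The smb.conf [global] lines from the post (replace the existing workgroup line).
smb_global_lines() {
    cat <<EOF
workgroup = $WORKGROUP
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = $AD_REALM
security = ads
EOF
}

# Catches the usual breakages: domain not lower case, realm not upper case,
# realm and domain disagreeing, and a file that is not mode 0600.
check_sssd_conf() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    perms=$(ls -l "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "bad mode $perms on $f (want 0600)"; return 1; }
    domain=$(sed -n 's/^domains = //p' "$f")
    realm=$(sed -n 's/^krb5_realm = //p' "$f")
    [ -n "$domain" ] && [ -n "$realm" ] || { echo "domains/krb5_realm missing"; return 1; }
    [ "$domain" = "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" ] || { echo "domain must be lower case"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || { echo "realm must be upper case"; return 1; }
    [ "$realm" = "$(printf '%s' "$domain" | tr 'a-z' 'A-Z')" ] || { echo "realm and domain differ"; return 1; }
    grep -q "^\[domain/$domain\]" "$f" || { echo "no [domain/$domain] section"; return 1; }
    return 0
}

# Demo run with the post's example domain (constructed; nothing is joined).
CONF_ROOT=${CONF_ROOT:-$(mktemp -d)}
derive_vars "${1:-mydomain.local}"
write_sssd_conf "$CONF_ROOT/etc/sssd/sssd.conf"
smb_global_lines
check_sssd_conf "$CONF_ROOT/etc/sssd/sssd.conf" && echo "sssd.conf under $CONF_ROOT looks sane"
```

Run it as `CONF_ROOT=/ sh render-ad-conf.sh mydomain.local` (as root) to write the real /etc/sssd/sssd.conf, then paste the printed lines into smb.conf before the join step.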
SSSD conf typo:
If you've been unlucky and had a typo in your sssd.conf, you may have to reboot your VM in safe mode and delete the sssd.conf file before continuing with the boot.
I've had some machines where the install simply freezes and there's no way to continue successfully. In those cases I'd recommend completely purging the installed components and starting over. Use the following commands to purge them:
apt remove --purge -y samba sssd chrony
apt-get autoremove -y
apt-get purge -y samba samba-common
To troubleshoot, add a debug_level = [1..9] statement under each section in sssd.conf that you want to debug (higher is more verbose).
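As an added example (not from the original post), here is a section-aware helper that adds or replaces a `debug_level = N` line directly under each named section of an sssd.conf, which is the troubleshooting step just described. It prints the result rather than editing in place, so you can review it and then install it with mode 0600 as before. The function name, the sample configuration and the section names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: insert or update
# "debug_level = N" under selected [sections] of an sssd.conf.

# usage: set_debug_level FILE LEVEL SECTION [SECTION...]
#   e.g. set_debug_level /etc/sssd/sssd.conf 9 sssd domain/mydomain.local
set_debug_level() {
    f="$1"; level="$2"; shift 2
    case "$level" in
        [1-9]) ;;
        *) echo "debug_level must be 1..9, got '$level'" >&2; return 1 ;;
    esac
    # " sssd domain/mydomain.local " - space-delimited on both sides so that
    # a section called "local" never matches inside "domain/mydomain.local"
    wanted=$(printf ' %s' "$@"; printf ' ')
    awk -v level="$level" -v wanted="$wanted" '
        function want(name) { return index(wanted, " " name " ") > 0 }
        /^\[.*\]$/ {
            cur = substr($0, 2, length($0) - 2)   # section name without brackets
            print
            if (want(cur)) print "debug_level = " level
            next
        }
        # an old debug_level in a section we just rewrote: drop it (idempotent)
        /^debug_level[ \t]*=/ && want(cur) { next }
        { print }
    ' "$f"
}

# Constructed sample, trimmed from the post's sssd.conf, so the helper can be
# tried without touching a real /etc/sssd/sssd.conf.
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = mydomain.local

[domain/mydomain.local]
id_provider = ad
debug_level = 2

[nss]
memcache_timeout = 3600
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
# [sssd] and [domain/...] get "debug_level = 9"; [nss] is left alone
set_debug_level "$tmp" 9 sssd domain/mydomain.local
rm -f "$tmp"
```

On a real host, redirect the output to a new file, check it, then `install -m 600 -o root -g root` it over /etc/sssd/sssd.conf and restart sssd; remove the lines again once you have the logs you need, since level 9 is very chatty.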
Here are some of the links that I've used as a reference:
Feel free to reach out to me @rohchak if you have any questions! - chances are I've worked my way through it :)