SSSD with Active Directory on Ubuntu

We're in the middle of deploying multiple Hadoop clusters with different flavors. Since many of Azure's larger customers use an on-prem Active Directory forest for authentication, extending those identities and permissions to their Hadoop clusters was an important requirement.

Once the Hadoop cluster's been Kerberized, various security/identity features including user group mappings require SSSD (There are other methods, but I none of them seemed as secure - for eg: LDAP requires saving credentials in a file somewhere on disk)

I found many different install guides for getting SSSD with Active Directory working on Centos hosts and it always seemed like something was broken when it came to following the same steps on Ubuntu. I've included links to some of the resources I've used, but none of them worked exactly as advertised on Ubuntu.

The following steps will get you a domain-joined, Ubuntu 16.04 machine that allows SSH access using Active Directory credentials.

This guide does not include the steps to get a Kerberos Realm and KDC setup. There are many guides that go through that initial process. I've included some of those links at the end of my post.

Here's a description of the variables we'll use (Pay attention to the casing in the examples):

  • AD_DOMAIN: mydomain.local
  • AD_REALM: MYDOMAIN.LOCAL
  • WORKGROUP: MYDOMAIN
Install the relevant components

apt install -y krb5-user samba sssd chrony

Configure Samba for Netbios

vim /etc/samba/smb.conf

# Delete the workgroup line and add these:
   workgroup = WORKGROUP
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = AD_REALM
   security = ads
Create the sssd conf file

vim /etc/sssd/sssd.conf

[sssd]
services = nss, pam, ssh, autofs, pac  
config_file_version = 2  
domains = AD_DOMAIN  
override_space = _

[domain/AD_DOMAIN]
id_provider = ad  
auth_provider = ad  
chpass_provider = ad  
access_provider = ad  
enumerate = False  
krb5_realm = AD_REALM  
ldap_schema = ad  
ldap_id_mapping = True  
cache_credentials = True  
ldap_access_order = expire  
ldap_account_expire_policy = ad  
ldap_force_upper_case_realm = true  
fallback_homedir = /home/%d/%u  
default_shell = /bin/false  
ldap_referrals = true  
use_fully_qualified_names = False

[nss]
memcache_timeout = 3600  
override_shell = /bin/bash  
Set sssd conf permissions
chown root:root /etc/sssd/sssd.conf  
chmod 600 /etc/sssd/sssd.conf  
Join the machine to the domain

You need a valid kerberos ticket for an Active Directory user with Domain Join privileges for this step

kinit domain_join_user@AD_REALM  
net ads join -k  
Ensure pam creates a new user's home directory on successful login

vim /etc/pam.d/common-session

# Add this line to the end
session optional                        pam_mkhomedir.so  
Restart all the relevant services.
systemctl restart smbd.service nmbd.service  
systemctl restart sssd.service  
Test your config:
getent passwd ad_user@AD_REALM  
sudo su - ad_user@AD_REALM  

If that was successful, you're good to go! You should be able to SSH into this machine with your Active Directory credentials.

Troubleshooting:
  • SSSD conf typo:

    If you've been unlucky, and had a typo in your sssd conf you may have to reboot your VM in safe mode and delete the sssd.conf file before continuing with boot.

  • Glitchy install:

    I've had some machines where the install simply freezes and there's no way to successfully continue with the install. In those cases, I would recommend completely purging the installed components and restarting. Use the following commands to completely purge the installed components:

  apt remove --purge -y samba sssd chrony
  apt-get autoremove -y 
  apt-get purge -y samba samba-common
  • Debugging SSSD:

    Add the debug_level = [1..9] statement under each section in sssd.conf you want to debug.

Here are some of the links that I've used as a reference:

Feel free to reach out to me @rohchak if you have any questions! - chances are I've worked my way through it :)