Campus Active Directory - Linux Integration for NetID Authentication
This document explains how to configure the System Security Services Daemon (SSSD) for Campus Active Directory Services (CADS) so that users can log in to Linux computers with their NetID credentials.
SSSD provides NSS and PAM modules that can either provide Kerberos authentication against NetID passwords for locally managed users and groups, or full Active Directory integration (authentication, authorization, user and group information) by joining a Linux host to CADS.
- Campus AD Kerberos Authentication for CentOS or Red Hat Linux
- Joining a CentOS or Red Hat Linux computer to Campus AD
- Campus AD Kerberos Authentication for Ubuntu Linux
- Joining an Ubuntu Linux computer to Campus AD
Campus AD Kerberos Authentication for CentOS or Red Hat Linux
Under this SSSD configuration option, users and groups are managed locally on the Linux computer but NetID passwords are used for Kerberos authentication. It does not require a Campus Active Directory OU or admin account.
- Use yum upgrade to install package updates.
$ sudo yum upgrade
- Install SSSD and related packages.
$ sudo yum install sssd ntpdate ntp krb5-workstation
- Configure the Linux computer to use the DoIT NTP Servers.
$ sudo systemctl enable ntpd.service ; sudo systemctl stop ntpd.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntpd.service
- Verify hostnames are properly set in /etc/hosts
$ sudo vi /etc/hosts
- Edit the SSSD /etc/sssd/sssd.conf config file (it must be owned by root with mode 0600, or SSSD will refuse to start), clear the SSSD cache, and restart the service.
$ sudo vi /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = AD.WISC.EDU
debug_level = 3

[domain/AD.WISC.EDU]
id_provider = files
auth_provider = krb5
krb5_realm = AD.WISC.EDU
krb5_server = ad.wisc.edu
ldap_krb5_init_creds = True
debug_level = 3

$ sudo rm -f /var/lib/sss/db/*
$ sudo systemctl restart sssd
- Edit the Kerberos /etc/krb5.conf config file
$ sudo vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = AD.WISC.EDU
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.WISC.EDU = {
    kdc = ad.wisc.edu
    admin_server = ad.wisc.edu
}

[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
- Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
$ kinit mplayde
Password for mplayde@AD.WISC.EDU:
- Use the klist command to verify the Kerberos ticket.
$ klist
Ticket cache: KCM:1000:3900
Default principal: mplayde@AD.WISC.EDU

Valid starting     Expires            Service principal
06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
        renew until 06/24/21 14:23:17
- Provision a local user account, with a username matching the NetID, for each user authorized to access the host (passwd -d removes the local password so that the NetID password is used instead).
$ sudo useradd mplayde
$ sudo passwd -d mplayde
- Test connectivity to the computer via ssh.
- Refer to vendor documentation RHEL 7/CentOS 7 AD Kerberos Authentication Provider or RHEL 8/CentOS 8 AD Kerberos Authentication Provider for configuration options.
Joining a CentOS or Red Hat Linux computer to Campus AD
Under this SSSD configuration option, the Linux computer is joined to Campus Active Directory and users, groups, and policies are managed in AD. It requires a Campus Active Directory OU or admin account.
- Use yum upgrade to install package updates.
$ sudo yum upgrade
- Install SSSD and related packages.
$ sudo yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp krb5-workstation
- Configure the Linux computer to use the DoIT NTP Servers.
$ sudo systemctl enable ntpd.service ; sudo systemctl stop ntpd.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntpd.service
- Verify hostnames are properly set in /etc/hosts
$ sudo vi /etc/hosts
- Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator and Campus Active Directory - Naming Convention before joining the computer to AD. Replace references to AD-OU account name with your AD-OU account and replace references to ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu with your OU or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
$ sudo realm join ad.wisc.edu -U <AD-OU account name> --computer-ou=ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu
- Edit the SSSD /etc/sssd/sssd.conf config file (it must be owned by root with mode 0600, or SSSD will refuse to start), clear the SSSD cache, and restart the service.
$ sudo vi /etc/sssd/sssd.conf
[sssd]
domains = ad.wisc.edu
config_file_version = 2
services = nss, pam

[domain/ad.wisc.edu]
ad_domain = ad.wisc.edu
krb5_realm = AD.WISC.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
ad_gpo_ignore_unreadable = True

$ sudo rm -f /var/lib/sss/db/*
$ sudo systemctl restart sssd
- Edit the Kerberos /etc/krb5.conf config file
$ sudo vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = AD.WISC.EDU
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.WISC.EDU = {
    kdc = ad.wisc.edu
    admin_server = ad.wisc.edu
}

[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
- Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
$ sudo vi /etc/ssh/sshd_config
Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.
AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
$ sudo systemctl restart sshd
- Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
$ kinit mplayde
Password for mplayde@AD.WISC.EDU:
- Use the klist command to verify the Kerberos ticket.
$ klist
Ticket cache: KCM:1000:3900
Default principal: mplayde@AD.WISC.EDU

Valid starting     Expires            Service principal
06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
        renew until 06/24/21 14:23:17
- Test connectivity to the computer via ssh.
- Refer to vendor documentation RHEL 7/CentOS 7 AD Integration or RHEL 8/CentOS 8 AD Integration for configuration options.
Campus AD Kerberos Authentication for Ubuntu Linux
Under this SSSD configuration option, users and groups are managed locally on the Linux computer but NetID passwords are used for Kerberos authentication. It does not require a Campus Active Directory OU or admin account.
- Use apt-get to install package updates.
$ sudo apt-get update
$ sudo apt-get dist-upgrade
- Install SSSD and related packages.
$ sudo apt install sssd sssd-ad sssd-tools ntpdate ntp krb5-user libnss-sss libpam-sss
- Configure the Linux computer to use the DoIT NTP Servers (on Ubuntu the ntp package's unit is named ntp.service).
$ sudo systemctl enable ntp.service ; sudo systemctl stop ntp.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntp.service
- Verify hostnames are properly set in /etc/hosts
$ sudo vi /etc/hosts
- Edit the SSSD /etc/sssd/sssd.conf config file (it must be owned by root with mode 0600, or SSSD will refuse to start), clear the SSSD cache, and restart the service.
$ sudo vi /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = AD.WISC.EDU
debug_level = 3

[domain/AD.WISC.EDU]
id_provider = files
auth_provider = krb5
krb5_realm = AD.WISC.EDU
krb5_server = ad.wisc.edu
ldap_krb5_init_creds = True
debug_level = 3

$ sudo rm -f /var/lib/sss/db/*
$ sudo systemctl restart sssd
- Edit the Kerberos /etc/krb5.conf config file
$ sudo vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = AD.WISC.EDU
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.WISC.EDU = {
    kdc = ad.wisc.edu
    admin_server = ad.wisc.edu
}

[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
- Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
$ kinit mplayde
Password for mplayde@AD.WISC.EDU:
- Use the klist command to verify the Kerberos ticket.
$ klist
Ticket cache: KCM:1000:3900
Default principal: mplayde@AD.WISC.EDU

Valid starting     Expires            Service principal
06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
        renew until 06/24/21 14:23:17
- Provision a local user account, with a username matching the NetID, for each user authorized to access the host (passwd -d removes the local password so that the NetID password is used instead).
$ sudo useradd mplayde
$ sudo passwd -d mplayde
- Test connectivity to the computer via ssh.
- Refer to vendor documentation Ubuntu Active Directory Integration for configuration options.
Joining an Ubuntu Linux computer to Campus AD
Under this SSSD configuration option, the Linux computer is joined to Campus Active Directory and users, groups, and policies are managed in AD. It requires a Campus Active Directory OU or admin account.
- Use apt-get to install package updates.
$ sudo apt-get update
$ sudo apt-get dist-upgrade
- Install SSSD and related packages.
$ sudo apt install sssd sssd-ad sssd-tools realmd adcli ntpdate ntp krb5-user oddjob oddjob-mkhomedir samba-common libnss-sss libpam-sss
- Configure the Linux computer to use the DoIT NTP Servers (on Ubuntu the ntp package's unit is named ntp.service).
$ sudo systemctl enable ntp.service ; sudo systemctl stop ntp.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntp.service
- Verify hostnames are properly set in /etc/hosts
$ sudo vi /etc/hosts
- Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator and Campus Active Directory - Naming Convention before joining the computer to AD. Replace references to AD-OU account name with your AD-OU account and replace references to ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu with your OU or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
$ sudo realm join ad.wisc.edu -U <AD-OU account name> --computer-ou=ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu
- Edit the SSSD /etc/sssd/sssd.conf config file (it must be owned by root with mode 0600, or SSSD will refuse to start), clear the SSSD cache, and restart the service.
$ sudo vi /etc/sssd/sssd.conf
[sssd]
domains = ad.wisc.edu
config_file_version = 2
services = nss, pam

[domain/ad.wisc.edu]
ad_domain = ad.wisc.edu
krb5_realm = AD.WISC.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
ad_gpo_ignore_unreadable = True

$ sudo rm -f /var/lib/sss/db/*
$ sudo systemctl restart sssd
- Edit the Kerberos /etc/krb5.conf config file
$ sudo vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = AD.WISC.EDU
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.WISC.EDU = {
    kdc = ad.wisc.edu
    admin_server = ad.wisc.edu
}

[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
- Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
$ sudo vi /etc/ssh/sshd_config
Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.
AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
$ sudo systemctl restart sshd
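In both the CentOS and Ubuntu join procedures, the sssd.conf settings access_provider = ad and use_fully_qualified_names = True decide who can log in, and the AllowGroups line only works when its group names match the form SSSD uses. The checker below is an added example, not part of this KB article or of SSSD; it reads an sssd.conf and an sshd_config (constructed samples copied from this page's values) and reports the mismatches that would either lock every user out or let every AD account in.

```python
import configparser

# Constructed sample: this page's AD-joined sssd.conf, trimmed to the keys the checks read.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.wisc.edu
[domain/ad.wisc.edu]
id_provider = ad
access_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
"""
# Constructed sample of the sshd_config line this page has you edit.
SAMPLE_SSHD_CONFIG = "AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu\n"

def load_sssd_conf(text):
    # interpolation=None: /home/%u@%d holds literal % signs the default parser rejects.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_sssd_conf(text):
    """Return findings for an sssd.conf; an empty list means the checks passed."""
    cp, findings = load_sssd_conf(text), []
    for dom in [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]:
        sec = "domain/" + dom
        if (cp.get(sec, "id_provider", fallback="") == "ad"
                and cp.get(sec, "access_provider", fallback="permit") != "ad"):
            # SSSD's default access_provider is permit: no AD account-expiry or GPO logon-right checks.
            findings.append(f"{sec}: access_provider is not 'ad'")
    return findings

def check_allowgroups(sssd_text, sshd_text):
    # Flag AllowGroups entries whose naming cannot match how SSSD presents groups.
    cp, findings = load_sssd_conf(sssd_text), []
    fqn = {s[len("domain/"):].lower(): cp.getboolean(s, "use_fully_qualified_names", fallback=False)
           for s in cp.sections() if s.startswith("domain/")}
    for line in sshd_text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() != "allowgroups":
            continue
        for group in parts[1:]:
            if "@" not in group:
                continue  # local group such as root or wheel: nothing to check
            dom = group.rpartition("@")[2].lower()
            if dom not in fqn:
                findings.append(f"{group}: domain {dom} is not configured in sssd.conf")
            elif not fqn[dom]:
                findings.append(f"{group}: use_fully_qualified_names is False, so this name never matches")
    return findings
```

Run check_sssd_conf and check_allowgroups against the real files before the sssd and sshd restarts; an empty list from both means the two configurations agree.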
- Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
$ kinit mplayde
Password for mplayde@AD.WISC.EDU:
- Use the klist command to verify the Kerberos ticket.
$ klist
Ticket cache: KCM:1000:3900
Default principal: mplayde@AD.WISC.EDU

Valid starting     Expires            Service principal
06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
        renew until 06/24/21 14:23:17
- Test connectivity to the computer via ssh.
- Refer to vendor documentation Ubuntu Active Directory Integration for configuration options.