Campus Active Directory - Linux Integration for NetID Authentication

This document explains how to configure the System Security Services Daemon (SSSD) for Campus Active Directory Services (CADS) so that users can log in to Linux computers with their NetID credentials.

SSSD provides NSS and PAM modules that can either provide Kerberos authentication of NetID passwords for users and groups that are managed locally, or provide full Active Directory integration (authentication, authorization, user and group information) by joining the Linux host to CADS.

Campus AD Kerberos Authentication for CentOS or Red Hat Linux

Under this SSSD configuration option, users and groups are managed locally on the Linux computer but NetID passwords are used for Kerberos authentication. It does not require a Campus Active Directory OU or admin account.

  1. Use yum upgrade to install package updates.
    $ sudo yum upgrade
  2. Install SSSD and related packages.
    $ sudo yum install sssd ntpdate ntp krb5-workstation   # krb5-workstation is the CentOS/RHEL name of the Kerberos client package
  3. Configure the Linux computer to use DoIT NTP Servers.
    $ sudo systemctl enable ntpd.service ; sudo systemctl stop ntpd.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntpd.service
  4. Verify hostnames are properly set in /etc/hosts.
    $ sudo vi /etc/hosts
  5. Edit the SSSD /etc/sssd/sssd.conf config file and restart the service.
    $ sudo vi /etc/sssd/sssd.conf
    [sssd]
    services = nss, pam
    domains = AD.WISC.EDU
    debug_level=3
    
    [domain/AD.WISC.EDU]
    id_provider = files
    auth_provider = krb5
    krb5_realm = AD.WISC.EDU
    krb5_server = ad.wisc.edu
    ldap_krb5_init_creds = True
    debug_level=3
    $ sudo rm -f /var/lib/sss/db/*
    $ sudo systemctl restart sssd
  6. Edit the Kerberos /etc/krb5.conf config file.
    $ sudo vi /etc/krb5.conf
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 10h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
      spake_preauth_groups = edwards25519
      default_realm = AD.WISC.EDU
      default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    AD.WISC.EDU = {
      kdc = ad.wisc.edu
      admin_server = ad.wisc.edu
    }
    
    [domain_realm]
    .ad.wisc.edu = AD.WISC.EDU
    ad.wisc.edu = AD.WISC.EDU
  7. Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
    $ kinit mplayde
    Password for mplayde@AD.WISC.EDU: 
    
  8. Use the klist command to verify the Kerberos ticket.
    $ klist
    Ticket cache: KCM:1000:3900
    Default principal: mplayde@AD.WISC.EDU
    
    Valid starting     Expires            Service principal
    06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
    renew until 06/24/21 14:23:17
  9. Provision a local user account whose username matches the NetID of each user authorized to access the host; the account gets no local password.
    $ sudo useradd mplayde
    $ sudo passwd -d mplayde
  10. Test connectivity to the computer via ssh.
  11. Refer to the vendor documentation, RHEL 7/CentOS 7 AD Kerberos Authentication Provider or RHEL 8/CentOS 8 AD Kerberos Authentication Provider, for further configuration options.

Joining a CentOS or Red Hat Linux computer to Campus AD

Under this SSSD configuration option, the Linux computer is joined to Campus Active Directory, and users, groups, and policies are managed in AD. It requires a Campus Active Directory OU or admin account.

  1. Use yum upgrade to install package updates.
    $ sudo yum upgrade
  2. Install SSSD and related packages.
    $ sudo yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp krb5-workstation   # krb5-workstation is the CentOS/RHEL name of the Kerberos client package
  3. Configure the Linux computer to use DoIT NTP Servers.
    $ sudo systemctl enable ntpd.service ; sudo systemctl stop ntpd.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntpd.service
  4. Verify hostnames are properly set in /etc/hosts.
    $ sudo vi /etc/hosts
  5. Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator and Campus Active Directory - Naming Convention before joining the computer to AD. Replace 'AD-OU account name' with your AD-OU account and replace ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu with the distinguished name of your OU, or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
    $ sudo realm join ad.wisc.edu -U 'AD-OU account name' --computer-ou='ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu'
  6. Edit the SSSD /etc/sssd/sssd.conf config file and restart the service.
    $ sudo vi /etc/sssd/sssd.conf
    [sssd]
    domains = ad.wisc.edu
    config_file_version = 2
    services = nss, pam
    
    [domain/ad.wisc.edu]
    ad_domain = ad.wisc.edu
    krb5_realm = AD.WISC.EDU
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = ad
    ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
    ad_gpo_ignore_unreadable = True
    $ sudo rm -f /var/lib/sss/db/*
    $ sudo systemctl restart sssd
  7. Edit the Kerberos /etc/krb5.conf config file.
    $ sudo vi /etc/krb5.conf
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 10h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
      spake_preauth_groups = edwards25519
      default_realm = AD.WISC.EDU
      default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    AD.WISC.EDU = {
      kdc = ad.wisc.edu
      admin_server = ad.wisc.edu
    }
    
    [domain_realm]
    .ad.wisc.edu = AD.WISC.EDU
    ad.wisc.edu = AD.WISC.EDU
  8. Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
    $ sudo vi /etc/ssh/sshd_config

    Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.

    AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
    $ sudo systemctl restart sshd
  9. Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
    $ kinit mplayde
    Password for mplayde@AD.WISC.EDU: 
    
  10. Use the klist command to verify the Kerberos ticket.
    $ klist
    Ticket cache: KCM:1000:3900
    Default principal: mplayde@AD.WISC.EDU
    
    Valid starting     Expires            Service principal
    06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
    renew until 06/24/21 14:23:17
  11. Test connectivity to the computer via ssh.
  12. Refer to the vendor documentation, RHEL 7/CentOS 7 AD Integration or RHEL 8/CentOS 8 AD Integration, for further configuration options.

Campus AD Kerberos Authentication for Ubuntu Linux

Under this SSSD configuration option, users and groups are managed locally on the Linux computer but NetID passwords are used for Kerberos authentication. It does not require a Campus Active Directory OU or admin account.

  1. Use apt-get to install package updates.
    $ sudo apt-get update
    $ sudo apt-get dist-upgrade
    
  2. Install SSSD and related packages.
    $ sudo apt install sssd sssd-ad sssd-tools ntpdate ntp krb5-user libnss-sss libpam-sss
  3. Configure the Linux computer to use DoIT NTP Servers.
    $ sudo systemctl enable ntp.service ; sudo systemctl stop ntp.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntp.service   # the Ubuntu ntp package installs its unit as ntp.service
  4. Verify hostnames are properly set in /etc/hosts.
    $ sudo vi /etc/hosts
  5. Edit the SSSD /etc/sssd/sssd.conf config file and restart the service.
    $ sudo vi /etc/sssd/sssd.conf
    [sssd]
    services = nss, pam
    domains = AD.WISC.EDU
    debug_level=3
    
    [domain/AD.WISC.EDU]
    id_provider = files
    auth_provider = krb5
    krb5_realm = AD.WISC.EDU
    krb5_server = ad.wisc.edu
    ldap_krb5_init_creds = True
    debug_level=3
    $ sudo rm -f /var/lib/sss/db/*
    $ sudo systemctl restart sssd
  6. Edit the Kerberos /etc/krb5.conf config file.
    $ sudo vi /etc/krb5.conf
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 10h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
      spake_preauth_groups = edwards25519
      default_realm = AD.WISC.EDU
      default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    AD.WISC.EDU = {
      kdc = ad.wisc.edu
      admin_server = ad.wisc.edu
    }
    
    [domain_realm]
    .ad.wisc.edu = AD.WISC.EDU
    ad.wisc.edu = AD.WISC.EDU
  7. Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
    $ kinit mplayde
    Password for mplayde@AD.WISC.EDU: 
    
  8. Use the klist command to verify the Kerberos ticket.
    $ klist
    Ticket cache: KCM:1000:3900
    Default principal: mplayde@AD.WISC.EDU
    
    Valid starting     Expires            Service principal
    06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
    renew until 06/24/21 14:23:17
  9. Provision a local user account whose username matches the NetID of each user authorized to access the host; the account gets no local password.
    $ sudo useradd mplayde
    $ sudo passwd -d mplayde
  10. Test connectivity to the computer via ssh.
  11. Refer to the vendor documentation, Ubuntu Active Directory Integration, for further configuration options.
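
A check worth running after completing this procedure on either distribution: in the Kerberos-only model the local accounts with uid >= 1000 are the access list, and `passwd -d` leaves each of them without a local password. The script below is an added example, not the KB article's own tooling; the passwd, shadow and authorized-NetID files it reads are constructed samples, and the one-NetID-per-line list format is an assumption.

```shell
# Added example, not part of the KB article. In the Kerberos-only setup the
# local accounts (uid >= 1000) are the access list and `passwd -d` leaves them
# an empty shadow field, so only the NetID password (checked by SSSD through
# Kerberos) authenticates. Audits passwd/shadow against a one-NetID-per-line
# list of authorized users (assumed format; real files live under /etc).

# audit_netid_accounts PASSWD SHADOW AUTHORIZED_LIST: one finding per line, 0 if clean
audit_netid_accounts() {
    passwd_file="$1"; shadow_file="$2"; authorized="$3"; rc=0
    # Non-system accounts (uid >= 1000), i.e. what `useradd` created.
    for user in $(awk -F: '$3 >= 1000 && $1 != "nobody" {print $1}' "$passwd_file"); do
        if ! grep -qx "$user" "$authorized"; then
            echo "EXTRA: $user has a local account but is not an authorized NetID"; rc=1
        fi
        pwfield=$(awk -F: -v u="$user" '$1 == u {print $2}' "$shadow_file")
        case "$pwfield" in
            "")        ;;   # expected after `passwd -d`: no local password
            '!'*|'*'*) echo "LOCKED: $user has a locked password field, not the empty one the procedure sets"; rc=1 ;;
            *)         echo "LOCALPW: $user has a local password hash; the NetID password is not the only credential"; rc=1 ;;
        esac
    done
    # Authorized NetIDs that were never provisioned cannot log in at all.
    while read -r netid; do
        [ -z "$netid" ] && continue
        if ! grep -q "^$netid:" "$passwd_file"; then
            echo "MISSING: authorized NetID $netid has no local account (run useradd)"; rc=1
        fi
    done < "$authorized"
    return $rc
}

# Constructed sample data for a stand-alone run; NetIDs and hashes are made up.
write_audit_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mplayde:x:1000:1000::/home/mplayde:/bin/bash
bbadger:x:1001:1001::/home/bbadger:/bin/bash
oldstaff:x:1002:1002::/home/oldstaff:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
mplayde::19000:0:99999:7:::
bbadger:$6$constructed$hash:19000:0:99999:7:::
oldstaff::19000:0:99999:7:::
EOF
    printf 'mplayde\nbbadger\nnewhire\n' > "$1/authorized_netids"
}

d=$(mktemp -d); write_audit_samples "$d"
audit_netid_accounts "$d/passwd" "$d/shadow" "$d/authorized_netids" || echo "audit found drift"
rm -rf "$d"
```

On the constructed sample it reports bbadger (local password hash present), oldstaff (account not in the authorized list) and newhire (authorized but never provisioned).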

Joining an Ubuntu Linux computer to Campus AD

Under this SSSD configuration option, the Linux computer is joined to Campus Active Directory, and users, groups, and policies are managed in AD. It requires a Campus Active Directory OU or admin account.

  1. Use apt-get to install package updates.
    $ sudo apt-get update
    $ sudo apt-get dist-upgrade
    
  2. Install SSSD and related packages.
    $ sudo apt install sssd sssd-ad sssd-tools realmd adcli ntpdate ntp krb5-user oddjob oddjob-mkhomedir samba-common libnss-sss libpam-sss
  3. Configure the Linux computer to use DoIT NTP Servers.
    $ sudo systemctl enable ntp.service ; sudo systemctl stop ntp.service ; sudo ntpdate 144.92.9.22 ; sudo systemctl start ntp.service   # the Ubuntu ntp package installs its unit as ntp.service
  4. Verify hostnames are properly set in /etc/hosts.
    $ sudo vi /etc/hosts
  5. Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator and Campus Active Directory - Naming Convention before joining the computer to AD. Replace 'AD-OU account name' with your AD-OU account and replace ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu with the distinguished name of your OU, or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
    $ sudo realm join ad.wisc.edu -U 'AD-OU account name' --computer-ou='ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu'
  6. Edit the SSSD /etc/sssd/sssd.conf config file and restart the service.
    $ sudo vi /etc/sssd/sssd.conf
    [sssd]
    domains = ad.wisc.edu
    config_file_version = 2
    services = nss, pam
    
    [domain/ad.wisc.edu]
    ad_domain = ad.wisc.edu
    krb5_realm = AD.WISC.EDU
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = ad
    ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
    ad_gpo_ignore_unreadable = True
    $ sudo rm -f /var/lib/sss/db/*
    $ sudo systemctl restart sssd
  7. Edit the Kerberos /etc/krb5.conf config file.
    $ sudo vi /etc/krb5.conf
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 10h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
      spake_preauth_groups = edwards25519
      default_realm = AD.WISC.EDU
      default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    AD.WISC.EDU = {
      kdc = ad.wisc.edu
      admin_server = ad.wisc.edu
    }
    
    [domain_realm]
    .ad.wisc.edu = AD.WISC.EDU
    ad.wisc.edu = AD.WISC.EDU
  8. Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
    $ sudo vi /etc/ssh/sshd_config

    Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.

    AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
    $ sudo systemctl restart sshd
  9. Use the kinit command to get a Kerberos ticket for your NetID from Campus AD.
    $ kinit mplayde
    Password for mplayde@AD.WISC.EDU: 
    
  10. Use the klist command to verify the Kerberos ticket.
    $ klist
    Ticket cache: KCM:1000:3900
    Default principal: mplayde@AD.WISC.EDU
    
    Valid starting     Expires            Service principal
    06/17/21 14:23:23  06/18/21 00:23:17  krbtgt/AD.WISC.EDU@AD.WISC.EDU
    renew until 06/24/21 14:23:17
  11. Test connectivity to the computer via ssh.
  12. Refer to the vendor documentation, Ubuntu Active Directory Integration, for further configuration options.
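
A check for the AllowGroups line written in step 8 of either join procedure (CentOS/RHEL or Ubuntu). Because the sssd.conf above sets use_fully_qualified_names = True, SSSD presents AD groups to sshd as name@ad.wisc.edu, so an AD group listed without that suffix matches nobody and silently locks that group out. The script is an added example, not the KB article's own tooling; the sshd_config and group files it reads are constructed samples.

```shell
# Added example, not part of the KB article. With use_fully_qualified_names =
# True (step 6), SSSD presents AD groups as name@ad.wisc.edu, so each AD entry
# on the AllowGroups line (step 8) must carry that suffix; unqualified entries
# are only meaningful when they are local groups present in /etc/group.
# The sample sshd_config and group files below are constructed.

AD_DOMAIN="ad.wisc.edu"

# check_allowgroups SSHD_CONFIG GROUP_FILE: one finding per line, 0 if all usable
check_allowgroups() {
    group_file="$2"; rc=0
    # sshd honours the first occurrence of a keyword, so later lines are ignored.
    line=$(grep -E '^[[:space:]]*AllowGroups[[:space:]]' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "NOALLOW: no AllowGroups line; ssh access is not restricted by group"
        return 1
    fi
    set -- $line; shift        # positional parameters are now the group entries
    for entry in "$@"; do
        case "$entry" in
            *@"$AD_DOMAIN") ;;  # fully qualified AD group: matches what SSSD returns
            *@*) echo "SUFFIX: $entry should end in @$AD_DOMAIN"; rc=1 ;;
            *)
                if ! grep -q "^$entry:" "$group_file"; then
                    echo "UNQUALIFIED: $entry is not a local group; write it as $entry@$AD_DOMAIN"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed samples: a correct line, and one with two dead entries followed by
# a second AllowGroups line that sshd would ignore.
write_sshd_samples() {
    printf 'AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu\n' > "$1/sshd_config.good"
    printf 'PermitRootLogin no\nAllowGroups root group1 group2@wisc.edu\nAllowGroups group1@ad.wisc.edu\n' > "$1/sshd_config.bad"
    printf 'root:x:0:\nwheel:x:10:\n' > "$1/group"
}

d=$(mktemp -d); write_sshd_samples "$d"
check_allowgroups "$d/sshd_config.good" "$d/group" && echo "sshd_config.good: OK"
check_allowgroups "$d/sshd_config.bad" "$d/group" || echo "sshd_config.bad: fix before restarting sshd"
rm -rf "$d"
```

Run it against the real files as `check_allowgroups /etc/ssh/sshd_config /etc/group` before the `systemctl restart sshd` in step 8, since a dead AllowGroups entry only shows up as a refused login.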


Keywords: sssd bind realm ad cads auth logon login password windows server
Doc ID: 103893
Owner: Marc T.
Group: UW-Madison Research Data
Created: 2020-07-13 07:28:19
Updated: 2023-09-20 10:05:39
Sites: UW-Madison Research Data