Campus Active Directory - Linux Integration for NetID Authentication

This document explains how to integrate a Linux computer with Campus Active Directory Services (CADS) in order to support NetID authentication.

These instructions require a Campus Active Directory Services (CADS) Organizational Unit (OU) and root or sudo privileges, so you will likely need to contact your system administrator or departmental IT person for assistance.

Adding a CentOS or Red Hat Linux computer to Campus Active Directory

  1. Use yum upgrade to install package updates.
    user@host:~ sudo yum upgrade
  2. Install SSSD and related packages.
    user@host:~ sudo yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp krb5-user
  3. Configure the Linux computer to use the DoIT NTP servers by editing /etc/ntp.conf.
    user@host:~ sudo vi /etc/ntp.conf
    Add the following servers and disable any non-campus NTP servers:
    server 128.104.30.17
    server 144.92.104.20
    server 144.92.20.100
    server 144.92.9.22
    user@host:~ sudo systemctl enable ntpd.service
    user@host:~ sudo systemctl stop ntpd.service
    user@host:~ sudo ntpdate 144.92.9.22
    user@host:~ sudo systemctl start ntpd.service
  4. Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator. Replace "ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu" in the command below with your own OU, or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
    user@host:~ sudo realm join ad.wisc.edu -U <your-AD-OU-account> --computer-ou=ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu
  5. Edit the SSSD config file and restart the service.
    user@host:~ sudo vi /etc/sssd/sssd.conf

    Add the following lines to the bottom of sssd.conf:

    ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
    ad_gpo_ignore_unreadable = True
    user@host:~ sudo rm -f /var/lib/sss/db/*
    user@host:~ sudo systemctl restart sssd
  6. Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
    user@host:~ sudo vi /etc/ssh/sshd_config

    Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.

    AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
    user@host:~ sudo systemctl restart sshd
  7. Test connectivity to the computer via ssh.

Adding an Ubuntu or Debian Linux computer to Campus Active Directory

  1. Use apt-get to install package updates.
    user@host:~ sudo apt-get update
    user@host:~ sudo apt-get dist-upgrade
  2. Install SSSD and related packages.
    user@host:~ sudo apt install sssd sssd-ad sssd-tools realmd adcli ntpdate krb5-user oddjob oddjob-mkhomedir samba-common libnss-sss libpam-sss
  3. Configure the Linux computer to use the DoIT NTP servers by editing /etc/ntp.conf.
    user@host:~ sudo vi /etc/ntp.conf
    Add the following servers and disable any non-campus NTP servers:
    server 128.104.30.17 iburst
    server 144.92.104.20 iburst
    server 144.92.20.100 iburst
    server 144.92.9.22 iburst
    user@host:~ sudo service ntp stop
    user@host:~ sudo ntpdate 144.92.9.22
    user@host:~ sudo service ntp start
  4. Edit /etc/krb5.conf to add Campus Active Directory domain information.
    user@host:~ sudo vi /etc/krb5.conf
    Add the following lines:
    [libdefaults]
      default_realm = AD.WISC.EDU
      dns_lookup_realm = false
      rdns = false
      forwardable = true

    [realms]
      AD.WISC.EDU = {
      }

    [domain_realm]
      ad.wisc.edu = AD.WISC.EDU
      .ad.wisc.edu = AD.WISC.EDU
  5. Join the machine to Campus AD with your AD-OU account and place the computer object in your Organizational Unit (OU). Please refer to Campus Active Directory - Requesting an Organizational Unit (OU) Administrator. Replace "ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu" in the command below with your own OU, or see Active Directory - Moving a Newly Joined Machine to Your Organizational Unit.
    user@host:~ sudo realm join ad.wisc.edu -U <your-AD-OU-account> --computer-ou=ou=computers,ou=orgUnits,dc=ad,dc=wisc,dc=edu --install=/
  6. Edit the SSSD config file and restart the service.
    user@host:~ sudo vi /etc/sssd/sssd.conf

    Add the following lines to the bottom of sssd.conf:

    ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
    ad_gpo_ignore_unreadable = True
    user@host:~ sudo rm -f /var/lib/sss/db/*
    user@host:~ sudo systemctl restart sssd
  7. Add AD groups allowed for ssh to /etc/ssh/sshd_config. See Campus Active Directory - Security Group Management Recommendation and optionally Manifest and Active Directory Group Guidelines if you would like to use a Manifest group to control access.
    user@host:~ sudo vi /etc/ssh/sshd_config

    Add your desired Campus AD groups to the "AllowGroups" line in sshd_config. Replace "group1@ad.wisc.edu" and "group2@ad.wisc.edu" with your AD group names.

    AllowGroups root group1@ad.wisc.edu group2@ad.wisc.edu
    user@host:~ sudo systemctl restart sshd
  8. Test connectivity to the computer via ssh.
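Before the ssh test in the last step of either procedure, it is worth confirming that the two files edited above actually restrict access: once SSSD is wired into NSS and PAM, a missing or commented-out AllowGroups line lets every campus NetID log in. The script below is an added example, not part of the original KB article; it runs offline against constructed sample files, and on a real host you would point the functions at /etc/ssh/sshd_config and /etc/sssd/sssd.conf.

```shell
# Post-join sanity check (added example, not from the KB article).
# Checks that sshd has an explicit AllowGroups list naming AD groups and
# that sssd.conf carries the settings added in the steps above.
# The sample files below are constructed for the demonstration.

# Print the first uncommented AllowGroups value (sshd honours the first one).
allow_groups() {
    grep -Ei '^[[:space:]]*AllowGroups[[:space:]]+' "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*AllowGroups[[:space:]]+//'
}

# Return 0 when AllowGroups is set, contains no bare wildcard, and names at
# least one AD group (an entry containing '@'); return 1 otherwise.
sshd_restricts_to_ad_groups() {
    allowed=$(allow_groups "$1")
    [ -n "$allowed" ] || return 1
    case " $allowed " in *' * '*) return 1 ;; esac
    printf '%s\n' "$allowed" | grep -q '@'
}

# Return 0 when the file has "key = value" (case-insensitive, any spacing).
sssd_has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

TMP=$(mktemp -d)
cat > "$TMP/sshd_good" <<'EOF'
PermitRootLogin no
AllowGroups root wheel group1@ad.wisc.edu group2@ad.wisc.edu
EOF
cat > "$TMP/sshd_bad" <<'EOF'
# AllowGroups left commented out after the join: every NetID can log in
#AllowGroups root wheel group1@ad.wisc.edu
EOF
cat > "$TMP/sshd_wild" <<'EOF'
AllowGroups *
EOF
cat > "$TMP/sssd.conf" <<'EOF'
[domain/ad.wisc.edu]
ldap_group_search_base = dc=ad,dc=wisc,dc=edu?subtree?(!( OU=groups,OU=wisc))
ad_gpo_ignore_unreadable = True
EOF

for f in sshd_good sshd_bad sshd_wild; do
    if sshd_restricts_to_ad_groups "$TMP/$f"; then echo "$f: OK"
    else echo "$f: ssh is open to all NetIDs"; fi
done
if sssd_has_setting "$TMP/sssd.conf" ad_gpo_ignore_unreadable True; then
    echo "sssd.conf: ad_gpo_ignore_unreadable set"; fi
```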

Keywords: sssd bind realm ad cads auth logon login password windows server
Doc ID: 103893
Owner: Marc T.
Group: UW-Madison Research Data
Created: 2020-07-13 07:28 CDT
Updated: 2020-07-14 09:23 CDT
Sites: Identity and Access Management, UW-Madison Research Data