Campus Active Directory - Linux Binding and Authentication
Campus Active Directory - Linux Authentication (Updated)
***DISCLAIMER: This document assumes the reader has a general understanding of Linux, networking, and Active Directory authentication. This document also assumes that the reader has completed IP and hostname configurations prior to the steps outlined below.
***If you are looking at this document you should already have a departmental OU and an -ou account in CADS. If you are part of a departmental or divisional IT group, please check with them before requesting either an OU or an -ou account. Requests for either are fulfilled by filling out the form linked in this document: Campus Active Directory - Requesting an Organizational Unit (OU) (wisc.edu)
***Just as with Windows clients, network communication to CADS is restricted to the campus network, which includes WiscVPN and UWNet. If you manage your own firewall you may need to modify your configuration to allow traffic for LDAPS.
Before joining the Linux box to the AD domain, we need to install a few packages and set the Timezone and NTP Client settings:
Set Timezone
Change your server/workstation’s timezone by running the following command.
timedatectl set-timezone America/Chicago
Set NTP
Because Kerberos authentication is used, NTP must be set properly so that clocks stay synchronized; Kerberos rejects tickets when the client and KDC clocks drift too far apart. For mission critical devices, we recommend configuring your flavor of Linux to use DoIT's NTP servers. There are multiple ways to do this depending on distribution and version. Chrony is a popular NTP client and its man page can be found here.
Nameserver configuration
Add ad.wisc.edu as a nameserver on your server/workstation. Again there are multiple ways to do this depending on distro and version. We will not explain how to complete this configuration.
Install Prerequisite Packages
Install the necessary packages per your specific distribution
Ubuntu 22.04
sudo apt update && sudo apt install realmd sssd samba-common-bin samba-libs adcli krb5-user packagekit
Centos8
dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
Realm Discover
Run the following command to discover the realm.
realm discover AD.WISC.EDU
Domain Join
Join the Linux client to ad.wisc.edu with your -ou account. During the domain join, realmd will use adcli to create a computer object in CADS. Unless a different location is specified in the /etc/realmd.conf file, the computer object will be created in the default location in CADS, i.e. OU=computers,OU=orgUnits,DC=ad,DC=wisc,DC=edu. Run the following command to add your Linux machine to CADS:
realm join AD.WISC.EDU -U netid-ou
Join Verification
To verify that the Linux box has successfully joined the AD domain, run the following command:
realm list
This should show the AD domain as a trusted realm. Additionally, you can check the logs under /var/log/auth.log for any errors or issues during the join process.
You can also execute the id command against a NetID to verify the computer is pulling authentication information from AD:
id netid@AD.WISC.EDU
SSSD configuration
The System Security Services Daemon (SSSD) is the service that is being used to communicate to different authentication methods and directory services. The sssd.conf file defines those methods and configurations for authentication. For more information on SSSD click here.
Edit the sssd.conf file located at /etc/sssd/sssd.conf. This file is auto generated when you join the domain; an example of this file is below. The automatically generated sssd.conf file should be good enough to get connected to the domain, however see step <#> for additional recommendations. The sssd.conf man page can be found here. After the configuration has been edited, restart the SSSD service.
[sssd]
domains = ad.wisc.edu
config_file_version = 2
services = nss, pam
[domain/ad.wisc.edu]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.WISC.EDU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad.wisc.edu
use_fully_qualified_names = True
ldap_id_mapping = True
ldap_referrals = False
access_provider = ad
Useful recommendations
Below are some quality-of-life recommendation settings for SSSD authentication.
Add the following line to specify the SASL authorization ID to use with Active Directory and Kerberos.
ldap_sasl_authid = PrincipalName$
To help speed up the login process, add the following lines.
ldap_referrals = False
ignore_group_members = True
Using GID and UID with Active Directory
To use the uidNumber and gidNumber attributes assigned in Active Directory instead of IDs derived from the SID, follow these steps:
Change "ldap_id_mapping" from True to False, then add the following line.
auto_private_groups = True
You may need to assign GID/UID to groups/users that are manually created. To do this your department will need to have an assigned to you by the Active Directory Team. See the following KB for more information: https://kb.wisc.edu/iam/internal/133077
Kerberos Configuration
Edit the krb5.conf file located at /etc/krb5.conf. Some suggested settings are below. The krb5.conf man page can be found here for additional configuration suggestions. After the configuration has been edited, restart the SSSD service.
NOTE: it may be helpful to remove the existing krb5.conf file, recreate it and paste these settings in.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = AD.WISC.EDU
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
AD.WISC.EDU = {
kdc = AD.WISC.EDU
admin_server = AD.WISC.EDU
}
[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
Authorize home directory creation
On Ubuntu or Debian based systems, a line must be added to /etc/pam.d/common-session. Use your favorite text editor and add the following line.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
On Centos8 or RHEL8 run the following command:
authselect select sssd with-mkhomedir
Login Authorization
To better secure the machine, you can add an LDAP filter to the SSSD configuration file containing the distinguished name of your group of choice, so that only members of that group may log in. Add/edit the following lines (sssd.conf keys are case-sensitive and must be lowercase). Restart sssd after every configuration change.
access_provider = ad
ldap_access_filter = (memberOf=<full DN of the group>)
Alternatively you could use simple allow.
access_provider = simple
simple_allow_users = userid1,userid2
simple_allow_groups = group1,group2
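As an added example (not part of this KB page or of DoIT's tooling), the following Python script applies the settings from the Useful recommendations, Using GID and UID, and Login Authorization sections to a realmd-generated sssd.conf. It also catches a mis-cased key such as Ldap_access_filter, which sssd does not recognise, so the access filter would silently never be applied. The sample configuration and the group DN passed in are constructed placeholders.

```python
import configparser
import io

# Constructed sample: abridged realmd-generated sssd.conf from this page, with
# the mis-cased "Ldap_access_filter" line as it was originally written.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.wisc.edu
[domain/ad.wisc.edu]
id_provider = ad
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
Ldap_access_filter = (memberOf=CN=GroupDN)
"""

def parse(text):
    # interpolation=None: values like %u@%d are sssd templates, not configparser ones.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written so mis-cased keys are visible
    cp.read_string(text)
    return cp

def lint_keys(text):
    """Keys that are not all lowercase; sssd keys are case-sensitive, so these never apply."""
    cp = parse(text)
    return [f"{s}/{k}" for s in cp.sections() for k in cp[s] if k != k.lower()]

def harden(text, domain, group_dn):
    """Apply the page's sssd.conf recommendations; returns the new file text."""
    cp = parse(text)
    sec = cp[f"domain/{domain}"]
    for k in list(sec):  # re-add mis-cased keys under the name sssd actually reads
        if k != k.lower():
            sec[k.lower()] = sec.pop(k)
    sec["ldap_referrals"] = "False"       # speed up logins
    sec["ignore_group_members"] = "True"
    sec["access_provider"] = "ad"         # only members of group_dn may log in
    sec["ldap_access_filter"] = f"(memberOf={group_dn})"
    sec["ldap_id_mapping"] = "False"      # use uidNumber/gidNumber from AD
    sec["auto_private_groups"] = "True"
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()
```

Run it as root against /etc/sssd/sssd.conf, write the result back (the file must stay root-owned with mode 0600 or sssd will not start) and restart sssd; sssctl config-check will also flag unrecognised keys.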
Sudoers Config File
Best practices suggest setting up a user as a privileged account on the system in order to limit the use of the root user to a last resort or "break glass" account. To add a user or a group to the sudoers file, edit /etc/sudoers with visudo, which checks the syntax before saving.
User Assignment
ADUser ALL=(ALL:ALL) ALL
Group Assignment
Depending on distribution/version the syntax may vary; here are a couple of examples (use straight double quotes, not typographic ones, when quoting a name).
"%ADGroupName" ALL=(ALL:ALL) ALL
%AD\\ADUsername ALL=(ALL:ALL) ALL