Topics Map > Active Directory
Campus Active Directory - Linux Binding and Authentication
Campus Active Directory - Linux Authentication (Updated)
***DISCLAIMER: This document assumes the reader has a general understanding of Linux, networking, and Active Directory authentication. This document also assumes that the reader has completed IP and hostname configurations prior to the steps outlined below.
***If you are looking at this document you should already have a departmental OU and an -ou account in CADS. If you are part of a departmental or divisional IT group please check with them before requesting either an OU or -ou account. Requests for either are fulfilled through by filling out the form linked in this document: Campus Active Directory - Requesting an Organizational Unit (OU) (wisc.edu)
***Just as with Windows clients, network communication to CADS is restricted to the campus network, which includes WiscVPN and UWNet. If you manage your own firewall you may need to modify your configuration to allow traffic for LDAPS.
Before joining the Linux box to the AD domain, we need to install a few packages and set the Timezone and NTP Client settings:
Set Timezone
Change your server/workstation’s timezone by running the following command.
timedatectl set-timezone America/Chicago
Set NTP
Because Kerberos authentication is used, NTP must be set properly for synchronized clocks. For mission critical devices, we recommend configuring your flavor of Linux to use DoIT's NTP servers.There are multiple ways to do this depending on distribution and version. Chrony is a popular NTP client and its man page can be found here.
Nameserver configuration
Add ad.wisc.edu as a nameserver on your server/workstation. Again there are multiple ways to do this depending on distro and version. We will not explain how to complete this configuration.
Install Prerequisite Packages
Install the necessary packages per your specific distribution
Ubuntu 22.04
sudo apt update && sudo apt install realmd sssd samba-common-bin samba-libs adcli krb5-user packagekit
Centos8
dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
Realm Discover
Run the following command to discover the realm.
realm discover AD.WISC.EDU
Domain Join
Join the Linux client to ad.wisc.edu with your -ou account. During the domain join realmd will use adcli to create a computer object in CADS. Unless specified in the /etc/realmd.conf file, the computer object will be created in the default location of CADS, i.e. OU=computers,OU=orgUnits,DC=ad,DC=wisc,DC=edu. Run the following command to add your linux machine to CADS:
realm join AD.WISC.EDU -U netid-ou
Join Verification
To verify that the Linux box has successfully joined the AD domain, run the following command:
realm list
This should show the AD domain as a trusted realm. Additionally, you can check the logs under /var/log/auth.log for any errors or issues during the join process.
You can also execute the id command against a NetID to verify the computer is pulling authentication information from AD:
id netid@AD.WISC.EDU
SSSD configuration
The System Security Services Daemon (SSSD) is the service that is being used to communicate to different authentication methods and directory services. The sssd.conf file defines those methods and configurations for authentication. For more information on SSSD click here.
Edit the sssd.conf file located /etc/sssd/sssd.conf. This file is auto generated when you join the domain, an example of this file is below. The automatically generated sssd.conf file should be good enough to get connected to the domain however see step <#> for additional recommendations. The sssd.conf man page can be found here. After the configuration has been edited, restart the SSSD service.
[sssd]
domains = ad.wisc.edu
config_file_version = 2
services = nss, pam
[domain/ad.wisc.edu]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.WISC.EDU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad.wisc.edu
use_fully_qualified_names = True
ldap_id_mapping = True
ldap_referrals = False
access_provider = ad
Useful recommendations
Below are some quality-of-life recommendation settings for SSSD authentication.
Add the following line to specify the SASL authorization ID to use with Active Directory and Kerberos.
ldap_sasl_authid = PrincipalName$
To help speed up the login process, add the following lines.
ldap_referrals = False
ignore_group_members = True
Using GID and UID with Active Directory
To use assigned GIDnumber and UIDnumber attributes from Active Directory, follow these steps:
Change "ldap_id_mapping" from True to False, then add the following line.
auto_private_groups = True
You may need to assign GID/UID to groups/users that are manually created. To do this your department will need to have an assigned to you by the Active Directory Team. See the following KB for more information: https://kb.wisc.edu/iam/internal/133077
Kerberos Configuration
Edit the krb5.conf file located /etc/krb5.conf. Some suggested settings are below. The Krb5.conf man page can be found here for additional configuration suggestions. After the configuration has been edited, restart the SSSD service.
NOTE: it may be helpful to remove the existing krb5.conf file, recreate it and paste these settings in.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = AD.WISC.EDU
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
AD.WISC.EDU = {
kdc = AD.WISC.EDU
admin_server = AD.WISC.EDU
}
[domain_realm]
.ad.wisc.edu = AD.WISC.EDU
ad.wisc.edu = AD.WISC.EDU
Authorize home directory creation
in Ubuntu or Debian based systems, a line must be added to /etc/pam.d/common-session. Use your favorite text editor and add the following line.
session optional pam_mkhomedir.so skel=/etc/skel umask=077
On Centos8 or RHEL8 run the following command
authselect select sssd with-mkhomedir
Login Authorization
To better secure the machine, you can add an ldap filter to the SSSD configuration file and add the distinguished name of your group of choice. Add/edit the following lines. Restart sssd after every configuration change.
access_provider = ad
Ldap_access_filter = (memberOf=CN=GroupDN)
Alternatively you could use simple allow.
Access_provider = simple
Simple_allow_users = userid1,userid2
Simple_allow_groups = group1,group2
Sudoers Config File
Best practices suggest setting up a user as a privileged account on the system in order to limit the use of the root user as a last resort or a “break glass” account. To add a user or a group to the sudoer’s file, edit /etc/sudoers.
User Assignment
ADUser ALL=(ALL:ALL)ALL
Group Assignment
Depending on distribution/version syntax may vary, here are a couple of examples.
“%ADGroupName” ALL=(ALL:ALL)ALL
%AD\\ADUsername ALL=(ALL:ALL)ALL