Ubuntu and AD

TL;DR: Setting Ubuntu up to authenticate SSH to AD and using AD groups to control access

Historically, I’ve never been in the position where I’d have to set up a Linux machine to authenticate to Active Directory, or wanted to.
Decided to test this in my LAB today though.

Basic idea/constraint:

  • Be able to authenticate to AD via SSH using username and password
    • User should not have to be pre-configured on the Linux machine.
  • Be able to use SSH keys after first successful AD auth.
  • Be able to use security groups in AD to specify which user(s) should be able to SSH to the machine
  • Be able to use security groups in AD to specify which user(s) should be granted sudo privileges
    • (Additional steps needed and I decided to look into this later)
  • I don’t want to use UPNs (username@domain), I just want to be able to use username during logon.

My environment:

  • Active Directory: “ad.escort.is”, DC is 172.31.30.16
  • Linux machine: “ns1” with ip 172.31.30.26
  • AD user to test: jimc
  • AD security group: Linux_Users

Reference for AD authentication: https://ubuntu.com/server/docs/service-sssd-ad
Reference for AD Group matching: https://www.suse.com/support/kb/doc/?id=000019549

The commands from the Ubuntu reference (its example domain is ad1.example.com):

sudo apt install sssd-ad sssd-tools realmd adcli
sudo realm -v discover ad1.example.com
sudo realm join ad1.example.com
sudo pam-auth-update --enable mkhomedir

The same steps on ns1 against my domain:
root@ns1:~# apt install -y sssd-ad sssd-tools realmd adcli
<snipped>
root@ns1:~# realm discover -v ad.escort.is
 * Resolving: _ldap._tcp.ad.escort.is
 * Performing LDAP DSE lookup on: 172.31.30.16
 * Successfully discovered: ad.escort.is
ad.escort.is
  type: kerberos
  realm-name: AD.ESCORT.IS
  domain-name: ad.escort.is
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
root@ns1:~# realm join -v ad.escort.is
 * Resolving: _ldap._tcp.ad.escort.is
 * Performing LDAP DSE lookup on: 172.31.30.16
 * Successfully discovered: ad.escort.is
Password for Administrator: 
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.escort.is --domain-realm AD.ESCORT.IS --domain-controller 172.31.30.16 --login-type user --login-user Administrator --stdin-password
 * Using domain name: ad.escort.is
 * Calculated computer account name from fqdn: NS1
 * Using domain realm: ad.escort.is
 * Sending NetLogon ping to domain controller: 172.31.30.16
 * Received NetLogon info from: escort-dc-01.ad.escort.is
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-H2zApE/krb5.d/adcli-krb5-conf-CKeUDE
 * Authenticated as user: Administrator@AD.ESCORT.IS
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: ESCORT
 * Looked up domain SID: S-1-5-21-4137996446-3137464020-3132550888
 * Using fully qualified name: ns1
 * Using domain name: ad.escort.is
 * Using computer account name: NS1
 * Using domain realm: ad.escort.is
 * Calculated computer account name from fqdn: NS1
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for NS1$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=escort,DC=is
 * Calculated computer account: CN=NS1,CN=Computers,DC=ad,DC=escort,DC=is
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=NS1,CN=Computers,DC=ad,DC=escort,DC=is
 * Sending NetLogon ping to domain controller: 172.31.30.16
 * Received NetLogon info from: escort-dc-01.ad.escort.is
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=NS1,CN=Computers,DC=ad,DC=escort,DC=is
 * Checking RestrictedKrbHost/NS1
 *    Added RestrictedKrbHost/NS1
 * Checking host/NS1
 *    Added host/NS1
 * Discovered which keytab salt to use
 * Added the entries to the keytab: NS1$@AD.ESCORT.IS: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/NS1@AD.ESCORT.IS: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/NS1@AD.ESCORT.IS: FILE:/etc/krb5.keytab
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm
root@ns1:~# 

At this point in time, I can SSH into the Linux machine using any AD username (in the format username@ad.escort.is):

natti@proxy1:~$ ssh -l jimc@ad.escort.is 172.31.30.26
jimc@ad.escort.is@172.31.30.26's password: 
Creating directory '/home/jimc@ad.escort.is'.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-110-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 13 May 2022 10:56:35 PM UTC

  System load:                      0.01
  Usage of /:                       85.6% of 19.56GB
  Memory usage:                     13%
  Swap usage:                       0%
  Processes:                        286
  Users logged in:                  1
  IPv4 address for br-7ec74ee89820: 172.18.0.1
  IPv4 address for br-a625d11b070a: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          172.31.30.26

  => / is using 85.6% of 19.56GB

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

jimc@ad.escort.is@ns1:~$ exit

I changed or added the following items in /etc/sssd/sssd.conf (the realm join had written access_provider = ad, which I replaced):

  • use_fully_qualified_names
  • fallback_homedir
  • simple_allow_groups
  • access_provider

[sssd]
domains = ad.escort.is
config_file_version = 2
services = nss, pam

[domain/ad.escort.is]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.ESCORT.IS
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = ad.escort.is
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Linux_Users@AD.ESCORT.IS
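
As an added example (not part of the original post), here is a small POSIX shell checker for the settings changed above. It reads an sssd.conf on stdin, reports the effective value of a key that appears twice in the domain section (SSSD keeps the last value it reads for a repeated key, so whether a realmd-written access_provider = ad sits above or below the added access_provider = simple decides if the group restriction applies), and fails when access_provider is not simple, when simple_allow_groups is empty (the simple provider then admits every AD user), or when use_fully_qualified_names is not False. The sample config in the block is constructed for the example; live_checks assumes sssd-tools on the joined host and uses the user and group names from this post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an sssd.conf for
# the settings this write-up relies on. Constructed sample config below,
# with the realmd default "access_provider = ad" left in on purpose.
SAMPLE_CONF='[sssd]
domains = ad.escort.is
config_file_version = 2
services = nss, pam

[domain/ad.escort.is]
default_shell = /bin/bash
id_provider = ad
fallback_homedir = /home/%u
ad_domain = ad.escort.is
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
simple_allow_groups = Linux_Users@AD.ESCORT.IS
access_provider = simple'

# sssd_get SECTION KEY  (config on stdin): print the effective, i.e. last, value of KEY
sssd_get() {
  awk -v sect="[$1]" -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^\[/ { insect = ($0 == sect); next }
    insect {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
    }
    END { print val }'
}

# sssd_count SECTION KEY  (config on stdin): how many times KEY is set in SECTION
sssd_count() {
  awk -v sect="[$1]" -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^\[/ { insect = ($0 == sect); next }
    insect {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k == key) n++
    }
    END { print n + 0 }'
}

# check_sssd_conf DOMAIN  (config on stdin): returns 0 when the domain section
# enforces AD-group access with short usernames, 1 otherwise (one finding per line).
check_sssd_conf() {
  domain="$1"
  sect="domain/$domain"
  conf="$(cat)"
  rc=0
  n="$(printf '%s\n' "$conf" | sssd_count "$sect" access_provider)"
  if [ "$n" -gt 1 ]; then
    echo "WARN: access_provider is set $n times in [$sect]; only the last value counts"
    rc=1
  fi
  ap="$(printf '%s\n' "$conf" | sssd_get "$sect" access_provider)"
  if [ "$ap" != "simple" ]; then
    echo "FAIL: access_provider is '$ap'; simple_allow_groups only applies with 'simple'"
    rc=1
  fi
  allow="$(printf '%s\n' "$conf" | sssd_get "$sect" simple_allow_groups)"
  if [ -z "$allow" ]; then
    echo "FAIL: simple_allow_groups is empty; the simple provider then admits every AD user"
    rc=1
  fi
  fqn="$(printf '%s\n' "$conf" | sssd_get "$sect" use_fully_qualified_names)"
  case "$fqn" in
    [Ff]alse) ;;
    *) echo "FAIL: use_fully_qualified_names is '$fqn'; short logins (ssh -l jimc) need False"; rc=1 ;;
  esac
  return "$rc"
}

# On the joined host itself (assumes sssd-tools is installed): SSSD's own config
# validator, NSS resolution of the AD user and group, and the PAM account check
# that sshd performs, which is where the Linux_Users restriction is enforced.
live_checks() {   # usage: live_checks jimc Linux_Users
  sssctl config-check
  id "$1"
  getent group "$2"
  sssctl user-checks -a acct -s sshd "$1"
}

# Offline demo on the constructed sample, then again with the stale line removed.
printf '%s\n' "$SAMPLE_CONF" | check_sssd_conf ad.escort.is || echo "sample needs fixing"
printf '%s\n' "$SAMPLE_CONF" | grep -v '^access_provider = ad$' | check_sssd_conf ad.escort.is && echo "fixed sample OK"
```

On a real host, run it as `check_sssd_conf ad.escort.is < /etc/sssd/sssd.conf` (the file is root-readable only) and follow up with `live_checks jimc Linux_Users`; the user-checks step is the quickest way to confirm that an account outside Linux_Users is refused before touching sshd.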

And now I’m able to SSH in as jimc and end up in my home directory, /home/jimc:

natti@proxy1:~$ ssh -l jimc 172.31.30.26
jimc@172.31.30.26's password: 
Creating directory '/home/jimc'.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-110-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 13 May 2022 11:00:11 PM UTC

  System load:                      0.5
  Usage of /:                       85.7% of 19.56GB
  Memory usage:                     13%
  Swap usage:                       0%
  Processes:                        287
  Users logged in:                  1
  IPv4 address for br-7ec74ee89820: 172.18.0.1
  IPv4 address for br-a625d11b070a: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          172.31.30.26

  => / is using 85.7% of 19.56GB

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Fri May 13 22:59:46 2022 from 10.208.28.101
jimc@ns1:~$

And after generating SSH keys and adding the public key to /home/jimc/.ssh/authorized_keys, I can SSH in using SSH keys as well:

natti@proxy1:~$ ssh -l jimc 172.31.30.26
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-110-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 14 May 2022 01:13:49 PM UTC

  System load:                      0.18
  Usage of /:                       83.7% of 19.56GB
  Memory usage:                     14%
  Swap usage:                       0%
  Processes:                        289
  Users logged in:                  1
  IPv4 address for br-7ec74ee89820: 172.18.0.1
  IPv4 address for br-a625d11b070a: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          172.31.30.26

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


Last login: Sat May 14 13:13:29 2022 from 10.208.28.101
jimc@ns1:~$