Merge lp:~markthomas/serverguide/serverguide-review-7.5 into lp:serverguide/trunk

Proposed by Mark Thomas
Status: Merged
Merged at revision: 243
Proposed branch: lp:~markthomas/serverguide/serverguide-review-7.5
Merge into: lp:serverguide/trunk
Diff against target: 223 lines (+215/-0)
1 file modified
serverguide/C/network-auth.xml (+215/-0)
To merge this branch: bzr merge lp:~markthomas/serverguide/serverguide-review-7.5
Reviewer: Peter Matulis (Approve)
Review via email: mp+249727@code.launchpad.net

Description of the change

This is a new section describing how to configure Trusty to authenticate against Active Directory with sssd. It did not fit into any previously-existing section (i.e. no section for sssd existed).

Revision history for this message
Doug Smythies (dsmythies) wrote :

Peter: Do you want to try to include this one in our pending point release, for which string freeze is tomorrow? It looks pretty good to me.

Revision history for this message
Peter Matulis (petermatulis) wrote :

A wonderful contribution! Thank you Mark. A few comments below.

1. wording

(a)
"This section covers the use of sssd to authenticate user logins against an Active Directory via sssd and PAM using sssd's "ad" provider."

Maybe:

"This section describes the use of sssd and PAM for authenticating users against Microsoft Active Directory."

(b)
"This guide assumes that a working Active Directory domain already configured."

Maybe:

"This guide assumes that a working Active Directory domain is already configured."

(c)
"The domain and kerberos realm used in this example is myubuntu.example.com ."

Maybe the realm should be in all caps. You mention both domain and realm so not sure.

(d)
"Add an alias /etc/hosts specifying the FQDN."

Maybe:

"Add an entry to /etc/hosts for specifying the FQDN."

(e)
"kerberos" should be capitalized everywhere: Kerberos.

2. format

(a) All commands should be formatted like so:

<screen>
<command>command_goes_here</command>
</screen>

(b) All filenames should be formatted like so:

<filename>file_goes_here</filename>

(c) References should be hyperlinks. See end of this page as an exemplar:

https://help.ubuntu.com/14.04/serverguide/openldap-server.html

Long ugly URLs should also not be exposed to the reader.

review: Needs Fixing
Revision history for this message
Doug Smythies (dsmythies) wrote :

Mark: Are you going to get to this today or tomorrow? We are wanting to do a point release of the serverguide, and had originally intended string freeze for yesterday. String freeze will be pushed at least until tomorrow now. If you cannot get to this, I will fix it.

Revision history for this message
Doug Smythies (dsmythies) wrote :

Mark: What is the status of this?

Revision history for this message
Mark Thomas (markthomas) wrote :

I never received a notification on this for some reason. I will be addressing this ASAP.

238. By Mark Thomas

Changes based on feedback in LP

Revision history for this message
Mark Thomas (markthomas) wrote :

Content changes:

(a) I implemented a variation of that change. It is important to highlight that the “ad” provider is what is being covered—the use of the “ldap” provider in sssd for AD authentication is quite different, older, and more difficult. I did omit the name “Microsoft”, as it is also possible to use Samba4 as an AD domain controller. Do you think it is needed?

(b) Fixed

(c) Modified for clarification. I am not trying to specify formatting—that is covered soon after. I am providing the value used rather than have it just “show up” as I’ve seen in other documentation.

One thing I did here was to use a “subdomain” for the Active Directory domain. So often, I see just “example.com”. If someone wants to implement the AD domain as a subdomain, as is often done, I didn’t want it left as an exercise for the reader to figure out what the realm should be by “trial and error” as I’ve had to do.

(d) Modified for clarification.

(e) Fixed

2. format

(a) Fixed
(b) Fixed
(c) Fixed

Revision history for this message
Peter Matulis (petermatulis) wrote :

Looks good!

review: Approve
Revision history for this message
Doug Smythies (dsmythies) wrote :

Mark, Thanks very much.

Peter: O.K. we will now call 12.04 and trunk (14.04) serverguides as in string freeze until the point release is done.

Preview Diff

=== modified file 'serverguide/C/network-auth.xml'
--- serverguide/C/network-auth.xml 2015-02-25 16:19:47 +0000
+++ serverguide/C/network-auth.xml 2015-02-26 19:58:31 +0000
@@ -3969,4 +3969,219 @@
39693969
3970 </sect2>3970 </sect2>
3971 </sect1>3971 </sect1>
3972 <sect1 id="sssd-ad" status="review">
3973 <title>SSSD and Active Directory</title>
3974 <para>
3975 This section describes the use of sssd to authenticate user logins against an Active Directory via using sssd's "ad" provider. In previous versions of sssd, it was possible to authenticate using the "ldap" provider. However, when authenticating against a Microsoft Windows AD Domain Controller, it was generally necessary to install the POSIX AD extensions on the Domain Controller. The "ad" provider simplifies the configuration and requires no modifications to the AD structure.
3976 </para>
3977 <sect2 id="sssd-ad-requirements" status="review">
3978 <title>Prerequisites, Assumptions, and Requirements</title>
3979 <itemizedlist>
3980 <listitem>
3981 <para>This guide does not explain Active Directory, how it works, how to set one up, or how to maintain it. It may not provide “best practices” for your environment.</para></listitem>
3982 <listitem>
3983 <para>This guide assumes that a working Active Directory domain is already configured.</para></listitem>
3984 <listitem>
3985 <para>The domain controller is acting as an authoritative DNS server for the domain.</para></listitem>
3986 <listitem>
3987 <para>The domain controller is the primary DNS resolver as specified in <filename>/etc/resolv.conf</filename>.</para>
3988 </listitem>
3989 <listitem>
3990 <para>The appropriate <emphasis>_kerberos</emphasis>, <emphasis>_ldap</emphasis>, <emphasis>_kpasswd</emphasis>, etc. entries are configured in the DNS zone (see Resources section for external links).</para></listitem>
3991 <listitem>
3992 <para>System time is synchronized on the domain controller (necessary for Kerberos).</para></listitem>
3993 <listitem>
3994 <para>The domain used in this example is <emphasis>myubuntu.example.com</emphasis> .</para></listitem>
3995 </itemizedlist>
3996 </sect2>
3997 <sect2 id="sssd-ad-installation" status="review">
3998 <title>Software Installation</title>
3999 <para>The following packages are needed: <emphasis>krb5-user</emphasis>, <emphasis>samba</emphasis>, <emphasis>sssd</emphasis>, and <emphasis>ntp</emphasis>. Samba needs to be installed, even if the system is not exporting shares. The Kerberos realm and FQDN or IP of the domain controllers are needed for this step.</para>
4000 <para>Install these packages now.
4001 </para>
4002 <screen><command>sudo apt-get install krb5-user samba sssd ntp</command></screen>
4003 <para>See the next section for the answers to the questions asked by the <emphasis>krb5-user</emphasis> postinstall script.</para>
4004 </sect2>
4005 <sect2 id="sssd-ad-kerberos" status="review">
4006 <title>Kerberos Configuration</title>
4007 <para>The installation of <emphasis>krb5-user</emphasis> will prompt for the realm name (in ALL UPPERCASE), the kdc server (i.e. domain controller) and admin server (also the domain controller in this example.) This will write the [realm] and [domain_realm] sections in <filename>/etc/krb5.conf</filename>. These sections may not be necessary if domain autodiscovery is working. If not, then both are needed.</para>
4008 <para>If the domain is <emphasis>myubuntu.example.com</emphasis>, enter the realm as <emphasis>MYUBUNTU.EXAMPLE.COM</emphasis>
4009 </para>
4010
4011 <para>Optionally, edit <emphasis>/etc/krb5.conf</emphasis> with a few additional settings to specify Kerberos ticket lifetime (these values are safe to use as defaults):</para>
4012 <programlisting>
4013[libdefaults]
4014
4015default_realm = MYUBUNTU.EXAMPLE.COM
4016ticket_lifetime = 24h #
4017renew_lifetime = 7d
4018 </programlisting>
4019
4020 <para>If default_realm is not specified, it may be necessary to log in with “username@domain” instead of “username”.</para>
4021
4022 <para>The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service. Edit <filename>/etc/ntp.conf</filename>:</para>
4023
4024<programlisting>
4025server dc.myubuntu.example.com
4026</programlisting>
4027
4028 </sect2>
4029 <sect2 id="sssd-ad-samba" status="review">
4030 <title>Samba Configuration</title>
4031<para>Samba will be used to perform netbios/nmbd services related to Active Directory authentication, even if no file shares are exported. Edit the file /etc/samba/smb.conf and add the following to the <emphasis>[global]</emphasis> section:</para>
4032
4033<programlisting>
4034[global]
4035
4036workgroup = MYUBUNTU
4037client signing = yes
4038client use spnego = yes
4039kerberos method = secrets and keytab
4040realm = MYUBUNTU.EXAMPLE.COM
4041security = ads
4042</programlisting>
4043
4044<note><para>Some guides specify that "password server" should be specified and pointed to the domain controller. This is only necessary if DNS is not properly set up to find the DC. By default, Samba will display a warning if "password server" is specified with "security = ads".</para></note>
4045
4046</sect2>
4047
4048<sect2 id="sssd-ad-sssdconfig" status="review">
4049 <title>SSSD Configuration</title>
4050
4051<para>There is no default/example config file for <filename>/etc/sssd/sssd.conf</filename> included in the sssd package. It is necessary to create one. This is a minimal working config file:</para>
4052
4053<programlisting>
4054[sssd]
4055services = nss, pam
4056config_file_version = 2
4057domains = MYUBUNTU.EXAMPLE.COM
4058
4059[domain/MYUBUNTU.EXAMPLE.COM]
4060id_provider = ad
4061access_provider = ad
4062
4063# Use this if users are being logged in at /.
4064# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
4065override_homedir = /home/%d/%u
4066
4067# Uncomment if the client machine hostname doesn't match the computer object on the DC.
4068# ad_hostname = mymachine.myubuntu.example.com
4069
4070# Uncomment if DNS SRV resolution is not working
4071# ad_server = dc.mydomain.example.com
4072
4073# Uncomment if the AD domain is named differently than the Samba domain
4074# ad_domain = MYUBUNTU.EXAMPLE.COM
4075
4076# Enumeration is discouraged for performance reasons.
4077# enumerate = true
4078</programlisting>
4079
4080<para>After saving this file, set the ownership to root and the file permissions to 600:</para>
4081<screen><command>sudo chown root:root /etc/sssd/sssd.conf</command></screen>
4082<screen><command>sudo chmod 600 /etc/sssd/sssd.conf</command></screen>
4083
4084<para>If the ownership or permissions are not correct, sssd will refuse to start.</para>
4085</sect2>
4086
4087<sect2 id="sssd-ad-nsswitch" status="review">
4088 <title>Verify nsswitch.conf Configuration</title>
4089 <para>The post-install script for the sssd package makes some modifications to /etc/nsswitch.conf automatically. It should look something like this:</para>
4090
4091<programlisting>
4092passwd: compat sss
4093group: compat sss
4094...
4095netgroup: nis sss
4096sudoers: files sss
4097</programlisting>
4098</sect2>
4099
4100<sect2 id="sssd-ad-hosts" status="review">
4101 <title>Modify /etc/hosts</title>
4102<para>Add an alias to the localhost entry in /etc/hosts specifying the FQDN. For example:</para>
4103<programlisting>192.168.1.10 myserver myserver.myubuntu.example.com</programlisting>
4104
4105<para>This is useful in conjunction with dynamic DNS updates.</para>
4106</sect2>
4107
4108<sect2 id="sssd-ad-join" status="review">
4109 <title>Join the Active Directory</title>
4110<para>Now, restart ntp and samba and start sssd.</para>
4111<screen><command>sudo service ntp restart</command>
4112<command>sudo restart smbd</command>
4113<command>sudo restart nmbd</command>
4114<command>sudo start sssd</command></screen>
4115
4116<para>Test the configuration by obtaining a Kerberos ticket:</para>
4117
4118<screen><command>sudo kinit Administrator</command></screen>
4119
4120<para>Verify the ticket with:</para>
4121<screen><command>sudo klist</command></screen>
4122
4123<para>If there is a ticket with an expiration date listed, then it is time to join the domain:</para>
4124
4125<screen><command>sudo net ads join -k</command></screen>
4126
4127<para>A warning about "No DNS domain configured. Unable to perform DNS Update." probably means that there is no (correct) alias in <filename>/etc/hosts</filename>, and the system could not provide its own FQDN as part of the Active Directory update. This is needed for dynamic DNS updates. Verify the alias in <filename>/etc/hosts</filename> described in "Modify /etc/hosts" above.</para>
4128
4129<para>(The message "NT_STATUS_UNSUCCESSFUL" indicates the domain join failed and something is incorrect. Review the prior steps before proceeding).</para>
4130
4131<para>Here are a couple of (optional) checks to verify that the domain join was successful. Note that if the domain was successfully joined but one or both of these steps fail, it may be necessary to wait 1-2 minutes and try again. Some of the changes appear to be asynchronous.</para>
4132
4133<para>Verification option #1:</para>
4134<para>Check the default Organizational Unit for computer accounts in the Active Directory to verify that the computer account was created. (Organizational Units in Active Directory is a topic outside the scope of this guide).</para>
4135
4136<para>Verification option #2</para>
4137<para>Execute this command for a specific AD user (e.g. administrator)</para>
4138<screen><command>getent passwd username</command></screen>
4139
4140<note><para>If <emphasis>enumerate = true</emphasis> is set in <filename>sssd.conf</filename>, <emphasis>getent passwd</emphasis> with no username argument will list all domain users. This may be useful for testing, but is slow and not recommended for production.</para></note>
4141</sect2>
4142
4143<sect2 id="sssd-ad-test" status="review">
4144 <title>Test Authentication</title>
4145 <para>It should now be possible to authenticate using an Active Directory User's credentials:</para>
4146
4147<screen><command>su - username</command></screen>
4148
4149<para>If this works, then other login methods (getty, ssh) should also work.</para>
4150
4151<para>If the computer account was created, indicating that the system was "joined" to the domain, but authentication is unsuccessful, it may be helpful to review <filename>/etc/pam.d</filename> and <filename>nssswitch.conf</filename> as well as the file changes described earlier in this guide.</para>
4152</sect2>
4153
4154<sect2 id="sssd-ad-mkhomedir" status="review">
4155 <title>Home directories with pam_mkhomedir (optional)</title>
4156 <para>When logging in using an Active Directory user account, it is likely that user has no home directory. This can be fixed with pam_mkdhomedir.so, which will create the user’s home directory on login. Edit <filename>/etc/pam.d/common-session</filename>, and add this line directly after <emphasis>session required pam_unix.so:</emphasis></para>
4157<programlisting>
4158session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
4159</programlisting>
4160
4161<note><para>This may also need <emphasis>override_homedir</emphasis> in <filename>sssd.conf</filename> to function correctly, so make sure that’s set.</para></note>
4162</sect2>
4163
4164<sect2 id="sssd-ad-desktop" status="review">
4165 <title>Desktop Ubuntu Authentication</title>
4166 <para>It is possible to also authenticate logins to Ubuntu Desktop using Active Directory accounts. The AD accounts will not show up in the pick list with local users, so lightdm will need to be modified. Edit the file <filename>/etc/lightdm/lightdm.conf.d/50-unity-greeter.conf</filename> and append the following two lines:</para>
4167
4168<programlisting>
4169greeter-show-manual-login=true
4170greeter-hide-users=true
4171</programlisting>
4172
4173<para>Reboot to restart lightdm. It should now be possible to log in using a domain account using either <emphasis>username</emphasis> or <emphasis>username/username@domain</emphasis> format.</para>
4174</sect2>
4175
4176<sect2 id="sssd-ad-resources" status="review">
4177 <title>Resources</title>
4178 <itemizedlist>
4179 <listitem><para><ulink url="https://fedorahosted.org/sssd">SSSD Project</ulink></para></listitem>
4180<listitem><para><ulink url="http://www.ucs.cam.ac.uk/support/windows-support/winsuptech/activedir/dnsconfig">DNS Server Configuration guidelines</ulink></para></listitem>
4181<listitem><para><ulink url="https://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx">Active Directory DNS Zone Entries</ulink></para></listitem>
4182<listitem><para><ulink url="http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html">Kerberos config options</ulink></para></listitem>
4183 </itemizedlist>
4184
4185</sect2>
4186</sect1>
3972</chapter>4187</chapter>
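Review bot: the /etc/hosts example in the "Modify /etc/hosts" sect2 puts the short name before the FQDN (`192.168.1.10 myserver myserver.myubuntu.example.com`); hosts(5) takes the first name after the address as the canonical name, so `hostname -f` returns `myserver` rather than the FQDN that the "Join the Active Directory" paragraph says the dynamic DNS update needs. Suggest `192.168.1.10 myserver.myubuntu.example.com myserver`. Smaller fixes in the same hunk: the Kerberos Configuration paragraph should name the krb5.conf section `[realms]` (plural), not `[realm]`; the krb5.conf listing has a stray trailing `#` after `ticket_lifetime = 24h`; the commented `ad_server = dc.mydomain.example.com` line in sssd.conf uses a different domain from the rest of the example (myubuntu.example.com) and will mislead anyone who uncomments it; `nssswitch.conf` in the Test Authentication sect2 and `pam_mkdhomedir.so` in the pam_mkhomedir sect2 are typos for nsswitch.conf and pam_mkhomedir.so; "against an Active Directory via using sssd's" in the intro should drop "via"; and `/etc/krb5.conf`, `/etc/samba/smb.conf`, `/etc/nsswitch.conf` and `/etc/hosts` in the body text are not wrapped in `<filename>` as the review asked for the rest of the section. On the join step, the test uses `sudo kinit Administrator`; it is worth stating that any account delegated the right to create computer objects in the target OU is sufficient for `net ads join -k`, so domain Administrator credentials need not be entered on the new host.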
