Setting up Active Directory based authentication on linux servers

Authenticate users coming in over SSH against Active Directory as well as local accounts. sudo and su access requires that the calling user be a member of the local wheel group or of the linuxadmins group in AD. linuxadmins must also be granted rights in sudoers; the PAM rules below only decide who reaches sudoers, they do not grant anything by themselves.

Considerations on the Windows Active Directory side

From the Linux side you absolutely must get a valid answer to the Kerberos SRV query for the realm, i.e. _kerberos._tcp.<realm> (net ads join also looks up _ldap._tcp.dc._msdcs.<realm>), before the join will succeed. The port 88 records are how the client finds a KDC; without them you will not be able to pull any user or group information. The server therefore has to resolve against DNS that carries the AD zone, which normally means the DCs themselves:

# host -t srv _kerberos._tcp.ad.home
_kerberos._tcp.ad.home has SRV record 0 0 88 adserver.home.
_kerberos._tcp.ad.home has SRV record 0 100 88

Required packages

WIP - will be refined

samba
samba-winbind
samba-winbind-clients
samba-winbind-krb5-locator
samba-common
samba-client
pam
pam_krb5
pam_ldap
krb5-libs
krb5-workstation

Of the packages that came along with the original install, samba-winbind-devel, samba4-dc-libs, pam-devel and krb5-devel are build headers only, and krb5-server / krb5-server-ldap are only needed if the box runs its own KDC; none of them is required for a domain member.


AD.HOME is the hostname of my test Active Directory server. I have internal DNS set up so that ad.home and adserver.home resolve to an IP.

# cat /etc/krb5.conf
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
    default_realm = AD.HOME
    ticket_lifetime = 24000
    # AD offers AES and RC4; des3-hmac-sha1 is not an AD enctype at all, and the
    # single-DES types are disabled by default on 2008 R2 and later DCs. Keep AES
    # first and drop the two DES entries unless an old DC really needs them.
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    AD.HOME = {
        kdc = AD.HOME
        admin_server = AD.HOME
        default_domain = AD.HOME
    }

[domain_realm]
    .ad.home = AD.HOME
    ad.home = AD.HOME


# cat /etc/samba/smb.conf
[global]
   workgroup = AD
   realm = AD.HOME
   security = ads
   winbind refresh tickets = yes
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = yes

winbind use default domain = true strips the AD\ prefix from user and group names, which is why the PAM and sudoers rules can refer to the group as plain linuxadmins. winbind offline logon = yes only does something if the pam_winbind.so line in password-auth/system-auth also carries cached_login. password-auth and system-auth are assumed to already contain pam_winbind.so (authconfig --enablewinbind --enablewinbindauth --update puts it there on RHEL/CentOS 6).

/etc/pam.d/sshd conf

Stock RHEL/CentOS 6 sshd stack with two pam_succeed_if.so lines added so that only local wheel members and AD linuxusers members get past the account phase. The checks use the skip/required idiom rather than sufficient: a failed sufficient module is simply ignored, so with two sufficient group checks anyone would fall through to pam_nologin.so and be let in. Note that with account include password-auth commented out, the pam_unix.so and pam_winbind.so account checks (locked or expired accounts) never run for ssh logins.

# cat /etc/pam.d/sshd
auth       required     pam_sepermit.so
auth       include      password-auth
# Only local wheel members and AD linuxusers members may log in over ssh.
account    [success=1 default=ignore] pam_succeed_if.so quiet user ingroup wheel
account    required     pam_succeed_if.so quiet user ingroup linuxusers
account    required     pam_nologin.so
#account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
#session    include      password-auth

/etc/pam.d/su conf

The group checks sit in the account phase with use_uid, so pam_succeed_if.so evaluates the user running su rather than the account being switched to (normally root, which would always pass a uid test). Only root is exempted by the first jump; exempting every local UID (uid < 16777216) would let any local account su without a group check. The stock pam_wheel.so line stays commented out: it only knows the local wheel group and would reject AD linuxadmins members in the auth phase before these rules are reached. debug can be appended to the pam_succeed_if.so lines while troubleshooting; it logs every evaluation to syslog, so drop it afterwards.

# cat /etc/pam.d/su
auth      sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth     sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth     required     pam_wheel.so use_uid
auth      include      system-auth
# Calling user (use_uid) must be root, in local wheel, or in AD linuxadmins.
account   [default=ignore success=2] pam_succeed_if.so use_uid quiet uid = 0
account   [default=ignore success=1] pam_succeed_if.so use_uid quiet user ingroup linuxadmins
account   [default=bad success=ignore] pam_succeed_if.so use_uid quiet user ingroup wheel
account   include      system-auth
password  include      system-auth
session   include      system-auth
session   optional     pam_xauth.so

/etc/pam.d/sudo conf

sudo authenticates the invoking user, so use_uid is not needed here. These lines only control whether PAM lets the user through to sudoers; the linuxadmins group still needs its own sudoers entry, otherwise its members pass PAM and are then told they are not in the sudoers file. system-auth is included once per phase; including the account stack twice just runs every check twice.

# cat /etc/pam.d/sudo
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
# Invoking user must be root, in local wheel, or in AD linuxadmins.
account    [default=ignore success=2] pam_succeed_if.so quiet uid = 0
account    [default=ignore success=1] pam_succeed_if.so quiet user ingroup linuxadmins
account    [default=bad success=ignore] pam_succeed_if.so quiet user ingroup wheel
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so


/etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
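The script below is an added example and not part of the original notes: a few POSIX sh helpers for checking the pieces above before joining. It pulls the idmap range out of smb.conf, tells local accounts from winbind-mapped ones by UID, turns `host -t srv` output into usable KDC targets (dropping any answer whose target field is missing instead of passing on an empty KDC name), and writes the sudoers drop-in that the introduction asks for. The smb.conf fragment, passwd lines and host output at the bottom are constructed samples that mirror this page, and the drop-in directory argument and the file name linuxadmins are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-join sanity helpers for the
# winbind/PAM configuration described on this page. POSIX sh plus sed/awk only.
set -eu

# Print "LOW HIGH" from the "idmap config * : range = LOW-HIGH" line of an
# smb.conf read on stdin; prints nothing if the line is absent.
idmap_range() {
    sed -n 's/^[[:space:]]*idmap config \* : range = \([0-9][0-9]*\)-\([0-9][0-9]*\).*$/\1 \2/p' | head -n 1
}

# Classify one passwd(5) line as "ad" (UID inside the winbind range) or "local".
# $1 = passwd line, $2 = range low, $3 = range high
classify_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    if [ "$uid" -ge "$2" ] && [ "$uid" -le "$3" ]; then
        echo ad
    else
        echo local
    fi
}

# Turn `host -t srv _kerberos._tcp.<realm>` output on stdin into "target port"
# lines, lowest priority first. Only complete port-88 answers (8 fields) are
# kept; a record with no target field is dropped rather than passed on.
srv_kdc_targets() {
    awk 'NF == 8 && $2 == "has" && $3 == "SRV" && $7 == 88 { print $5, $8, $7 }' \
        | sort -n | cut -d' ' -f2-
}

# Write the sudoers drop-in granting the AD group full sudo, then syntax-check
# it with visudo. With "winbind use default domain = true" the group is the
# bare "linuxadmins"; without it the entry would need the AD\ prefix (escaped).
# visudo -c also enforces root ownership and mode 0440, so the check only runs
# when we are root. $1 = drop-in directory (assumed /etc/sudoers.d on a real host)
write_linuxadmins_sudoers() {
    f="$1/linuxadmins"
    printf '%%linuxadmins ALL=(ALL) ALL\n' > "$f"
    chmod 0440 "$f"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -c -f "$f"
    fi
}

# --- constructed samples mirroring this page (not captured from a live host) ---
SAMPLE_SMB='[global]
   workgroup = AD
   idmap config * : range = 16777216-33554431'
SAMPLE_PASSWD_AD='jdoe:*:16777216:16777216:John Doe:/home/jdoe:/bin/bash'
SAMPLE_PASSWD_LOCAL='root:x:0:0:root:/root:/bin/bash'
SAMPLE_HOST='_kerberos._tcp.ad.home has SRV record 0 0 88 adserver.home.
_kerberos._tcp.ad.home has SRV record 0 100 88'

range=$(printf '%s\n' "$SAMPLE_SMB" | idmap_range)
low=${range% *}
high=${range#* }
classify_passwd_line "$SAMPLE_PASSWD_AD" "$low" "$high"      # → ad
classify_passwd_line "$SAMPLE_PASSWD_LOCAL" "$low" "$high"   # → local
printf '%s\n' "$SAMPLE_HOST" | srv_kdc_targets                # → adserver.home. 88
```

On a real host feed the functions the live files instead of the samples (`idmap_range < /etc/samba/smb.conf`, `getent passwd jdoe`, `host -t srv _kerberos._tcp.ad.home | srv_kdc_targets`) and call write_linuxadmins_sudoers /etc/sudoers.d as root. The UID classification is the same rule the su/sudo stacks rely on when they compare uids against the idmap range, so if the range in smb.conf ever changes, re-check any PAM line that hard-codes 16777216.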

Joining the AD Domain

An AD account with rights to join machines is required; Domain Admins is the usual choice, although any account delegated "Create computer objects" on the target OU also works. net ads join -U prompts for the password itself, so the kinit is only needed if you would rather join with the ticket (net ads join -k).

# kinit Administrator
Password for Administrator@AD.HOME:
# net ads join -U Administrator
Enter Administrator's password:

Successful join

# wbinfo -p
Ping to winbindd succeeded

# wbinfo -m
# wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded

# wbinfo -u

# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
# wbinfo --online-status
BUILTIN : online
LEARN : online
AD : online

Things to consider

If you do not allow local user login and cached logins are not actually working, nobody will be able to ssh to the server once connectivity to the DC is lost. Cached logins need both winbind offline logon = yes in smb.conf and cached_login on the pam_winbind.so line in password-auth, and they only cover users who have logged in at least once while the DC was reachable. Keep at least one local wheel account that the sshd account stack admits, and test the offline path deliberately (block traffic to the DC, then try an AD login and a local login) before relying on it.