Linux SSH + PAM + LDAP + SSSD + 2008 R2 AD Deployment

As an update to my previous post “Linux SSH + PAM + LDAP + 2003 R2 AD Deployment”, SSSD is now part of the base RHEL6 repository (soon CentOS6 as well), which makes LDAP/AD authentication much faster and easier to implement.  As for configuring Active Directory, not much has changed since my previous post, so refer to that guide for the complete Active Directory setup.  So let's get to it.

Installing and Configuring PAM/LDAP/SSSD (tested on RHEL6):

Get some base packages:

# yum install openldap pam pam_ldap pam_krb5 ntp sssd

Configure /etc/sssd/sssd.conf (make sure you update ldap_default_authtok to your LDAP/AD user's password).  If you recreate sssd.conf, be sure to chmod 600 it or the service will fail to start:

# vi /etc/sssd/sssd.conf
 
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
sbus_timeout = 30
 
[nss]
filter_groups = root
filter_users = root
 
[pam]
offline_credentials_expiration = 0
 
[domain/LDAP]
description = LDAP domain with AD server
debug_level = 9
enumerate = false
min_id = 1000
 
access_provider = ldap
# Restrict access to a certain group, update or comment this out
ldap_access_filter = memberOf=cn=LinuxUsers,ou=Groups,dc=domain,dc=com
 
id_provider = ldap
chpass_provider = krb5
 
ldap_uri = ldap://dc1.domain.com, ldap://dc2.domain.com
ldap_search_base = dc=domain,dc=com
 
# SSSD's option name is ldap_tls_reqcert (tls_reqcert is the ldap.conf spelling and is ignored here)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
 
# User that can read from AD, any normal user should work.  Update as necessary
ldap_default_bind_dn = cn=ldapuser,ou=Users,dc=domain,dc=com
 
# Leave this as password
ldap_default_authtok_type = password
 
# The LDAP user's actual password, update as necessary
ldap_default_authtok = ldapusers_password
 
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = True
 
# kerberos config
auth_provider = krb5
krb5_server = dc1.domain.com, dc2.domain.com
krb5_realm = DOMAIN.COM
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
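Because sssd.conf holds a bind password and SSSD refuses to start when the file is not mode 0600, it is worth checking the file before starting the service. The script below is an added example and not part of the original post: it audits a given sssd.conf for repeated keys within a section (only one value takes effect, so a repeat is usually a copy/paste slip), for the ldap.conf spelling tls_reqcert (SSSD calls it ldap_tls_reqcert and ignores the other), for the placeholder password ldapusers_password from the listing above, for a file mode other than 0600, and for a bind DN used over plain ldap:// without ldap_id_use_start_tls (in that case the bind password crosses the wire in cleartext). File paths and the sample configs in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sssd.conf before
# starting sssd. Assumes the [section] / key = value layout shown above.

# Print "[section] key" for every key that appears more than once in the
# same section. Blank lines and comments are ignored.
sssd_duplicate_keys() {
    awk -F'=' '
        /^[[:space:]]*\[/ { section = $0; next }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            key = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            seen[section SUBSEP key]++
            if (seen[section SUBSEP key] == 2) print section " " key
        }' "$1"
}

# tls_reqcert is an OpenLDAP ldap.conf option; SSSD only honours
# ldap_tls_reqcert. Always exits 0; the output is what matters.
sssd_misspelled_keys() {
    grep -nE '^[[:space:]]*tls_reqcert[[:space:]]*=' "$1" || :
}

# True if the bind password is still the placeholder from the post.
sssd_placeholder_password() {
    grep -qE '^[[:space:]]*ldap_default_authtok[[:space:]]*=[[:space:]]*ldapusers_password[[:space:]]*$' "$1"
}

# True if the file is mode 0600 (GNU stat first, BSD stat as fallback).
sssd_file_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# True if a bind DN would be sent over plain ldap:// with no StartTLS,
# i.e. the ldap_default_authtok value travels in cleartext.
sssd_cleartext_bind() {
    grep -qE '^[[:space:]]*ldap_uri[[:space:]]*=.*ldap://' "$1" &&
    grep -qE '^[[:space:]]*ldap_default_bind_dn[[:space:]]*=' "$1" &&
    ! grep -qiE '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$1"
}

# Run every check, print findings, return 1 if anything was found.
audit_sssd_conf() {
    f=$1; rc=0
    dups=$(sssd_duplicate_keys "$f")
    if [ -n "$dups" ]; then echo "duplicate keys:"; echo "$dups"; rc=1; fi
    bad=$(sssd_misspelled_keys "$f")
    if [ -n "$bad" ]; then echo "not an SSSD option, use ldap_tls_reqcert: $bad"; rc=1; fi
    if sssd_placeholder_password "$f"; then echo "ldap_default_authtok is still the placeholder"; rc=1; fi
    if ! sssd_file_mode_ok "$f"; then echo "file mode is not 0600; sssd will refuse to start"; rc=1; fi
    if sssd_cleartext_bind "$f"; then
        echo "bind password would cross the network in cleartext; use ldaps:// or ldap_id_use_start_tls = true"
        rc=1
    fi
    return $rc
}

# Usage: audit_sssd_conf /etc/sssd/sssd.conf && service sssd start
```

Run it against the real file as root (the file is unreadable to anyone else by design); a clean run exits 0, so it can gate the `service sssd start` in a deployment script. The cleartext-bind check is a warning about the identity lookups only: user authentication in this setup goes through Kerberos and never sends the user's password over LDAP.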

Configure /etc/krb5.conf:

# vi /etc/krb5.conf
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 
[realms]
 DOMAIN.COM = {
  kdc = dc1.domain.com
  kdc = dc2.domain.com
 }
 
[domain_realm]
 .DOMAIN.COM = DOMAIN.COM
 DOMAIN.COM = DOMAIN.COM
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Update the authentication methods (if authconfig is unavailable you'll have to manually edit the module order in /etc/pam.d/password-auth):

# authconfig --enablemkhomedir --enablesssdauth --updateall

Verify nsswitch.conf was updated with sss:

# vi /etc/nsswitch.conf
 
passwd:     files sss
shadow:     files sss
group:      files sss

Enable SSSD on boot, start if necessary (should be running already):

# chkconfig sssd on
# /etc/rc.d/init.d/sssd start
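Before testing a login it pays to confirm what authconfig should have left behind: sss in the passwd, shadow and group lines of nsswitch.conf, pam_sss.so in all four module types of password-auth, and pam_mkhomedir.so in the session stack (otherwise the home directory is never created). The script below is an added example and not part of the original post. It takes the two file paths as arguments so it can be run against saved copies, and it assumes the module layout authconfig writes on RHEL6, including the pam_succeed_if.so uid gate in the auth stack; that gate is reported because an AD account whose uidNumber is below it is refused before pam_sss.so is ever consulted. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify the NSS and PAM
# pieces of the SSSD setup. Usage:
#   verify_auth_stack /etc/nsswitch.conf /etc/pam.d/password-auth

# Print each of passwd, shadow and group that does not list "sss".
nsswitch_missing_sss() {
    awk '
        $1 ~ /^(passwd|shadow|group):$/ {
            db = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) if ($i == "sss") has[db] = 1
        }
        END {
            split("passwd shadow group", want, " ")
            for (i = 1; i <= 3; i++) if (!has[want[i]]) print want[i]
        }' "$1"
}

# Print each module type (auth, account, password, session) with no pam_sss.so line.
pam_missing_sss() {
    awk '
        $1 ~ /^(auth|account|password|session)$/ && /pam_sss\.so/ { has[$1] = 1 }
        END {
            split("auth account password session", want, " ")
            for (i = 1; i <= 4; i++) if (!has[want[i]]) print want[i]
        }' "$1"
}

# True if the session stack creates home directories on first login.
pam_has_mkhomedir() {
    grep -qE '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Print the uid threshold from "pam_succeed_if.so uid >= N" in the auth
# stack (authconfig writes 500 on RHEL6); prints nothing if absent.
pam_auth_uid_threshold() {
    awk '$1 == "auth" && /pam_succeed_if\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "uid" && $(i + 1) == ">=") print $(i + 2)
        }' "$1"
}

# Run all checks; return 1 if anything required is missing.
verify_auth_stack() {
    nss=$1; pam=$2; rc=0
    missing=$(nsswitch_missing_sss "$nss" | tr '\n' ' ')
    if [ -n "$missing" ]; then echo "$nss: sss missing for: $missing"; rc=1; fi
    missing=$(pam_missing_sss "$pam" | tr '\n' ' ')
    if [ -n "$missing" ]; then echo "$pam: pam_sss.so missing in: $missing"; rc=1; fi
    if ! pam_has_mkhomedir "$pam"; then
        echo "$pam: no pam_mkhomedir.so in session; home directories will not be created"
        rc=1
    fi
    thr=$(pam_auth_uid_threshold "$pam")
    if [ -n "$thr" ]; then
        echo "note: auth stack only reaches pam_sss.so for uid >= $thr; AD accounts with a lower uidNumber are rejected first"
    fi
    return $rc
}
```

A clean run exits 0 and prints only the uid note. Keep the copies of system-auth and nsswitch.conf you took before running authconfig; if the check fails and you are already locked out, those are what you restore from single-user mode.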

Giving sudo permissions (optional): add the group you configured in AD to your sudoers file using %groupname (case sensitive). Example:

# vi /etc/sudoers
 
# Give our Windows group LinuxUsers (system admins) ALL commands.
%LinuxUsers     ALL=(ALL)       ALL

Test AD authentication and check that the user's home directory was created (/home/username).  Be sure to add ntpdate to a cron job to keep the time in sync with your domain controller.

7 thoughts on “Linux SSH + PAM + LDAP + SSSD + 2008 R2 AD Deployment”

  1. Diego

    Hey, it works, but I get some errors in the secure log:

    Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: authentication fails for 'my_user' (my_user@DOMAIN.COM): Authentication failure (Cannot read password)
    Feb 2 11:31:41 server01 sshd[21412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=my_user
    Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: error guessing name of local host principal
    Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: TGT failed verification using keytab: Hostname cannot be canonicalized
    Feb 2 11:31:41 server01 sshd[21412]: pam_krb5[21412]: authentication fails for 'my_user' (my_user@DOMAIN.COM): Authentication failure (Success)
    Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): getting password (0x00000010)
    Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): pam_get_item returned a password
    Feb 2 11:31:41 server01 sshd[21412]: pam_winbind(sshd:auth): user 'my_user' granted access
    Feb 2 11:31:42 server01 sshd[21412]: pam_winbind(sshd:account): user 'my_user' granted access
    Feb 2 11:31:42 server01 sshd[21412]: Accepted password for my_user from 192.168.1.1 port 58368 ssh2
    Feb 2 11:31:42 server01 sshd[21412]: pam_unix(sshd:session): session opened for user my_user by (uid=0)

    Can you help me with these messages?

  2. Mark

    Hi,

    Found this very helpful! I got AD auth to work with RHEL 5 without issue, but RHEL 6 is killing me!

    When I attempt SSH I got the following error:

    pam_sss (sshd:auth): received for user mark: 10 (User not known to the underlying authentication module)
    pam_krb5: error resolving user name ‘mark’ to uid/gid
    pam_krb5: error getting information about ‘mark’

    All my conf files look right, but I’m not sure about /etc/pam.d/password-auth. Any tips for this file would be greatly appreciated!

    -Mark

  3. Pingback: RHEL 6 and 7 Active Directory Integration | Richard's Thoughts

  4. chrisB915

    I broke my backup server following procedures/configurations in other blogs; this blog fixed it. Lessons learned along the way:
    If you put ntpdate into a cron job, you need to stop ntpd before and start it again after. If it isn't obvious, in an AD environment use the DCs as time servers. If you are using VMs on VMware, see their info about timekeeping for Linux guests; Google distribution-specific vmtools. Before attempting this, keep a copy of /etc/pam.d/system-auth and /etc/nsswitch.conf. If you can't log in, restart in single-user mode and restore those 2 to get back in.

  5. Saqib Ali

    We are thinking of using LDAP based IAM setup with VMware vCloud and OpenStack Nova Compute VMs.

    VMware vCloud and OpenStack Nova Compute VMs are self-serve in that the end-users (non Admins) can create the VMs as needed.

    Currently we have ldap_access_filter as ((memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)) that will allow access to a LINUX / UNIX machine to whoever is in that group.

    Since the end-user is not part of this group, he/she is not able to login. We would like to automatically add the end-user who created the VM to the ldap_access_filter.

    Also, since we manage the Sudo Rules in LDAP, we would like to automatically create a Sudo Rule for that VM and add the user to the Rule.

    Any thoughts on how to best design this? Maybe we are over-thinking this, and there is a simpler solution.

    The end-goal is that the end-user who creates the VM should have full access to that VM in addition to System Adminstrators LDAP Group.
