Ubuntu Authentication with Active Directory, This Time with Kerberos

Following my previous blog I looked for solutions for the outstanding issues I was having. As it turns out, AD does come with Kerberos. What's more, it is enabled by default and automagically works. Amazing. Well that also means all the work I did previously was for nothing.

While digging around I found a useful guide which I mostly followed, aside from some issues I had to work around.

But first, let's undo the mess I previously made.

$> mv /etc/sssd/sssd.conf /etc/sssd/sssd.old
$> apt install krb5-user realmd adcli samba-common-bin policykit-1
$> nano /etc/realmd.conf
[service]
automatic-install = no

[users]
default-home = /home/%U
default-shell = /bin/bash

[ldap.example.com]
computer-ou = OU=Linux,DC=ldap,DC=example,DC=com
automatic-id-mapping = yes
fully-qualified-names = no
$> realm join ldap.example.com

I ran into a bogus issue where the realm join command would fail with an error message indicating my dependencies were not installed, which was completely false. This thread suggested using the --install=/ parameter, or installing packagekit. I had just stopped reading too soon.

Well that still didn't work for me. Checking the port requirements for AD and Kerberos provided the solution: open up a bunch of ports.

Then, other issues I ran into were DNS related, so I had to add a _kerberos TXT entry, some rDNS entries and a _ldap._tcp SRV entry. Since DNS propagation takes time I'm not sure which one worked, but I'm pretty sure all are necessary at some point. Also, I added rdns = false in /etc/krb5.conf for good measure.
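To make the port and DNS prerequisites above checkable before running realm join, here is an added Python script (my example, not code from the post or from the guide it follows). It derives the SRV and TXT names a Kerberos/LDAP client queries for a realm, checks the PTR record that rdns = false otherwise sidesteps, and probes the well-known AD TCP ports. The lookup and probe functions are parameters, so the logic can be exercised against constructed answers; the real path assumes dig is installed, and the realm, host and IP values are placeholders.

```python
"""Pre-join checks for the DNS and port requirements of an AD/Kerberos client.

Added example, not from the post. Lookup and probe functions are parameters so
the logic runs offline against constructed answers; the defaults shell out to
`dig` (assumed installed) and do a plain TCP connect.
"""
import socket
import subprocess
import sys

# Well-known TCP ports a domain member needs to reach on the DC.
REQUIRED_TCP_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    445: "SMB",
    464: "kpasswd",
    3268: "Global Catalog",
}

# Constructed answers for offline runs: the realm has both SRV records but
# no _kerberos TXT record, which is one of the entries the post had to add.
CONSTRUCTED_ANSWERS = {
    ("SRV", "_kerberos._tcp.ldap.example.com"): ["0 100 88 dc1.ldap.example.com."],
    ("SRV", "_ldap._tcp.ldap.example.com"): ["0 100 389 dc1.ldap.example.com."],
}


def expected_records(realm):
    """DNS records a Kerberos/LDAP client queries for REALM (a DNS domain name)."""
    realm = realm.lower().rstrip(".")
    return [
        ("SRV", f"_kerberos._tcp.{realm}"),  # where the KDC is
        ("SRV", f"_ldap._tcp.{realm}"),      # where the DC's LDAP service is
        ("TXT", f"_kerberos.{realm}"),       # DNS domain -> Kerberos realm name
    ]


def dig_lookup(rtype, name):
    """Resolve NAME/RTYPE with `dig +short`; an empty list means no answer."""
    proc = subprocess.run(["dig", "+short", rtype, name],
                          capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line.strip()]


def offline_lookup(rtype, name):
    """Lookup backed by CONSTRUCTED_ANSWERS, for running without a network."""
    return CONSTRUCTED_ANSWERS.get((rtype, name.lower().rstrip(".")), [])


def check_dns(realm, lookup=dig_lookup):
    """Return {name: rtype} for every expected record that has no answer."""
    return {name: rtype for rtype, name in expected_records(realm) if not lookup(rtype, name)}


def check_rdns(ip, expected_host, lookup=socket.gethostbyaddr):
    """True if the PTR for IP resolves to EXPECTED_HOST (rdns=false in krb5.conf sidesteps this)."""
    try:
        host = lookup(ip)[0]
    except OSError:  # socket.herror is an OSError subclass
        return False
    return host.lower().rstrip(".") == expected_host.lower().rstrip(".")


def tcp_open(host, port, timeout=2.0):
    """Plain TCP connect probe; no protocol-level check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, probe=tcp_open, ports=REQUIRED_TCP_PORTS):
    """Return {port: service} for every required port the probe cannot reach."""
    return {port: svc for port, svc in ports.items() if not probe(host, port)}


if __name__ == "__main__":
    # usage: prejoin_check.py REALM [DC_HOST]; with no arguments, run offline on the constructed data
    if len(sys.argv) > 1:
        realm = sys.argv[1]
        dc = sys.argv[2] if len(sys.argv) > 2 else realm
        print("missing DNS records:", check_dns(realm) or "none")
        print("unreachable ports:", check_ports(dc) or "none")
    else:
        print("missing DNS records (offline sample):",
              check_dns("ldap.example.com", lookup=offline_lookup))
```

Run it with the realm name and DC hostname before realm join; an empty result for both checks means the records the join depends on are answerable from this host and the DC ports are reachable through whatever firewall sits in between.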

Joining the AD automatically creates relevant entries in /etc/sssd/sssd.conf, but in my case some tweaks were needed to get getent passwd working.

lookup_family_order = ipv6_first
ldap_uri = ldap://address.of.ldap.server.com

For some reason SSSD was throwing a bunch of GSSAPI errors saying something along the lines of no server being found in the Kerberos database, so explicitly specifying the LDAP URI seemed to do the trick.

If home directories are not automatically created for AD users (they were in my case) you can edit /etc/pam.d/common-session and add session optional pam_mkhomedir.so (or required; mine had optional and worked just fine, so I won't complain).

One last issue I was still having is that passwords weren't working. After messing around with /etc/pam.d and accidentally locking myself out, only a simple tweak was needed in /etc/pam.d/common-auth:

...
auth    [success=3 default=ignore]      pam_unix.so nullok_secure
#auth   [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    sufficient                      pam_sss.so use_first_pass
...

Turns out pam_winbind.so was causing some issues, and commenting it out and putting auth sufficient pam_sss.so instead worked for me. I still haven't been able to get SSH public keys automatically imported, but that is a minor inconvenience.
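One thing worth checking after an edit like this: the [success=N default=ignore] control skips N active module lines, so commenting pam_winbind.so out shifts where every jump that crossed it lands, which is exactly how a stray edit to common-auth locks you out or, worse, skips pam_deny.so. As an added example (not the post's code), the Python script below parses a common-auth stack the way PAM reads it and reports the module each jump lands on. The three stacks in it are constructed, modeled on Ubuntu's pam-auth-update layout, and are not the author's full file.

```python
"""Resolve where [success=N default=ignore] jumps land in a PAM auth stack.

Added example, not from the post. PAM counts N over the active module lines
that follow, so commenting a line out moves every jump that crossed it by
one. The three stacks below are constructed, modeled on Ubuntu's
pam-auth-update layout; run the script on /etc/pam.d/common-auth to see
the landing of each jump before the next edit.
"""
import re
import sys

# type  control  module-and-args; control is either a word or a [bracketed] list
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(.*)")

# Constructed: winbind still present, every jump skips pam_deny and lands on pam_permit.
WITH_WINBIND = """\
auth  [success=3 default=ignore]  pam_unix.so nullok_secure
auth  [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_cap.so
"""

# Constructed: winbind commented out but pam_unix's count left at 3, so its jump overshoots.
WINBIND_COMMENTED = """\
auth  [success=3 default=ignore]  pam_unix.so nullok_secure
#auth  [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_cap.so
"""

# Constructed: count lowered to 2 and pam_sss made sufficient, like the post's final stack.
FIXED = """\
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
#auth  [success=2 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth  sufficient                  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_cap.so
"""


def parse_stack(text):
    """Active (type, control, module+args) lines; comments and blanks are dropped, as PAM does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(m.groups())
    return entries


def success_jump(control):
    """N from '[success=N ...]', or None when the control field does not jump."""
    if not (control.startswith("[") and control.endswith("]")):
        return None
    for token in control[1:-1].split():
        key, _, value = token.partition("=")
        if key == "success" and value.isdigit():
            return int(value)
    return None


def resolve_jumps(text):
    """Map each jumping module to the module its success jump lands on."""
    entries = parse_stack(text)
    landings = {}
    for index, (_type, control, module) in enumerate(entries):
        n = success_jump(control)
        if n is None:
            continue
        target = index + 1 + n  # N lines are skipped, the one after them runs next
        name = module.split()[0]
        landings[name] = entries[target][2].split()[0] if target < len(entries) else "END OF STACK"
    return landings


if __name__ == "__main__":
    # usage: pam_jumps.py /etc/pam.d/common-auth; with no argument, show the overshooting sample
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WINBIND_COMMENTED
    for module, landing in resolve_jumps(source).items():
        print(f"{module:16} -> {landing}")
```

On the constructed stacks, pam_unix.so's jump lands on pam_permit.so with winbind present, drifts to pam_cap.so once the winbind line is commented without lowering the count, and is back on pam_permit.so after the count is corrected; whatever the rest of your file looks like, the intended landing for a successful local login is pam_permit.so, with pam_deny.so skipped and nothing past it.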