Following my previous blog post, I looked for solutions to the outstanding issues I was having. As it turns out, AD does come with Kerberos. What's more, it is enabled by default and automagically works. Amazing. Well, that also means all the work I did previously was for nothing.
While digging around I found a useful guide, which I mostly followed, aside from some issues I had to work around.
But first, let's undo the mess I previously made.
$> mv /etc/sssd/sssd.conf /etc/sssd/sssd.old
$> apt install krb5-user realmd adcli samba-common-bin policykit-1
$> nano /etc/realmd.conf

[service]
automatic-install = no

[users]
default-home = /home/%U
default-shell = /bin/bash

[ldap.example.com]
computer-ou = OU=Linux,DC=ldap,DC=example,DC=com
automatic-id-mapping = yes
fully-qualified-names = no

$> realm join ldap.example.com
I ran into some bogus issue where the realm join command would fail with an error message indicating my dependencies were not installed, which was completely false. This thread suggested using the --install=/ parameter, or installing packagekit. I just stopped reading too soon.
Well that still didn't work for me. Checking the port requirements for AD and Kerberos provided the solution: open up a bunch of ports.
Then, the other issues I ran into were DNS related, so I had to add a _kerberos TXT entry, some rDNS entries and a _ldap._tcp SRV entry. Since DNS propagation takes time I'm not sure which one worked, but I'm pretty sure all are necessary at some point. Also, I added rdns = false in /etc/krb5.conf for good measure.
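Because DNS propagation makes it hard to tell which record fixed the join, it helps to check the records and ports up front. The script below is an added example, not something from the original post or from realmd: it queries the SRV records AD publishes for discovery, the _kerberos TXT record, the reverse DNS entry of the first domain controller found, and TCP reachability of the ports a domain member needs. It assumes dig (dnsutils/bind-utils) and GNU timeout are installed; the domain ldap.example.com is the post's example name and the controller names are whatever DNS returns at run time.

```shell
#!/bin/bash
# Added example (not from the post): check the DNS records and TCP ports that a
# realm join and SSSD discovery depend on, before running "realm join".
# Assumes dig and timeout are installed; DC names are resolved at run time.

# SRV records Active Directory publishes and that realmd/SSSD query for discovery.
ad_srv_names() {
  printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" "_kerberos._udp.$1" "_kpasswd._tcp.$1"
}

# TCP ports a domain member needs to reach on a domain controller:
# DNS, Kerberos, LDAP, SMB (adcli/samba), kpasswd, LDAPS, global catalog.
ad_tcp_ports() {
  printf '%s\n' 53 88 389 445 464 636 3268
}

# Turn "dig +short SRV" output ("prio weight port target.") into "target port".
parse_srv() {
  while read -r _prio _weight port target; do
    [ -n "$target" ] || continue
    printf '%s %s\n' "${target%.}" "$port"
  done
}

# Succeeds if a TCP connection to $1:$2 opens within 3 seconds (bash /dev/tcp).
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

check_ad_prereqs() {
  domain=$1
  dc=""
  for name in $(ad_srv_names "$domain"); do
    answer=$(dig +short SRV "$name" | parse_srv)
    if [ -z "$answer" ]; then
      echo "MISSING SRV  $name"
    else
      echo "OK      SRV  $name -> $(echo "$answer" | tr '\n' ' ')"
      [ -n "$dc" ] || dc=${answer%% *}   # first target of the first record found
    fi
  done

  # The _kerberos TXT record carries the realm name (upper case) used by
  # DNS-based realm lookup in the Kerberos client.
  txt=$(dig +short TXT "_kerberos.$domain")
  if [ -n "$txt" ]; then echo "OK      TXT  _kerberos.$domain = $txt"; else echo "MISSING TXT  _kerberos.$domain"; fi

  [ -n "$dc" ] || { echo "no DC found via SRV, skipping PTR and port checks"; return 1; }

  # Reverse DNS for the DC: the Kerberos client canonicalises server names via
  # PTR lookups unless rdns = false is set in krb5.conf, so a missing PTR
  # surfaces as GSSAPI "server not found" style errors.
  ip=$(dig +short A "$dc" | head -n 1)
  ptr=""
  [ -n "$ip" ] && ptr=$(dig +short -x "$ip")
  if [ -n "$ptr" ]; then echo "OK      PTR  $ip -> $ptr"; else echo "MISSING PTR  $ip ($dc)"; fi

  for port in $(ad_tcp_ports); do
    if port_open "$dc" "$port"; then echo "OK      PORT $dc:$port"; else echo "CLOSED  PORT $dc:$port"; fi
  done
}

# Usage: ./check_ad_prereqs.sh ldap.example.com
if [ $# -gt 0 ]; then
  check_ad_prereqs "$1"
fi
```

Run it as an ordinary user on the machine that is about to join; every MISSING or CLOSED line is a record or firewall rule to fix before retrying realm join, and the PTR line is the one to look at when SSSD starts logging GSSAPI errors after the join.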
Joining the AD automatically creates the relevant entries in /etc/sssd/sssd.conf, but in my case some tweaks were needed to get getent passwd working:

lookup_family_order = ipv6_first
ldap_uri = ldap://address.of.ldap.server.com

For some reason SSSD was throwing a bunch of GSSAPI errors saying something along the lines of no server being found in the Kerberos database, so explicitly specifying the LDAP URI seemed to do the trick.
If home directories are not automatically created for AD users (they were in my case) you can edit /etc/pam.d/common-session and add session optional pam_mkhomedir.so (or required, but mine had optional and worked just fine, so I won't complain).
One last issue I was still having is that passwords weren't working. After messing around with /etc/pam.d and accidentally locking myself out, only a simple tweak was needed in

...
auth [success=3 default=ignore] pam_unix.so nullok_secure
#auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth sufficient pam_sss.so use_first_pass
...

pam_winbind.so was causing some issues, and commenting it out and putting auth sufficient pam_sss.so in its place worked for me. I still haven't been able to get SSH public keys automatically imported, but that is a minor inconvenience.
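The lockout risk in this kind of edit comes from the [success=N default=ignore] controls: in Linux-PAM, success=N skips the next N modules, so commenting one module out moves the landing point of every jump above it. The script below is an added example, not from the post, that lists the active auth entries of a PAM file and says where each success=N jump lands, so a stack can be reviewed in a root shell that stays open before anyone logs out. It assumes only awk and a readable Linux-PAM style file; the stack used in the usage note is constructed.

```shell
#!/bin/bash
# Added example (not from the post): map where each [success=N ...] jump in a
# PAM "auth" stack lands, to review a stack after commenting modules out.
# Assumes a Linux-PAM style file; only plain "auth" lines are considered.

pam_jump_map() {
  # $1: path to a PAM config file. Prints one line per active auth entry.
  # success=N skips the next N modules, so entry i continues at entry i+N+1
  # (or past the end of the stack, which ends evaluation).
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    $1 == "auth" {
      n++
      line[n] = $0
      if (match($0, /success=[0-9]+/))
        jump[n] = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    END {
      for (i = 1; i <= n; i++) {
        if (i in jump) {
          t = i + jump[i] + 1
          target = (t > n) ? "end of stack" : "entry " t
          printf "%d: %s  -> success skips %d, lands on %s\n", i, line[i], jump[i], target
        } else {
          printf "%d: %s\n", i, line[i]
        }
      }
    }' "$1"
}

# Usage: pam_jump_map /etc/pam.d/common-auth
if [ $# -gt 0 ]; then
  pam_jump_map "$1"
fi
```

On a constructed stack where pam_unix carries success=2 followed by a commented-out pam_winbind line, pam_sss, pam_deny and pam_permit, the output shows the pam_unix jump landing on pam_permit (entry 4), which is the check worth making every time a module is removed from the middle of a jump-based stack.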