Friday, September 11, 2015

Linux AD Authentication without joining the domain

If you want to authenticate to your Linux machine using your Microsoft AD accounts you can achieve that without having to join the domain.

Here's how you set it up on Ubuntu 14.04.

Install SSSD:
apt-get install sssd

Note: On Ubuntu the above command automatically edits /etc/nsswitch.conf as well as the appropriate PAM configuration files; you might have to do this yourself if you're installing on other Linux distros

Setup SSSD by putting this in: /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = MY_AD_DOMAIN.COM

[nss]
# the following 2 lines allow you to overwrite the "Unix Attributes" set on your AD (if any) and effectively eliminates the need to change anything on the AD server
default_shell = /bin/bash
override_homedir = /home/%u
filter_users = root
filter_groups = root
reconnection_retries = 3

[pam]

[domain/MY_AD_DOMAIN.COM]
#debug_level = 7
enumerate = False
case_sensitive = False
# always check with the AD server if the credentials are valid
cache_credentials = False
min_id = 100

# Providers
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
# allow only users in a particular AD security group
ldap_access_filter = memberOf=CN=Admins,OU=Groups,DC=MY_AD_DOMAIN,DC=com
chpass_provider = ldap

# figure out the UID and GID for a linux user from the AD objectSID
ldap_id_mapping = True
# depending on how big the objectSID is on your AD server you might need to tweak the 3 lines below to avoid collisions
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 800000

ldap_id_use_start_tls = True
# don't verify the certificate, unless you can obtain it from your AD server and install it on your Linux machine
ldap_tls_reqcert = never
ldap_schema = ad
ldap_tls_cacertdir = /etc/openldap/certs

ldap_search_base = OU=Users,OU=Objects,DC=MY_AD_DOMAIN,DC=com

# LDAP Class settings
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName

# LDAP connection settings
ldap_uri = ldaps://MY_AD_SERVER:MY_AD_PORT
# use a service account to bind
ldap_default_bind_dn = CN=MY_SERVICE_ACCOUNT,OU=Users,OU=Objects,DC=MY_AD_DOMAIN,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = MY_OBFUSCATED_PASSWORD
###

For some reason SSSD will refuse to start if the permissions on the config file are not set to 600 so:
chmod 600 /etc/sssd/sssd.conf 

No comments: