Using SSSD with Kerberos and Active Directory to Terminal into an OCI Linux Machine

Introduction

OCI, or Oracle Cloud Infrastructure, is Oracle's latest cloud infrastructure and is replacing the older Oracle Cloud Infrastructure Classic. One feature it has is built-in Identity Management Governance: for example, you can add and manage users to control who can access OCI resources, among other features; please refer to https://cloud.oracle.com/governance for more information. This article is focused on customers who want to use their existing identity management services, such as Active Directory. I previously wrote a four-part series on SSSD, starting with Part 1 of 4 – SSSD Linux Authentication: Introduction and Architecture, that includes a lot of detail from how SSSD works to the final setup, but I only covered LDAP and not Kerberos. This article shows how easy it is to install and configure SSSD (System Security Services Daemon) using Kerberos with Active Directory, giving customers a slick way to use their existing Active Directory users and groups to terminal into a Linux machine. It is important to know that for this to work the Linux machine must join the Active Directory domain, so if that is not allowed in your scenario you should refer to my SSSD Linux Authentication series, which uses pure LDAP.

Basic Requirements

1. You have root access or minimally can run root commands as sudo on the Linux machine.
2. You have an Active Directory account that can join a machine to the domain.
3. You have the Active Directory account password that joins the machine to the domain.

 

How To on Linux 6.x –

A couple of the key packages to set up SSSD with Kerberos and AD on Linux 6.x are "adcli" and "authconfig". These two packages work similarly to "realm", which is only available on Linux 7.x. The only addition is that you have to create the sssd.conf file yourself, but other than that they provide a simple way to set up SSSD on Linux 6.

The following steps use these example values; replace each of them with your own as needed.

  • acme.com — AD Domain
  • ACME.COM — AD REALM
  • acmeSSSD — AD Service Account allowed to join a machine to the domain
  • myP@ssw0rd — acmeSSSD service account password
  • ol6.acme.com — Linux 6.x machine

Steps:

1. Run the following command to install the required packages.
sudo yum -y install sssd authconfig adcli krb5-workstation

2. If required update /etc/resolv.conf to point your Linux machine to DNS; this is critical.
sudo vim /etc/resolv.conf

3. Run the adcli command to join the Linux machine to Active Directory. This also automatically creates the necessary keytab and updates the /etc/krb5.conf file with the correct domain and realm. The password is piped on stdin so it does not end up in the process list.
echo -n 'myP@ssw0rd' | sudo adcli join --stdin-password -U acmeSSSD acme.com

4. Run the adcli command with the info parameter to return information about the domain you joined; this validates that the join happened.
sudo adcli info acme.com

5. Run the authconfig command. This automatically configures sssd and makes sure that when you authenticate using SSH your home directory is created automatically, based on your Active Directory username and domain.
sudo authconfig --enablesssd --enablesssdauth --krb5kdc=acme.com --krb5realm=ACME.COM --enablemkhomedir --update

6. Unfortunately the sssd.conf file is not created automatically, so use vi or vim to create /etc/sssd/sssd.conf as follows. Be sure to replace the domain (acme.com) and REALM (ACME.COM) with yours, and note that access_provider is set to simple rather than ad.
[sssd]
domains = acme.com
services = nss, pam
config_file_version = 2

[domain/acme.com]
ad_domain = acme.com
krb5_realm = ACME.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple

7. Change the permissions of /etc/sssd/sssd.conf, otherwise the sssd service will not start.
sudo chmod 600 /etc/sssd/sssd.conf

8. Start or restart the sssd service.
sudo service sssd restart

9. Test logging in over ssh with an Active Directory account. If you are already logged in you can run "id <username>", where <username> is an account in Active Directory; it should return the uid and group id values. If you get the response "id: razl.dazzle: No such user" then SSSD is not working correctly: check DNS first, then my troubleshooting blog.
id razl.dazzle

10. To remove the Linux machine from the domain, run the following command.
echo -n 'myP@ssw0rd' | adcli delete-computer --stdin-password -U acmeSSSD --domain=acme.com ol6.acme.com

 

How To on Linux 7.x –

The key package for setting up SSSD with Kerberos and Active Directory on Linux 7.x is called "realm". This package makes life very easy, so easy that it does pretty much everything. The only addition is a couple of manual tweaks to the sssd.conf file.

The following steps use these example values; replace each of them with your own as needed.

  • acme.com — AD Domain
  • ACME.COM — AD REALM
  • acmeSSSD — AD Service Account allowed to join a machine to the domain
  • myP@ssw0rd — acmeSSSD service account password
  • ol7.acme.com — Linux 7.x machine

Steps:

1. Run the following command to install the required packages.
sudo yum -y install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation samba-common-tools

2. If required update /etc/resolv.conf to point your Linux machine to DNS; this is critical.
sudo vim /etc/resolv.conf

3. Run the realm command to join the Linux machine to Active Directory. This also automatically creates the necessary keytab, updates the /etc/krb5.conf file with the correct domain and realm, and generates the /etc/sssd/sssd.conf file. The password is piped on stdin so it does not end up in the process list.
echo -n 'myP@ssw0rd' | sudo realm join -U acmeSSSD acme.com

4. Run the realm command with the discover parameter to return information about the domain you joined; this validates that the join happened.
sudo realm discover acme.com

5. Though "realm join" automatically generates the /etc/sssd/sssd.conf file, it needs to be updated with the following changes.
Change access_provider from "ad" to "simple"; i.e. "access_provider = simple"
Change use_fully_qualified_names from "True" to "False"; i.e. "use_fully_qualified_names = False"

6. Start or restart the sssd service.
sudo /bin/systemctl restart sssd.service

7. Test logging in over ssh with an Active Directory account. If you are already logged in you can run "id <username>", where <username> is an account in Active Directory; it should return the uid and group id values. If you get the response "id: razl.dazzle: No such user" then SSSD is not working correctly: check DNS first, then my troubleshooting blog.
id razl.dazzle

8. To remove the Linux machine from the domain, run the following command.
echo -n 'myP@ssw0rd' | sudo realm leave -U acmeSSSD acme.com
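The Linux 7.x steps above lend themselves to a script. The following is an added example, not code from the original article: it runs a DNS preflight (the article's most common failure), performs the join with the password on stdin, applies the two sssd.conf edits from step 5, restarts sssd and runs the "id" check from step 7. It assumes the article's example domain acme.com and join account acmeSSSD, and that the "host" and "realm" commands are installed.

```shell
#!/bin/sh
# Added example, not from the original article: automates the Linux 7.x join
# (steps 3 to 7) with a DNS preflight. Assumes the article's example values.
set -eu

AD_DOMAIN="acme.com"      # assumption: the article's example AD domain
JOIN_USER="acmeSSSD"      # assumption: the article's example join account
SSSD_CONF="/etc/sssd/sssd.conf"

# The article notes most failures are DNS. realm/adcli locate domain
# controllers through these SRV records, so fail early if they are missing.
dns_preflight() {
    for rec in "_kerberos._tcp.$AD_DOMAIN" "_ldap._tcp.dc._msdcs.$AD_DOMAIN"; do
        host -t SRV "$rec" >/dev/null 2>&1 || { echo "missing SRV record: $rec" >&2; return 1; }
    done
}

# Step 5: apply the two sssd.conf edits to the file named in $1. The result is
# written to a scratch copy and copied back so the file keeps its 0600 mode.
tune_sssd_conf() {
    f="$1"
    sed -e 's/^access_provider[[:space:]]*=.*/access_provider = simple/' \
        -e 's/^use_fully_qualified_names[[:space:]]*=.*/use_fully_qualified_names = False/' \
        "$f" > "$f.tmp"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Step 7 check: does SSSD (or the local passwd file) know this account?
sssd_resolves() { id "$1" >/dev/null 2>&1; }

join_domain() {
    dns_preflight
    printf 'Password for %s: ' "$JOIN_USER"; stty -echo; read -r pw; stty echo; echo
    # The password goes over a pipe, so it never appears in argv or shell history.
    printf '%s' "$pw" | realm join -U "$JOIN_USER" "$AD_DOMAIN"
    realm discover "$AD_DOMAIN"              # step 4: confirm the join
    tune_sssd_conf "$SSSD_CONF"
    systemctl restart sssd.service           # step 6
}

# Run the join only when asked, so the functions above can be sourced or tested.
if [ "${1:-}" = "join" ]; then
    join_domain
    if sssd_resolves "${2:-}"; then echo "SSSD resolves ${2:-}"; else echo "lookup failed: check DNS" >&2; exit 1; fi
fi
```

Run it as root with "join" and an AD username to check, e.g. "./join.sh join razl.dazzle".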

 

Bonus Tips

Sometimes you may want to control who can access your Linux machines, and SSSD provides a way to do it. The following are a couple of tips that allow you to grant access based on groups or user accounts that exist in Active Directory.

Control SSH Terminal Authentication based on Active Directory Groups

1. Add the following to /etc/sssd/sssd.conf under the [domain/acme.com] section, the following groups are examples.
simple_allow_groups = Administrator, Linux-Admin

2. Restart the sssd service.
OL6: sudo service sssd restart
OL7: sudo /bin/systemctl restart sssd.service

Control SSH Terminal Authentication based on Active Directory User Accounts

1. Add the following to /etc/sssd/sssd.conf under the [domain/acme.com] section, the following users are examples.
simple_allow_users = Administrator, razl.dazzle

2. Restart the sssd service.
OL6: sudo service sssd restart
OL7: sudo /bin/systemctl restart sssd.service

Authentication Failed with error “disconnected: no supported authentication methods available (server sent: publickey, gssapi-with-mic)”

1. Update /etc/ssh/sshd_config as follows with “yes” instead of “no”; normally yes is the default.
# GSSAPI options
GSSAPIAuthentication yes

2. Restart the sshd service
OL6: sudo service sshd restart
OL7: sudo /bin/systemctl restart sshd.service

Summary

If you run into issues I would say 9 times out of 10 it is DNS: how the Linux machine resolves the Active Directory domain and vice versa. I have some additional troubleshooting tips in part 4 of my SSSD series, Part 4 of 4 – SSSD Authentication: Known Problems and Troubleshooting Tips. If you follow these steps it should be pretty simple, and you can even automate the setup using something as simple as a shell script, or go a step further and incorporate it into a Chef recipe. Note that this solution only works for terminal access to a Linux machine, not for the OCI console itself. In summary, the benefits of using SSSD with Kerberos and Active Directory are that customers can access their Linux machines in OCI using existing user accounts, with access controlled through groups. Users don't have to remember yet another password, and when someone leaves, as long as their account is provisioned to be disabled, you control the full life cycle of accounts accessing OCI resources.

Comments

  1. Chris P. says:

    In the last Bonus tip section before the Summary; You want to restart ssh not sssd as you made the change in the /etc/ssh/sshd_config file. So number 2 should read:
    2. Restart the ssh service
    OL6: sudo service sshd restart
    OL7: sudo systemctl restart sshd.service
