Using SSSD with Kerberos and Active Directory to Terminal into an OCI Linux Machine

June 21, 2018 | 8 minute read
Tim Melander
A-Team Cloud Solution Architect

Introduction

OCI, or Oracle Cloud Infrastructure, is Oracle’s latest cloud infrastructure and replaces the older Oracle Cloud Infrastructure Classic. One of its features is built-in Identity Management Governance: for example, you can add users and manage who can access OCI resources; see https://cloud.oracle.com/governance for more information. This article is aimed at customers who want to use their existing identity management services, such as Active Directory. I previously wrote a four-part series on SSSD, starting with Part 1 of 4 – SSSD Linux Authentication: Introduction and Architecture, that covers a lot of detail, from how SSSD works through to the final setup, but it only covered LDAP and not Kerberos. This article shows how easy it is to install and configure SSSD (System Security Services Daemon) with Kerberos against Active Directory so that a customer can use their existing Active Directory users and groups to terminal into a Linux machine. It is important to know that for this to work the Linux machine must join the Active Directory domain; if that is not allowed in your scenario, refer to my SSSD Linux Authentication series, which uses pure LDAP.

Basic Requirements

1. You have root access or minimally can run root commands as sudo on the Linux machine.
2. You have an Active Directory account that can join a machine to the domain.
3. You have the Active Directory account password that joins the machine to the domain.
4. You have specific ports and protocols open for communication to work.
5. DNS must be able to reverse-lookup the Linux machine so that its domain matches Active Directory.


Network and Firewall Considerations -

When joining a Linux machine to a KDC and performing Kerberos authentication, both UDP and TCP are used. It is very important to know which ports and protocols are used by the source and destination when setting up SSSD and during routine Kerberos authentication. The table below summarizes the services, ports, and protocols that must be open for SSSD to be set up and used successfully. Be sure to verify that these ports and protocols are reachable between the Linux machine and the Active Directory KDC. If you have multiple KDCs, make sure the ports and protocols are open to all of them.

Table 1: Requirements for Integration of Linux Systems with AD using SSSD

Service                 Port          Protocol
DNS                     53            UDP and TCP
LDAP                    389           UDP and TCP
LDAP                    636           UDP and TCP (optional, if used)
Kerberos                88            UDP and TCP
Kerberos                445 or 464    UDP and TCP
LDAP Global Catalog     3268          TCP (if id_provider = ad)
NTP                     123           UDP (optional, if used)


DNS and Principal Names Requirements -

It is important that the Linux machine’s fully qualified hostname matches what Active Directory expects. If it does not, the “realm join” command fails with a less than helpful error. Take the example in Graphic 1: it shows the error from running the realm join command as it attempted to complete the registration of the Linux machine, caused by trying to modify the Linux machine object in Active Directory using a hostname whose domain did not match.

Graphic 1: Wireshark Capture from the local Linux machine

A quick check is to run “hostname -f” on the local Linux machine before running the realm join command. If the fully qualified hostname carries a domain name that matches the Active Directory domain you are joining, you should be good; e.g. for the Active Directory domain “acme.com” the Linux machine should be “linux1.acme.com”. If this is not the case it needs to be fixed.

If the Linux machine is running in OCI (Oracle Cloud Infrastructure), its DNS servers will always return a default domain such as linux1.vcn0913118014.oraclevcn.com, which is not going to work. One way to correct this is to update /etc/hosts and add the Linux machine’s IP address, fully qualified hostname (with a domain name that matches the Active Directory domain), and short name. Be aware that in OCI /etc/hosts is overwritten after a reboot unless the /etc/oci-hostname.conf parameter PRESERVE_HOSTINFO is set to 2 (the default is 0). This is well documented in Oracle Support --- How to Permanently Change Hostname in Oracle Cloud Infrastructure (OCI) Compute Environment on Oracle Linux (Doc ID 2325469.1).
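The hostname checks above can be scripted and run before attempting the join. The following is an added example, not code from the article; it assumes the AD domain is passed as an argument and that the OCI default suffix is the oraclevcn.com one shown above.

```shell
#!/bin/sh
# Preflight for the hostname/DNS requirement before "realm join" or "adcli join".
# Added example, not from the article. Assumes the AD domain is given as an argument.

# 0 if FQDN ends in ".<domain>" (case-insensitive, as AD names are), else 1.
fqdn_matches_domain() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *".$domain") return 0 ;;
        *)           return 1 ;;
    esac
}

# 0 if the FQDN still carries the OCI VCN default domain the article warns about.
has_oci_default_suffix() {
    case "$1" in
        *.oraclevcn.com) return 0 ;;
        *)               return 1 ;;
    esac
}

# Prints the /etc/hosts entry the article describes: IP, FQDN, then the short name.
hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# 0 if oci-hostname.conf sets PRESERVE_HOSTINFO=2 so the /etc/hosts edit survives a reboot.
preserve_hostinfo_ok() {
    val=$(sed -n 's/^[[:space:]]*PRESERVE_HOSTINFO[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ "${val:-0}" -eq 2 ]
}

# Runs the checks against the live host (no files are written); usage: preflight acme.com
preflight() {
    domain=$1
    fqdn=$(hostname -f 2>/dev/null)
    has_oci_default_suffix "$fqdn" &&
        echo "WARN: $fqdn still uses the OCI VCN default domain; fix /etc/hosts first" >&2
    if ! fqdn_matches_domain "$fqdn" "$domain"; then
        echo "FAIL: '$fqdn' does not end in .$domain; realm join would fail" >&2
        return 1
    fi
    preserve_hostinfo_ok /etc/oci-hostname.conf ||
        echo "WARN: PRESERVE_HOSTINFO is not 2; /etc/hosts will be overwritten on reboot" >&2
    echo "OK: $fqdn matches AD domain $domain"
}
```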


How To on Linux 6.x -

A couple of the key packages for setting up SSSD with Kerberos and AD on Linux 6.x are "adcli" and "authconfig". These two packages work similarly to "realm", which is only available on Linux 7.x. The only extra step is that you have to create a new sssd.conf file; other than that it provides a simple way to set up SSSD on Linux 6.

The following steps use these example values; change them as needed for your environment.

  • acme.com --- AD Domain
  • ACME.COM --- AD REALM
  • acmeSSSD --- AD Service Account allowed to join a machine to the domain
  • myP@ssw0rd --- acmeSSSD service account password
  • ol6.acme.com --- Linux 6.x machine

Steps:

1. Run the following command to install the required packages.
sudo yum -y install sssd authconfig adcli krb5-workstation

2. If required, update /etc/resolv.conf to point your Linux machine at DNS; this is critical.
sudo vim /etc/resolv.conf

3. Run the adcli command to join the Linux machine to Active Directory; this also automatically creates the necessary keytab and updates /etc/krb5.conf with the correct domain and realm. For security reasons you can optionally remove (echo -n 'myP@ssw0rd') | and be prompted for the password instead.
(echo -n 'myP@ssw0rd') | sudo adcli join --stdin-password -U acmeSSSD@acme.com acme.com

4. Run the adcli command with the info parameter to return information about the domain you joined; this validates that the join happened.
sudo adcli info acme.com

5. Run the authconfig command; this automatically configures sssd and ensures that when you authenticate over SSH your home directory is created based on your Active Directory username and domain.
sudo authconfig --enablesssd --enablesssdauth --krb5kdc=acme.com --krb5realm=ACME.COM --enablemkhomedir --update

6. Unfortunately the sssd.conf file is not created automatically, so use vi or vim to create /etc/sssd/sssd.conf as follows. Replace the example domain (acme.com) and REALM (ACME.COM) with yours, and note that access_provider is set to simple rather than ad.
[sssd]
domains = acme.com
services = nss, pam
config_file_version = 2

[domain/acme.com]
ad_domain = acme.com
krb5_realm = ACME.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple

7. Change the permissions of /etc/sssd/sssd.conf; otherwise the sssd service will not start.
sudo chmod 600 /etc/sssd/sssd.conf

8. Start or restart the sssd service.
sudo service sssd restart

9. Test logging in over ssh with an Active Directory account. If you are already logged in you can try “id <username>”, where <username> is an account in Active Directory; it should return the uid and gid values. If you get the response "id: razl.dazzle: No such user" then SSSD is not working correctly; check DNS and my troubleshooting blog.
id razl.dazzle

10. To remove the Linux machine from the domain, run the following command. For security reasons you can optionally remove (echo -n 'myP@ssw0rd') | and be prompted for the password instead.
(echo -n 'myP@ssw0rd') | adcli delete-computer --stdin-password -U acmeSSSD@acme.com --domain=acme.com ol6.acme.com


How To on Linux 7.x -

One of the key packages for setting up SSSD with Kerberos and Active Directory on Linux 7.x is called "realm". This package makes life very easy, so easy that it does pretty much everything. The only extra step is a few manual tweaks to the sssd.conf file.

The following steps use these example values; change them as needed for your environment.

  • acme.com --- AD Domain
  • ACME.COM --- AD REALM
  • acmeSSSD --- AD Service Account allowed to join a machine to the domain
  • myP@ssw0rd --- acmeSSSD service account password
  • ol7.acme.com --- Linux 7.x machine

Steps:

1. Run the following command to install the required packages.
sudo yum -y install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation samba-common-tools

2. If required, update /etc/resolv.conf to point your Linux machine at DNS; this is critical.
sudo vim /etc/resolv.conf

3. Run the realm command to join the Linux machine to Active Directory; this also automatically creates the necessary keytab, updates /etc/krb5.conf with the correct domain and realm, and generates the /etc/sssd/sssd.conf file. For security reasons you can optionally remove (echo -n 'myP@ssw0rd') | and be prompted for the password instead.
(echo -n 'myP@ssw0rd') | sudo realm join -U acmeSSSD@acme.com acme.com

4. Run the realm command with the discover parameter to return information about the domain you joined; this validates that the join happened.
sudo realm discover acme.com

5. Though “realm join” automatically generates /etc/sssd/sssd.conf, it needs to be updated with the following changes.
Change access_provider from “ad” to “simple”; i.e. “access_provider = simple”
Change use_fully_qualified_names from “True” to “False”; i.e. “use_fully_qualified_names = False”

6. Start or restart the sssd service.
sudo /bin/systemctl restart sssd.service

7. Test logging in over ssh with an Active Directory account. If you are already logged in you can try “id <username>”, where <username> is an account in Active Directory; it should return the uid and gid values. If you get the response "id: razl.dazzle: No such user" then SSSD is not working correctly; check DNS and my troubleshooting blog.
id razl.dazzle

8. To remove the Linux machine from the domain, run the following command. For security reasons you can optionally remove (echo -n 'myP@ssw0rd') | and be prompted for the password instead.
(echo -n 'myP@ssw0rd') | sudo realm leave -U acmeSSSD@acme.com --domain=acme.com ol7.acme.com
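Before restarting sssd (step 6 and 7 on Linux 6.x, step 5 on Linux 7.x) the resulting file can be checked for the settings the steps require, including the 600 permission. This is an added example, not the article's own code nor part of SSSD; it assumes the domain section is named [domain/<your AD domain>] as in the steps above.

```shell
#!/bin/sh
# Checks an sssd.conf for the settings the article requires before sssd is restarted.
# Added example, not from the article. Usage: validate_sssd_conf /etc/sssd/sssd.conf acme.com

# Prints the value of KEY from the [domain/DOMAIN] section of FILE (empty if unset).
sssd_domain_value() {
    awk -v sect="[domain/$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect); next }
        insect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }
        }' "$1"
}

# Returns 0 when the file is usable, 1 otherwise; each problem is reported on stderr.
validate_sssd_conf() {
    conf=$1; dom=$2; rc=0
    # sssd refuses to start unless the file is mode 600 (step 7 on Linux 6.x).
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "$conf: mode is '${mode:-unknown}', must be 600" >&2; rc=1; }
    grep -q "^\[domain/$dom]" "$conf" 2>/dev/null || { echo "$conf: no [domain/$dom] section" >&2; return 1; }
    # The manual tweaks from the steps: AD identities, simple access control, short usernames.
    for kv in id_provider=ad access_provider=simple use_fully_qualified_names=false; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sssd_domain_value "$conf" "$dom" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || { echo "$key: expected '$want', found '${got:-unset}'" >&2; rc=1; }
    done
    # With access_provider = simple and no allow lists, every AD user may log in.
    allow="$(sssd_domain_value "$conf" "$dom" simple_allow_users)$(sssd_domain_value "$conf" "$dom" simple_allow_groups)"
    [ -n "$allow" ] || echo "note: no simple_allow_users/simple_allow_groups set; all AD users are allowed" >&2
    return $rc
}
```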


Bonus Tips

Sometimes you may want to control who can access your Linux machines, and SSSD provides a way to do it. The following are a couple of tips that allow you to grant access based on groups or user accounts that exist in Active Directory.

Control SSH Terminal Authentication based on Active Directory Groups

1. Add the following to /etc/sssd/sssd.conf under the [domain/acme.com] section; the groups shown are examples.
simple_allow_groups = Administrator, Linux-Admin

2. Restart the sssd service.
OL6: sudo service sssd restart
OL7: sudo /bin/systemctl restart sssd.service

Control SSH Terminal Authentication based on Active Directory User Accounts

1. Add the following to /etc/sssd/sssd.conf under the [domain/acme.com] section; the users shown are examples.
simple_allow_users = Administrator, razl.dazzle

2. Restart the sssd service.
OL6: sudo service sssd restart
OL7: sudo /bin/systemctl restart sssd.service
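To see which accounts a given simple_allow_users / simple_allow_groups configuration would admit before restarting sssd, the following added example (not from the article) reproduces the rule from sssd-simple(5): with no lists set everyone is allowed; otherwise the user must be listed directly or belong to a listed group. It assumes the user's group list is supplied comma-separated, as built by the groups_of helper below.

```shell
#!/bin/sh
# Predicts the verdict of SSSD's simple access provider for a user, given the
# simple_allow_users / simple_allow_groups values from sssd.conf. Added example, not from
# the article; the rule is the sssd-simple(5) one: with no lists set everyone is allowed,
# otherwise the user must appear in simple_allow_users or belong to a listed group.

# Trims surrounding whitespace and lowercases (AD names are case-insensitive).
norm() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# 0 if NAME is one of the comma-separated entries in LIST, else 1.
in_list() {
    name=$(norm "$1")
    [ -n "$name" ] || return 1
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        tr 'A-Z' 'a-z' | grep -qxF -- "$name"
}

# simple_access USER "group1,group2" "simple_allow_users value" "simple_allow_groups value"
# Returns 0 when the simple provider would grant access, 1 when it would deny.
simple_access() {
    user=$1; user_groups=$2; allow_users=$3; allow_groups=$4
    # Empty lists mean no restriction at all.
    [ -z "$(norm "$allow_users")$(norm "$allow_groups")" ] && return 0
    in_list "$user" "$allow_users" && return 0
    old_ifs=$IFS; IFS=,
    set -- $user_groups
    IFS=$old_ifs
    for g in "$@"; do
        in_list "$g" "$allow_groups" && return 0
    done
    return 1
}

# Builds the comma-separated group list for a live account from "id -Gn"
# (group names containing spaces would be split; fine for the article's examples).
groups_of() {
    id -Gn "$1" 2>/dev/null | tr ' ' ','
}
```

For the article's example lists, `simple_access razl.dazzle "$(groups_of razl.dazzle)" "" "Administrator, Linux-Admin"` returns 0 only if the account is in one of those two groups.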

Authentication Failed with error "disconnected: no supported authentication methods available (server sent: publickey, gssapi-with-mic)"

1. Update /etc/ssh/sshd_config as follows, with "yes" instead of "no"; yes is normally the default.
# GSSAPI options
GSSAPIAuthentication yes

2. Restart the sshd service.
OL6: sudo service sshd restart
OL7: sudo /bin/systemctl restart sshd.service

Summary

If you run into issues, I would say 9 times out of 10 it is DNS: how the Linux machine resolves the Active Directory domain and vice versa. I have some additional troubleshooting tips in Part 4 of my SSSD series, Part 4 of 4 – SSSD Authentication: Known Problems and Troubleshooting Tips. If you follow these steps it should be pretty simple, and you can even automate the setup with something as simple as a shell script, or go a step further and incorporate it into a Chef recipe. Note that this solution only applies to terminalling into a Linux machine and not to the OCI console itself. In summary, the benefits of using SSSD with Kerberos and Active Directory are that a customer can access their Linux machines in OCI with existing user accounts and control access using groups, which means users don't have to remember yet another password, and if they leave, as long as their account is provisioned to be disabled, you control the full life cycle of accounts accessing OCI resources.

Tim Melander

A-Team Cloud Solution Architect

I started with Oracle in 2005 and have been a member of the Oracle A-Team since 2012, though I have worked in Identity and Access Management since 1999. My journey with security continues in the cloud, which heavily includes Oracle Infrastructure Cloud (OCI). I enjoy writing articles built on real-life use cases to help in areas where a standard document may not. I am a strong believer in learning by example, so I try to incorporate as many helpful tips, excellent diagrams, and instructional steps as I can.
