Integrate Linux and Active Directory with SSSD + LDAPS

1 Contents
1 Lab Environment ..................................................................................................................... 2
1.1 Active Directory ............................................................................................................... 2
1.2 Linux OS .......................................................................................................................... 2
2 Configurations on Active Directory ........................................................................................ 3
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS .................... 3
2.2 Download CA certificate from AD host .......................................................................... 5
2.3 Create LDAP bind user and test user on AD host ............................................................ 6
3 Configurations on Linux .......................................................................................................... 7
3.1 Common Steps ................................................................................................................. 7
3.2 Setup on Ubuntu 1604.2 x64 Desktop ............................................................................. 9
3.3 Setup on CentOS 6.9/7.3 x64 ......................................................................................... 10
3.4 Setup on SLED 12 SP2 x64 ........................................................................................... 11
4 References ............................................................................................................................. 12
1 Lab Environment
1.1 Active Directory
 OS: Windows 2012 R2
 IP: 10.117.45.99
 FQDN: test-ad-host.testad.org
 Domain Name: testad.org
 Hostname: test-ad-host
1.2 Linux OS
 CentOS 6.9 x64
 CentOS 7.3 x64
 Ubuntu 1604.2 x64 Desktop
 SLED 12 SP2 x64
2 Configurations on Active Directory
2.1 Install Active Directory Certificate Service on AD host to enable LDAPS
 Install Active Directory Certificate Service role

 Configure Certification Authority role with default setting, and set Common Name to
TestAD-CA
2.2 Download CA certificate from AD host
 Run mmc and add Snap-ins Certificates with Computer account selected

 Navigate to “Certificates (Local Computer -> Trusted Root Certification Authorities

-> Certificates”, and right-click on CA certificate TestAD-CA to export it

 Select Base-64 encoded X.509 (.CER) for file format and ca_cert.cer for file name

You will get a file named ca_cert.cer, and rename it to ca-cert.pem

2.3 Create LDAP bind user and test user on AD host
 Create an OU named TestOU
 Create LDAP bind user ldapsearch under TestOU:
Set Full name to ldapsearch
Set User logon name to [email protected]
Set User logon name (pre-Windows 2000) to TestAD\ldapsearch
Set Password to Password1

 Create test user Test User under TestOU:

Set First name to Test, Last name to User, Full name to Test User
Set User logon name to [email protected]
Set User logon name (pre-Windows 2000) to TestAD\tuser
Set Password to Password2

You will get two users created under TestOU:

3 Configurations on Linux
3.1 Common Steps
 Map AD’s FQDN
Add below line in /etc/hosts
10.117.45.99 test-ad-host.testad.org

 Install CA cert
Copy ca-cert.pem to Linux machine to /etc/ldap-ca/ca-cert.pem
sudo mkdir /etc/ldap-ca
sudo cp ca-cert.pem /etc/ldap-ca/ca-cert.pem

 Test FQDN mapping and CA cert

Run below command, and you should get “Verify return code: 0 (ok)”
openssl s_client -connect test-ad-host.testad.org:636 -CAfile /etc/ldap-ca/ca-
cert.pem

 Test ldap to AD
Install ldap tool
Ubuntu: sudo apt install ldap-utils
CentOS: yum install openldap-clients

Run below ldapsearch command, which is using ldap protocol to do the search:
ldapsearch -v -x -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org -D
'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn
distinguishedName
When asked, type Password1 for password, and should get the search result

 Test ldaps to AD
Before test ldaps to AD, need set ldap.conf to specify the CA cert file for ldap. Edit
configuration file ldap.conf (Ubuntu: /etc/ldap/ldap.conf, SUSE/CentOS:
/etc/openldap/ldap.conf) to set below line:
TLS_CACERT /etc/ldap-ca/ca-cert.pem

Run below ldapsearch command, which is using ldaps protocol to do the search:
ldapsearch -v -ZZ -H ldap://test-ad-host.testad.org/ -b dc=testad,dc=org -D
'CN=ldapsearch,OU=TestOU,dc=testad,dc=org' -W -s sub 'cn=Test User' cn
distinguishedName
When asked, type Password1 for password, and should get the search result

 Prepare sssd configuration file

New a configuration file named sssd.conf, and enter below configuration lines.
[sssd]
config_file_version = 2
domains = testad.org
services = nss, pam
[pam]

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1

[domain/testad.org]
debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = simple
cache_credentials = false
min_id = 1000
ldap_uri = ldaps://test-ad-host.testad.org
ldap_schema = ad
# for SID-UID mapping
ldap_id_mapping = true
# caching credentials
cache_credentials = false
entry_cache_timeout = 3
# performance
ldap_referrals = false
ldap_default_bind_dn = CN=ldapsearch,OU=TestOU,DC=testad,DC=org
ldap_default_authtok_type = password
ldap_default_authtok = Password1
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap-ca/ca-cert.pem
fallback_homedir = /home/%u
ldap_user_home_directory = sAMAccountName
override_homedir = /home/%u
default_shell = /bin/bash
3.2 Setup on Ubuntu 1604.2 x64 Desktop
 Install sssd packages
sudo apt-get install sssd libpam-sss libnss-sss

 Install sssd configuration file

sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

 Restart sssd service

sudo service sssd restart

 Edit /etc/pam.d/common-session
Edit /etc/pam.d/common-session to insert below line after line of pam_sss.so
session optional pam_mkhomedir.so skel=/etc/skel/ mask=0077

 Test Configuration
Run blow command:
getent passwd tuser
You should get result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash
Run below command:
id tuser
You should get result like below:
uid=567801106(tuser) gid=567800513(Domain Users)
groups=567800513(Domain Users)

 Edit greeter Configuration File

By default, Ubuntu does not allow user to enter user name. Need edit greeter
configuration file /etc/lightdm/lightdm.conf (new it if does not exist) to add:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
 Login with AD Test User
Reboot and login with AD Test User:
Username: tuser
Password: Password2
3.3 Setup on CentOS 6.9/7.3 x64
 Install sssd packages
sudo yum install sssd

 Install sssd configuration file

sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

 Install oddjob-mkhomedir
yum install oddjob-mkhomedir

 Enable SSSD in PAM for user authentication

Run below command to update /etc/pam.d
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --
update

 Start Services
sudo service sssd start
sudo service oddjobd start

 Test Configuration
Run below command:
getent passwd tuser
You should get result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run below command:

id tuser
You should get result like below:
uid=567801106(tuser) gid=567800513(Domain Users)
groups=567800513(Domain Users)

 Login with AD Test User

Reboot and login with AD Test User:
Username: tuser
Password: Password2
3.4 Setup on SLED 12 SP2 x64
 Install sssd packages
sudo zypper install sssd

 Install sssd configuration file

sudo cp sssd.conf /etc/sssd
sudo chmod 600 /etc/sssd/sssd.conf

 Disable NSCD Service

sudo service nscd stop
sudo chkconfig nscd off

 Update PAM
sudo pam-config --add --sss
sudo pam-config --add --mkhomedir --mkhomedir-umask=0077

 Update /etc/nsswitch.conf
Update /etc/nsswitch.conf to set:
passwd: files sss
shadow: files sss
group: files sss

 Start SSSD Service

chkconfig sssd on
service sssd start

 Test Configuration
Run below command:
getent passwd tuser
You should get result like below:
tuser:*:567801106:567800513:Test User:/home/tuser:/bin/bash

Run below command:

id tuser
You should get result like below:
uid=567801106(tuser) gid=567800513(Domain Users)
groups=567800513(Domain Users)

 Login with AD Test User

Reboot and login with AD Test User:
Username: tuser
Password: Password2
4 References
 https://www.ossramblings.com/Ubuntu-14.04-SSSD-and-OpenLDAP-Authentication
 https://wiki.ubuntu.com/Enterprise/Authentication/sssd
 http://techuniqe.blogspot.co.uk/2015/04/using-sssd-for-active-directory.html
 https://serverfault.com/questions/734422/enable-ldap-client-in-sles-12-from-command-
line