mylesagray / blog-comments

Comments for Blah, Cloud. Hugo blog

Utilising Kerberos/AD auth in Ubuntu 14.04 with realmd | Blah, Cloud #20

Open mylesagray opened 2 years ago

mylesagray commented 2 years ago

Written on 12/08/2014 01:00:41

URL: https://blah.cloud/infrastructure/utilising-kerberosad-auth-ubuntu-14-04-realmd/

mylesagray commented 2 years ago

Comment written by Stefan Midjich on 12/08/2014 13:54:49

How does ID mapping work with realmd? I ask because the optimal solution is to use UID and GID from the AD server like with SFU or rfc2307.

mylesagray commented 2 years ago

Comment written by Myles Gray on 12/08/2014 19:25:54

@Stefan - realmd is technically a front-end for SSSD/Winbind (whichever you choose, SSSD is the default though) as such any ID mapping is done through SSSD in this case.

It uses UID and GID by default unless you use the ldap_id_mapping and ldap_schema in the sssd.conf as I understand it:

https://access.redhat.com/d...

mylesagray commented 2 years ago

Comment written by Patrick Nomblot on 01/22/2015 16:22:58

Congratulations, great and very useful doc!

I'm highly interested in SSO/password-less SSH login and in fact do not understand why it does not work straight on. SSH/krb5 conf for that is still a mystery for me.

Would appreciate your help to make SSO work too :-)

mylesagray commented 2 years ago

Comment written by KUL on 02/11/2015 16:02:00

I followed the instructions without any error. But when running the command 'id' the system says: 'no such user'

mylesagray commented 2 years ago

Comment written by Dimarc67 on 02/26/2015 19:01:59

Getting the same result as KUL.

Entering "id " returns "id: : no such user". Tried entering the domain username as "domain/username", "domain\username", and username@domain. Also tried with "//", "\\", "/\", and "\/".

Is this an indication of an issue? Ok to proceed past this without addressing?

Thanks.

mylesagray commented 2 years ago

Comment written by Myles Gray on 03/02/2015 18:50:28

@Dimarc67 - No, that means lookups aren't working; you will need to fix that before proceeding. I am investigating this on 14.10 at the moment (they seem to have STILL not fixed the realmd dependency problem).

mylesagray commented 2 years ago

Comment written by alex on 03/05/2015 05:24:15

Does anyone have any updates on this issue?
Entering "id " returns "id: : no such user". I'm stuck at this point, unable to authenticate to SSH.

mylesagray commented 2 years ago

Comment written by Mark Snelling on 03/05/2015 14:48:13

I also have this problem, did you solve it?

mylesagray commented 2 years ago

Comment written by Myles Gray on 03/05/2015 15:08:49

Working on it, Mark, seems 14.10 broke this!

mylesagray commented 2 years ago

Comment written by Mark Snelling on 03/05/2015 15:12:05

Ok, but I'm using 14.04.2

mylesagray commented 2 years ago

Comment written by alex on 03/06/2015 00:45:26

I found a solution that worked to resolve the "id: : no such user" error.
1 - use realm --verbose leave -U user your-domain to leave the domain
2 - to the /etc/sssd/sssd.conf file add
[your.domain.fqdn]
fully-qualified-names=no
3 - save the file, then service sssd restart
4 - get a token again: kinit -V username
5 - join again: realm --verbose join -U user yourdomain

Test the id command: id domain_user. This worked for me, hope it helps.

mylesagray commented 2 years ago

Comment written by Mark Snelling on 03/06/2015 13:55:18

@alex, this didn't work for me sorry.

mylesagray commented 2 years ago

Comment written by Adam Ellis on 03/08/2015 15:01:25

http://funwithlinux.net/201...

This worked for me; adcli wasn't installed and my sssd.conf was missing

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

mylesagray commented 2 years ago

Comment written by Alex on 03/10/2015 03:04:52

Hi Mark,
Sorry to hear it didn't work. After many installs and some minimal changes to the steps above, this process seems to be working for me. I've tested over and over now and it seems to work. Give it a try.

apt-get update

apt-get install realmd sssd samba-common-bin samba-libs sssd-tools krb5-user adcli

When prompted by krb5-user, enter your domain FQDN in upper case.

Add the following to the realmd.conf file.
vi /etc/realmd.conf
[service]
automatic-install = no

[your.FQDN.Here]
fully-qualified-names=no

Create the sssd.conf file and add the following
vi /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains =
config_file_version = 2
services = nss, pam

Set permissions on the file
chmod 0600 /etc/sssd/sssd.conf

This will prompt for your password and get a token at the same time.
realm --verbose join -U domainAccount my.domain.com

Now test the id command.

Hope it works for you.

mylesagray commented 2 years ago

Comment written by Alex on 03/10/2015 03:24:50

Forgot to add this, at the end:

If unable to join or the id test is not working:

Unjoin the domain
realm --verbose leave -U domainAccount my.domain.com

Reboot the system

Join the domain again.

realm --verbose join -U domainAccount my.domain.com
service sssd restart
test id

mylesagray commented 2 years ago

Comment written by Mark Snelling on 03/10/2015 11:04:46

This worked thanks, I think it was the missing realmd.conf file.

mylesagray commented 2 years ago

Comment written by Mark Snelling on 03/10/2015 12:43:18

One thing that I have noticed is that when joining the domain, if in the file /etc/sssd/sssd.conf the access_provider is set to 'ad' instead of 'simple' it won't work. Fixing this line seems to help my installations.
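A small config lint, added here as an illustration and not part of the blog post, realmd or SSSD, that checks an sssd.conf for the problems this thread keeps hitting: the 0600 mode Alex sets, an empty domains line or missing nss/pam services behind "id: no such user", use_fully_qualified_names forcing user@domain lookups, and Mark's access_provider = simple, which with no simple_allow_* list lets every domain account log in. The sample config and the example.test domain are constructed.

```python
"""Lint an sssd.conf for the pitfalls raised in this thread (constructed example)."""
import configparser

# Constructed sample shaped like a realm-join result; [nss]/[pam] omitted for brevity.
SAMPLE_CONF = """\
[sssd]
domains = example.test
config_file_version = 2
services = nss, pam

[domain/example.test]
id_provider = ad
access_provider = simple
use_fully_qualified_names = False
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text, mode=0o600):
    """Return findings for an sssd.conf body and its permission bits."""
    findings = []
    if mode & 0o077:  # sssd refuses to start if the file is group/world readable
        findings.append("file mode %o too permissive; expected 0600" % mode)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "sssd" not in cp:
        return findings + ["missing [sssd] section"]
    sssd = cp["sssd"]
    for svc in ("nss", "pam"):
        if svc not in _csv(sssd.get("services", "")):
            findings.append("services lacks %s; id lookups or logins fail" % svc)
    domains = _csv(sssd.get("domains", ""))
    if not domains:
        findings.append("domains is empty; nothing is queried, so id reports no such user")
    for dom in domains:
        sect = "domain/" + dom
        if sect not in cp:
            findings.append("[%s] section missing for listed domain" % sect)
            continue
        d = cp[sect]
        # sssd's documented default is False, but a realmd join writes True.
        if d.getboolean("use_fully_qualified_names", fallback=False):
            findings.append("[%s] needs qualified names: use id user@%s" % (sect, dom))
        # The simple provider with no allow list admits every domain account.
        if d.get("access_provider") == "simple" and not (
                d.get("simple_allow_users") or d.get("simple_allow_groups")):
            findings.append("[%s] access_provider=simple without simple_allow_*" % sect)
    return findings
```

Run it against /etc/sssd/sssd.conf by passing the file text and `os.stat(path).st_mode & 0o777` as the mode.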

mylesagray commented 2 years ago

Comment written by Myles Gray on 03/10/2015 13:42:40

Thanks Mark and Alex, I'm testing these solutions with 14.04.2 and 14.10 and will update the article based on what works best across both versions.

EDIT: Just tested with 14.04.2 and updated the article, working okay there now too.

mylesagray commented 2 years ago

Comment written by Myles Gray on 03/10/2015 15:57:45

Your sssd.conf is generated upon domain join.

mylesagray commented 2 years ago

Comment written by Alex on 03/11/2015 14:15:57

Thanks for the update, I'll have to test it just to see how it behaves.

mylesagray commented 2 years ago

Comment written by ⒢ⓐⓑⓡ&# on 03/30/2015 20:53:37

I'm having two issues now:
1) I'm not able to remove the user either via gnome or via sss_userdel
2) Once I change the password via AD I can't use the new password but I have to continue using the first password (the one I used the first time I logged in through gdm)

mylesagray commented 2 years ago

Comment written by Tina on 04/13/2015 21:37:32

I am very new here. Trying to follow the instructions; however, first, it doesn't prompt me to put in my domain name during the install. Then when editing the sssd file, does it save when you close the terminal?

mylesagray commented 2 years ago

Comment written by putt1ck on 04/22/2015 06:30:49

Using 14.04.2 and following instructions in the article and fixes noted in comments I'm stuck at

# id myuser
id: myuser no such user

Where kinit -V myuser correctly authenticates. Any ideas?

mylesagray commented 2 years ago

Comment written by putt1ck on 04/26/2015 14:04:03

A clean rebuild and careful ordering of steps did it. Maybe something conflicting in the configs from other work on the VM in question.

mylesagray commented 2 years ago

Comment written by Thales on 05/04/2015 13:45:11

To solve the "id: myuser no such user" problem, the solution I tracked down:

$ sudo apt-get install libnss-winbind
...
$ sudo service winbind restart
winbind stop / waiting
winbind start / running, process 3399
$ id My.User
uid = 10006 (My.User) gid = 10002 (domain user) groups = ...

My Linux: Ubuntu 15.04

Source:
http://falstaff.agner.ch/20...

mylesagray commented 2 years ago

Comment written by Mico on 06/28/2015 05:26:44

Myles, is it possible to obtain uid, gid and homedir mapping from a separate OpenLDAP database? I want to use your Kerberos authentication and sssd's auth provider. However, I really need to map custom attributes.

mylesagray commented 2 years ago

Comment written by Myles Gray on 07/08/2015 18:46:53

Mico, I can't answer with any great degree of technicality. I think this isn't a "thing"; I'm sure it can be done with some hacking, however. What about using OpenLDAP against AD as auth provider and pulling the needed attributes through OpenLDAP, with AD as backend auth for OpenLDAP?

Myles

mylesagray commented 2 years ago

Comment written by Bob Henderson on 10/21/2015 18:48:07

It's still happening as of 10/21/2015