Ubuntu – Configure SSSD with Realmd for Sudo and dyndns_update

active-directorysssdUbuntu

I'm trying to join a Ubuntu 16.04 to a Windows domain (active directory) using realmd + sssd. Basically I was following this post which worked pretty well and I was able to join my server and could successfully authenticate as AD user. However there are two pieces missing in the integration:

Register server's hostname in DNS
Use sssd-sudo for user authorization

Register server's hostname in DNS

As mentioned I successfully join the AD by using
realm join --user=dpr MYDOMAIN.INT --install=/:

root@ip-172-28-5-174 ~ # realm list
mydomain.int
  type: kerberos
  realm-name: MYDOMAIN.INT
  domain-name: mydomain.int
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@mydomain.int
  login-policy: allow-realm-logins

However, dispite the successful join, my server is not known to the other machines in the domain using its hostname ip-172-28-5-174.mydomain.int. I found this documentation that mentions a dyndns_update setting in the sssd.conf file.

As I'm using realm. The sssd configuration is generated automatically by issuing the join command. The generated config file looks like this:

[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam

[domain/mydomain.int]
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

That is I somehow need to add dyndns_update = True to this generated file. But how?

Use sssd-sudo for user authorization

Additionally I want to make sssd to read my sudo configuration from AD. I think this can be achieved using sssd-sudo but this needs to be enabled/configured in the sssd.conf file as well by adding sudo to the sssd services and use sudo_provider = ldap for my domain. Again I'm not able to figure out how to do this with realm.

Basically I want my generated config file to look like this:

[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam, sudo

[domain/mydomain.int]
id_provider = ad
access_provider = ad
sudo_provider = ldap
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

Any ideas on how this can be achieved?

Best Answer

If you want Active Directory to manage sudoers, you have to load a specialized schema into AD and then create your rules using a tool like ADSI Edit. This walkthrough worked for me on Ubuntu 14.04. The highlights are:

Import schema.ActiveDirectory
Create rules following the sudoers-ldap manpage
Update etc/nsswitch.conf to include sss among the entries on the sudoers = line
Update etc/sssd/sssd.conf to include:
- sudo among the entries on the services = line
- an empty [sudo] section (no configs are required, but Redhat asserts that this triggers the proper configuration of sudo support)
- a line like sudo_provider = ad (sssd docs on pagure.org claim sudo provider is enabled by default for ldap, ad and ipa so this may be optional)

When I repeat this process for 16.04 (i.e. same AD rules as 14.04), I'm actually having other issues. Apparently, this is not uncommon. It's possible that there's a bug in the version of sudo included in 16.04.

In principle, manually upgrading to the latest should resolve this issue.
The regular sudo package (not sudo-ldap) is the right package if you want SSSD (and not sudo) to manage the ldap connection. Specifically, installing sudo-ldap produced no logs in sssd_sudo.log while the regular sudo package did.
While sssd_sudo is now showing Returning 2 rules for [<user>@<domain>], sudo -l is still responding with Sorry, user <user>@<domain> may not run sudo on <host> so there may be other issues needing resolved.

My situation may not be typical, however, as I'm having additional issues that don't appear to be common. For example, I had issues running realm join that were resolved using workarounds from this Server Fault question.

If you found your way here due to realmd/sssd/sudo issues in 16.04, here are some other reported problems that may be helpful (not necessarily directly related to the OP's issue):

IPA host netgroup issue (more info on the free-ipa users list)
There's a known issue with realmd dependency resolution. As mentioned in the discussion, installing packagekit resolves for many (including us). There may be a separate issue with the version in 16.04.

We're evaluating 16.04 for upgrade so we may put this on the back burner, but hopefully our legwork helps others.

Related Solutions

Sudo and sssd not working with user groups

user waynea need to logout and login again

sudo -ll print like this:

[WanJie@svr-master root]$ sudo -ll
Matching Defaults entries for WanJie on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !visiblepw,
    always_set_home, env_reset, requiretty

User WanJie may run the following commands on this host:

SSSD Role: %admin
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /root/aaa.sh

SSSD Role: WanJie
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /root/sudo.sh

Linux – Connecting to Active Directory with Winbind

Undo all of your changes and delete the computer account from AD. Remove the winbind package.

Install a suitable selection of packages. On Debian-based systems you can use apt-get install samba smbclient sssd realmd dnsutils policykit-1 packagekit sssd-tools sssd libnss-sss libpam-sss adcli.

Don't worry at this point if sssd fails to start. It needs to be configured with the realm command, which we're going to address in a moment.

Make sure your local Linux-based system has your DC at its DNS server. Do not add any additional DNS server unless it is part of your Active Directory environment. If you simply edit /etc/resolv.conf and ignore the "do not edit this file" warning, your changes will probably get overwritten. At this point your system will fail to authenticate anyone and may even eventually fall off the domain. (Users tend to get unhappy at this point.)

Make sure your local time matches the time in Active Directory, since Kerberos won't work with a skew of greater than about 5 minutes (300 seconds).

For your local domain contoso.com run these three commands as root:

domain=contoso.com          # The FQDN itself. Not machine.FQDN
realm discover "$domain"    # If this fails, stop and recheck everything
realm join "$domain"        # [--user <ad_username>] [--computer-ou <ou>]

If you need to provide an AD account name for the realm join, do so with realm join --user <ad_username> "$domain", where <ad_username> represents an unqualified sAMAccountName. Your own AD account should work for a minimum of ten clients even if it is not a domain administrator, although administrator is a useful choice if you know its password. The --computer-ou option allows you to specify the initial OU for the account. Leave this blank unless you know its correct value (don't guess it).

Fix up the sssd.conf file. The ad_hostname is necessary for some versions to work around a bug. The LDAP group nesting level allows sssd to handle membership of nested groups.

sed -i "/^ad_domain /s/$/\nad_hostname = $(hostname).$domain/" /etc/sssd/sssd.conf
( echo; echo 'ldap_group_nesting_level = 5'; echo 'ldap_use_tokengroups = false' ) >>/etc/sssd/sssd.conf
service sssd restart

Best Answer

Related Solutions

Sudo and sssd not working with user groups

Linux – Connecting to Active Directory with Winbind

Related Question