I'm trying to join an Ubuntu 16.04 machine to a Windows domain (Active Directory) using realmd + sssd. Basically I was following this post, which worked pretty well: I was able to join my server and could successfully authenticate as an AD user. However, there are two pieces missing in the integration:
- Register server's hostname in DNS
- Use sssd-sudo for user authorization
Register server's hostname in DNS
As mentioned, I successfully joined the AD by using realm join --user=dpr MYDOMAIN.INT --install=/ :
root@ip-172-28-5-174 ~ # realm list
mydomain.int
type: kerberos
realm-name: MYDOMAIN.INT
domain-name: mydomain.int
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@mydomain.int
login-policy: allow-realm-logins
However, despite the successful join, my server is not known to the other machines in the domain by its hostname ip-172-28-5-174.mydomain.int. I found this documentation that mentions a dyndns_update setting in the sssd.conf file.
As I'm using realm, the sssd configuration is generated automatically by issuing the join command. The generated config file looks like this:
[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam
[domain/mydomain.int]
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
That is, I somehow need to add dyndns_update = True to this generated file. But how?
Use sssd-sudo for user authorization
Additionally, I want to make sssd read my sudo configuration from AD. I think this can be achieved using sssd-sudo, but this needs to be enabled/configured in the sssd.conf file as well, by adding sudo to the sssd services and using sudo_provider = ldap for my domain. Again, I'm not able to figure out how to do this with realm.
Basically I want my generated config file to look like this:
[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam, sudo
[domain/mydomain.int]
id_provider = ad
access_provider = ad
sudo_provider = ldap
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
Any ideas on how this can be achieved?
Best Answer
If you want Active Directory to manage sudoers, you have to load a specialized schema into AD and then create your rules using a tool like ADSI Edit. This walkthrough worked for me on Ubuntu 14.04. The highlights are:
- Load the schema.ActiveDirectory schema into AD
- Edit /etc/nsswitch.conf to include sss among the entries on the sudoers = line
- Edit /etc/sssd/sssd.conf to include sudo among the entries on the services = line
- Add a [sudo] section (no configs are required, but Redhat asserts that this triggers the proper configuration of sudo support)
- Set sudo_provider = ad (sssd docs on pagure.org claim the sudo provider is enabled by default for ldap, ad and ipa, so this may be optional)
When I repeat this process for 16.04 (i.e. same AD rules as 14.04), I'm actually having other issues. Apparently, this is not uncommon. It's possible that there's a bug in the version of sudo included in 16.04.
The sudo package (not sudo-ldap) is the right package if you want SSSD (and not sudo) to manage the ldap connection. Specifically, installing sudo-ldap produced no logs in sssd_sudo.log while the regular sudo package did.
While sssd_sudo is now showing "Returning 2 rules for [<user>@<domain>]", sudo -l is still responding with "Sorry, user <user>@<domain> may not run sudo on <host>", so there may be other issues needing to be resolved.
My situation may not be typical, however, as I'm having additional issues that don't appear to be common. For example, I had issues running realm join that were resolved using workarounds from this Server Fault question.
If you found your way here due to realmd/sssd/sudo issues in 16.04, here are some other reported problems that may be helpful (not necessarily directly related to the OP's issue):
We're evaluating 16.04 for upgrade so we may put this on the back burner, but hopefully our legwork helps others.
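The sssd.conf changes discussed in the question and the answer (sudo added to services, an empty [sudo] section, sudo_provider = ad, and dyndns_update = True) applied idempotently to the realm-generated file, as an added example that is not part of either post. It assumes the generated file shown in the question and a domain section named domain/mydomain.int; the sample text is constructed inline rather than read from /etc/sssd/sssd.conf.

```python
"""Apply the sudo and dyndns settings from this thread to a realmd-generated sssd.conf."""
import configparser
import io

# Constructed sample: the file that realm join wrote in the question above.
GENERATED_SSSD_CONF = """\
[sssd]
domains = mydomain.int
config_file_version = 2
services = nss, pam

[domain/mydomain.int]
ad_domain = mydomain.int
krb5_realm = MYDOMAIN.INT
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""


def _parse(text):
    # sssd.conf is INI-style. Interpolation is disabled so '%u@%d' survives,
    # and optionxform keeps option names case-sensitive (sssd keys are lowercase anyway).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def enable_sudo_and_dyndns(text, domain):
    """Return sssd.conf text with the sudo responder, sudo_provider and dyndns_update enabled.
    Running it twice yields the same output, so it is safe after a re-join regenerates the file."""
    cp = _parse(text)
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",") if s.strip()]
    if "sudo" not in services:
        services.append("sudo")          # 'services = nss, pam, sudo'
    cp["sssd"]["services"] = ", ".join(services)
    if not cp.has_section("sudo"):
        cp.add_section("sudo")           # empty [sudo] section, as the answer describes
    dom = cp["domain/%s" % domain]
    dom.setdefault("sudo_provider", "ad")  # keep an explicit value if one is already set
    dom["dyndns_update"] = "True"          # register the host's A record in AD DNS
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def settings(text, domain):
    """Check helper: (services list, has [sudo] section, sudo_provider, dyndns_update)."""
    cp = _parse(text)
    dom = cp["domain/%s" % domain]
    return ([s.strip() for s in cp["sssd"]["services"].split(",")],
            cp.has_section("sudo"), dom.get("sudo_provider"), dom.get("dyndns_update"))
```

Write the result back to /etc/sssd/sssd.conf (root-owned, mode 0600, which sssd insists on) and restart the sssd service for the new responder to start.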