Summary

  Subject:

Join a Linux machine to Active Directory Domain with LDAP Secure and NFS Permissions

  Updated:

2023-06-13

  Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

  Operating Systems:

Rocky 8

Rocky 9

Ubuntu 20.04

  Background:

This guide was written to join the supported operating systems to a Windows Active Directory domain.

CentOS 7 was removed from this guide to keep things simple. A lot of the reference links talk about CentOS version 7 or 8. All of those notes should still apply to Rocky 8 as it is a direct port of CentOS 8.

 

Table of Contents

VM Config

All Distributions

VM Specifications:

  • CPU: 1vCPU (2 cores)
  • RAM: 2 GB
  • HD: 100 GB

Rocky

Change the hostname:

sudo hostnamectl set-hostname newName.domain.local

Rocky 8 - Verify and/or Update the IP

sudo sed -i 's/192.168.30.199/192.168.30.150/g' /etc/sysconfig/network-scripts/ifcfg-ens192
sudo cat /etc/sysconfig/network-scripts/ifcfg-ens192

Rocky 9 - Verify and/or Update the IP

sudo cat /etc/NetworkManager/system-connections/ens192.nmconnection | grep -i address
sudo sed -i 's/192.168.30.198/192.168.30.108/g' /etc/NetworkManager/system-connections/ens192.nmconnection

Verify DNS is setup correctly.

sudo cat /etc/resolv.conf

The output should look something like:

search domain.local
nameserver 192.168.30.100
nameserver 192.168.30.101

Verify NTP is setup correctly.

sudo cat /etc/chrony.conf | grep -i "server t"

The output should look something like:

server tock.domain.local iburst
server tick.domain.local iburst

Ubuntu

Change the hostname:

sudo hostnamectl set-hostname newName.domain.local

Verify and/or Update the IP

sudo cat /etc/netplan/00-installer-config.yaml
sudo sed -i 's/192.168.30.199/192.168.30.150/g' /etc/netplan/00-installer-config.yaml

No DNS changes are required. Ubuntu uses a dynamic resolv.conf file for connecting local clients to the internal DNS stub resolver of systemd-resolved.

Verify NTP is setup correctly.

sudo cat /etc/chrony/chrony.conf | grep -i "server t"

The output should look something like:

server tock.domain.local iburst
server tick.domain.local iburst

Install

All Distributions

Package Descriptions

  • adcli: tools for joining and managing AD domains
  • oddjob-mkhomedir: creates home dir for AD accounts
  • oddjob: a D-bus service that runs odd jobs for clients
  • realmd: This manages enrolment and membership to AD
  • samba-common: shared tools for servers and clients
  • samba: This denotes the Samba services
  • sssd: used to divert client authentication as required

Rocky

Update the system:

sudo dnf -y update

Install the pre-reqs:

sudo dnf -y install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python-utils sssd-tools

Ubuntu

In the sanitize guide, we used the apt-get command. This is the older standard command, which is a subset of apt. Going forward, we will use the "apt" command instead of "apt-get".

Update the system:

sudo apt update
sudo apt -y upgrade

Install the pre-reqs:

sudo apt -y install adcli krb5-user ldap-utils libnss-sss libpam-sss oddjob-mkhomedir packagekit policycoreutils-python-utils realmd samba-common-bin sssd sssd-tools

SSL Chain Install

All Distributions

The PEM format is the most common format used for certificates. Extensions used for PEM certificates are: cer, crt, and pem. They are Base64 encoded ASCII files that contain human readable content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The DER format is the binary form of the certificate. DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements. DER formatted certificates most often use the '.der' extension.

The certs should have already been converted from the "base-64 encoded x.509 (.cer)" Windows encoding to a Unix encoding. If this has not already happened:

Run the following OpenSSL commands:

openssl x509 -inform PEM -in chain-root.cer -out chain-root.crt
openssl x509 -inform PEM -in chain-inter.cer -out chain-inter.crt

Combine the files (if needed):

cat chain-inter.crt chain-root.crt >> chain-both.crt

Download the certs to the local system. In the respective distro cert install commands, adding a combined chain would be redundant, so we only use the root and intermediate files, not the combined chain file.

/tmp/chain-inter.crt
/tmp/chain-root.crt

Set permissions

sudo chmod 644 /tmp/chain-inter.crt
sudo chmod 644 /tmp/chain-root.crt

Change ownership

sudo chown root:root /tmp/chain-inter.crt
sudo chown root:root /tmp/chain-root.crt

Certificate Creation

Certificate creation is out of scope of this document.

SSL Cert Install

Rocky

Move the files to their home for the import.

sudo mv /tmp/chain-inter.crt /etc/pki/ca-trust/source/anchors/chain-inter.crt
sudo mv /tmp/chain-root.crt /etc/pki/ca-trust/source/anchors/chain-root.crt

Install the certs.

After you run the "update-ca-trust" command, the certs are moved to: /etc/pki/ca-trust/extracted. Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats.

sudo update-ca-trust

To verify if the cert installed successfully:

cd /etc/pki/tls/certs/ # Rocky Cert Path
sudo cat /etc/pki/tls/certs/ca-bundle.crt | grep -i MIIFJDCCAw # First 10 char of intermediate cert
sudo cat /etc/pki/tls/certs/ca-bundle.crt | grep -i MIIFAzCCAu # First 10 char of root cert
sudo cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep -i cs02

Test the cert and AD connectivity:

sudo openssl verify ca-bundle.crt
sudo openssl s_client -connect domain.local:636 -showcerts
sudo openssl s_client -connect domain.local:636 -CAfile ca-bundle.crt

Ubuntu

Move the files to their home for the import. Make sure that the filename ends with .crt.

sudo mv /tmp/chain-inter.crt /usr/local/share/ca-certificates/chain-inter.crt
sudo mv /tmp/chain-root.crt /usr/local/share/ca-certificates/chain-root.crt

Install the certs.

The expected output from the update-ca-certificates command is: "3 added, 0 removed; done."

sudo update-ca-certificates -v

To verify if the cert installed successfully:

cd /etc/ssl/certs/ # Ubuntu Cert Path
sudo ls -lah /etc/ssl/certs/chain*.pem
sudo cat /etc/ssl/certs/ca-certificates.crt | grep -i MIIFJDCCAw # First 10 char of intermediate cert
sudo cat /etc/ssl/certs/ca-certificates.crt | grep -i MIIFAzCCAu # First 10 char of root cert

Test the cert and AD connectivity:

sudo openssl verify ca-certificates.crt
sudo openssl s_client -connect domain.local:636 -showcerts
sudo openssl s_client -connect domain.local:636 -CAfile ca-certificates.crt

Join to Active Directory

All Distributions

Verify the machine is not already part of AD.

sudo realm list

Test connectivity to Active Directory.

sudo realm discover domain.local --verbose

To set the OS info and AD OU:

sudo tee -a /etc/realmd.conf >/dev/null <<EOF
[active-directory]
os-name = Rocky Linux
os-version = 8

[domain.local]
computer-ou = OU=Linux,OU=Domain Servers,DC=domain,DC=local
EOF

If you are using a distro or version other than Rocky 8, update the OS information for Active Directory.

Rocky 9

sudo sed -i 's/os-version = 8/os-version = 9/g' /etc/realmd.conf

Ubuntu 20.04

sudo sed -i 's/os-name = Rocky Linux/os-name = Ubuntu Linux/g' /etc/realmd.conf
sudo sed -i 's/os-version = 8/os-version = 20.04/g' /etc/realmd.conf

If you are joining a machine other than a server to Active Directory, correct the OU where the object is to reside.

sudo sed -i 's/computer-ou = OU=Linux,OU=Domain Servers,DC=domain,DC=local/computer-ou = OU=Linux,OU=Desktop,OU=Domain Computers,DC=domain,DC=local/g' /etc/realmd.conf

Restart realmd.

sudo systemctl restart realmd

Join to the domain.

After the AD join, /etc/sssd/sssd.conf, /etc/krb5.conf, and /etc/krb5.keytab will be created automatically. If you get "realm: Couldn't join realm: Joining the domain domain.local failed", restart realmd and retry. If this still fails, add -v for verbose output to the end of the command.

sudo realm join --user=syseng domain.local -v

To verify the system was successfully joined to AD:

sudo realm list

Verify that you can perform an AD user lookup. The IDs shown are the numbers that will need to be changed in Active Directory. See the "AD Server - Configure NFS ID Mapping" section for more.

sudo id administrator
sudo id [email protected]

Test the AD connectivity:

ldapsearch -x -b DC=domain,DC=local -H 'ldaps://domain.local'
ldapsearch -x -H ldaps://domain.local:636 -D "[email protected]" -W -b DC=domain,DC=local -s sub "(objectclass=*)" -d1
ldapsearch -x -H ldaps://domain.local -b DC=domain,DC=local -D "CN=Timothy B. Hammond,OU=Users,OU=Domain Users,DC=domain,DC=local" -W "mail=*" mail
ldapsearch -x -H ldaps://domain.local:636 -D "[email protected]" -W -b "DC=domain,DC=local" cn

SSSD Config

All Distributions

SSSD stands for: System Security Services Daemon.

Make a backup of the respective conf file.

sudo cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak

The differences between the Rocky 8 and Ubuntu 20.04 sssd.conf files were minimal. We opted to combine the required settings into a single config file. We are clearing the config file and rewriting it.

Be aware that if you are using the AD provider, your communication across port 389 is encrypted using GSSAPI (Kerberos). It uses the host keytab to encrypt that communication. Using SSL atop that would be a waste of resources (and unsupported by Microsoft).

If you have GSSAPI encryption available (you do) then SSSD ignores the "ldap_id_use_start_tls" argument because you don't need both encryption streams. `ldap_id_use_start_tls` tells the LDAP provider to use the STARTTLS command on port 389 to wrap communication in a secure layer.

At one point, we had "ldap_id_use_start_tls = True". This broke the AD lookup. After a lot of reading, we found a few articles that said to change it to False if you are using SSL certs. False is the default setting.

To customize login information and restrict access, include the FQDN in the logon username and in the home directory path. Below are the defaults for the login credentials.

  • use_fully_qualified_names = True
  • fallback_homedir = /home/%u@%d

The next several lines are parts of the config for the [domain/domain.local] section. I had them in the config but they caused trouble. I wanted to keep the commands for a record as I did a fair amount of research on them.

  • # ldap_id_use_start_tls = True
  • # dyndns_update = True
  • # dyndns_refresh_interval = 3600
  • # dyndns_update_ptr = True
  • # dyndns_ttl = 3600
  • # dyndns_auth = GSS-TSIG

Clear the contents of the existing config file.

sudo su -c "cat /dev/null > /etc/sssd/sssd.conf"

Write the new contents of the existing config file.

sudo tee -a /etc/sssd/sssd.conf >/dev/null <<EOF
[sssd]
config_file_version = 2
domains = domain.local
reconnection_retries = 3
services = nss, pam

[domain/domain.local]
debug_level = 2
description = Active Directory 2019
ad_domain = domain.local
access_provider = ad
auth_provider = ad
chpass_provider = ad
id_provider = ad
ad_access_filter = (|(memberOf=CN=ac-Linux-admins,OU=Access Control,OU=Domain Groups,DC=domain,DC=local)(memberOf=CN=ac-Linux-users,OU=Access Control,OU=Domain Groups,DC=domain,DC=local))
krb5_realm = domain.local
krb5_store_password_if_offline = True
krb5_validate = True
ldap_id_mapping = True
ldap_schema = ad
ldap_search_base = DC=domain,DC=local
ldap_service_port = 636
# ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt # Rocky cert home
# ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt # Ubuntu cert home
ldap_tls_reqcert = hard
ldap_uri = ldaps://domain.local:636
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%u
realmd_tags = manages-system joined-with-adcli
use_fully_qualified_names = False

[nss]
debug_level = 2
reconnection_retries = 3

[pam]
debug_level = 2
reconnection_retries = 3
EOF

Rocky - remove the cert path for Ubuntu.

sudo sed -i '/# Ubuntu cert home/d' /etc/sssd/sssd.conf

Ubuntu - remove the cert path for Rocky.

sudo sed -i '/# Rocky cert home/d' /etc/sssd/sssd.conf

Remove the comment for the cert path and verify.

sudo sed -i '/ldap_tls_cacert/s/^#*\s*//g' /etc/sssd/sssd.conf
sudo cat /etc/sssd/sssd.conf | grep -i ldap_tls_cacert

Kerberos Config

All Distributions

Make a backup of the respective conf file.

sudo cp /etc/krb5.conf /etc/krb5.conf.bak

The differences between Rocky and Ubuntu were goofy. I opted to go through each setting and consolidate them into a single file.

Clear the contents of the existing config file.

sudo su -c "cat /dev/null > /etc/krb5.conf"

Write the new contents of the existing config file.

sudo tee -a /etc/krb5.conf >/dev/null <<EOF
# A backup of the original is located: /etc/krb5.conf.bak
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = domain.local
 dns_lookup_kdc = True
 dns_lookup_realm = False
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = True
 rdns = False
 # pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt # Rocky cert home
 # pkinit_anchors = FILE:/etc/ssl/certs/ca-certificates.crt # Ubuntu cert home
 spake_preauth_groups = edwards25519
 default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 0

[realms]
 domain.local = {
  kdc = domain.local
 }

[domain_realm]
 domain.local = DOMAIN.LOCAL
 .domain.local = DOMAIN.LOCAL
EOF

Rocky - Remove the cert path for Ubuntu.

sudo sed -i '/# Ubuntu cert home/d' /etc/krb5.conf

Ubuntu - Remove the cert path for Rocky.

Remove the includedir. Ubuntu will boot loop otherwise.

sudo sed -i '/# Rocky cert home/d' /etc/krb5.conf
sudo sed -i '/includedir \/etc\/krb5.conf.d\//d' /etc/krb5.conf

Remove the comment for the cert path and verify.

sudo sed -i 's/ # pkinit_anchors/ pkinit_anchors/g' /etc/krb5.conf
sudo cat /etc/krb5.conf | grep -i pkinit_anchors

LDAPS Setup Client

Both distros use different LDAP paths for the config.

Rocky

Make a backup of the respective conf file.

sudo cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.bak

Configure the LDAP config file:

Make sure the following items are uncommented and configured. When the cert is installed into the system, it is added to a master list of certs. The cert order within the master list does not matter.

  • BASE DC=domain,DC=local
  • URI ldaps://domain.local:636
  • TLS_REQCERT hard (default)
  • TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

sudo sed -i 's/#BASE.*/BASE DC=domain,DC=local/g' /etc/openldap/ldap.conf
sudo sed -i 's/#URI.*/URI ldaps:\/\/domain.local:636/g' /etc/openldap/ldap.conf

Add the cert locations:

sudo tee -a /etc/openldap/ldap.conf >/dev/null <<EOF
TLS_REQCERT hard
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
EOF

Ubuntu

Make a backup of the respective conf file.

sudo cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.bak

Configure the LDAP config file:

Make sure the following items are uncommented and configured. When the cert is installed into the system, it is added to a master list of certs. The cert order within the master list does not matter.

  • BASE DC=domain,DC=local
  • URI ldaps://domain.local:636
  • TLS_REQCERT hard (default)
  • TLS_CACERT /etc/ssl/certs/ca-certificates.crt (default)

sudo sed -i 's/#BASE.*/BASE DC=domain,DC=local/g' /etc/ldap/ldap.conf
sudo sed -i 's/#URI.*/URI ldaps:\/\/domain.local:636/g' /etc/ldap/ldap.conf
echo "TLS_REQCERT hard" | sudo tee -a /etc/ldap/ldap.conf

NSS Config

Fedora

At one time, I was using Fedora. This is an artifact left for historical purposes.

Fedora uses a different path than Rocky for the nsswitch.conf file.

I made changes to the equivalent of the Rocky user-nsswitch.conf file in Fedora, but the changes were not persistent after applying the policy. After testing, I do not believe these changes are required for a client machine. They are more for file sharing permissions enforcement.

Rocky

Make a backup of the respective conf file.

sudo cp /etc/authselect/user-nsswitch.conf /etc/authselect/user-nsswitch.conf.bak
sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

In nsswitch.conf, a comment states not to edit nsswitch.conf directly because it takes lower precedence than /etc/authselect/user-nsswitch.conf. The comment also says to run an extra command to commit the changes. That command is in the "Final Touches" section.

Show the config file without comments.

sudo cat /etc/authselect/user-nsswitch.conf | egrep -v "^\s*(#|$)"

Modify the config file so that each entity has "sss."

  • passwd: sss files systemd (default)
  • shadow: files sss (default)
  • group: sss files systemd (default)
  • services: files sss (default)
  • netgroup: sss (default)
  • automount: files sss (default)
  • # initgroups: files (remove comment / add sss)

Set initgroups to files as a performance optimization to prevent group information from being fetched from Active Directory. You can omit that line. If you do, though, you may see delays when you list files or perform other actions that try to look up UID and GID information.

sudo sed -i 's/shadow: files/shadow: sss files/g' /etc/authselect/user-nsswitch.conf
sudo sed -i 's/# initgroups: files/initgroups: files sss/g' /etc/authselect/user-nsswitch.conf

Show the config file without comments.

sudo cat /etc/authselect/user-nsswitch.conf | egrep -v "^\s*(#|$)"

Ubuntu

Make a backup of the respective conf file.

sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

Ubuntu does not have the silly message about modifying a different config file. So we can carry on our normal rounds.

Show the config file without comments.

sudo cat /etc/nsswitch.conf | egrep -v "^\s*(#|$)"

Modify the config file so that each entity has "sss."

  • passwd: files systemd sss (default)
  • group: files systemd sss (default)
  • shadow: files sss (default)
  • services: db files sss (default)
  • netgroup: nis sss (default)
  • automount: sss (default)
  • initgroups: files sss (added to config / add sss)

Set initgroups to files as a performance optimization to prevent group information from being fetched from Active Directory. You can omit that line. If you do, though, you may see delays when you list files or perform other actions that try to look up UID and GID information.

echo "initgroups: files sss" | sudo tee -a /etc/nsswitch.conf

Show the config file without comments.

sudo cat /etc/nsswitch.conf | egrep -v "^\s*(#|$)"

Configure NFS ID Mapping

Rocky

Make a backup of the respective conf file.

sudo cp /etc/idmapd.conf /etc/idmapd.conf.bak

The ID mapping daemon is used for translating ID numbers to usernames. It is installed by default with Rocky.

This file does not exist by default in Ubuntu until the nfs-kernel-server package is installed. So, do not worry that the file does not exist in the basic Ubuntu setup.

There is conflicting info on the [mapping] section. Some people use nobody vs nfsnobody. nfsnobody does not exist in either distro. The user "nobody" DOES exist in Ubuntu but a group "nobody" does not. So use "nogroup" instead. The nfsnobody user and the nfsnobody group map to the same ID that nobody and nobody/nogroup would.

Cat the file without comments:

sudo cat /etc/idmapd.conf | egrep -v "^\s*(#|$)"

Make the following sed changes.

sudo sed -i 's/#Domain = local.domain.edu/Domain = domain.local/g' /etc/idmapd.conf
sudo sed -i 's/#Local-Realms =/Local-Realms = domain.local/g' /etc/idmapd.conf
sudo sed -i 's/#Nobody-User = nobody/Nobody-User = nobody/g' /etc/idmapd.conf
sudo sed -i 's/#Nobody-Group = nobody/Nobody-Group = nobody/g' /etc/idmapd.conf
sudo sed -i 's/#Method = nsswitch/Method = static,nsswitch/g' /etc/idmapd.conf
sudo sed -i 's/#GSS-Methods =.*/GSS-Methods = static,nsswitch/g' /etc/idmapd.conf
sudo sed -i 's/LDAP_server = ldap-server.local.domain.edu/#LDAP_server = ldap-server.local.domain.edu/g' /etc/idmapd.conf
sudo sed -i 's/LDAP_base = dc=local,dc=domain,dc=edu/#LDAP_base = dc=local,dc=domain,dc=edu/g' /etc/idmapd.conf

Ubuntu

See the comments above for Rocky.

Home Directory Setup

Rocky

No changes are required for Rocky.

Ubuntu

realm does not enable pam_mkhomedir after the install. pam_mkhomedir creates home directories for network users after their initial login. To enable it, an extra command must be run, which is documented in the "Final Touches" section.

After a new user logs in from AD, the default permissions allow other users to read/write to other users' home directories. Looking at multiple forums, we found several different methods for controlling this behavior.

Set the home directory permissions for NEW logins:

Method 01

This method did NOT work.

Looking at the Rocky config, there is an option called "HOME_MODE" that we can add to the Ubuntu config. The following sed will accomplish this. The number sequence at the end of the sed is a chmod mode and NOT a umask.

  • sudo cat /etc/login.defs | grep -i HOME_MODE
  • sudo cp /etc/login.defs /etc/login.defs.bak
  • sudo sed -i '/^UMASK.*022/a\\n# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new\n# home directories.\n# If HOME_MODE is not set, the value of UMASK is used to create the mode.\nHOME_MODE 0700' /etc/login.defs

Method 02

This method did NOT work.

On another forum, it was recommended to change an oddjob conf file. The following sed will accomplish this. The number at the end of the string is a UMASK value. It must also be a total of four digits.

  • sudo cat /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf | grep "oddjob/mkhomedir"
  • sudo cp /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf.bak
  • sudo sed -i '/.*oddjob\/mkhomedir"/s/"$/ -u 0077"/' /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf

Method 03

This method did NOT work.

The most popular response on the forums was to modify the daemon config file. We had a really hard time doing sed on this file until we figured out the file was using tabs all over the place. When applying the command in the "Final Touches" section, there were warnings that system files were manually overwritten and that you would have to make all changes manually going forward unless you used --force to overwrite the files back to defaults. It was gross. Method 04 works without any issues.

  • sudo cat /etc/pam.d/common-session
  • sudo cp /etc/pam.d/common-session /etc/pam.d/common-session.bak
  • sudo sed -i '/session\trequired\tpam_unix.so .*/a session\trequired\tpam_mkhomedir.so skel=\/etc\/skel\/ umask=0077' /etc/pam.d/common-session

Method 04

This method DID work.

Create this file and run the command in "Final Touches" section." There will not be any issues.

sudo tee -a /usr/share/pam-configs/mkhomedir >/dev/null <<EOF
Name: mkhomedir chmod 700
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0077 skel=/etc/skel
EOF

Set the home directory permissions for OLD logins:

localadmin's home directory was created during the initial OS install and is using default permissions. To make everything consistent, change the permissions on the localadmin home directory.

sudo chmod 700 /home/localadmin

Access Control

All Distributions

Restrict console access: Use the sssd.conf config to set restrictions based on Active Directory groups. Use the following setting: "ad_access_filter."

Restrict SSH access: Use the sssd.conf config to set restrictions based on Active Directory groups. Use the following setting: "ad_access_filter."

All of the important SSH server settings were set in the original template.

Even though you did not configure SSSD for authentication by including pam in the services list, end users may still be able to log in to the netboot server over SSH using the PubkeyAuthentication or GSSAPIAuthentication methods. You may want to set an explicit limit for who can log in to your netboot server over SSH by adding the following setting to sshd_config:

DenyGroups users

echo "DenyGroups users" | sudo tee -a /etc/ssh/sshd_config

Restrict sudo access:

DO NOT edit /etc/sudoers.d/sudoers.

To restrict sudo access to an AD group, use one of the following methods:

Members of a group may gain root privileges: %ac-Linux-admins ALL=(ALL) ALL

Allows members of a group to execute any command: %ac-Linux-admins ALL=(ALL:ALL) ALL

Run the visudo command and append the following to the end of the file. Rocky seems to like tab formatting.

sudo visudo

## Allow members of the ac-Linux-admins group in the
## domain.local domain to run all commands.
%ac-Linux-admins	ALL=(ALL)	ALL

Final Touches

CentOS 7

Run the following command to set up the NSS and PAM stacks. This will enable sssd and pam authentication on the required entries. CentOS 7's authconfig was replaced with authselect. The CentOS 7 command is below for posterity:

sudo authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

Rocky

Display the current profile in use. The authselect select and apply-changes commands are self-explanatory. Verify that the changes have been applied to nsswitch.

sudo authselect current
sudo authselect select sssd with-mkhomedir --force
sudo authselect apply-changes
sudo cat /etc/nsswitch.conf | egrep -v "^\s*(#|$)"

Ubuntu

sudo pam-auth-update --enable sss mkhomedir

All Distros

Set permissions on the following files.

sudo chmod 600 /etc/krb5.keytab
sudo chmod 600 /etc/ldap/ldap.conf # Ubuntu LDAP config path
sudo chmod 600 /etc/openldap/ldap.conf # Rocky LDAP config path
sudo chmod 600 /etc/sssd/sssd.conf

Set ownership on the following files.

sudo chown root:root /etc/krb5.keytab
sudo chown root:root /etc/ldap/ldap.conf # Ubuntu LDAP config path
sudo chown root:root /etc/openldap/ldap.conf # Rocky LDAP config path
sudo chown root:root /etc/sssd/sssd.conf
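The settings written in the "SSSD Config" section and the permissions set here are what keep the join encrypted and the keytab private, so it is worth re-checking them once everything is in place. The following script is an added example, not part of the original guide: it audits sssd.conf for the LDAPS and access-control settings used above, checks mode and ownership of the secret files, and flags home directories that are not 700. It assumes GNU stat and the file paths used in this guide; the function names (audit_joined_host, audit_sssd_conf, check_file_mode, audit_home_dirs) are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the security-relevant
# settings this guide writes to sssd.conf and the permissions on the joined
# machine's secrets. Every function takes paths as arguments so it can also
# be run against copies of the files. Assumes GNU stat (-c).

# Print the active lines of an ini-style file with comments and blank lines
# stripped, so a commented-out setting is never mistaken for an active one.
active_settings() {
    grep -Ev '^[[:space:]]*(#|;|$)' "$1"
}

# Return 0 if sssd.conf (path in $1) contains every setting the guide relies
# on for an encrypted, access-controlled AD join; print each missing one.
audit_sssd_conf() {
    conf=$1
    missing=0
    for want in \
        'ldap_uri = ldaps://' \
        'ldap_tls_reqcert = hard' \
        'ldap_tls_cacert = /' \
        'access_provider = ad' \
        'ad_access_filter = ' \
        'krb5_validate = True'
    do
        if ! active_settings "$conf" | grep -Fq -- "$want"; then
            echo "sssd.conf: missing active setting '$want'"
            missing=$((missing + 1))
        fi
    done
    # ldap_id_use_start_tls = True broke AD lookups for the guide's authors.
    if active_settings "$conf" | grep -Eiq '^ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true'; then
        echo "sssd.conf: ldap_id_use_start_tls = True is active (see guide)"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Return 0 if file $1 has octal mode $2 (e.g. 600) and is owned by user $3.
check_file_mode() {
    f=$1; want_mode=$2; want_owner=$3
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    ok=0
    [ "$mode" = "$want_mode" ] || { echo "$f: mode $mode, want $want_mode"; ok=1; }
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, want $want_owner"; ok=1; }
    return $ok
}

# Return 0 if every directory directly under $1 is mode 700; list the rest.
audit_home_dirs() {
    bad=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c '%a' "$d")
        if [ "$mode" != "700" ]; then
            echo "$d: mode $mode, want 700"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run the whole audit against the live system (paths from this guide).
# Call as root: sudo sh -c '. ./audit.sh; audit_joined_host'
audit_joined_host() {
    rc=0
    audit_sssd_conf /etc/sssd/sssd.conf || rc=1
    for f in /etc/sssd/sssd.conf /etc/krb5.keytab; do
        check_file_mode "$f" 600 root || rc=1
    done
    # Only one of the two ldap.conf paths exists on a given distro.
    for f in /etc/openldap/ldap.conf /etc/ldap/ldap.conf; do
        [ -e "$f" ] && { check_file_mode "$f" 600 root || rc=1; }
    done
    audit_home_dirs /home || rc=1
    return $rc
}
```

A non-zero exit from audit_joined_host means at least one finding was printed; nothing is changed on disk.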

Reboot the machine.

sudo reboot

How To Login

Start SSH session as you normally would. For the username, do not use the domain name.

Username: adUserName
Password: adPassword

To verify who is logged in:

whoami

Leaving the domain

This will delete the computer object in AD and remove the local keytab file. This will also set the sssd.conf and krb5.conf files back to defaults.

sudo realm leave --user=syseng domain.local --remove

NFS Server - NFS Install (Windows 2019)

If you want to install NFS on a Windows 2019 server, follow these instructions. That can be done to make CIFS shares also NFS shares.

A good use case for this would be to share a software or a ISO directory.

Install NFS server role:

  1. Open Server Manager.
  2. Click on Tools > Add Role and Features.
  3. Select Role-based or feature-based installation.
  4. Select the desired server.
  5. Expand File and Storage Services > File and iSCSI Services.
  6. Select Server for NFS checkbox.
  7. Click next until you are done.

NFS Server Export (Windows 2019)

When you are managing NFS exports on a Windows 2019 server, you can use groups for machines. The following commands will create the group and the members so that the group can be used while setting up the permissions. AD is not used for this; rather, local Powershell cmdlets are.

To create a group of machines, open Powershell as admin and type:

New-NfsClientgroup -ClientGroupName <String>
Set-NfsClientgroup -ClientGroupName <String> -AddMember <String[]>
Set-NfsClientgroup -ClientGroupName <String> -RemoveMember <String[]>
Remove-NfsClientgroup -ClientGroupName <String[]>

AD Server - Configure NFS ID Mapping

The user ID and group ID must be set and be the same on the Linux AD-joined machine and the Windows file server. See the "To verify AD users" section above for info on how to get the IDs.

  1. Open Active Directory and go to Users and Computers
  2. Go to: View > Check Advanced Features

Go to the User you need to add the ID to. Go to "Attribute Editor" tab and make sure the Filter: "Show only attributes that have values" and the "Show only writeable attributes" are not checked. Scroll through the list and change the following variables so they are the same between the Linux machine's id and AD:

  • gidNumber
  • uidNumber

Alternatively, you can use the following commands to add the IDs to AD. The only catch is that the commands must be run in Powershell on a Windows server that is joined to the domain and that has the NFS server role installed. So editing the objects in AD may be easier.

New-NfsMappedIdentity -MappingStore "AD" -Server "domain" -UserName "stduser" -UserIdentifier 1483801107 -GroupIdentifier 1483800513
New-NfsMappedIdentity -MappingStore "AD" -Server "domain" -UserName "syseng" -UserIdentifier 1483802619 -GroupIdentifier 1483800513

Use the following Powershell command to verify the user IDs. This must be run from a Windows NFS server that is joined to the same AD domain.

PS C:\> Get-NfsMappedIdentity -MappingStore Ad -AccountType User

Use the following Powershell command to verify the group IDs. This must be run from a Windows NFS server that is joined to the same AD domain.

PS C:\> Get-NfsMappedIdentity -MappingStore Ad -AccountType Group

You can also add the default shell and home directory values using these attributes. Some articles said they are required.

loginShell: /bin/bash
unixHomeDirectory: /home/syseng
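The IDs have to agree on both sides before NFS permissions line up, so a check that compares what the Linux host resolves with what AD stores saves guesswork. The following script is an added example, not part of the original guide: ldif_ids pulls uidNumber/gidNumber for an account out of an ldapsearch LDIF result, check_id_mapping compares them with the Linux uid/gid, and check_live_mapping wires the two to the bind account (syseng) and base DN used in this guide. The function names are chosen here; the sample values in the comments are the guide's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): confirm that the POSIX IDs a
# joined Linux host resolves for an AD account match the uidNumber/gidNumber
# stored on the AD object. NFS permissions only line up when both agree.

# Read LDIF (ldapsearch output) on stdin and print "uidNumber gidNumber" for
# the entry whose sAMAccountName is $1. A missing attribute prints as "-",
# and an account that is not in the result prints "- -".
ldif_ids() {
    awk -v who="$1" '
        /^dn:/             { uid = "-"; gid = "-"; want = 0 }   # new entry
        /^sAMAccountName:/ { if ($2 == who) want = 1 }
        /^uidNumber:/      { uid = $2 }
        /^gidNumber:/      { gid = $2 }
        /^$/               { if (want) { print uid, gid; found = 1; exit } }
        END { if (!found) { if (want) print uid, gid; else print "- -" } }
    '
}

# Compare the Linux-side ids (uid $2, gid $3) of account $1 with the AD
# attributes read from LDIF on stdin. Returns 0 only when both match and
# explains each mismatch otherwise. Example from the guide: stduser should
# resolve to uid 1483801107 / gid 1483800513 on both sides.
check_id_mapping() {
    account=$1; linux_uid=$2; linux_gid=$3
    set -- $(ldif_ids "$account")
    ad_uid=$1; ad_gid=$2
    if [ "$ad_uid" = "-" ] || [ "$ad_gid" = "-" ]; then
        echo "$account: uidNumber/gidNumber not set in AD (uid=$ad_uid gid=$ad_gid)"
        return 1
    fi
    rc=0
    [ "$ad_uid" = "$linux_uid" ] || { echo "$account: AD uidNumber $ad_uid != Linux uid $linux_uid"; rc=1; }
    [ "$ad_gid" = "$linux_gid" ] || { echo "$account: AD gidNumber $ad_gid != Linux gid $linux_gid"; rc=1; }
    return $rc
}

# Live check on a joined host: pull the attributes over LDAPS with the bind
# account and base DN used in this guide (assumed; adjust for your domain),
# then compare with what `id` resolves locally. Prompts for the bind password.
check_live_mapping() {
    ldapsearch -x -LLL -H ldaps://domain.local:636 -b DC=domain,DC=local \
        -D "syseng@domain.local" -W "(sAMAccountName=$1)" \
        sAMAccountName uidNumber gidNumber |
        check_id_mapping "$1" "$(id -u "$1")" "$(id -g "$1")"
}
```

Run `check_live_mapping stduser` on the joined host; a mismatch means the uidNumber/gidNumber attributes in AD still need to be set to the values `id` shows.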

NFS client setup (Windows 2019)

If you want to mount the Linux NFS exports on a Windows 2019 server, the NFS Server must be installed. Type the following command in powershell. This will map the IDs you entered earlier in AD to the Linux IDs.

Set-NfsMappingStore -EnableADLookup $true

NFS client setup (Windows 10)

Go to the Classic Control Panel > Programs and Features > Turn Windows features on or off. Under "Services for NFS", BOTH "Administrative Tools" AND "Client for NFS" must be checked. A reboot may be required.

Alternatively, you can install Windows 10 NFS Client using Powershell in admin mode.

Enable-WindowsOptionalFeature -FeatureName ServicesForNFS-ClientOnly, ClientForNFS-Infrastructure, NFS-Administration -Online -NoRestart

The following is what will force the ID mappings to use Active Directory. Open the Windows 10 app "Services for Network File System." Right click on "Services for NFS." Check the box for: "Active Directory domain name:" and type: domain.local

This can also be achieved by Powershell in admin mode:

Set-NfsMappingStore -EnableADLookup $True -ADDomainName "domain.local"

To show a list of current settings, open a Powershell prompt in admin mode:

Get-NfsMappingStore

OPTIONAL: Set the UID and GID.
The username/group cannot be set during the mounting of an export. You have to use Powershell in admin mode. None of the docs referenced a HKCU key, only HKLM. A reboot is required for these changes to take effect.

New-ItemProperty HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default -Name AnonymousUID -Value <unix_export_owner_uid> -PropertyType "DWord"
New-ItemProperty HKLM:\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default -Name AnonymousGID -Value <unix_export_owner_gid> -PropertyType "DWord"
shutdown -f -r -t 5

Some documentation said to add "-o anon nolock" to the Windows mount command. During testing, this did not seem to be required. Example:

mount -o anon nolock \\nfs01.domain.local\mnt\nfs P:

NFS mount commands (Windows)

To get a list of NFS shares, open a Windows cmd prompt:

showmount -e \\nfs01.domain.local

To mount a NFS share, open a Windows cmd prompt:

mount \\nfs01.domain.local\mnt\nfs p:

To get a list of current mounts and properties, open a Windows cmd prompt:

mount

To unmount a NFS share, open a Windows cmd prompt:

umount p:

NFS client setup (Linux)

Install the NFS client in the respective distro.

Rocky

sudo dnf -y install nfs-utils

Ubuntu

sudo apt -y install nfs-common

NFS mount commands (Linux)

To get a list of NFS shares:

showmount -e nfs01.domain.local

To mount a NFS share, create the folder, and then mount the share to the folder:

sudo mkdir /mnt/nfs01_-_nfs
sudo mount -t nfs nfs01.domain.local:/mnt/nfs /mnt/nfs01_-_nfs

You will likely have to adjust permissions; reference the chmod, chown, and chgrp commands above.

To unmount a NFS share:

sudo umount /mnt/nfs01_-_nfs

Troubleshooting

To increase verbosity of errors, up the logging level. The debug level can be set for the domain, NSS, or PAM. The sed command will enforce this for all three. Don't forget to change it back to the default of 2.

sudo sed -i 's/debug_level = 2/debug_level = 9/g' /etc/sssd/sssd.conf

Logs to tail for troubleshooting:

sudo tail /var/log/audit/audit.log
sudo tail /var/log/messages
sudo tail /var/log/secure
sudo tail /var/log/sssd/sssd_domain.local.log
sudo tail /var/log/sssd/sssd_nss.log
sudo tail /var/log/sssd/sssd_pam.log

To get a list of the current kerberos tickets:

sudo klist

If the verify is failing, use the following commands to flush sss_cache or delete the files (to clear the SSSD cache).

sudo sss_cache -E
sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl restart sssd

From the Ubuntu docs, you can clear the cache by using the sssctl tool. Remove the whole cache:

sudo sssctl cache-remove

One element:

sudo sssctl cache-expire -u stduser

Expire everything:

sudo sssctl cache-expire -E

References

How SSSD works

Basic AD join setup

How to install CA certs

AD join with SSL setup

AD GPO light reading

Securing files, configuring NSS and PAM

Realm customization

SSSD config

ldap.conf Config

How to flush and clear SSSD cache

Customize SSH access

ID Mapping

Windows - Create NFS client groups

Access to File System using UNC Path is Slow or Fails

Fantastic NFS sites

NFS Client for Windows 10

"KDC has no support for encryption type" troubles