AD On Linux
NIS is old and lacking in features, so we would like to come up with a modern replacement. Going with AD as an auth solution gives us the option of ditching our own AD servers at some point and simply hooking in to the ITS servers instead.
Linux Auth Basics
Linux authentication deals with two main classes of data, users and groups. We can use the getent command to see the data associated with a given class of object, such as this user:

```
ktm5j@kurma ~/local/bin $ getent passwd ktm5j
ktm5j:x:356237:22:Kevin Thomas Miles:/u/ktm5j:/bin/bash
```

This returns all data associated with the given user account (except for password data, which is typically stored in /etc/shadow for local accounts). This is essentially the line you would find in /etc/passwd for a local account. Each data field is separated by a colon (:) character.

We can also view group data in the same fashion:

```
ktm5j@kurma ~/local/bin $ getent group compstaff
compstaff::22:fls4t,ejs3s,ktm5j,pgh5a,tc3lzr
```
What we need from Active Directory is the same user and group information that is available for local or NIS accounts in Linux.
LDAP Unix Attributes
Typical users and groups in Active Directory do not have the information required for a Linux account, so we need to populate special Unix attributes to store this data.
Users
Field | AD Attribute | Required |
---|---|---|
User Name | sAMAccountName | * |
User ID | uidNumber | * |
Group ID | gidNumber | * |
Home Dir | unixHomeDirectory | * |
Login Shell | loginShell | |
Groups
Field | AD Attribute | Required |
---|---|---|
Group Name | name | * |
Group ID | gidNumber | * |
Editing Attributes
Attributes can be modified from any Windows Domain Controller (AD server) using the Active Directory Users and Computers utility. To view attributes for users and groups, you must first enable Advanced Features by clicking View → Advanced Features in the top menu bar. Then open any user or group by double-clicking the item, or right-click it and select Properties, and select the Attribute Editor tab.
Manual Creation
After a user or group is created manually in Active Directory (i.e. from a domain controller using Active Directory Users and Computers), the Unix attributes discussed above must be populated by hand. Unix groups must be created in the OU unixGroups.
Linux Auth Providers
SSSD is used as the auth provider for Linux systems. The config for this service is found in /etc/sssd/sssd.conf:

```ini
[sssd]
domains = cs.virginia.edu
config_file_version = 2
services = nss, pam

[domain/cs.virginia.edu]
ad_domain = cs.virginia.edu
krb5_realm = CS.VIRGINIA.EDU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = False
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /u/%u
access_provider = ad
ldap_user_principal = nosuchattribute
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_group_name = Name
ldap_group_gid_number = GidNumber
ldap_group_search_base = OU=unixGroups,DC=cs,DC=virginia,DC=edu
```