How to set up an Ubuntu 18.04 Linux system to use sssd to authenticate users using Active Directory without joining a domain

Set up Ubuntu Linux to use Active Directory for user authentication + authorization

This guide steps you through setting up an Ubuntu 18.04 Linux system so that you can log in to it using an Active Directory server for authentication and authorization. NOTE: You do not need to join a domain to use this method!!

The net effect of this guide is that you never need to create a user account on your Linux host. The user's home directory is created automatically at log-in time, and the password (along with account expiration) is checked against the Active Directory server.

The downside of this method is that it's not quite as secure, scalable, or easy to manage as joining your host to a domain. Joining the host to the domain takes a bit more time, coordination, and access, depending on the way you do it. But it's a better long-term, scalable solution than using LDAP in this method. It may also just perform much faster, as sssd has Active Directory-specific features that work best if you join the domain.

This guide first sets up the sssd service, which is configured to contact an LDAP server (which is really the Active Directory server). Then other software on your host (PAM, SSHD, NSS) is configured to use sssd for authentication and authorization. (Your normal system login services will keep working as before.)

Note: All these instructions are run as root user. You can run them as a normal user if you put them in a shell script and execute it with sudo.

Step 1. Install required software

apt-get update && apt-get install -y libpam-sss libnss-sss sssd sssd-tools sssd-ldap ldap-utils openssl ca-certificates

Step 2. Download and install AD LDAP TLS certificate

This step is necessary so that sssd can connect securely to your Active Directory server. Obtain this certificate out of band if possible, rather than fetching it over the network as shown below, so that a man-in-the-middle cannot hand you a forged one.

openssl s_client -showcerts -connect "<AD_SERVER_HOSTNAME>:<AD_SERVER_LDAP_PORT>" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > ad-ldap.crt
[ -d /usr/local/share/ca-certificates ] || mkdir -p /usr/local/share/ca-certificates
mv ad-ldap.crt /usr/local/share/ca-certificates/
update-ca-certificates

Step 3. Query LDAP to make sure your connection works

This runs an ldapsearch query against your LDAP server. This will ensure your networking works, your TLS cert was set up correctly above, and that your Base DN and Bind DN work correctly.

ldapsearch -o ldif-wrap=no -LLL \
    -H ldaps://<AD_SERVER_HOSTNAME>:<AD_SERVER_LDAP_PORT> \
    -b "<LDAP_SEARCH_BASE_DN>" \
    -D "<LDAP_BIND_DN>" \
    -W "(sAMAccountName=<SOME AD USER ID>)" > my-user.ldif
grep sAMAccountName my-user.ldif
# sAMAccountName: <SOME AD USER ID>

Step 4. Install configuration files

(base64 -d | gzip -d > sssd.conf) <<'EO_SSSD'
[base64 payload not present in this copy of the gist]
EO_SSSD

echo "07ac0be1e5aad14a262f72a1868244de  sssd.conf" | md5sum -c && \
mv sssd.conf /etc/sssd/sssd.conf && \
chown root:root /etc/sssd/sssd.conf && \
chmod 0600 /etc/sssd/sssd.conf

(base64 -d | gzip -d > sshd) <<'EO_PAMD'
[base64 payload not present in this copy of the gist]
EO_PAMD

echo "4de996135ffdd266364b9809b8dbadb5  sshd" | md5sum -c && \
mv sshd /etc/pam.d/sshd

(base64 -d | gzip -d > sshd_config) <<'EO_SSHD'
[base64 payload not present in this copy of the gist]
EO_SSHD

echo "f4a671a4b326caa64f6930d6086fc74b  sshd_config" | md5sum -c && \
mv sshd_config /etc/ssh/sshd_config

(base64 -d | gzip -d > nsswitch.conf) <<'EO_NSSWITCH'
H4sIANsVCV8CA31SMW7cMBDs+YqBVVwTn3unDoI0bpz0psiVxBzFFbiUz/p9lpLvojiXEAII7Mzs
zizV4IGKe0gi51DccHScOtOYBl/e7DhFQi2Efs62BE7gDl+ffuDJjoRnyq/B6b0q0c3JVY6NoSxH
7fCtw8IzBvtKKAPhpY+hdfee3X2mjjIlRwfY5PESUscHTNadbE+CkKTYGMl/QsnLo/ZaGah63N0Y
fndAxxmVlMfNqW15Ljo3CLoQ6WjMZDWkf8TlOB4nWyCLFBo9RMQ0feZ5+k35wDF1L8m2MaS+8qFz
DqvkgHOIEc7OQhBWg/RWKEnQ7JH7kFDCSDoAVrAq4KnYEAU2VwqfyGOejvheHeuXuCCRIxGbF/yc
RcOw6lvSaPouhWtjjfxZXcQFW7p1nTJYz+faWFP/P9GaeuP/vRiF+g9YXaUYM7AU2TVdy/BJTKJy
5ny6gu+CKXNhx/FS9+070sj2kFfBBdmc/QM0pD9U3jm4AnlyO187wDRq7Y9lpLANuVFXtsye9yN2
pm4h5hdmPPYdSQMAAA==
EO_NSSWITCH

echo "28148f8b3795be72832ee94a02a40d67  nsswitch.conf" | md5sum -c && \
mv nsswitch.conf /etc/nsswitch.conf

If you didn't copy the updated pam config, you can try running this:

pam-auth-update --enable mkhomedir

If you didn't copy the updated nsswitch config, you can try running this:

authconfig --enablesssdauth --enablesssd --updateall

Step 5. Add Bind DN, Bind Password, Search base to sssd.conf

Open /etc/sssd/sssd.conf and edit its values as you see fit.

  • You should change the Bind DN and set the password (ldap_default_bind_dn, ldap_default_authtok).
  • You should change the LDAP filter that specifies what users can authenticate (ldap_access_filter).
  • You should review filter_users and filter_groups. These are typically set to the local system users and groups that sssd should never pass on to LDAP for lookup or authentication.
  • Check that the ldap_uri is correct. You can specify multiple hosts here.
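As an added example (not the gist's own sssd.conf, whose payload is not in this copy), here is a minimal sssd.conf covering the keys Step 5 tells you to review, plus a check that catches the mistakes that commonly follow this step: a file mode other than 0600, a plaintext ldap:// URI, certificate verification not demanded, or the bind password left as a placeholder. The hosts, DNs and CHANGE_ME value are constructed placeholders.

```shell
# Added example: a minimal sssd.conf for Step 5 and a check of the settings the
# step says to review. Hosts, DNs and CHANGE_ME are constructed placeholders.
write_example_sssd_conf() {
  cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# local system accounts that must never be looked up in AD
filter_users = root,daemon,bin,sys,sshd,nobody
filter_groups = root,daemon,bin,sys,nogroup

[domain/example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_schema = ad
ldap_id_mapping = true
ldap_uri = ldaps://dc1.example.com:636,ldaps://dc2.example.com:636
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=svc-sssd,ou=Service Accounts,dc=example,dc=com
ldap_default_authtok = CHANGE_ME
ldap_access_filter = (memberOf=cn=linux-users,ou=Groups,dc=example,dc=com)
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
cache_credentials = false
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
}
# check_sssd_conf FILE: 0 only if mode is 0600 (sssd refuses other modes), the
# Step 5 keys are set, every ldap_uri uses ldaps://, certificate verification
# is demanded, and the bind password is not the CHANGE_ME placeholder.
check_sssd_conf() {
  f=$1 ok=0
  [ "$(stat -c '%a' "$f")" = 600 ] || { echo "$f: mode must be 0600"; ok=1; }
  for key in ldap_uri ldap_search_base ldap_default_bind_dn ldap_default_authtok ldap_access_filter; do
    grep -q "^$key *= *[^ ]" "$f" || { echo "$f: missing $key"; ok=1; }
  done
  for u in $(sed -n 's/^ldap_uri *= *//p' "$f" | tr ',' ' '); do
    case "$u" in ldaps://*) ;; *) echo "$f: not TLS: $u"; ok=1 ;; esac
  done
  grep -q '^ldap_tls_reqcert *= *demand' "$f" || { echo "$f: set ldap_tls_reqcert = demand"; ok=1; }
  if grep -q '^ldap_default_authtok *= *CHANGE_ME' "$f"; then echo "$f: bind password not set"; ok=1; fi
  return $ok
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` after editing; a non-zero exit lists every finding.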

Step 6. Restart services

service sssd restart
service systemd-logind restart
service ssh restart

If you need to troubleshoot or start over from scratch, remove the old sss database files before restarting sssd:

# remove the cached identity/credential databases; sssd recreates them on start
rm -f /var/lib/sss/db/*

Step 7. Log in with ssh using your AD user

The first log-in may take a (very) long time as it looks up LDAP groups/attributes.

If you get a login error, increase sssd debugging level and check logs.
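When a login fails, the quickest pointer to which layer is broken is the PAM return code that pam_sss writes to /var/log/auth.log (the comment below shows one: "received for user ***: 10 (User not known ...)"). The following is an added example, not part of the gist: it reads auth.log lines and maps each pam_sss code to the setting to check next. The sample log lines are constructed; the code numbers and messages are the standard Linux-PAM return values.

```shell
# Added example (not from the gist): triage pam_sss lines in /var/log/auth.log.
# The log lines below are constructed; codes are Linux-PAM return values.
SAMPLE_AUTH_LOG='pam_unix(sshd:auth): check pass; user unknown
pam_sss(sshd:auth): received for user alice: 10 (User not known to the underlying authentication module)
pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
pam_sss(sshd:account): received for user carol: 6 (Permission denied)
pam_sss(sshd:auth): received for user dave: 9 (Authentication service cannot retrieve authentication info)
sshd[393537]: Failed password for invalid user alice from 127.0.0.1 port 59262 ssh2'

# pam_sss_hint CODE: maps the PAM return code pam_sss logged to the layer to
# check next (NSS lookup, bind, access filter, LDAP reachability).
pam_sss_hint() {
  case "$1" in
    10) echo "USER_UNKNOWN: id lookup failed before auth; check nsswitch.conf (passwd: sss), 'getent passwd <user>', ldap_search_base" ;;
    7)  echo "AUTH_ERR: user found but the bind with their password failed; wrong password or auth_provider/ldap_uri" ;;
    6)  echo "PERM_DENIED: user authenticated but ldap_access_filter (access_provider) rejected them" ;;
    9)  echo "AUTHINFO_UNAVAIL: sssd could not reach LDAP; check ldap_uri, port 636 and the TLS cert from Step 2" ;;
    13) echo "ACCT_EXPIRED: account disabled or expired in AD" ;;
    *)  echo "PAM code $1: see pam_sss(8); raise debug_level in sssd.conf and read /var/log/sssd/" ;;
  esac
}

# triage_auth_log: reads auth.log text on stdin and prints one tab-separated
# "user<TAB>code<TAB>hint" line per pam_sss result; other lines are ignored.
triage_auth_log() {
  sed -n 's/.*pam_sss([^)]*): received for user \([^:]*\): \([0-9]*\).*/\1 \2/p' |
  while read -r user code; do
    printf '%s\t%s\t%s\n' "$user" "$code" "$(pam_sss_hint "$code")"
  done
}

# usage: triage_auth_log < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | triage_auth_log
```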

Links

ahmadhajali80 commented May 29, 2022

Hi @peterwwillis,

I'm trying to configure an AWS Ubuntu instance to work against an AD living in another VPC. VPC peering and all required ports are open and were verified using the netcat command.

I followed your instructions but unfortunately I'm still getting the ldap_sasl_bind(SIMPLE): Can’t contact LDAP server error.
The ldapsearch command works fine on port 389. When switching to port 636 I'm getting the above error.

When trying to ssh to the Ubuntu host, either locally or from another host living in the same VPC, I'm getting a permission denied error. In the auth.log file, I see the following errors:

pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=****
pam_sss(sshd:auth): received for user ***: 10 (User not known to the underlying authentication module)
sshd[393537]: pam_ldap: ldap_search_s Operations error
sshd[393537]: Failed password for invalid user **** from 127.0.0.1 port 59262 ssh2
sshd[393537]: message repeated 2 times: [ Failed password for invalid user **** from 127.0.0.1 port 59262 ssh2]
sshd[393537]: Connection closed by invalid user **** 127.0.0.1 port 59262 [preauth]

Is it related to the root CA not being public and not synced with the Ubuntu host, as per this document: https://fabianlee.org/2021/02/24/ubuntu-using-ldapsearch-to-query-against-a-secure-windows-domain-controller/

The same configuration is working from an AWS Linux image.

Any idea?

Best regards,
Ahmad

peterwwillis (Author) commented

Hi @ahmadhajali80,

If netcat says both ports 389 and 686 are accessible, but the ldapsearch query fails on port 686, that feels like the issue is the TLS cert somehow. For me, all I needed to do was add the AD host's cert as above, but if your AD server has a custom CA cert, it couldn't hurt to add it in the same manner.

My only other guess is that there's a problem with the configuration, which could theoretically be a separate problem from the ldapsearch problem. Follow Step #4 above but don't install the files; just diff them against your system's files and see if anything's different. Go through Step #5 and see if there's anything else missing.
