Authenticate Ubuntu against Active Directory
Вставка
- Опубліковано 30 чер 2024
- Today, I'll demonstrate how to configure an Ubuntu 19.04 client so you can log in using accounts on your Windows Active Directory domain. We will use a PAM module that will ultimately authenticate via Kerberos to our Windows Server machine.
All of the commands and configuration I demonstrated are available here: nerdonthestreet.com/wiki?find...
---
Join the Nerd Club: nerdclub.nots.co
nerdonthestreet.com
discord.nots.co
/ nerdonthestreet
/ nerdonthestreet
/ nots_network
E-Mail: jacob@nerdonthestreet.com - Наука та технологія
This is an excellent video. There are so many out of date guides giving misleading or incomplete info, yours worked perfectly. Love your presentation style!
Been trying to do this for 2 days. This is the only video/walkthrough that worked. Thank you!
Thank you so much for this. I've been tripping over myself trying to get this working!
I just followed your tutorial in the brand new Ubuntu 20.04 LTS and works perfectly. Great job!
i was wondering about this.
I know that he said Ubuntu 18.04 had a wiki, but has anyone tried this tutorial on 18.04?
@@AndrewGistKlaxMaster yes, it works on 18.04.
it works on 19.04 but from trying it on a 20.04 fresh install the su command complains about not being able to set groups with "invalid argument" listed as the reason.
What a great video! Nice introduction and the performance through the same pfff amazing... for more professional tutorials like this one!!!
Wow. Thought this was going be hard, and it looks like it would have been nigh-on impossible without this vid. Worked first try. Thank you!
Great tutorial. Thanks so much for this. I understand in Ubuntu 20.10, you'll be able to do all of this as part of the installation routine. And it may be backported to 20.04.
OMG - this is the best comprehensive guide I have found yet!
Subscribed to your channel.
First, wonderful video.
Second, for those of us who are new to linux when you use flags or commands if you could explain them what they are doing and what is their purposes that would help a lot!
Of course, doing that will make your videos more longer but new or beginner users will have a better understanding of what is happening.
Overall, this was a great video .
It would be nice if you have links to learn more about the commands that you used so if someone wants to go into depth and learn more they can do so.
Absolutely, helpful! you rocked it. Thank you!
Been watching u sense before your room studio. Great job my friend. 😎🇺🇸👏🏾👏🏾. You bought the right laptop/notebook.
Thank you so much for the video, it was very helpful for me thanks again
I swear to god, this video was so HELPFUL!! Thank you!!
Incredibly useful. Thank you very much. Perhaps you could do a tutorial on how to get this to integrate with samba AD to allow the use of roaming profiles? Or perhaps just user shell folders? (Documents, Downloads, Pictures, Videos e.c.t)
Very good video! Thank you!
Got mate, i will play with that at home next year after y buy my new computer . very useful this videotutorial - i have just subcribed to your channel - Greetings from another Geek-Nerd :)
Nice to understand and excellent vedio.
great work, much appreciated.
Thanx mate. this method work for me.
One to note: when authenticating any client against an AD Domain Controller, but especially Kerberos, that client should NTP time from the AD domain. Kerberos tickets between client and server are heavily time dependent and if there’s sufficient clock skew between them, and it’s not much, new tickets will not be granted and existing ones will fail. I set all *nix client to NTP from all the DC’s in the domain.
Definitely Kerberos has a 5 min error margin. How do you set the *nix machine to use the AD server for the NTP time?
Thank you so much for this tutorial! You nerd
Nice tutorial, thank you. Can you make a similar video for Mageia 7.1 please?
Fantastic video and very helpful. Any chance you'd ever do one for pkcs11?
Great video, thanks so much. It is the best I have seen on the topic. is it possible to control the log on access to a specific AD group? If so how.
Also at the moment there will a authentication issue (Kerberos) if the tIme on the AD server and the Linux machine drift by 5 mins. Is there a way to set the DC as the NTP server for the client.
One other thing, how do you add multiple DCs in the domain for authentication
Thanks in advance.
Hi, could you also demonstrate, how to autheniticate against a SAMBA 4 AD DC? And login to AD Account from command line?
Would be nice?
Great video, I just starting to learn kerberos as well. Can you sxplain the use of the keytabs created? Is a service using them to authenticate to the AD server?
Your video was a great help... Managed to get Ubuntu Desktop and Server 20.04 LTS authenticated against the Active Directory.
Question: How to get SAMBA file server that has been authenticated against an active directory using your tutorial and create file shares authenticated against active directory.
I have done everything as mentioned here step by step, but domain users still do not exist in linux. at the same time kinit does work. What might be the reason of this?
Very good video for a Windows guy.
Question: Will the permissions for domain users created on ADUC work on domain joined Linux machines or does the permissions need to be added by the administrator user after logging into the Linux machine?
good work.
Thanks man, very helfull!
Thanks for the video and appreciate the effort for making the same. Please confirm whether Is it possible to use windows AD LDAP feature alone for Linux clients to authenticate users belongs to a AD group instead of joining the linux machines to windows domain
Can you also make a video with LDAP with SSO ?
Helpful!
So Cool , thx !
Is there a way to automate this process so that you can run a script on every new Ubuntu machine you want to plug into the domain ?
I guess you'll need to create a custom image of Ubuntu with the required config and use that image to install Ubuntu on all your machines.
This was a very helpful video. Can you also show how cached login can also be enabled, so the user can login to the computer out of office?
Hi, access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache-cred
It works.. Thank you..
Do you know if there is any way that you can implement group policy to those Ubuntu computers that we add on our Windows Domain????
Thank you...
How and where did you find out and learn that these were the specific commands needed to do this? I currently am trying to authenticate ubuntu 18.04 against server 2016. When I found your video, I thought "GREAT!" Until I saw it was for different versions of each product. After following the Ubuntu documentation, I am currently stuck near the end. I was able to join the Ubuntu to the domain, but I cannot get past the error which states that "NO DNS DOMAIN FOUND FOR AND COULD NOT PERFORM DNS UPDATE. NT_STATUS_INVALID_PARAMETER". After reading through an ungodly amount of forums, articles, etc., it SEEMS that the problem is with my /etc/hosts file configuration. After trying all sorts of suggestions, I'm still having the same problem. I just don't know which is the correct way to configure that file. I've also double checked that Windows Server is only accepting SECURE DNS updates. I don't know, I just feel like throwing in the towel.
For users of ubuntu 20.04 and above
add
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
to your sssd conf file
Yep, helpful thing
I just tested and confirmed that I don't need those two lines with Ubuntu 22.04 and Windows Server 2022. However, someone else is also saying the second line is required: github.com/system76/docs/pull/1098
Can you share any additional information about your Windows Server and/or Ubuntu configuration that might explain why the extra lines are needed? The "ad_gpo_access_control = permissive" setting is apparently the default (so it shouldn't need to be specified manually), at least in upstream SSSD and Red Hat (but maybe not Ubuntu).
Fantastic demo, I got it working as well within my VMware Fusion env with WinServe2019 and Ubuntu 20. But how could you take it further so a user could have privileges to run say commands as the an oracle user if he was in an AD group called oracle, is that easy to do? For example when the normal user does an 'sudo -l' he can see he is allowed to run certain commands as the oracle user, but that privileges comes from an AD group not a group in /etc/group
I think you should create some docker images out of this
i wish you describe how to authenticate to the linux application servers using ad credentials and kerberos
As much as I hate this guy's obnoxious dismissal of Windows as a platform worthy of his attention, I do have to say he made adding a Linux box to active directory fairly easy. BTW, it worked 100% as show on a Ubuntu 20.04 box as well. I gave it a thumbs up.
Completed the walkthrough steps and it worked perfectly. But I do have a question. I would like to be able to use the user when I am away from the network. Is there a way to cache the password for offline login into the user account?
Thank you!!!!
Thanks a lot for posting this. Great work and like your presentation style! I've been struggling with getting Ubuntu Server integrated with Active Directory. Is it the same procedure for Ubuntu SERVER 20.04?
It works for my, maybe you have somewhere a typo!
I did get Ubuntu Server 20.04 integrated into AD with the help of this video. For clarity sake, I had struggled with the integration methods that others had posted. Great job and has made me a subscriber.
Great video, thanks for your efforts. I have a machine that was binded to the AD. I can login as root but how do I test the ldap connection to the AD. is there any command where I can run a test and then see if the machine talks to my AD?
How do pure Linux shops normally do identity? On a fresh windows network it's a pretty standard recipe of a server with Domain Services + DNS + DHCP, then any user with an account can sign in to any client that's been joined to the domain. Is there a similar standard thing in Linux-land? Or maybe there's a preferred way for each distro?
I was wondering the same thing. I guess they use open ldap if they are linux die hards. For large companies you can't escape AD.
Great video and really helpful. Though I'm having a strange problem, but this might have something to do with me implementing this on a Kali machine, but whenever the machine is restarted I have to login as root and restart sssd before authentication will actually work. Once doing that it works fine and I can login as any user on the domain. Any idea if this is a common problem with standard Linux or might it be Kali specific?
Why are you using Kali on a machine that needs to authenticate via Active Directory? That seems really stupid.
es increible, podrias hacer una update teniendo en cuenta el ubuntu 20.04 ya lo incorpora en la instalacion¿? como usarlo para poder loguearnos correctamente con usuarios del Active Directory... gracias.
If you were to do this on a laptop would your credentials be cached if you're not connected to the domain?
Great solution! Worked on Debian and WS2019. Thank's for the tutorial, hats off!
Thanks for your tuorial! Is there something like this for ldap-server?
What about winbind? I know that supports the more complex active directory configurations... I wasn't to know what you think about that
Do you know much about it? I was looking into that myself. Looks a bit more complicated. But as it stands, msktutils doesn't cache any info for offline authentication, Which is kind of a big deal.
Thanks, great vid, nice explanation style. I will be appreciated if you will help with my problem I faced with:
I need to access to smb share created on ubuntu from windows machine (logged in as a domain user) without prompting login\pass (using kerberos auth)
Windows machine, Ubuntu server and User which i need to connect by - all members of same domain. Domain is configured correct, kerberos server, dns, AD works fine. Can it be done without winbind only with sssd? Thanks for your answer.
If you get an error restarting SSSD, try SUDO CHMOD 600 /ETC/SSSD/SSSD.CONF rather than SUDO CHMOD 0600...
I had the same issue and spent hours trying to figure it out. Got there in the end though.
YOU ARE THE "!!#$$@# BEST!!!! ty ty ty ty ty works perfectly on Ubuntu 20.04 LTS-Winserver 2019. Muchas gracias!
Thanks for the video! I'm getting the error ldap_sasl_interactive_bind_s failed (local error) when trying to run the long mskutil command any thoughts?
same, did u get any solution?
Hi,
Is it possible, after a pre-configured client, to access via RDP from a Windows machine using a user from Active Directory? I tried using XRDP, but I can't log in at all, except with the local linux client machine account.. Although they can log in directly to the linux client machine or via ssh. Have you ever tried that?
Hi. Thanks for the video. It worked for me in the office , but when trying to login to the AD user from home, it doesn't recognize the password, and I can only login to local users. Any ideas?
Okay for the life of me how do you lock down and filter what servers an user can login and can't login. Once you have a ticket can't you just login to any other kerberize server with ssh?
Is it possible to add freeradius on this? For enforcing network for enterprises?
Great video!
works on 18.04 too with some small tweaks.
I am getting this error on Ubuntu 18.04. kinit: krb5_get_init_creds: KDC has no support for encryption type
Can you please suggest the tweaks you did for 18.04?
@@MohanKumar-vj7bo 1) vi /var/kerberos/krb5kdc/kdc.conf
2) check for supported_enctypes , use any encryption techniques mentioned in there.
Taken from Stackoverflow.. a quick google search would give you that result instead of waiting for someone to reply on youtube. goodluck
@@gilshwartz8492 Thanks for the reply Gil. Like in every post, it is not mentioned to have kdc installed on the client host. Let me dig up more
@@gilshwartz8492 Sure and everybody that watches the video and encounters the same problem would have to do the same. What comments are then for? Just for complaining that others look for help related to problems their encounter?
Also, why even bother using ChatGPT if everything can be quickly found through a quick search engine search?
@@MateuszStepniak the comments are another tool for information gathering and it's the less effective tool if you take TIME under consideration. while you wait for someone to take his time to watch the video, review the comments and answer one I bet you could have already solved your issue by asking a AI tool a direct question. Google is another great tool but I found that it takes less time to ask chatGPT. (i'm converting my python GUI app to a webapp with only intermidiate skill with python and i have everything set up except the last design tweaks. so, that means i used it to get my html, css and javascript codes work with my python app in less than 2 weeks so you do the math)
I was able to connect to AD, is it possible to look up AD group using id command or something else. Also how do we restrict access to only certain group in AD, not everyone in the domain. ?
Hi your video is amazing. At the end I can log in with other users on the terminal. However, when I log out and try to log in at the starting GUI screen it doesnt let me. I can only log in with the local user, and then switch users from the terminal any advice for this final problem?
Did you try clicking the "Not listed?" button on the login screen like I clearly pointed out how to do?
What's the use of "heimdal-clients" package?
Will it be applicable for Ubuntu 18.04 client also?
If yes, will the AD users can able to login without AD network?
(When they are in the AD network the user able to login into the system. When they are out of AD network the user is not able to login into the system.)
I followed your great tutorial (and this is not the first tutorial I tried) but every time I am at the stage of connecting with a domain user (su -l user), I get a "system error"
Cannot fix this problem since I started this feature of connecting a linux pc to the windows AD...
I'm totally stuck on this step :(
I got the same problem
hi cyrill did you resolve problem
@@tahirfatihdemircioglu5837 Hi Tahir, not. It doesn't work :/
me too!!
anyone the issue "Error: krb5_get_default_realm failed"???
Got this error while following the instructions: Error:
ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
thanks for the video.I am really confused. I watched a video before watching yours. I guess there are different ways of joining the ubuntu to ad.I have successfully enrolled my ubuntu to ad.it is listed in the domain computers. I cant sign in as an ad user(administrator)i tried to use sudo login administrator but i got an error "system error".can you assist?
after putting in "msktutil -N -c ETC." i get an error saying:
"error: ldap_sasl_interactive_bind_S failed (local error) additional info: sasl(-1): generic failure: GSSAPI Error: unspecified GSS Failure. Minor code may provide information (matching credential not found (filename: /tmp/krb5cc_1000)) Error: ldap_connect failed" i tried kdestroy and then kinit administrator again, then putting in the code again but no luck
any help?
thanks for this video really help me with my lab,
is there a way to specify where can we create the computer on a specific OU.
I checked the documentation but i cant get to make it work
msktutil -N -c -b -b 'OU=SERVERs,OU=LINUX-SERVERS,DC=MYLAB,DC=COM,DC=SA'
it's should be the same method for Ubuntu 20.04 ?
Hello, , when I add host which is my windows server and try to ping it says destination unreachable. why is it so? my server machine is running at the same time. Any idea?
All these package applicable and work on RHEL/centos as well?
Did you ever figure this out with centOS? I cant seem to make it work. Ive gotten it to join the domain with realm but I cant get it to show up on Active Directory or even login with any of AD accounts
hi where are the users created from the AD reside in Linux machine, I cant see them in /etc/password
Having same issue. This was presented as it would 'fall back to local login' which it does, but only for the original local accounts. Cant seem to get an offline authentication for added AD accounts.
Did you discover any solution for this?
I was able to configure for offline authorization, which may also answer your question. it is in sssd.
I was able to config pam and sssd to cache the credentials for offline authorization with 2 lines to a config.
access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache-cred#:~:text=It%20is%20possible%20to%20enable,authenticate%2C%20using%20their%20stored%20credentials.
Hi
Can then open my share folders o
Of Windows in ubuntu without need to type password or can i open the local website service of Windows in ubuntu, usually the local website linked to users profiles to show private information
Hy, i joined my ubuntu in an ad, then i changed the domain admin pw and the authenticate doesn't work now. How can i change the administrator pw?
in msktutil (the long command) i got an error that,
Error : Unknown parameter (--computer-name)
im using ubuntu 19 .*.*
What is the resolution for this?
This has something to do with the way the text acts when you copy it from the website. The resolution is to remove or delete all of the --parameters by using backspace and then re-typing them out. Otherwise, it will error on every single parameter.
@@brentrincker its because those commands are supposed to have two dashes (--) , and the commands on his website only have one (-)
Hi, I have samba share on ubuntu. I want some machines gain access without a username and password. So I want only certain pc's gaining access to the ubuntu share what ever user is logged on the client. Clients are windows 10 machines. Is this possible?
everything was okay with me until minute 18:34 when i authenticate on linux terminal using "su -l administrator" it show me su: Authentication failure .. why ? help plz
Wow, thanks a lot for this tutorial, how do you manage environment variables, aliases, etc.
it just keeps saying "su: cannot set groups: Invalid argument" when i try and login. any idea of where to look?
How do you clear up unable to reach any KDC in realm error?
Thank you for this! looks easy to follow, btw will this work with a raspberry pi 4? Using the 64bit version of their latest raspbian OS.
That was wonderful thanks much, if possible could you please post a video that how can we add multiple linux machines without entering one after another
Just a note, Linux is not Windows. You don't need to reboot it. There are actually very few reasons to reboot the system, like kernel updates and kernel related stuff, java gone amok, badly written and and misbehaved program. It's built to be a multi-user system and as such most things can be updated, restarted and reloaded without rebooting. But it would be interesting to know what your reasons are for the reboot.
Nice video.
You're correct that in this case, GDM didn't need to be restarted, and since we already restarted SSSD manually before testing the login with su, there was technically no need to reboot. (I just tested this on an Ubuntu 22.04 LTS machine with Windows Server 2022 to confirm.) However, rebooting is a good way to test (and demonstrate for the audience) that the configuration is persistent and the domain login isn't dependent on any previous connections we'd made during configuration. After all, the intended use case for this configuration involves logging in immediately after boot, so it doesn't hurt to make sure that works instead of playing games with the uptime counter.
I'de get an error :
"
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'."
if i don't run "kinit administrator" as root in a new tab
Hello sir,I am not able login multiple ad user on Ubuntu. When I configured Ubuntu machine as domain.can you help me?
I'm looking for a way to do this but with Azure AD. I've seen a lot of info on doing it for VM's but not for endpoints. I guess it's technically similar but from a user perspective I'm not sure if it will work the same as this. I guess I'll have to test it out myself. If someone has any info which would be greatly appreciated!
i had used pbis-open that is super easy, but i have one problem. X login is not working
What would change in the steps if I don't have permission to create a computer account in my AD and get an account created with my computer's name separately by the admin?
(IT administrator in my company doesn't support Linux, but can help me create an account for my Ubuntu box)
Hi, great video, i have installed ubutu 16 and wants to use google authenticator on free radius and AD integration for my vpn users. is it possible?
Thanks for this video.
hello, I have an error when i try to restart sssd service.
If the name of my Desktop is "UbunWin", must i write in sssd.conf all the letter on Lowercase/upercase or UbunWin ?
Thank you for your help
I've changed the hostname.
Thank you for the video
I am unable to add "sudo adduser administrator sudo", and am unable to login with domain user.
Any help please
Any possibility to authenticate Domain users without joining Domain ?
what should i change if my active directory server has a DNS?
If your Active Directory server is also a DNS server, then you should change the DNS settings on the client to point to the DNS server in your network settings. (In the past, you could have edited /etc/resolv.conf to point to the DNS server, but Ubuntu includes systemd-resolved and NetworkManager which will overwrite any changes you make to that file, so it will be easiest to just use the GUI network settings if you have to ask this question.)
Anyone know if this method still works. Followed every step but when running kinit administrator (Which is the account I am using on my windows server) it says the password is incorrect even though it's not. Anyone else knows what I might try?
Typo in your wiki on step 3. All your options that using the '-' (computer-name, server, upn) are supposed to have a double dash '--'
Both lines that use them have the error