Article 5029R Ubuntu Workstation 18.04 - Cannot Authenticate Using Active Directory Credentials

by fishnoodlesoup from LinuxQuestions.org on (#5029R)

Hello everyone,

This is my first post here and I'm rather new to Linux. I'm trying to do something rather simple (or so I thought). I want to authenticate with my Ubuntu Workstation using an Active Directory account.

I followed countless guides online and still seem to be facing major issues.
From my configuration I'm able to:

- See in the computers container that my Ubuntu Workstation was added properly
- Properly run the command "id user@example.com"
- Properly run the command "kinit user@EXAMPLE.COM"
- Once I completed the kinit command, I run the command "sudo klist"; this returns a ticket that expires
- I can run the command "getent passwd user"; this returns my user info

However, for whatever reason I'm unable to log in as a domain user.

Please see the following configuration files:

/etc/krb5.conf
Quote:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#default_tgs_enctypes = des3-hmac-sha1
#default_tkt_enctypes = des3-hmac-sha1
#permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
EXAMPLE.COM = {
kdc = DC01.example.com
kdc = DC02.example.com
admin_server = DC01.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

/etc/realmd.conf
Quote:
[users]
deafult-home = /home/%D/%U
deafult-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 18.04

[service]
automatic-install = no

[example.com]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes

/etc/sssd/sssd.conf
Quote:
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, ssh

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

/etc/pam.d/common-session
Quote:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
# end of pam-auth-update config

Any help would be greatly appreciated; please let me know if you need any other information.

Thanks in advance!
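
An added example, not part of the original post: a small Python check that cross-reads the posted realmd.conf and sssd.conf, reporting [users] keys that realmd.conf(5) does not document and id-mapping or name-qualification settings that disagree between the two files. The function names and mapping table are illustrative, and the embedded file contents are a constructed excerpt of the settings shown above.

```python
import configparser

# Constructed sample input: the relevant settings copied from the post's files.
REALMD_CONF = """[users]
deafult-home = /home/%D/%U
deafult-shell = /bin/bash
[example.com]
fully-qualified-names = yes
automatic-id-mapping = no
"""
SSSD_CONF = """[domain/example.com]
ldap_id_mapping = True
use_fully_qualified_names = True
"""

# Keys that realmd.conf(5) documents for the [users] section.
USERS_KEYS = {"default-home", "default-shell"}
# realmd per-domain option -> sssd.conf option that carries the same setting.
REALMD_TO_SSSD = {
    "automatic-id-mapping": "ldap_id_mapping",
    "fully-qualified-names": "use_fully_qualified_names",
}

def parse(text):
    # interpolation=None so values such as /home/%D/%U are read literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def as_bool(value):
    return value.strip().lower() in ("yes", "true", "1", "on")

def check(realmd_text, sssd_text, domain):
    """Return a list of findings; an empty list means the two files agree."""
    realmd, sssd = parse(realmd_text), parse(sssd_text)
    findings = []
    if realmd.has_section("users"):
        for key in realmd["users"]:
            if key not in USERS_KEYS:
                findings.append(f"realmd.conf [users]: unrecognised key '{key}'")
    sssd_section = f"domain/{domain}"
    if realmd.has_section(domain) and sssd.has_section(sssd_section):
        for r_key, s_key in REALMD_TO_SSSD.items():
            r_val = realmd[domain].get(r_key)
            s_val = sssd[sssd_section].get(s_key)
            if r_val is not None and s_val is not None and as_bool(r_val) != as_bool(s_val):
                findings.append(f"{r_key} = {r_val} (realmd.conf) but {s_key} = {s_val} (sssd.conf)")
    return findings

if __name__ == "__main__":
    for finding in check(REALMD_CONF, SSSD_CONF, "example.com"):
        print(finding)
```

A finding marks a discrepancy between the two files; it does not by itself establish why the domain login fails.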