How to set up SSSD with Active Directory

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.


Thank you for this document. I followed this guide on a clean 22.04 minimal server install. I was able to login locally like the guide shows, but the ssh attempts just fail with a disconnect. Is there additional configuration required besides allowing PasswordAuthentication in the sshd config (although the default account works via ssh without making this change)?

Have you used the full username, with the realm part, like ssh user@DOMAIN@server? But it’s best to check /var/log/auth.log as to why the login via ssh was denied.


It appears that this is a potential sssd bug related to the GPO code. The auth.log provided just a generic permission denied error; however, from the bug notes, adding ad_gpo_access_control = permissive to the sssd domain config allows the domain user to login.

Have you tried creating the empty policy file on the samba server like outlined in this bug comment?


sssd 2.7.x has the fix, but it’s not in any ubuntu release yet. I guess we can update this section with the two workarounds for now (the permissive setting (less ideal), and creating the empty policy file if the AD is samba4).


I have a 2016 level MS AD domain with only 3 policies that I was testing with, so the samba directory wouldn’t apply; however, that tpl file only appears to show up if you make changes to the security settings in a GPO. In the 2 default domain policies this exists, but not in my third policy. It’s very likely there is another issue and setting the sssd option to permissive allows it to ignore the error. I know this site is not for technical support, so I will keep it high level. I just know that I did minimal installs on 20.04 Desktop and both 22.04 Desktop / Server, testing both the ubiquity installed AD join and the post install instructions above, and they all had this problem where AD users weren’t able to ssh with the most standard OOB configuration.

I did some additional debugging. The default value for ad_gpo_access_control for sssd 2.2.3 in Ubuntu 20.04 is “enforcing”, and this applies the ad_gpo_map. What I found was I needed to create a GPO in AD that set the “Allow log on through Remote Desktop Services” right and add the AD users trying to SSH. Once this was in place, sssd pulled the computer’s GPO and referenced that policy to allow the domain user to login. This is a direct policy lookup on each login via the SYSVOL. I was able to login with a user. Remove them from the GPO setting at the policy level and it immediately blocked the login, so no traditional MS AD gpupdate provisioning delays. So I think if you make a reference in the documentation that if a domain user is unable to login remotely via ssh, the domain admins may need to configure the Allow log on through Remote Desktop Services policy under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, configure that item, then link the GPO. There are 2 notes I found. 1) There are limits to the “security filtering” that sssd handles on the GPO, and folks should reference man sssd-ad for those specifics, and 2) it doesn’t appear that AD groups can be used at this time, as that didn’t work in my initial testing.

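As an added example (not code from the thread or the guide), the following Python snippet models how sssd decides which Windows logon right its GPO access control evaluates for a PAM service such as sshd, using the ad_gpo_access_control and ad_gpo_map_* defaults documented in sssd-ad(5); the sssd.conf fragments, the domain name example.com and the function names are constructed for this example.

```python
import configparser

# Per sssd-ad(5): each ad_gpo_map_* option -> (Windows user right the
# computer's GPOs must grant, default set of PAM service names).
MAPS = {
    "ad_gpo_map_interactive": ("Allow log on locally",
        ["login", "su", "su-l", "gdm-fingerprint", "gdm-password",
         "gdm-smartcard", "kdm", "lightdm", "lxdm", "sddm", "unity", "xdm"]),
    "ad_gpo_map_remote_interactive": ("Allow log on through Remote Desktop Services",
                                      ["sshd", "cockpit"]),
    "ad_gpo_map_network": ("Access this computer from the network", ["ftp", "samba"]),
    "ad_gpo_map_batch": ("Log on as a batch job", ["crond"]),
    "ad_gpo_map_service": ("Log on as a service", []),
    "ad_gpo_map_permit": ("(always permitted)", ["polkit-1", "sudo", "sudo-i", "systemd-user"]),
    "ad_gpo_map_deny": ("(always denied)", []),
}

def apply_map_option(defaults, value):
    """Apply an ad_gpo_map_* value: '+svc' adds, '-svc' removes a service."""
    services = list(defaults)
    for item in filter(None, (s.strip() for s in value.split(","))):
        sign, name = item[0], item[1:]
        if sign == "+" and name not in services:
            services.append(name)
        elif sign == "-" and name in services:
            services.remove(name)
        elif sign not in "+-":
            raise ValueError(f"expected '+svc' or '-svc', got {item!r}")
    return services

def gpo_check_for(service, conf_text):
    """Report which logon right sssd's GPO access control checks for a PAM service."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    dom = next(s for s in cfg.sections() if s.startswith("domain/"))
    mode = cfg.get(dom, "ad_gpo_access_control", fallback="enforcing")
    if mode == "disabled":  # GPOs are neither fetched nor evaluated
        return {"mode": mode, "map": None, "right": None}
    for opt, (right, defaults) in MAPS.items():
        if service in apply_map_option(defaults, cfg.get(dom, opt, fallback="")):
            return {"mode": mode, "map": opt, "right": right}
    return {"mode": mode, "map": None, "right": None}

# Constructed sssd.conf fragments (not from the thread): a stock AD domain and
# the same domain with the "permissive" workaround from this thread applied.
STOCK_CONF = "[sssd]\ndomains = example.com\n[domain/example.com]\nid_provider = ad\n"
PERMISSIVE_CONF = STOCK_CONF + "ad_gpo_access_control = permissive\n"
```

With the stock config, sshd lands in ad_gpo_map_remote_interactive, which is why an AD user needs the “Allow log on through Remote Desktop Services” right granted by a linked GPO before sssd in enforcing mode will let them in over ssh.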

At least in Ubuntu Studio 22.04.1 (with KDE Plasma 5.24.6) krb5-user does not appear to be necessary, as the command "smbclient -k -L " runs successfully without it. However, the command results in the warning “The option -k|--kerberos is deprecated!”. Running it without -k requests the logged-in user’s password, so it looks as though the kerberos ticket is not being used without the “-k” option. This is more a problem with smbclient: I was not able to find a man page which mentioned -k.
After following these instructions (as quoted in the whitepaper “Integration of Ubuntu Desktop with Microsoft Active Directory”), login as a domain user works, but both login and logout are accompanied by “Invalid user” messages, apparently caused by failures of authentication by pam_unix, which are immediately followed by successful authentications by pam_sss.
P.S. I have meanwhile found man pages which mention “-k”, but not in the usual places:
manpagez & Oracle

Apparently the pam_unix error message is normal behavior for a domain login, because pam tries to authenticate first as a local user. A more detailed explanation can be found here.
BTW, I would suggest testing domain login via “su” rather than “login”.

Indeed, pam_sss takes care of obtaining the kerberos ticket. Having krb5-user installed, and its tooling (kinit, klist, kdestroy and others), does help, though, especially klist, as it will tell you where the ticket is, what kind of encryption was used, flags, etc.


It got dropped recently from samba as part of their command-line overhaul. The equivalent option should be --use-kerberos=desired|required|off.


Do you get these messages in the terminal/GUI, or in the logs? In the logs the failure to authenticate should be correct, as pam_unix comes first in the stack, before the AD authentication is tried. But I wouldn’t want to see such errors “in my face” (terminal or GUI).


The message “Invalid user name” appears in terminal but not in GUI. It appears after the login or logout has succeeded, regardless of whether “login” or “su” is used. I prefer “su” to “login”, because “login” requires sudo privileges. If this guide continues to recommend “login”, then “sudo” should be prepended to the illustrated command. Without it, a rather opaque error message, “Cannot possibly work without effective root” is displayed. Regardless of whether the guide recommends “login” or “su”, it would be nice to mention that the message “Invalid user name” is to be expected.
Many thanks for your work on this otherwise excellent guide!

You mean the message appears only during this login test from the guide? Not in day-to-day usage, when people login via a terminal on this system?


Exactly, but I prefer to use “su”, because login prompts for both the admin password of the already logged in user, as well as the password of the domain user being tested, which can be confusing. I guess you already added “sudo” to the login test. I don’t remember seeing it before.
Also, the KDE login screen in Ubuntu Studio does not show previously logged in domain users as stated here: “the next time you login, the AD user will be listed as if it was a local user”. It only shows a local user. OTOH, it is pretty clear that your guide is referring to the gnome GUI.

It might be a setting in the KDE login manager. If you find out where to tweak it, post a comment here and I can update the guide.

Correct, I didn’t try any of the other Ubuntu flavors.


Hi,
I have the same issues with ssh login when GPO is enforced.
There are cases where, if a specific policy is missing, the login will be denied.
I am trying to update sssd but I did not succeed.
Did anyone succeed in solving it or updating sssd (without changing to permissive)?

How have you been trying to update sssd? Note that sssd >= 2.7.x is only available from kinetic and on.

@ahasenack Could you cross-reference ADSys documentation, similarly to what we do in ADSys for SSSD. Something like:

Group Policies for Ubuntu

SSSD manages user authentication and sets initial security policies.

ADSys serves as a Group Policy client for Ubuntu, streamlining the configuration of Ubuntu systems within a Microsoft Active Directory environment.

Detailed information can be found in the ADSys documentation on Active Directory GPO support.