Following my previous blog I looked for solutions for the outstanding issues I was having. As it turns out, AD does come with Kerberos. What’s more, it is enabled by default and automagically works. Amazing. Well that also means all the work I did previously was for nothing.

While digging around I found a useful guide which I mostly followed, aside from some issues I had to work around.

But first, let’s undo the mess I previously made.

$> mv /etc/sssd/sssd.conf /etc/sssd/sssd.old
$> apt install krb5-user realmd adcli samba-common-bin policykit-1
$> nano /etc/realmd.conf
automatic-install = no

default-home = /home/%U
default-shell = /bin/bash

computer-ou = OU=Linux,DC=ldap,DC=example,DC=com
automatic-id-mapping = yes
fully-qualified-names = no
$> realm join

I ran into some bogus issue where the realm join command would fail with an error message indicating my dependencies were not installed which was completely false. This thread suggested using the --install=/ parameter. Or installing packagekit. I just stopped reading too soon.

Well that still didn’t work for me. Checking the port requirements for AD and Kerberos provided the solution: open up a bunch of ports.

Then, another issue I ran into were DNS related, so I had to add a _kerberos TXT entry, some rDNS entries, a _ldap._tcp SRV entry. Since DNS propagation takes time I’m not sure which one worked, but I’m pretty sure all are necessary at some point. Also, I added rdns = false in /etc/krb5.conf for good measure.

Joining the AD automatically creates relevant entries in /etc/sssd/sssd.conf, but in my case some tweaks were needed to get getent passwd working.

lookup_family_order = ipv6_first
ldap_uri = ldap://

For some reason SSSD was throwing a bunch of GSSAPI errors saying something along the lines of no server being found in Kerberos database so explicitly specifying the LDAP uri seemed to do the trick.

If home directories are not automatically created for AD users (they were in my case) you can edit /etc/pam.d/common-session and add session optional Or required but mine had optional and worked just fine so I won’t complain.

One last issue I was still having is that passwords weren’t working. After messing around with /etc/pam.d and accidentally locking myself out, only a simple tweak was needed in /etc.pam.d/common-auth:

auth    [success=3 default=ignore] nullok_secure
#auth   [success=2 default=ignore] krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    sufficient             use_first_pass

Turns out was causing some issues and commenting it out and putting auth sufficient instead worked for me. I still haven’t been able to get SSH public keys automatically imported, but that is a minor inconvenience.