Enable SSH Login for AD Users

Users commonly ask how to enable SSH login for AD users. The instructions below describe how to do this. There are a few prerequisites that should be taken into consideration before following them.

Prerequisites:

  • The gateway, DNS and NTP are configured correctly for the AD environment. It is imperative that the correct gateway, DNS and NTP are used to ensure proper communication with the AD environment.
  • The QuantaStor system is joined to an AD domain. For the closest compatibility to Unix, it is recommended to use rfc2307 instead of autorid/rid. When using rfc2307, it is possible to specify the uid/gid for each user and group.
  • The QuantaStor system is running the latest version. When diagnosing issues, having the latest QuantaStor version (including Samba, distribution and kernel) helps the support team. If you need assistance in upgrading your system, you can contact support@osnexus.com.

Instructions:

  1. Log in to the system via SSH as the qadmin user, and elevate to root (sudo su)
  2. Add the following lines to the [global] section of /etc/samba/smb.conf, replacing anything in <> with your own values:
    dns forwarder = <DNS> # This option specifies the list of DNS servers that DNS requests will be forwarded to if they cannot be handled by Samba itself.
    idmap config <DOMAIN> : unix_nss_info = Yes # Users and groups are read directly from AD. This is only required when joined to AD using rfc2307.
    winbind offline logon = No # Does not allow SSH login if it cannot communicate with the AD
    winbind use default domain = Yes # Will present users as <USER> instead of <DOMAIN>+<USER>, allowing for closer Unix compatibility
  3. Run the following commands:
    # systemctl restart smbd nmbd winbind
    # systemctl stop samba-ad-dc && systemctl disable samba-ad-dc
    # systemctl enable smbd nmbd winbind
  4. Join AD server using 'net ads join':
    # net ads join -U <DOMAIN_JOIN_USER>
  5. Edit /etc/nsswitch.conf so that the passwd and group lines read as follows:
    passwd: compat winbind
    group: compat winbind
  6. Check that you can see domain users with 'getent passwd'
  7. Run 'pam-auth-update', override the local defaults and ensure that all boxes are ticked
  8. Add the following line to /etc/pam.d/common-account:
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  9. Make the following changes to /etc/pam.d/common-password:
    ADD password [success=1 default=ignore] pam_winbind.so try_first_pass
    COMMENT OUT password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass

    It should look like the below:
    #password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
    password [success=1 default=ignore] pam_winbind.so try_first_pass
  10. Use 'getent passwd | grep <USER>' to find your user, for example:
    josh:*:19999998:19999998::/home/JBTEST/josh:/sbin/nologin
  11. Add the information from step 10 into /etc/passwd, replacing /sbin/nologin with /bin/bash, for example:
    josh:*:19999998:19999998::/home/JBTEST/josh:/bin/bash
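
The following POSIX sh script is an added example and is not part of the original article or of QuantaStor. It checks the settings from steps 2 and 5 and builds the /etc/passwd line from steps 10 and 11, refusing to produce it when the user name or numeric uid already exists in the local file (a duplicate uid would make two accounts share ownership of the same files). The domain name JBTEST, the DNS address 10.0.0.53 and all sample file contents are constructed for the example; every function takes its input from arguments or stdin, so the same checks can be run against the live files.

```shell
#!/bin/sh
# Added example, not part of the original article or of QuantaStor.
# Checks the smb.conf and nsswitch.conf settings from steps 2 and 5, and builds
# the /etc/passwd line of steps 10-11 while refusing a name or uid that is
# already taken locally. All inputs come from arguments or stdin.

# --- constructed sample inputs (not taken from a real system) ---------------
SAMPLE_GETENT_LINE='josh:*:19999998:19999998::/home/JBTEST/josh:/sbin/nologin'
SAMPLE_LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
qadmin:x:1000:1000:QuantaStor admin:/home/qadmin:/bin/bash'
SAMPLE_SMB_CONF='[global]
   workgroup = JBTEST
   dns forwarder = 10.0.0.53        # placeholder DNS address
   idmap config JBTEST : unix_nss_info = Yes
   winbind offline logon = No
   winbind use default domain = Yes
[share1]
   path = /export/share1'
SAMPLE_NSSWITCH='passwd: compat winbind
group: compat winbind
shadow: compat'

# Replace the login shell (7th field) of a passwd-format line, e.g. with /bin/bash.
set_login_shell() {
    printf '%s\n' "$1" | awk -F: -v shell="$2" 'BEGIN { OFS = ":" } { $7 = shell; print }'
}

# Return 0 if neither the user name nor the numeric uid of the candidate line
# ($1) already exists in the passwd file read from stdin.
passwd_entry_is_free() {
    name=$(printf '%s' "$1" | cut -d: -f1)
    uid=$(printf '%s' "$1" | cut -d: -f3)
    awk -F: -v n="$name" -v u="$uid" \
        'BEGIN { clash = 0 } $1 == n || $3 == u { clash = 1 } END { exit clash }'
}

# Return 0 if the passwd: and group: lines of an nsswitch.conf (stdin) both
# list winbind, as step 5 requires.
nsswitch_has_winbind() {
    awk 'BEGIN { p = 0; g = 0 }
         $1 == "passwd:" && /winbind/ { p = 1 }
         $1 == "group:"  && /winbind/ { g = 1 }
         END { exit (p && g) ? 0 : 1 }'
}

# Print every step-2 setting missing from the [global] section of an smb.conf
# (stdin); return 0 only when all four are present with the expected values.
smb_global_has_settings() {
    awk '
      /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
      inglobal {
          line = tolower($0)
          sub(/[[:space:]]*[#;].*/, "", line)   # strip trailing comments
          if (line ~ /^[[:space:]]*dns forwarder[[:space:]]*=/) seen["dns forwarder"] = 1
          if (line ~ /^[[:space:]]*idmap config .*:[[:space:]]*unix_nss_info[[:space:]]*=[[:space:]]*yes/) seen["unix_nss_info"] = 1
          if (line ~ /^[[:space:]]*winbind offline logon[[:space:]]*=[[:space:]]*no/) seen["winbind offline logon"] = 1
          if (line ~ /^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*yes/) seen["winbind use default domain"] = 1
      }
      END {
          n = split("dns forwarder|unix_nss_info|winbind offline logon|winbind use default domain", want, "|")
          missing = 0
          for (i = 1; i <= n; i++)
              if (!(want[i] in seen)) { print "missing in [global]: " want[i]; missing++ }
          exit missing ? 1 : 0
      }'
}

# Steps 10-11: read one getent passwd line from stdin, switch its shell to
# /bin/bash and print the result, or refuse it if the name or uid is already
# in the local passwd file ($1, default /etc/passwd).
# Usage: getent passwd josh | build_local_entry
build_local_entry() {
    local_passwd=${1:-/etc/passwd}
    read -r entry || return 1
    candidate=$(set_login_shell "$entry" /bin/bash)
    if passwd_entry_is_free "$candidate" < "$local_passwd"; then
        printf '%s\n' "$candidate"
    else
        printf 'refusing: name or uid of "%s" already exists in %s\n' "$candidate" "$local_passwd" >&2
        return 1
    fi
}

# Run the step-2 and step-5 checks against the live files; returns non-zero
# if anything is missing.
check_system() {
    rc=0
    smb_global_has_settings < /etc/samba/smb.conf && echo "smb.conf [global]: ok" || rc=1
    nsswitch_has_winbind < /etc/nsswitch.conf && echo "nsswitch.conf: ok" \
        || { echo "nsswitch.conf: winbind missing from passwd: or group:"; rc=1; }
    return $rc
}

# Run the live checks only when invoked as: sh adssh-check.sh check
case "${1:-}" in check) check_system ;; esac
```

Source the file (`. ./adssh-check.sh`) to use the functions interactively; `getent passwd josh | build_local_entry >> /etc/passwd` appends the step-11 line only when the check passes, and nothing is written if the name or uid is already present locally.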

By default, users added in this way will not be given sudo access. If you want to give a user sudo access, add them to the sudo group with 'usermod -aG sudo <USER>'. At this point, you should be able to log in via SSH using an AD user. If you encounter any issues with the above instructions, please contact support@osnexus.com, and upload logs using the Send Support Logs button in the web interface.
