Join Ubuntu VM to Domain
Step 1: Check and correct the VM name
hostnamectl set-hostname FQDN-HOSTNAME
hostname FQDN-HOSTNAME
vi /etc/hosts
Step 2: Install Required Packages
apt update && apt upgrade -y
apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y
systemctl enable --now oddjobd
reboot
Step 3: Discover the Domain
realm discover domain.local
Step 4: Join the Domain
realm join --user=vishal.rajput domain.local
realm list
Step 5: Create a Local Linux Group
groupadd ssh-admins
Step 6: Add Domain Users to the Local Group
usermod -a -G ssh-admins 'vishal.rajput@domain.local'
Step 7: Restrict Logins to Local Group Only
vi /etc/sssd/sssd.conf
[sssd]
domains = DOMAIN.LOCAL
config_file_version = 2
services = nss, pam, ssh
[domain/DOMAIN.LOCAL]
ad_domain = DOMAIN.LOCAL
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
access_provider = simple
simple_allow_groups = domain admins, ssh-admins
# Recommended for login experience
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_id_mapping = True
cache_credentials = True
krb5_store_password_if_offline = True
systemctl restart sssd
Step 8: Check and configure the nsswitch settings
vi /etc/nsswitch.conf
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
Step 9: Grant sudo Access to Local Group
visudo
%ssh-admins ALL=(ALL:ALL) ALL
Step 10: Update /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
UsePAM yes
Step 11: Enable Home Directory Creation
pam-auth-update --force
Ensure the following are checked:
"SSSD"
"Create home directory on login" (pam_mkhomedir)
"Unix authentication"
"Unix account"
After this, the following PAM files should have references to pam_sss.so:
grep sss /etc/pam.d/common-*
You should see lines like:
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so
Step 12: Restart All Related Services
systemctl restart sssd
systemctl restart ssh
Step 13: Test the Setup
ssh 'vishal.rajput'@10.50.2.122
Step 14: Verify the user's group membership with:
id 'vishal.rajput@domain.local'
Step 15: Update the user's local group membership on the machine and test sudo access.
usermod -a -G ssh-admins vishal.rajput
Step 16: To leave the domain, run the command below.
realm leave DOMAIN.LOCAL
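As an added example (not part of the original runbook), a small Python checker for the two files configured in Steps 7 and 8. The sssd.conf and nsswitch.conf contents are constructed inline from the settings above; the two functions accept any file text, so they can be pointed at the real files on the host.

```python
import configparser
import re

# Constructed inputs mirroring Steps 7 and 8 above (not read from a live host).
SSSD_CONF = """\
[sssd]
domains = DOMAIN.LOCAL
config_file_version = 2
services = nss, pam, ssh

[domain/DOMAIN.LOCAL]
id_provider = ad
access_provider = simple
simple_allow_groups = domain admins, ssh-admins
use_fully_qualified_names = False
"""

NSSWITCH_CONF = """\
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
"""

def sssd_findings(text):
    """Return problems in sssd.conf text: a domain with no effective access control."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] lists no domains")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            problems.append(f"missing section [{sect}]")
            continue
        provider = cp.get(sect, "access_provider", fallback="permit")  # SSSD's documented default
        allowed = [g.strip() for g in cp.get(sect, "simple_allow_groups", fallback="").split(",") if g.strip()]
        if provider == "permit":
            problems.append(f"[{sect}]: access_provider is permit, every domain user may log in")
        elif provider == "simple" and not allowed:
            problems.append(f"[{sect}]: simple access provider without simple_allow_groups")
    return problems

def nsswitch_findings(text):
    """Return the passwd/group/shadow databases that do not consult sss."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(passwd|group|shadow)\s*:\s*(.*)$", line.split("#", 1)[0])
        if m:
            seen[m.group(1)] = m.group(2).split()
    return [f"nsswitch {db} does not consult sss" for db in ("passwd", "group", "shadow")
            if "sss" not in seen.get(db, [])]
```

Note that sssd-simple(5) states simple_allow_groups is evaluated only against groups in the SSSD domain and that local groups are not evaluated, so the ssh-admins entry in Step 7 does not restrict logins by itself; the sudo restriction in Step 9 still relies on the local group membership from Steps 6 and 15.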
Configure Duo authentication
Once the domain login works with the steps above, make the following configuration changes to enable Duo.
Install the prerequisites for the Duo configuration.
Create the apt source file:
vi /etc/apt/sources.list.d/duosecurity.list
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/duo.gpg
apt-get update && apt-get install duo-unix -y
Update the key details in the Duo configuration files. (These values are taken from the application entry in the Duo portal; each application has its own integration key, secret key and API host.)
vi /etc/duo/pam_duo.conf
[duo]
; Duo integration key
ikey = DIPZKZT8H9ELTTTVLFE2
; Duo secret key
skey = AHZoYq7j9197Bgf9bWFl1QUdLy6smEPGsFAR6pvD
; Duo API host
host = api-cf60925f.duosecurity.com
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
pushinfo = yes
autopush = yes
prompts = 1
cp /etc/duo/pam_duo.conf /etc/duo/login_duo.conf
Working “/etc/pam.d/sshd” file content:
Before adding this content, locate pam_duo.so on the system and update the module path in the file accordingly. Also confirm the UID range of the mapped domain users (the id output from Step 14) before relying on the 1000000 threshold in the pam_succeed_if line: with ldap_id_mapping the range SSSD assigns is derived from the domain SID and can start below that value, and any domain user with a lower UID would skip Duo.
vi /etc/pam.d/sshd
# First, perform system password-based auth (local or SSSD)
@include common-auth
# Conditionally apply DUO for domain users only (UID >= 1000000 for SSSD)
auth [default=1 success=ok] pam_succeed_if.so uid >= 1000000
# Then trigger Duo MFA (only after password is verified)
auth required /usr/lib64/security/pam_duo.so
# Check for login restrictions (nologin, etc.)
account required pam_nologin.so
# Include account handling (local and AD)
@include common-account
# Session setup
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv
session required pam_limits.so
session required pam_env.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Password updates
@include common-password
Working “/etc/pam.d/common-auth” file content:
vi /etc/pam.d/common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
auth [success=2 default=ignore] pam_unix.so nullok
#auth [success=1 default=ignore] pam_duo.so
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
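As an added example (not part of the original runbook), a Python lint for the jump counts in the two auth stacks above. It resolves every [...=N] jump to the module it lands on, the way libpam counts them (N modules skipped, comments not counted, @include expanded in place), and flags a success jump that lands on pam_deny.so. The stacks are constructed inline from the files above; the sshd copy has common-auth expanded.

```python
import re

# Constructed copies of the auth stacks above (not read from a live host).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok
#auth [success=1 default=ignore] pam_duo.so
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# The sshd stack with "@include common-auth" expanded in place.
SSHD_AUTH = COMMON_AUTH + """\
auth [default=1 success=ok] pam_succeed_if.so uid >= 1000000
auth required /usr/lib64/security/pam_duo.so
"""

RULE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_rules(text):
    """Parse active (uncommented) auth lines into (control, module) pairs."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])
        if m:
            control, module = m.groups()
            rules.append((control, module.rsplit("/", 1)[-1]))
    return rules

def jump_targets(text):
    """For every [...=N] jump, resolve the module it lands on (or the end of the stack)."""
    rules = auth_rules(text)
    out = []
    for idx, (control, module) in enumerate(rules):
        if not control.startswith("["):
            continue
        for key, val in (kv.split("=", 1) for kv in control[1:-1].split()):
            if val.isdigit():
                dest = idx + int(val) + 1
                target = rules[dest][1] if dest < len(rules) else "<end of stack>"
                out.append((module, key, int(val), target))
    return out

def jump_problems(text):
    """Flag success jumps that land on pam_deny.so: a verified password would be denied."""
    return [f"{m}: {k}={n} lands on {t}" for m, k, n, t in jump_targets(text)
            if k == "success" and t == "pam_deny.so"]
```

Running jump_problems on common-auth with the commented pam_duo line simply uncommented shows why that line must not be re-enabled as-is: success=2 on pam_unix.so then lands on pam_deny.so.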
Enable the following settings in the sshd_config file.
vi /etc/ssh/sshd_config
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
Restart the required services and test SSH access.
systemctl restart sshd
systemctl restart sssd