This repository contains comprehensive scripts and configurations for setting up Active Directory (AD) integration with SSSD and PIV smart card authentication on Ubuntu 22.04 systems.
This solution provides:
- Active Directory Integration via SSSD for centralized authentication
- PIV Smart Card Authentication for enhanced security
- GNOME Desktop Integration for seamless login experience
- SSH Configuration for remote access with AD/PIV credentials
- Automated Deployment using Ansible
## Scripts

### configure_ad_sssd.py

Configures Active Directory integration with SSSD:
- Domain joining and discovery
- SSSD configuration for AD authentication
- Kerberos configuration
- PAM configuration
- SSH integration

Usage:

```bash
sudo python3 configure_ad_sssd.py \
  --domain example \
  --realm example.com \
  --domain-controller dc.example.com \
  --admin-user admin
```

### configure_piv_auth.py

Configures PIV smart card authentication:
- OpenSC and PCSC daemon setup
- PAM PKCS11 configuration
- GNOME smart card support
- Certificate management
- Service configuration

Usage:

```bash
sudo python3 configure_piv_auth.py --ca-cert /path/to/ca-cert.pem
```

### deploy_ad_piv.yml

Complete automated deployment using Ansible:
- Package installation
- Configuration deployment
- Service management
- Testing and validation

Usage:

```bash
# Create inventory file
cat > inventory << EOF
[ubuntu_hosts]
your-server.example.com

[ubuntu_hosts:vars]
ansible_user=your-user
ansible_ssh_private_key_file=~/.ssh/id_rsa
EOF

# Run playbook
ansible-playbook -i inventory deploy_ad_piv.yml \
  --extra-vars "vault_ad_admin_password=your_admin_password"
```

Passing the AD admin password with `--extra-vars` records it in your shell history and exposes it to every local user through `ps` for as long as the playbook runs. Outside a lab, supply it from an Ansible Vault file instead, as in the vault steps below.

## Templates

Located in the `templates/` directory:
- `sssd.conf.j2` - SSSD configuration
- `krb5.conf.j2` - Kerberos configuration
- `nsswitch.conf.j2` - Name service switch configuration
- `pam_pkcs11.conf.j2` - PAM PKCS11 configuration
- `opensc.conf.j2` - OpenSC configuration
- `50-smartcard` - GNOME smart card configuration
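The template list only names the files. As an added example (not the repository's `sssd.conf.j2`, and no claim about what `configure_ad_sssd.py` renders), this is what a finished `/etc/sssd/sssd.conf` for the AD domain on this page would reasonably contain, with the settings that decide who may log in called out. The realm, controller name and home directory layout are placeholders.

```ini
# /etc/sssd/sssd.conf - must be owned by root with mode 0600 or sssd will not start.
[sssd]
config_file_version = 2
domains = example.com
# nss and pam are required; ssh lets sshd fetch keys through sss_ssh_authorizedkeys.
services = nss, pam, ssh

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# access_provider decides who may log in. The default, "permit", admits every
# account that can authenticate. "ad" honours disabled, expired and locked-out
# accounts and, with GPO processing enforced, the "Allow log on locally" and
# related logon rights assigned in Group Policy.
access_provider = ad
ad_gpo_access_control = enforcing

ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Pinning one controller matches the --domain-controller flag on this page;
# "_srv_" would discover controllers through DNS SRV records instead.
ad_server = dc.example.com

# Keep AD and local accounts distinguishable: users log in as alice@example.com.
use_fully_qualified_names = True
# Derive UID/GID from the objectSID; set False only if POSIX attributes are
# maintained in AD for every account.
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Cached credentials allow logging in with the last good password while the
# domain is unreachable; disable on hosts that never leave the network.
cache_credentials = True
krb5_store_password_if_offline = True
dyndns_update = True
```

After changing the file, run `sssctl config-check`, clear the cache with `sss_cache -E`, and restart `sssd`; a typo in `access_provider` is not a syntax error, so check the effective value and not only the return code.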
## Prerequisites

- Ubuntu 22.04 LTS
- Root/sudo access
- Network connectivity to Active Directory
- PIV smart card reader (if using PIV authentication)
- CA certificate (if using certificate-based authentication)
- DNS resolution for AD domain
- LDAP/AD ports open (389, 636, 3268, 3269)
- Kerberos ports open (88, 464)

## Quick Start

### Manual installation

1. Install dependencies:

   ```bash
   sudo apt update && sudo apt install -y python3 python3-pip
   ```

2. Configure AD integration:

   ```bash
   sudo python3 configure_ad_sssd.py \
     --domain yourdomain \
     --realm yourdomain.com \
     --domain-controller dc.yourdomain.com \
     --admin-user youradmin
   ```

3. Configure PIV authentication (optional):

   ```bash
   sudo python3 configure_piv_auth.py --ca-cert /path/to/ca-cert.pem
   ```

### Ansible deployment

1. Install Ansible:

   ```bash
   sudo apt update && sudo apt install -y ansible
   ```

2. Create inventory file:

   ```bash
   cat > inventory << EOF
   [ubuntu_hosts]
   your-server.yourdomain.com

   [ubuntu_hosts:vars]
   ansible_user=youruser
   ansible_ssh_private_key_file=~/.ssh/id_rsa
   ad_domain=yourdomain
   ad_realm=yourdomain.com
   ad_domain_controller=dc.yourdomain.com
   ad_admin_user=youradmin
   EOF
   ```

3. Create an Ansible vault for the password:

   ```bash
   ansible-vault create vault.yml
   # Add: vault_ad_admin_password: your_admin_password
   ```

4. Run playbook:

   ```bash
   ansible-playbook -i inventory deploy_ad_piv.yml --ask-vault-pass
   ```

   If the playbook does not load `vault.yml` itself through `vars_files`, pass it explicitly with `-e @vault.yml`.
## Configuration Parameters

### configure_ad_sssd.py

| Parameter | Description | Example |
|---|---|---|
| `--domain` | AD domain name | `example` |
| `--realm` | AD realm (FQDN) | `example.com` |
| `--domain-controller` | Domain controller hostname | `dc.example.com` |
| `--admin-user` | AD admin username | `admin` |

### configure_piv_auth.py

| Parameter | Description | Example |
|---|---|---|
| `--ca-cert` | Path to CA certificate file | `/tmp/ca-cert.pem` |
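The file given to `--ca-cert` only protects anything if pam_pkcs11 is configured to validate the card's certificate against it and to reject cards that do not map to an account. The following `/etc/pam_pkcs11/pam_pkcs11.conf` is an added example for this README, not the repository's `pam_pkcs11.conf.j2`; the module path is the Ubuntu 22.04 OpenSC location used elsewhere on this page, and `example.com` is a placeholder for the AD UPN suffix.

```conf
# /etc/pam_pkcs11/pam_pkcs11.conf
pam_pkcs11 {
  # Never accept an empty PIN, and do not take a PIN from an earlier module.
  nullok = false;
  debug = false;
  use_first_pass = false;
  try_first_pass = false;
  use_authtok = false;
  card_only = false;
  wait_for_card = false;

  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Directory holding the --ca-cert file plus the hash links created by
    # pkcs11_make_hash_link; the card certificate must chain to a root here.
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    support_threads = false;
    # ca: require a chain to ca_dir. signature: make the card sign a challenge
    # with the private key. crl_auto: check revocation via the certificate's CRL
    # distribution point, falling back to crl_dir. "none" accepts any card
    # whose PIN is known.
    cert_policy = ca,signature,crl_auto;
    token_type = "PIV card";
  }

  # Map the certificate's Microsoft UPN (otherName 1.3.6.1.4.1.311.20.2.3) to the
  # account. "null" with default_match = false denies when no earlier mapper
  # produced a user instead of falling through to a default account.
  use_mappers = ms, null;

  mapper ms {
    debug = false;
    module = internal;
    ignorecase = false;
    # With ignoredomain = false a UPN whose suffix is not domainname is rejected.
    ignoredomain = false;
    domainname = "example.com";
  }

  mapper null {
    debug = false;
    module = internal;
    default_match = false;
  }
}
```

pam_pkcs11 locates roots in `ca_dir` by subject hash, not by file name, so run `pkcs11_make_hash_link` in that directory after the CA file is placed. Then insert a card and run `pkcs11_inspect`: it prints the login each mapper would return, and that value must be a name `getent passwd` resolves (for an SSSD domain with `use_fully_qualified_names = True`, that is `user@example.com`). Adjust `ignoredomain` or the SSSD naming settings until the two agree before enabling the module in the PAM stack.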
## Testing

### AD integration

```bash
# Check domain status
realm list

# Test user lookup
getent passwd username@domain.com

# Test authentication
su - username@domain.com
```

### PIV authentication

```bash
# Check smart card reader
pcsc_scan

# Test PIV card detection
opensc-tool -l

# Test PIV authentication
# Insert card and attempt login via GDM
```

### SSH access

```bash
# Test SSH with AD credentials (ssh splits user and host on the last "@",
# so the fully qualified AD name can be given as the user)
ssh username@domain.com@server

# Test SSH with the PIV card. The card's key must already be in the user's
# authorized_keys on the server; export it with
#   ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so username@server
```

## Troubleshooting

### AD integration issues

- Check DNS resolution:
  `nslookup yourdomain.com` (realmd and SSSD find controllers through SRV records, so also check `nslookup -type=SRV _ldap._tcp.yourdomain.com`)
- Verify credentials: `kinit admin@YOURDOMAIN.COM` (the Kerberos realm is the domain name in upper case)
- Check firewall: ensure the LDAP and Kerberos ports listed among the prerequisites (389, 636, 3268, 3269, 88, 464) are reachable on the domain controller
- Check logs: `journalctl -u sssd -f`
- Test configuration: `sssctl config-check`
- Verify user lookup: `getent passwd username@domain.com`

### PIV authentication issues

- Check reader: `lsusb | grep -i smart`
- Test PCSC: `pcsc_scan`
- Check OpenSC: `opensc-tool -l`
- Verify PAM: `sudo pamtester login username authenticate`
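`sssctl config-check` confirms that `sssd.conf` parses and has the right ownership and mode; it says nothing about whether the access-control settings are the ones you intended. The script below is an added example for this page, not part of the repository, and makes no assumption about what `configure_ad_sssd.py` writes: point it at any `sssd.conf` and it reports the settings that decide who may log in.

```bash
#!/bin/sh
# audit_sssd_conf.sh - report sssd.conf settings that weaken AD access control.
# Added example for this README; not part of the repository.

# Print the value of KEY in CONF (last definition wins, as in SSSD); empty if unset.
sssd_get() {
    conf=$1
    key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding per line; exit 0 when nothing was found, 1 otherwise.
audit_sssd_conf() {
    conf=$1
    findings=0

    # SSSD will not start with a group- or world-readable sssd.conf, and a
    # looser mode exposes any bind credential stored in it. Only the mode is
    # checked here; ownership is covered by sssctl config-check.
    mode=$(stat -c %a "$conf" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf has mode ${mode:-?}, expected 600"
           findings=$((findings + 1)) ;;
    esac

    # access_provider decides who may log in. The default, "permit", admits every
    # account that can authenticate; "ad" honours disabled, expired and locked-out
    # accounts and, together with GPO processing, the logon-rights policies.
    ap=$(sssd_get "$conf" access_provider)
    if [ "$ap" != "ad" ]; then
        echo "FAIL: access_provider is '${ap:-unset}', expected 'ad'"
        findings=$((findings + 1))
    fi

    # "permissive" logs GPO denials without enforcing them; "disabled" skips them.
    # Unset means the provider default, which is "enforcing" in SSSD 2.x.
    gpo=$(sssd_get "$conf" ad_gpo_access_control)
    case "$gpo" in
        ""|enforcing) ;;
        *) echo "WARN: ad_gpo_access_control is '$gpo'; GPO logon rights are not enforced"
           findings=$((findings + 1)) ;;
    esac

    # A domain-joined host authenticates to AD with its keytab; a cleartext bind
    # password in the config is a credential waiting to be copied.
    if [ -n "$(sssd_get "$conf" ldap_default_authtok)" ]; then
        echo "FAIL: ldap_default_authtok is set; use the machine keytab instead"
        findings=$((findings + 1))
    fi

    # Unqualified names let a local account shadow (or be shadowed by) an AD one.
    fqn=$(sssd_get "$conf" use_fully_qualified_names | tr 'A-Z' 'a-z')
    if [ "$fqn" = "false" ]; then
        echo "WARN: use_fully_qualified_names = False; local and AD names may collide"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_sssd_conf /etc/sssd/sssd.conf` after the join. The exit status is 0 only when there are no findings, so it can be dropped into an Ansible `command` task or a CI check unchanged; the FAIL/WARN split separates settings that remove access control outright from ones that merely weaken it.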
## Log Files

- SSSD: `/var/log/sssd/`
- PAM: `/var/log/auth.log`
- Kerberos: `/var/log/krb5.log` (only written if logging to that file is configured; for one-off client-side tracing run `KRB5_TRACE=/dev/stderr kinit user@REALM` instead)
- OpenSC: `/var/log/opensc-debug.log` (only written when `debug` and `debug_file` are set in `opensc.conf`)
## Service Management

```bash
# Restart services
sudo systemctl restart sssd
sudo systemctl restart ssh
sudo systemctl restart pcscd
sudo systemctl restart gdm3

# Check service status
sudo systemctl status sssd
sudo systemctl status ssh
sudo systemctl status pcscd
```

Restarting `gdm3` ends every graphical session on the host, so run it from a console or SSH session rather than from the desktop you are configuring.

## Security Considerations

- Store CA certificates securely
- Regular certificate rotation
- Monitor certificate expiration
- Implement card PIN policies
- Enable card lockout after failed attempts
- Regular security audits
- Use least privilege for service accounts
- Monitor AD logs for anomalies
- Regular password rotation
## Useful Commands

```bash
# SSSD tools
sssctl user-show username@domain.com
sssctl domain-status yourdomain.com

# Kerberos tools
kinit username@DOMAIN.COM
klist

# Smart card tools
pkcs11-tool -L
pkcs11-tool -O
```

## Support

For issues or questions:
- Check the troubleshooting section
- Review log files
- Test with provided validation commands
- Open an issue in the repository
This project is provided as-is for educational and operational use. Please ensure you understand and test all configurations in your environment before production deployment.