Good evening:
I run LXC containers under Proxmox (PVE), and Incus on my Debian 12 box. All Linux containers on the PVE server authenticate against Active Directory. I would like to do the same with Incus on my Debian 12 box. On PVE, getting this up and running is as “simple” as adding the following to the container’s .conf file:
lxc.idmap: u 1000000000 1000000000 2500000000
lxc.idmap: g 1000000000 1000000000 2500000000
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
and then running this script I created:
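#!/usr/bin/env bash
# Join a Debian container to Active Directory with realmd/sssd, restrict logins
# to one AD group, grant sudo to another, and tighten sshd.
#
# Usage (as root):  ./ad-join.sh
#
# Site-specific values come from the environment when set; otherwise the
# defaults below are used and echoed back for confirmation before the join:
#   DOMAIN_NAME   AD domain / realm                 (default: foo.bar)
#   DOMAIN_ADMIN  account used for the realm join   (default: foo.domadm)
#   COMPUTER_OU   OU for the computer object        (default: OU=devices,OU=linux,DC=foo,DC=bar)
#   PERMIT_GROUP  AD group allowed to log in        (default: realm_permit)
#   SUDO_GROUP    AD group granted sudo             (default: realm_sudo)
#
# Copies of the resulting config files are placed in $HOME/realm_configs/.
# The script is re-runnable: config lines are only appended when absent.
set -euo pipefail

readonly domain_name=${DOMAIN_NAME:-foo.bar}
readonly domain_uname=${DOMAIN_ADMIN:-foo.domadm}
readonly computer_ou=${COMPUTER_OU:-OU=devices,OU=linux,DC=foo,DC=bar}
readonly domain_gname=${PERMIT_GROUP:-realm_permit}
readonly sudo_gname=${SUDO_GROUP:-realm_sudo}
readonly backup_dir="$HOME/realm_configs"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask a single-keystroke yes/no question.
# Arguments: $1 - prompt text
# Returns:   0 if the answer was y/Y, 1 otherwise
#######################################
confirm() {
  local reply
  read -r -p "$1 " -n 1 reply
  echo
  [[ $reply =~ ^[Yy]$ ]]
}

#######################################
# Append a line to a file unless an identical line is already present,
# so re-running the script does not duplicate config entries.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Install the AD client stack (after confirmation).
#######################################
install_packages() {
  if confirm "Run installation and configuration?"; then
    apt update
    apt upgrade -y
    apt install -y ntp realmd sssd sssd-tools libnss-sss libpam-sss krb5-user \
      adcli samba-common-bin git sudo curl
  fi
}

#######################################
# Enable DNS discovery of the KDC and realm in krb5.conf.
#######################################
configure_krb5() {
  # NOTE(review): these lines are appended to the end of the file, i.e. into
  # whatever section happens to be last; krb5 reads dns_lookup_* from
  # [libdefaults] — confirm they land in the right section.
  append_once "dns_lookup_kdc = true" /etc/krb5.conf
  append_once "dns_lookup_realm = true" /etc/krb5.conf
}

#######################################
# Write the realmd configuration (skipped if an [active-directory] section
# already exists, so the file is not duplicated on re-runs).
# Globals:   domain_name (read)
#######################################
write_realmd_conf() {
  local conf=/etc/realmd.conf
  local os_name os_version
  os_name=$(uname -o)
  os_version=$(uname -v)
  printf 'os-name: %s\nos-version: %s\n' "$os_name" "$os_version"
  touch -- "$conf"
  if grep -q '^\[active-directory\]' "$conf"; then
    printf '%s already has an [active-directory] section; leaving it alone\n' "$conf"
    return 0
  fi
  cat >> "$conf" <<EOF
[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = $os_name
os-version = $os_version

[service]
automatic-install = no

[$domain_name]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes
EOF
}

#######################################
# Join the domain after the operator confirms each site value.
# Globals:   domain_uname, domain_name, computer_ou (read)
# Returns:   0 if the join was skipped or succeeded; realm's status otherwise
#######################################
join_domain() {
  confirm "Join with domain admin account $domain_uname ?" || return 0
  confirm "Join domain $domain_name ?" || return 0
  confirm "Use computer OU $computer_ou ?" || return 0
  # realm prompts for the admin password on its own; it is never put on argv.
  realm join --verbose --user="$domain_uname" --computer-ou="$computer_ou" \
    "$domain_name" --install=/
}

#######################################
# Adjust sssd.conf: enable the ssh responder, ID mapping, short names, and
# SSH public keys from the altSecurityIdentities attribute.
#######################################
configure_sssd() {
  local conf=/etc/sssd/sssd.conf
  [[ -f $conf ]] || die "$conf not found - did the realm join succeed?"
  # Guarded so a second run does not produce "nss, pam, ssh, ssh".
  if ! grep -q '^services = nss, pam, ssh' "$conf"; then
    sed -i 's/services = nss, pam/services = nss, pam, ssh/g' "$conf"
  fi
  sed -i 's/ldap_id_mapping = False/ldap_id_mapping = True/g' "$conf"
  sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' "$conf"
  append_once "ldap_user_ssh_public_key = altSecurityIdentities" "$conf"
}

#######################################
# Deny all AD logins, then permit exactly one security group.
# Globals:   domain_gname, domain_name (read)
#######################################
restrict_logins() {
  realm deny --all
  realm permit -g "$domain_gname@$domain_name"
  printf '%s security group added to authorization list\n' "$domain_gname"
}

#######################################
# Grant sudo to the AD sudo group via a validated /etc/sudoers.d drop-in
# instead of appending to /etc/sudoers (same rule, but checked with visudo
# first and not duplicated on re-runs).
# Globals:   sudo_gname (read)
#######################################
configure_sudo() {
  local dropin=/etc/sudoers.d/realm_sudo
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  printf '# Allow AD Security Group SUDO Access\n%%%s ALL=(ALL:ALL) ALL\n' \
    "$sudo_gname" > "$tmp"
  # A syntactically broken sudoers fragment locks everyone out of sudo;
  # validate before installing it.
  if ! visudo -cf "$tmp"; then
    rm -f -- "$tmp"
    die "generated sudoers rule is invalid; not installing it"
  fi
  install -m 0440 -o root -g root -- "$tmp" "$dropin"
  rm -f -- "$tmp"
  printf '%s security group added to sudoers (%s)\n' "$sudo_gname" "$dropin"
}

#######################################
# Harden sshd_config and hook sssd's authorized-keys lookup.
# The sed patterns are kept verbatim from the original script: they only
# rewrite the commented-out stock defaults, so a directive that is already
# active is left untouched — hence the reminder printed at the end.
#######################################
configure_sshd() {
  local conf=/etc/ssh/sshd_config
  echo "Modifying sshd_config file"
  sed -i 's/\#SyslogFacility\ AUTH/SyslogFacility\ AUTH/g' "$conf"
  sed -i 's/\#LogLevel\ INFO/LogLevel\ INFO/g' "$conf"
  sed -i 's/\#LoginGraceTime\ 2m/LoginGraceTime\ 30s/g' "$conf"
  sed -i 's/\#PermitRootLogin\ prohibit-password/PermitRootLogin\ prohibit-password/g' "$conf"
  sed -i 's/\#MaxAuthTries\ 6/MaxAuthTries\ 3/g' "$conf"
  sed -i 's/\#MaxSessions\ 10/MaxSessions\ 3/g' "$conf"
  sed -i 's/\#PubkeyAuthentication\ yes/PubkeyAuthentication\ yes/g' "$conf"
  sed -i 's/\#AuthorizedKeysCommand\ none/AuthorizedKeysCommand\ \/usr\/bin\/sss_ssh_authorizedkeys\ \%u/g' "$conf"
  # NOTE(review): the stock default for AuthorizedKeysCommandUser is an
  # unprivileged account (nobody); running the lookup helper as root widens
  # the impact of any bug in it — confirm root is actually required here.
  sed -i 's/\#AuthorizedKeysCommandUser\ nobody/AuthorizedKeysCommandUser\ root/g' "$conf"
  sed -i 's/\#PasswordAuthentication\ yes/PasswordAuthentication\ no/g' "$conf"
  sed -i 's/\#PermitEmptyPasswords\ no/PermitEmptyPasswords\ no/g' "$conf"
  echo "Done modifying sshd_config file"
  # Validate first so a bad edit cannot leave the box without a working sshd.
  sshd -t || die "sshd_config failed validation; not restarting sshd"
  systemctl restart sshd
  systemctl --no-pager status sshd
}

#######################################
# Keep copies of the resulting config files. These are copies of the
# post-change state, not pre-change backups. sssd.conf may hold credentials,
# so the directory is created private to the invoking user.
# Globals:   backup_dir (read)
#######################################
backup_configs() {
  mkdir -p -m 0700 -- "$backup_dir"
  cp -v -- /etc/krb5.conf /etc/systemd/timesyncd.conf /etc/realmd.conf \
    /etc/sssd/sssd.conf "$backup_dir"/
}

#######################################
# Final manual checks for the operator.
#######################################
print_reminders() {
  echo
  echo "Don't forget to check /etc/ssh/sshd_config"
  echo
  echo "Specifically, look for:"
  echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u"
  echo "AuthorizedKeysCommandUser root"
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  install_packages
  configure_krb5
  write_realmd_conf
  pam-auth-update
  join_domain
  configure_sssd
  restrict_logins
  configure_sudo
  configure_sshd
  backup_configs
  print_reminders
  sss_cache -E
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  main "$@"
fi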
Now, I run the script within the container and everything seems to go to plan, but I am not able to log in with Active Directory credentials.
I suspect it may have to do with not adding:
lxc.idmap: u 1000000000 1000000000 2500000000
lxc.idmap: g 1000000000 1000000000 2500000000
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
but I am not sure where I would add the above, as I am not sure Incus has a similar .conf file for containers.
I may be way off, too. I’ll take any suggestions
Thank you!