Integrating Ubuntu with Active Directory for Posit Workbench / RStudio Server Pro


Integrating a Linux server with Active Directory is documented in detail by the various Linux distributions and others. As such, this article only provides an overview of each step of the process as it relates to Posit Workbench (formerly RStudio Workbench) and RStudio Server Pro. It's important to note that this is a general resource to assist with a topic outside the scope of our support. These exact steps may not work in your specific environment, in which case we suggest reviewing the additional resources.

A # in front of a command means that the command must be executed as root or with sudo.

1) Install the prerequisites

We'll be using realmd to join with the AD server.  To use the realmd system, install the realmd package and the other required dependencies:

sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

 

2) Join the underlying Linux server with Active Directory

Complete the join using the following syntax: realm join [-U user] [realm-name]

# realm join -U Administrator dc1.rstudio.example

You will be prompted for the password of the username entered.  If the command completes without error, confirm with:

# realm list

Example output:

rstudio.example
type: kerberos
realm-name: RSTUDIO.EXAMPLE
domain-name: rstudio.example
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@rstudio.example
login-policy: allow-realm-logins

 

The realm join completes these steps automatically:

  1. Joining the domain by creating an account entry for the system in the directory.
  2. Creating the /etc/krb5.keytab host keytab file.
  3. Configuring the domain in SSSD and restarting the service.
  4. Enabling domain users for the system services in PAM configuration and the /etc/nsswitch.conf file.

 

Below is the example /etc/sssd/sssd.conf file automatically produced from the realm join:

[sssd]
domains = rstudio.example
config_file_version = 2
services = nss, pam

[domain/rstudio.example]
ad_server = dc1.rstudio.example
ad_domain = rstudio.example
krb5_realm = RSTUDIO.EXAMPLE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

 

SSSD's AD access provider applies GPO-based access control per PAM service name, so the following addition under the [domain/rstudio.example] section above may be required to allow logins through the /etc/pam.d/rstudio profile:

ad_gpo_map_service = +rstudio

 

You can now check and verify an AD account using the id command before moving on to the next section.

# id user@rstudio.example

 

3) Configure PAM to create the user home directory

Edit /etc/pam.d/common-session by adding this line directly after session required pam_unix.so:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

 

4) Configure the rstudio PAM profile

After integrating the underlying Linux operating system with Active Directory, you can copy the /etc/pam.d/login PAM profile for use with Workbench as suggested here:

# cp /etc/pam.d/login /etc/pam.d/rstudio

   

5) Test the PAM profile and AD integration using pamtester

# /usr/lib/rstudio-server/bin/pamtester --verbose rstudio user@rstudio.example authenticate acct_mgmt setcred open_session close_session

 

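If a pam_acct_mgmt error is observed, edit /etc/pam.d/common-account by commenting out the line below. Note that this removes the SSSD account check (the access_provider = ad decision) from every PAM service that includes common-account, not only rstudio: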

#account [default=bad success=ok user_unknown=ignore] pam_sss.so

 

Then run the pamtester command again; if it succeeds, continue to the next step.

 

6) Test Workbench and AD integration

Log in to your Posit Workbench instance with an Active Directory ID, using the username@domain.example format, to test. If you want your users to log in with username instead of username@domain, you can adjust this line in sssd.conf like so:

use_fully_qualified_names = False

Then restart the sssd service.
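
The script below is an added example, not part of the original article or of Posit's tooling: a read-only check of the files edited in steps 2 through 5, which prints one line for each item that needs review. The ROOT argument, the function names and the --run switch are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): read-only audit of the files
# edited in steps 2-5. ROOT is a hypothetical prefix so a copy of /etc can be checked.

# Print the value of KEY from the [domain/...] section of an sssd.conf file.
sssd_domain_opt() {  # usage: sssd_domain_opt FILE KEY
  awk -v key="$2" '
    /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//); next }
    in_dom && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == key) print v
    }' "$1" 2>/dev/null
}

# Print one line per finding; the return status is the number of findings.
audit_ad_pam() {  # usage: audit_ad_pam [ROOT]
  local root="${1:-}" n=0
  local conf="$root/etc/sssd/sssd.conf" pam="$root/etc/pam.d"
  finding() { echo "REVIEW: $*"; n=$((n + 1)); }

  # sssd.conf should not be readable or writable by other users.
  [ "$(ls -ld "$conf" 2>/dev/null | cut -c8-10)" = "---" ] ||
    finding "$conf is missing or accessible to other users"
  # Text pasted from a web page can carry invisible non-ASCII characters.
  if LC_ALL=C grep -q '[^[:print:][:space:]]' "$conf" 2>/dev/null; then
    finding "$conf contains non-ASCII bytes"
  fi
  [ "$(sssd_domain_opt "$conf" access_provider)" = "ad" ] ||
    finding "access_provider is not ad"
  [ -f "$pam/rstudio" ] || finding "$pam/rstudio does not exist"
  # Step 3: pam_mkhomedir.so must follow pam_unix.so in the session stack.
  awk '$1 == "session" && /pam_unix\.so/ { u = NR }
       $1 == "session" && /pam_mkhomedir\.so/ { m = NR }
       END { exit !(u && m > u) }' "$pam/common-session" 2>/dev/null ||
    finding "pam_mkhomedir.so is not placed after pam_unix.so in common-session"
  # Step 5 workaround: with pam_sss.so commented out of the account stack,
  # SSSD is no longer asked whether the account may log in.
  grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$pam/common-account" 2>/dev/null ||
    finding "pam_sss.so is not active in common-account"
  return "$n"
}

# Run against the live system only when executed directly with "--run".
if [ "${1:-}" = "--run" ]; then audit_ad_pam "${2:-}"; fi
```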

Additional resources:

Ubuntu Docs: SSSD and Active Directory

Ubuntu realmD man page

 
