
Azure AD authentication on Ubuntu 23.04

Ubuntu Desktop 23.04 is the first Linux distribution to ship native user authentication against Azure Active Directory (Azure AD). The integration is provided by the aad-auth package, which is currently in public preview, so users can try Azure AD sign-in on an Ubuntu Desktop today; the plan is to backport the feature to the LTS releases and make it standard in future versions. For enterprise users this means signing in to an Ubuntu Desktop with the same credentials they already use for Microsoft 365 or their Windows clients, which eases moving between platforms.

During installation, the aad-auth package creates three main components:

  • A PAM (Pluggable Authentication Module) module that handles the authentication process.

  • An NSS (Name Service Switch) module that answers lookups in the passwd, group, and shadow databases, so the system can resolve Azure AD users to local user information.

  • A command-line tool that enables users to manage the local cache for offline authentication and system configuration. This tool helps users maintain access to their Ubuntu Desktops, even if there is no network connection available.

Installation

To install the AAD authentication module for Ubuntu, users can run the following command in the terminal:

sudo apt install libpam-aad libnss-aad -y

This command will install the necessary modules for PAM and NSS. For NSS, it will update the /etc/nsswitch.conf file and add the “aad” service for password, group, and shadow databases. For PAM, it will update the /etc/pam.d/common-auth file and add the following line after pam_unix and pam_sss (if configured):

auth [success=1 default=ignore] pam_aad.so

In the stock Ubuntu common-auth stack, success=1 means that a successful pam_aad.so authentication skips the pam_deny.so line that follows it and reaches pam_permit.so, while default=ignore lets any other result fall through to the next module; pam-auth-update recomputes the success= skip count on the pam_unix.so line so that a local account still short-circuits the stack. This is what makes the Azure AD module part of the authentication process.

If network users want to have a home directory created when they log in, the pam_mkhomedir module must be enabled. This module will automatically create a home directory on the user’s first login. To enable pam_mkhomedir, users can run the following command in the terminal:

sudo pam-auth-update --enable mkhomedir

This command will enable the module in PAM’s configuration, ensuring that the home directory is created automatically for network users when they log in for the first time.
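As an added example (my own code, not part of the page or of aad-auth), here is a POSIX shell checker for the wiring the two install steps above leave behind: every NSS database the text lists must name the aad service, and pam_aad.so must sit in common-auth after pam_unix.so. The sample file contents and the function names are constructed for this example; on a real host, point check_aad_wiring at /etc/nsswitch.conf and /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example: verify the NSS and PAM wiring described in the text.
# Sample file contents below are constructed, not copied from a real host.

# Constructed stand-in for /etc/nsswitch.conf after installing libnss-aad.
SAMPLE_NSSWITCH='passwd:         files systemd aad
group:          files systemd aad
shadow:         files aad
hosts:          files dns'

# Constructed stand-in for /etc/pam.d/common-auth after installing libpam-aad:
# pam_unix skips two modules on success, pam_aad skips one (over pam_deny).
SAMPLE_COMMON_AUTH='# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_aad.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so'

# nss_has_aad DB FILE: succeed if the NSS database DB lists the "aad" service.
nss_has_aad() {
    awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "aad") found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# pam_aad_after_unix FILE: succeed if the auth stack contains pam_aad.so and it
# comes after pam_unix.so, which is where the text says it is inserted.
pam_aad_after_unix() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && /pam_unix\.so/ { nunix = NR }
        $1 == "auth" && /pam_aad\.so/  { naad = NR }
        END { if (nunix && naad && naad > nunix) exit 0; exit 1 }' "$1"
}

# check_aad_wiring NSSWITCH COMMON_AUTH: run both checks, report, return 0 or 1.
check_aad_wiring() {
    for db in passwd group shadow; do
        nss_has_aad "$db" "$1" || { echo "nsswitch: '$db' does not list aad" >&2; return 1; }
    done
    pam_aad_after_unix "$2" || { echo "common-auth: pam_aad.so missing or before pam_unix.so" >&2; return 1; }
    echo "aad wiring OK: $1, $2"
}

# Write the constructed samples to temporary files and run the check on them.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp/nsswitch.conf"
printf '%s\n' "$SAMPLE_COMMON_AUTH" > "$tmp/common-auth"
check_aad_wiring "$tmp/nsswitch.conf" "$tmp/common-auth"
# On a real host: check_aad_wiring /etc/nsswitch.conf /etc/pam.d/common-auth
```

The order check matters because the success= counts in the Primary block are positional: a pam_aad.so line placed before pam_unix.so would change which module's result jumps to pam_permit.so.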

Create an Azure Application

  • Sign-in to the Azure portal.

  • Open Azure Active Directory.

  • Select Applications > App registrations, then select New registration.

  • Name the application, for example “Ubuntu Signin”.

  • Select a supported account type, which determines who can use the application. Preferably, Accounts in this organizational directory only (nevinpjohn only - Single tenant).

  • Select Register.

  • From App registrations in Azure AD, select your application.

  • On the app’s overview page, copy the Directory (tenant) ID value and store it.

  • Copy the Application (client) ID value and store it; it goes into aad.conf as app_id.

  • (Optional) Go to Certificates & secrets, then select New client secret.

  • Provide a description of the secret and a duration.

  • Select Add.

Once you have saved the client secret, its value is displayed; copy it now because it cannot be retrieved later, and treat it as a credential. Note that the secret is not what aad.conf consumes: the values you will put in the config file on the Ubuntu machine in the next step (aad.conf) are the Directory (tenant) ID and the Application (client) ID. The pam_aad and nss_aad modules sign the user in with the user's own Azure AD username and password through a public-client flow, so the registration's Authentication page must have Allow public client flows set to Yes, and accounts that enforce MFA cannot authenticate this way.

Configuring Ubuntu

Edit the file /etc/aad.conf

Here’s my sample template:

### required values
## see the app registration steps above for how to obtain both values.
tenant_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ; Directory (tenant) ID
app_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx    ; Application (client) ID, not the client secret

### optional values (defaults)
# offline_credentials_expiration = 90 ; duration in days a user can log in without online verification
                                      ; set to 0 to prevent old users from being cleaned and allow offline authentication for an undetermined amount of time
                                      ; set to a negative value to prevent offline authentication
# homedir = /home/%u ; home directory pattern for the user, the following mapping applies:
#                    ; %f - full username
#                    ; %U - UID
#                    ; %l - first char of username
#                    ; %u - username without domain
#                    ; %d - domain
# shell = /bin/bash ; default shell for the user

### overriding values for a specific domain, every value inside a section is optional
[nevinpjohn.in]
offline_credentials_expiration = 30
homedir = /home/domain.com/%f
shell = /bin/zsh
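Because the only visible difference between a correct app_id and a pasted client secret is its shape, here is an added example (my own code, not part of aad-auth or of the original post) that parses an aad.conf in the format above, checks that tenant_id and app_id are GUIDs, reads a per-domain override, and spells out what the offline_credentials_expiration value means. The GUIDs, the secret-looking string, the 90-day fallback (taken from the template's commented default) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: a checker for /etc/aad.conf in the format shown in the post.
# Sample configs, GUIDs and the "secret" string are constructed for this example.

# Constructed aad.conf that follows the template (placeholder GUIDs).
GOOD_CONF='### required values
tenant_id = 11111111-2222-3333-4444-555555555555 ; Directory (tenant) ID
app_id = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee    ; Application (client) ID

### optional values (defaults)
# offline_credentials_expiration = 90 ; duration in days
                                      ; set to 0 for no expiry

[nevinpjohn.in]
offline_credentials_expiration = 30
homedir = /home/domain.com/%f
shell = /bin/zsh'

# Constructed aad.conf reproducing the mistake of pasting a client secret into app_id.
BAD_CONF='tenant_id = 11111111-2222-3333-4444-555555555555
app_id = Xyz8Q~not.an.id.but.a.pasted.client.secret
offline_credentials_expiration = -1'

# aad_get KEY FILE [SECTION]: print KEY from SECTION (the global part when
# omitted); skips "#"/";" comment lines and strips ";" or "#" trailing comments.
aad_get() {
    awk -v key="$1" -v want="${3:-}" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { cur = $0; gsub(/\[|\]|[[:space:]]/, "", cur); next }
        cur == want {
            line = $0; sub(/[[:space:]]*[;#].*$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$2"
}

# is_guid VALUE: succeed if VALUE has the 8-4-4-4-12 hex shape of an Azure ID.
is_guid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# offline_policy DAYS: classify offline_credentials_expiration as the template
# documents it: 0 = indefinite, negative = no offline auth, N = days=N.
offline_policy() {
    printf '%s' "$1" | grep -Eq '^-?[0-9]+$' || { echo "invalid"; return 1; }
    case $1 in
        0)  echo "indefinite" ;;
        -*) echo "disabled" ;;
        *)  echo "days=$1" ;;
    esac
}

# validate_aad_conf FILE: 0 if the required values are present and well-formed.
validate_aad_conf() {
    rc=0
    for key in tenant_id app_id; do
        val=$(aad_get "$key" "$1") || { echo "$1: $key is missing" >&2; rc=1; continue; }
        is_guid "$val" || { echo "$1: $key is not a GUID (app_id takes the Application (client) ID, never the client secret)" >&2; rc=1; }
    done
    exp=$(aad_get offline_credentials_expiration "$1") || exp=90   # template default (assumed)
    echo "$1: global offline policy $(offline_policy "$exp")"
    return $rc
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$GOOD_CONF" > "$tmp/good.conf"
printf '%s\n' "$BAD_CONF" > "$tmp/bad.conf"
validate_aad_conf "$tmp/good.conf"
validate_aad_conf "$tmp/bad.conf" || echo "bad.conf rejected as expected"
echo "shell override for nevinpjohn.in: $(aad_get shell "$tmp/good.conf" nevinpjohn.in)"
# On a real host: validate_aad_conf /etc/aad.conf
```

The per-domain lookup shows how the [nevinpjohn.in] section overrides the global defaults: the global offline_credentials_expiration is commented out (so the 90-day default applies), while the domain section sets it to 30 days and a /bin/zsh shell.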

Done. Reboot the VM and log in as a user from the Azure Active Directory tenant.

Login Demo

This post is licensed under CC BY 4.0 by the author.