Ubuntu Desktop 23.04 is the first, and so far only, Linux distribution to ship native user authentication against Azure Active Directory (Azure AD). The integration is provided by the aad-auth
package, which is currently in public preview. It lets users try Azure AD authentication on Ubuntu Desktop now, and the plan is to port the feature to the LTS releases so that it becomes standard in future versions. For enterprise users this means an Ubuntu Desktop can be signed into with the same credentials they already use for Microsoft 365 or their Windows clients, which makes moving between platforms easier.
The aad-auth package installs three main components:
A PAM (Pluggable Authentication Module) module that handles the authentication process.
An NSS (Name Service Switch) module that queries the password, group, and shadow databases to retrieve user information.
A command-line tool for managing the local credential cache used for offline authentication and the system configuration, so users keep access to their Ubuntu Desktops even when no network connection is available.
Installation
To install the AAD authentication module for Ubuntu, users can run the following command in the terminal:
sudo apt install libpam-aad libnss-aad -y
This command installs the PAM and NSS modules. For NSS, it updates /etc/nsswitch.conf and adds the "aad" service to the passwd, group, and shadow databases. For PAM, it updates /etc/pam.d/common-auth and adds the following line after pam_unix and pam_sss (if configured):
auth [success=1 default=ignore] pam_aad.so
This ensures that the authentication process includes the AAD module as well.
If network users should get a home directory when they log in, the pam_mkhomedir module must be enabled; it creates the directory automatically on the user's first login. To enable it, run the following command in the terminal:
sudo pam-auth-update --enable mkhomedir
This enables the mkhomedir profile in PAM's configuration, so the home directory is created the first time a network user logs in.
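The following shell script is an added example, not code from the aad-auth package or from the original post. It checks, against copies of the files, that the three edits described above are in place: the aad service on the passwd, group and shadow lines of nsswitch.conf, a pam_aad.so auth entry after pam_unix.so (and after pam_sss.so, if present) in common-auth, and pam_mkhomedir.so in common-session. The sample files it writes are constructed for the example; on a real system the spacing and the `success=N` values come from pam-auth-update and may differ, which is why the checks match on module names rather than whole lines.

```shell
#!/bin/sh
# Added example (not part of aad-auth): verify the post-install edits to
# nsswitch.conf, common-auth and common-session. The functions take file paths,
# so they can be pointed at /etc on a real machine or at the constructed samples
# produced by make_samples below.

# 0 when the passwd, group and shadow databases all list the "aad" NSS service.
nss_has_aad() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]aad([[:space:]]|$)" "$1" || {
            echo "$1: database '$db' does not use the aad service" >&2
            return 1
        }
    done
    return 0
}

# 0 when an "auth" entry for pam_aad.so exists and comes after the pam_unix.so
# entry (and after pam_sss.so when that is configured), the order the package uses.
pam_aad_after_unix() {
    unix_line=$(grep -nE '^auth[[:space:]].*pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
    aad_line=$(grep -nE '^auth[[:space:]].*pam_aad\.so' "$1" | head -n 1 | cut -d: -f1)
    sss_line=$(grep -nE '^auth[[:space:]].*pam_sss\.so' "$1" | head -n 1 | cut -d: -f1)
    if [ -z "$unix_line" ] || [ -z "$aad_line" ]; then
        echo "$1: missing pam_unix.so or pam_aad.so auth entry" >&2
        return 1
    fi
    if [ "$aad_line" -gt "$unix_line" ] && [ "$aad_line" -gt "${sss_line:-0}" ]; then
        return 0
    fi
    echo "$1: pam_aad.so must come after pam_unix.so (and pam_sss.so)" >&2
    return 1
}

# 0 when pam_mkhomedir.so is enabled in the session stack, which is what
# "pam-auth-update --enable mkhomedir" adds to common-session.
session_has_mkhomedir() {
    grep -Eq '^session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Constructed sample files standing in for /etc (not copied from a real system).
# Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:         files systemd aad
group:          files systemd aad
shadow:         files aad
hosts:          files mdns4_minimal [NOTFOUND=return] dns
EOF
    cat > "$dir/common-auth" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_aad.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
    cat > "$dir/common-session" <<'EOF'
session required        pam_unix.so
session optional        pam_mkhomedir.so
EOF
    printf '%s\n' "$dir"
}

# check_aad_install NSSWITCH COMMON_AUTH COMMON_SESSION - runs all checks, 0 only if all pass.
check_aad_install() {
    rc=0
    nss_has_aad "$1"           && echo "nsswitch.conf: aad present"     || rc=1
    pam_aad_after_unix "$2"    && echo "common-auth: pam_aad.so ok"     || rc=1
    session_has_mkhomedir "$3" && echo "common-session: mkhomedir ok"   || rc=1
    return $rc
}

# Demo against the constructed samples. On a real machine use:
#   check_aad_install /etc/nsswitch.conf /etc/pam.d/common-auth /etc/pam.d/common-session
samples=$(make_samples)
check_aad_install "$samples/nsswitch.conf" "$samples/common-auth" "$samples/common-session"
```

Run it as root against the real paths after `apt install`; a failing check names the file and the missing entry on stderr.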
Create an Azure Application
Sign-in to the Azure portal.
Open Azure Active Directory.
Select Applications > App registrations, then select New registration.
Name the application, for example “Ubuntu Signin”.
Select a supported account type, which determines who can use the application. Preferably,
Accounts in this organizational directory only (nevinpjohn only - Single tenant)
Select Register.
From App registrations in Azure AD, select your application.
On the app’s overview page, copy the Directory (tenant) ID value and store it.
Copy the Application (client) ID value and store it as well; both IDs go into aad.conf on the Ubuntu machine.
Go to Certificates & secrets, then select New client secret.
Provide a description of the secret and a duration.
Select Add.
Once you have saved the client secret, its value is displayed; copy it now, because it cannot be retrieved later. Note that the aad.conf file on the Ubuntu machine (next step) takes only the Directory (tenant) ID and the Application (client) ID copied above; it has no field for the client secret, so the secret value must not be pasted into app_id.
Configuring Ubuntu
Edit the file /etc/aad.conf
Here’s my sample template:
### required values
## for more information on how to set up an Azure AD app.
tenant_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
app_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ; the Application (client) ID from the app's overview page, not the client secret
### optional values (defaults)
# offline_credentials_expiration = 90 ; duration in days a user can log in without online verification
; set to 0 to prevent old users from being cleaned and allow offline authentication for an undetermined amount of time
; set to a negative value to prevent offline authentication
# homedir = /home/%u ; home directory pattern for the user, the following mapping applies:
# ; %f - full username
# ; %U - UID
# ; %l - first char of username
# ; %u - username without domain
# ; %d - domain
# shell = /bin/bash ; default shell for the user
### overriding values for a specific domain, every value inside a section is optional
[nevinpjohn.in]
offline_credentials_expiration = 30
homedir = /home/domain.com/%f
shell = /bin/zsh
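Before rebooting it is worth checking the file. The script below is an added example and not part of aad-auth or the original post. It uses its own small ini reader (an assumption about the format, taken from the comments in the template: `[section]` headers, `#` and `;` comment lines, trailing `; ...` comments, `key = value` pairs), confirms that tenant_id and app_id are GUIDs (the shape of the Directory (tenant) ID and Application (client) ID, so a pasted client secret is rejected), and resolves the per-domain overrides and the homedir pattern mapping for a sample user. The two configuration files it writes are constructed for the example, with a made-up secret-looking string in the bad one.

```shell
#!/bin/sh
# Added example (not part of aad-auth): sanity-check an aad.conf and show how the
# per-domain overrides and the homedir pattern resolve. The ini parsing below is an
# assumption about the format based on the template's own comments.

# conf_get FILE KEY [SECTION] - prints KEY's value from SECTION ("" = top of file).
conf_get() {
    awk -v key="$2" -v want="${3:-}" '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                       # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec); next
        }
        index($0, "=") > 0 {
            line = $0; sub(/;.*/, "", line)            # drop trailing "; comment"
            k = substr(line, 1, index(line, "=") - 1)
            v = substr(line, index(line, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && sec == want) { print v; exit }
        }' "$1"
}

is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# validate_aad_conf FILE - 0 only when tenant_id and app_id are GUIDs (as the portal's
# Directory (tenant) ID and Application (client) ID are) and offline_credentials_expiration,
# if set at the top level, is an integer number of days.
validate_aad_conf() {
    rc=0
    for key in tenant_id app_id; do
        v=$(conf_get "$1" "$key")
        if ! is_guid "$v"; then
            echo "$1: $key must be the GUID from the app's overview page, got '${v:-<missing>}'" >&2
            rc=1
        fi
    done
    exp=$(conf_get "$1" offline_credentials_expiration)
    if [ -n "$exp" ] && ! printf '%s' "$exp" | grep -Eq '^-?[0-9]+$'; then
        echo "$1: offline_credentials_expiration must be an integer (days)" >&2
        rc=1
    fi
    return $rc
}

# effective_value FILE KEY DOMAIN DEFAULT - [DOMAIN] overrides the top-level value,
# which overrides the built-in default, as the template's comments describe.
effective_value() {
    v=$(conf_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(conf_get "$1" "$2")
    [ -n "$v" ] || v="$4"
    printf '%s\n' "$v"
}

# expand_homedir PATTERN USER@DOMAIN UID - applies the %f/%u/%d/%l/%U mapping.
# Usernames containing the sed delimiter "|" or "&" are not handled here.
expand_homedir() {
    full="$2"; user="${2%%@*}"; domain="${2#*@}"
    first=$(printf '%s' "$user" | cut -c1)
    printf '%s\n' "$1" | sed -e "s|%f|$full|g" -e "s|%u|$user|g" -e "s|%d|$domain|g" \
                             -e "s|%l|$first|g" -e "s|%U|$3|g"
}

# make_confs DIR - writes a constructed good.conf and bad.conf (fake IDs, fake secret).
make_confs() {
    cat > "$1/good.conf" <<'EOF'
tenant_id = 11111111-2222-3333-4444-555555555555
app_id = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
# homedir = /home/%u ; top-level default left commented out
[example.com]
offline_credentials_expiration = 30
homedir = /home/%d/%u
shell = /bin/zsh
EOF
    # A common mistake: the client secret pasted into app_id, plus a non-numeric expiry.
    cat > "$1/bad.conf" <<'EOF'
tenant_id = 11111111-2222-3333-4444-555555555555
app_id = abc8Q~NotARealSecret.ConstructedForThisExample
offline_credentials_expiration = thirty
EOF
}

dir=$(mktemp -d); make_confs "$dir"
validate_aad_conf "$dir/good.conf" && echo "good.conf: ok"
validate_aad_conf "$dir/bad.conf" || echo "bad.conf: rejected"
pattern=$(effective_value "$dir/good.conf" homedir example.com /home/%u)
expand_homedir "$pattern" alice@example.com 1000   # /home/example.com/alice
```

Point validate_aad_conf at /etc/aad.conf on the machine; a top-level value that is missing or not a GUID is reported on stderr before the reboot rather than as a failed login afterwards.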
Done. Reboot the VM and log in as an Azure Active Directory user, giving the full username (user@domain): the domain part is what selects the per-domain section of aad.conf and fills the %d and %u placeholders in the home directory pattern.