Foreword: I’m far more versed in terms of administering Windows-based systems than I am in Linux-based systems. The setup I’m currently dealing with is 95% Windows based, with a few Linux machines for very specific tasks (mostly Docker-related).
I’ve set up a Linux Server (Ubuntu 24.04) and have registered it with our Active Directory instance. I’ve also managed to configure SSSD to permit logins from a specific set of AD users.
The sudoers configuration has been expanded to allow AD users su access:
"%Docker Admins@domain.name" ALL=(ALL) ALL
The resulting setup permits me to log in using SSH (or via a KVM console if need be, since it’s all on a VM) using my AD credentials username@domain.name, provided username@domain.name is a member of the “Docker Admins” AD group. It’s not a complex setup, but it gets the job done while enabling me to handle users in a centralised way via AD.
I’d like to install Webmin on this Linux server and configure it to permit a similar experience (i.e. permit AD users from the Docker Admins group to log in and have administrative privileges).
However it seems that Webmin uses LDAP by default and seems to rely on having the whole server integrated using LDAP? In any case, some preliminary searches showed that this topic was already attempted in the past, but has never received much support (ex Virtualmin/Webmin and SSSD, instead of LDAP | Virtualmin).
Can someone point me to how I can set up Webmin to permit AD logins if I’m already using SSSD on the Linux server? Supposedly it’s using PAM under the hood but I’m not sure what needs to be done - none of the forum posts I found about this have gone into adequate detail for me to figure this one out…
If you set up the Linux server to authenticate to AD, and the users are in a group that has sudo ALL capabilities, they should be able to log in to Webmin with root-level access. (Or you can do other things with groups, Webmin provides a lot of options for allowing UNIX system users to log in to Webmin…so, if you make your system auth via AD using PAM, Webmin will Just Work, because Webmin can authenticate via PAM.)
Oh, you probably need to install the Perl Authen::PAM module for this to work. I don’t know exactly what that package would be named on Ubuntu. Probably something like libauthen-pam-perl or something like that.
Thanks for the response. Alas, from what I can tell the Authen::PAM module was already installed…
sudo apt -y install libauthen-pam-perl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
libauthen-pam-perl is already the newest version (0.16-3build9).
libauthen-pam-perl set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
I’ve also installed pamtester to actually test if there’s no internal problem with PAM and there doesn’t appear to be anything wrong:
Unfortunately Webmin doesn’t appear to “just work” as you say. Attempting to sign in with a login that would work via SSH (and one which has SUDO capabilities) results in a simple “Login failed” error, and the following entry in the logs:
Aug 15 15:09:54 linux-test.my.domain perl[3986]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=mbender_adm@my.domain
Aug 15 15:09:55 linux-test.my.domain perl[3986]: pam_sss(webmin:auth): authentication success; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=mbender_adm@my.domain
Aug 15 15:09:55 linux-test.my.domain perl[3986]: pam_sss(webmin:account): Access denied for user mbender_adm@my.domain: 6 (Permission denied)
Aug 15 15:09:55 linux-test.my.domain webmin[3986]: Invalid login as mbender_adm@my.domain from 10.152.4.20
PS. I’ve slightly changed the sssd.conf to use the ad provider, instead of simple (with a filter attribute to, well, filter the group membership). I was hoping the “full” provider would bridge some kind of gap, but alas, that doesn’t appear to be the case.
PPS. Does Webmin’s default PAM configuration include SSS?
Right, so I finally managed to get this working. Most definitely Webmin doesn’t work with this “by default”. If it does then there are probably some hidden requirements, but that’s a different discussion.
To get this working:
I had to make the following change to /etc/sudo.conf:
echo "Set group_source dynamic" >> /etc/sudo.conf
I got the solution from this forum post. This is probably the main problem point.
In my case for some reason the PAM webmin setup was missing (/etc/pam.d/webmin), so I’ve had to recreate it:
Initially I’ve taken inspiration from this forum post and replaced the ldap modules with sss modules instead, which worked. However after I’ve installed Webmin on another server the above defaults were placed there, and I was able to sign in with these default values without the need to change the config.
With these two changes I was finally able to sign into Webmin with my AD credentials.
The default pam.d/webmin configuration works only if SSSD is configured with access_provider = simple. If it’s configured with access_provider = ad then this default is insufficient!
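The log excerpt quoted in this thread shows the credentials being accepted (pam_sss auth success) and the login then being refused in the PAM account phase, which is the access-control step rather than a password problem. The script below is an added example, not part of any post in the thread: it groups PAM log lines per login attempt and reports which stage rejected it. The first four sample lines are the ones posted above; the attempt with PID 4102 and user example_user@my.domain is constructed, and the function and verdict names are hypothetical.

```python
import re

# Matches e.g. "perl[3986]: pam_sss(webmin:account): Access denied for user ..."
PAM_RE = re.compile(r"\w+\[(?P<pid>\d+)\]: pam_(?P<module>\w+)"
                    r"\((?P<service>[\w.-]+):(?P<phase>\w+)\): (?P<msg>.*)")
# The user appears either as "user=<name>" or as "for user <name>:".
USER_RE = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:;]+)")

def triage(lines, service="webmin"):
    """Return {(pid, user): verdict} for each login attempt on `service`."""
    attempts = {}
    for line in lines:
        m = PAM_RE.search(line)
        if not m or m["service"] != service:
            continue
        u = USER_RE.search(m["msg"])
        if not u:
            continue
        state = attempts.setdefault((m["pid"], u["user"]),
                                    {"auth_ok": False, "denied_by": None})
        msg = m["msg"].lower()
        if m["phase"] == "auth" and "authentication success" in msg:
            state["auth_ok"] = True       # at least one module took the password
        elif m["phase"] == "account" and "access denied" in msg:
            state["denied_by"] = "pam_" + m["module"]
    verdicts = {}
    for key, s in attempts.items():
        if not s["auth_ok"]:
            verdicts[key] = "auth-failed: no module accepted the credentials"
        elif s["denied_by"]:
            verdicts[key] = ("account-denied by " + s["denied_by"] +
                             ": credentials valid, access control refused")
        else:
            verdicts[key] = "ok"
    return verdicts

SAMPLE = [
    # Lines 1-4: as posted in the thread.
    "Aug 15 15:09:54 linux-test.my.domain perl[3986]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=mbender_adm@my.domain",
    "Aug 15 15:09:55 linux-test.my.domain perl[3986]: pam_sss(webmin:auth): authentication success; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=mbender_adm@my.domain",
    "Aug 15 15:09:55 linux-test.my.domain perl[3986]: pam_sss(webmin:account): Access denied for user mbender_adm@my.domain: 6 (Permission denied)",
    "Aug 15 15:09:55 linux-test.my.domain webmin[3986]: Invalid login as mbender_adm@my.domain from 10.152.4.20",
    # Lines 5-6: constructed wrong-password attempt for comparison.
    "Aug 15 15:12:01 linux-test.my.domain perl[4102]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=example_user@my.domain",
    "Aug 15 15:12:02 linux-test.my.domain perl[4102]: pam_sss(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=10.152.4.20 user=example_user@my.domain",
]

if __name__ == "__main__":
    for (pid, user), verdict in triage(SAMPLE).items():
        print(pid, user, "->", verdict)
```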