How To Join a Linux Box To An Active Directory Domain and Control access

Rakesh Jain
Jun 26, 2020

Here I’ll show you how to add your Linux system to a Microsoft Windows Active Directory (AD) domain through the command line. This will allow us to SSH into the Linux server with user accounts in our AD domain, providing a central source of cross-platform authentication.

Pre-req -
1. An AD/DC server

Here are the details of our AD/DC server, which I’ve created using Windows Server 2019 on a VirtualBox VM:

Domain Server : Windows Server 2019
NetBIOS Name : EXAMPLE
Domain Name : example.com
Realm : EXAMPLE.COM
Hostname : WIN-RJUN0KAIJNM.example.com
IP : 172.42.42.205

2. A Linux box
Here is our Linux box:
IP/Hostname: 172.42.42.202/kworker-rj2
Operating System: Ubuntu 18.04.4 LTS

Step 1: Confirm DNS is configured correctly:
Make sure your Linux box is able to resolve the Active Directory servers by updating /etc/resolv.conf on the client host.

root@kworker-rj2:~# cat /etc/resolv.conf
nameserver 172.42.42.205
#options edns0

Ubuntu 18.04 comes with systemd-resolved, which you need to disable for the server to access your network DNS directly.
root@kworker-rj2:~# systemctl disable systemd-resolved
root@kworker-rj2:~# systemctl stop systemd-resolved

If on DHCP, you can update DNS server manually.

root@kworker-rj2:~# unlink /etc/resolv.conf
root@kworker-rj2:~# vim /etc/resolv.conf

Or, if you are also using a Vagrant/VirtualBox VM, you can do this instead.

Change this file and add the nameservers config.
root@kworker-rj2:~# cat /etc/netplan/50-vagrant.yaml
---
network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
      - 172.42.42.202/24
      nameservers:
        addresses: [172.42.42.205]

No need to change this file, as this is for the NAT interface eth0 on Vagrant boxes.
root@kworker-rj2:~# cat /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true

root@kworker-rj2:~# netplan apply

We need to change the DNS server configuration, or else you will get the error “Couldn’t join realm: Insufficient permissions to join the domain”.

Step 2: Install required packages

A number of packages are required for joining an Ubuntu 18.04 / Debian 10 system to Active Directory (AD) domain.

root@kworker-rj2:~# apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Step 3: Discover Active Directory domain on Debian 10 / Ubuntu 18.04

The realm discover command returns the complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

root@kworker-rj2:~# realm discover example.com
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins

Replace example.com with your valid AD domain.

Step 4: Join Ubuntu 18.04 / Debian 10 To Active Directory (AD) domain

An AD administrative user account is required for integrating your Linux machine with Windows Active Directory domain. Check and confirm AD admin account and the password.

The realm join command will set up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain.

root@kworker-rj2:~# realm join -U Administrator example.com
Password for Administrator:

Where:

  • Administrator is the name of admin account used to integrate machine to AD.
  • example.com is the name of AD domain
    The command first attempts to connect without credentials, but it prompts for a password if required.

Or, if you have an Organizational Unit (OU) created in AD and you want to join your system to that specific OU, use the command below:

root@kworker-rj2:~# realm join -U rakeshrhcss --computer-ou=OU=Linux example.com -v

Please note that here we have used rakeshrhcss as the user because this user is part of the AD Domain Admins group.

root@kworker-rj2:~# realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins

On RHEL based systems, user’s home directory will be created automatically. On Ubuntu / Debian, you need to enable this feature.

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

Then activate with:
sudo pam-auth-update
Ensure “activate mkhomedir” is selected, it should have [*]

Then Select <Ok> to save changes.

Your sssd.conf configuration file is located at /etc/sssd/sssd.conf. Whenever there is a change in the file, restart is required.
sudo systemctl restart sssd

Status should be running.
$ systemctl status sssd

If the integration is working, it should be possible to get an AD user info.

Now that our Linux server is a member of the Active Directory domain we can perform some tests. By default if we want to specify any users in the domain, we need to specify the domain name. For example with the ‘id’ command below, we get nothing back for ‘administrator’, however ‘rakeshrhcss@example.com’ shows the UID for the account as well as all the groups the account is a member of in the Active Directory domain.

root@kworker-rj2:~# id rakeshrhcss@example.com
uid=395401104(rakeshrhcss) gid=395400513(domain users) groups=395400513(domain users)

We can change this behaviour by modifying the /etc/sssd/sssd.conf file. The following lines need to be changed so that they read:

use_fully_qualified_names = False
fallback_homedir = /home/%u

To apply these changes, restart sssd.
root@kworker-rj2:~# systemctl restart sssd

Now we should be able to find user accounts without specifying the domain. As shown below, this now works where it did not previously.

root@kworker-rj2:~# id rakeshrhcss

uid=395401104(rakeshrhcss) gid=395400513(domain users) groups=395400513(domain users)

Configuring SSH and Sudo Access

Now that we have successfully joined our Ubuntu server to the example.com domain, we can SSH in as any domain user from Active Directory with default settings.

$ ssh rakeshrhcss@172.42.42.202
rakeshrhcss@172.42.42.202's password:
Creating directory '/home/rakeshrhcss'.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-99-generic x86_64)
rakeshrhcss@kworker-rj2:~$

We can modify our sudoers configuration to allow our user account from the domain the desired level of access. I usually create an Active Directory group called something like ‘sudoers’, put my user in it, then allow this group sudo access by creating a file in /etc/sudoers.d/ which allows root access to be centrally controlled by AD.

AD Group -

root@kworker-rj2:~# cat /etc/sudoers.d/sudoers
%sudoers ALL=(ALL) ALL

root@kworker-rj2:~# su - rakeshrhcss
rakeshrhcss@kworker-rj2:~$ sudo su
root@kworker-rj2:/home/rakeshrhcss#

We can further restrict SSH access by modifying the /etc/ssh/sshd_config file and making use of directives like AllowUsers or AllowGroups to allow only certain users or groups from AD to have access.

Step 5: Control Access — Limit to user/group

To permit a user access via SSH and console, use the command:
root@kworker-rj2:~# realm permit rakeshrhcss@example.com

root@kworker-rj2:~# realm permit -g sudoers
This will modify sssd.conf file.

root@kworker-rj2:~# cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_users = rakeshrhcss@example.com
simple_allow_groups = sudoers

To deny a user access, use:

root@kworker-rj2:~# realm permit --withdraw ldapusers@example.com
root@kworker-rj2:~# su - ldapusers
su: Permission denied
(Ignored)

To deny all Domain users access, use:
root@kworker-rj2:~# realm deny --all
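
A quick way to confirm which login policy is actually in effect after these commands is to read it back from sssd.conf. The script below is an added example, not part of the original tutorial: the function name audit_sssd_access and the verdict labels are made up for illustration, and it assumes that only access_provider = simple with a non-empty allow list counts as restricted (an empty simple list grants access to everyone, and ad_access_filter or GPO rules are not evaluated).

```bash
#!/usr/bin/env bash
# Added example: report the login policy of every [domain/...] section in an sssd.conf.
# Verdicts (hypothetical labels): restricted | deny-all | open

audit_sssd_access() {
    # $1 = path to an sssd.conf; prints "<domain> <verdict>" per domain section
    awk '
        function report() {
            if (dom == "") return
            if (prov == "deny") verdict = "deny-all"
            else if (prov == "simple" && (users != "" || groups != "")) verdict = "restricted"
            else verdict = "open"   # permit, ad, unset, or simple with empty allow lists
            print dom, verdict
        }
        /^[ \t]*[#;]/ { next }                      # skip comments
        /^[ \t]*\[/ {                               # new section header
            report(); dom = ""; prov = ""; users = ""; groups = ""
            if (match($0, /\[domain\/[^]]+\]/))
                dom = substr($0, RSTART + 8, RLENGTH - 9)
            next
        }
        dom != "" {                                 # key = value inside a domain section
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "access_provider") prov = val
            else if (key == "simple_allow_users") users = val
            else if (key == "simple_allow_groups") groups = val
        }
        END { report() }
    ' "$1"
}

# Constructed sample mirroring the sssd.conf shown above
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
domains = example.com
[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_users = rakeshrhcss@example.com
simple_allow_groups = sudoers
EOF
audit_sssd_access "$sample"   # → example.com restricted
rm -f "$sample"
```

On a joined host, run it as root against /etc/sssd/sssd.conf; an "open" verdict means any account in that domain can log in until realm permit or realm deny is applied.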

Leaving The Domain

If you want to reverse the process and remove yourself from the domain, simply run the ‘realm leave’ command followed by the domain name, as shown below.

root@kworker-rj2:~# realm leave example.com

Hope you like the tutorial. Please let me know your feedback in the response section.

Happy Learning!
