DEV Community

João Pedro
Join a Linux machine to the Active Directory

A step-by-step guide to joining a Linux machine to an Active Directory domain:

Preparations and package installation

Start by updating the packages already present on the machine, then install only what we actually need.

Update the dependencies using the command:

Debian

sudo apt update

RHEL

sudo yum update

And proceed with the installation of the packages:

Debian

sudo apt install -y realmd libnss-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

RHEL

sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools -y

Configuring the realm

In short, realm (the realmd client) lets us discover the domains that are reachable and manage the ones the machine is joined to.

To start, we first need to discover the domain we want to join.

Use the following command:

realm discover DOMAIN-NAME

We will get a response similar to this:

[Screenshot of the realm discover output, not reproduced]

Now that we have discovered the domain, we need to join it, authenticating as a domain user (USUARIO and DOMINIO below are placeholders for the user and the domain). Use the following command:

sudo realm join -U USUARIO DOMINIO

If no errors have occurred so far, we can verify that the join worked by looking up a domain user's UID, GID and group memberships with the following command:

id USUARIO@DOMINIO

Another way to check that everything is in order is the following:

realm list

This lists the realms the machine is joined to, so we can confirm the desired domain is among them.

Pam-configs (Ubuntu)

On Ubuntu, the pam-configs step was needed so that the user's home directory is created on first login.

You just need to execute the command:

sudo pam-auth-update --enable mkhomedir

Configuring SSSD

Open the file /etc/sssd/sssd.conf to make the modifications. In this file, we will change the use_fully_qualified_names option from False to True. With this option enabled, users are named in the format user@domain instead of just user.

In our case, we will change it to True since we have only one AD. However, please note that this change should only be made if you are certain that no other domain will be added to the AD forest.

Change fallback_homedir = /home/%u@%d to fallback_homedir = /home/%u. By removing the "@%d" part, the user's home directory is named with only the username.

Change access_provider = ad to access_provider = simple.

Now let's add an option that is not yet present in the file, simple_allow_groups. Here we list the AD groups whose members should be allowed to access the Linux machine.

In our case, we have two groups: linuxuser and linuxadmin. To add them, we should include simple_allow_groups = linuxuser, linuxadmin in the file.

As a result, the file will look like this:

[Screenshot of the resulting /etc/sssd/sssd.conf, not reproduced]

Note: wherever the screenshot says 'Domain.local', use the domain you are joining the system to. The 'simple_allow_users = ...' line visible there is an option that is added automatically by the command in the next step.

To conclude the SSSD configuration, we allow access for the users who are members of the groups we added to simple_allow_groups. Use the following command (the -g flag tells realm that the name is a group rather than a user):

realm permit -g [group]

Example:

realm permit -g linuxuser

realm permit -g linuxadmin

SUDOERS

With the steps above completed, we will be able to log in to the machine with an AD user. However, that user will not have root access to the system. To solve this, we need to add the groups to the /etc/sudoers file. The result will be as follows:

[Screenshot of the /etc/sudoers entry, not reproduced]

The %linuxuser entry allows every member of the linuxuser group to log in to the machine and obtain root access through sudo.
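The sssd.conf edits and the sudoers change from the two sections above, as an added shell example that is not from the post: it rewrites the relevant options in a constructed sample config read on stdin, and installs the sudo rule as a visudo-checked drop-in under /etc/sudoers.d (used by the default /etc/sudoers on Debian and RHEL) instead of editing /etc/sudoers by hand. The sample config, the group names and the drop-in path are assumptions.

```shell
#!/bin/sh
# Constructed sample of the [domain/...] section as realm join typically writes it
# ("domain.local" stands in for the real domain); an assumption, not the post's file.
SAMPLE_SSSD_CONF='[sssd]
domains = domain.local
services = nss, pam

[domain/domain.local]
id_provider = ad
krb5_realm = DOMAIN.LOCAL
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
access_provider = ad'

# Apply the sssd.conf edits from the post to a config read on stdin; print the result.
# $1 = AD groups for simple_allow_groups; $2 = use_fully_qualified_names (the post
# uses True; False gives plain "user" logins, which is what fallback_homedir=/home/%u suits).
render_sssd_conf() {
  awk -v groups="$1" -v fqn="${2:-True}" '
    /^use_fully_qualified_names *=/ { print "use_fully_qualified_names = " fqn; next }
    /^fallback_homedir *=/          { print "fallback_homedir = /home/%u"; next }
    /^access_provider *=/ {
      print "access_provider = simple"
      print "simple_allow_groups = " groups   # only members of these AD groups may log in
      next
    }
    { print }
  '
}

# Sudo rule for one AD group, written as a drop-in line instead of editing /etc/sudoers.
render_sudoers_dropin() {
  printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write the drop-in for group $1 to $2 (e.g. /etc/sudoers.d/ad-linuxadmin, run as root),
# but only if visudo -cf accepts it: a syntax error in sudoers can lock everyone out of sudo.
install_sudoers_dropin() {
  tmp=$(mktemp) || return 1
  render_sudoers_dropin "$1" > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$2"
}
# Usage on a joined machine (as root):
#   render_sssd_conf "linuxuser, linuxadmin" < /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
#   install_sudoers_dropin linuxadmin /etc/sudoers.d/ad-linuxadmin
```

Review the generated sssd.conf.new before moving it into place and restarting sssd; the sudo drop-in grants root to the whole group, so prefer the admin group over the general user group for it.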


Conclusion

By following these steps, Active Directory users will be able to authenticate on the Linux machine with the appropriate privileges. Always follow security best practices when performing these configurations.
