Linux guest join ad domain


Joining a Linux guest to an Active Directory Domain

Important Note

The Kerberos realm name is case sensitive, and it is almost always the DNS domain name in upper case. For the purposes of this example, the AD domain will be "mydomain.local", the realm "MYDOMAIN.LOCAL", the domain controller "dc01.mydomain.local", and a user named "Administrator" with privileges to join computers to the domain will be assumed to exist.

 

Terminate active processes and reset config

This procedure uses sssd (not winbind) to talk to the domain, so ensure that none of the following Samba processes are running; stop and disable their services if they are installed

  • smbd
  • nmbd
  • winbind (winbindd)

Remove the following file if it exists (move it aside rather than deleting it if it still holds share definitions you need)

  • smb.conf (normally /etc/samba/smb.conf)

 

 

Install software

Install the following packages

All distributions (CentOS/RHEL and Ubuntu/Debian)

  • sssd
  • realmd
  • sssd-krb5
  • sssd-tools
  • adcli
  • packagekit

CentOS/RHEL only

  • pam_krb5
  • authconfig
  • krb5-workstation

On CentOS/RHEL 8 and later, authconfig has been replaced by authselect and pam_krb5 is no longer shipped; neither is needed when sssd (which brings its own PAM and Kerberos modules) handles authentication, so install authselect and krb5-workstation there instead.

Ubuntu/Debian Only

  • policykit-1
  • libpam-krb5
  • krb5-user
  • krb5-config
  • libnss-sss
  • libpam-sss

 

 


Add kerberos config

Update /etc/krb5.conf with the following. In this example we're using the mydomain.local domain; the realm name MYDOMAIN.LOCAL must be written in upper case everywhere it appears (default_realm, the realm entry under [realms], and the right-hand side of the [domain_realm] mappings)

[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    # Do not reverse-resolve server addresses when building service principal
    # names; a mismatched PTR record would otherwise break ticket requests.
    # This is especially important in Ubuntu/Debian.
    rdns = false

    default_ccache_name = KEYRING:persistent:%{uid}

With dns_lookup_kdc = false the client ignores the domain's SRV records, so every KDC it may contact has to be listed under [realms]. If you have several domain controllers, either list each one on its own kdc line or leave dns_lookup_kdc = true and let the SRV records find them.

Also, add an entry under the "realms" section. The realm name on the left must be in upper case (a lower-case entry here will simply never match default_realm), and kdc must name a host the client can reach. The bare domain name usually also works, since AD registers every DC's address under it, but naming the DC is explicit

[realms]
    MYDOMAIN.LOCAL = {
        kdc = dc01.mydomain.local
        admin_server = dc01.mydomain.local
    }

You'll also want to add domain_realm mappings for this and any other domains, so that hostnames in either case map to the upper-case realm

[domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local = MYDOMAIN.LOCAL

 


LDAP Config

You'll need two things in your LDAP client config (ldap.conf, which lives at /etc/ldap/ldap.conf on Ubuntu/Debian and /etc/openldap/ldap.conf on CentOS/RHEL). The first is that TLS_CACERT should point to a PEM file containing the CA certificate that issued the LDAPS certificate on your AD host (or the host certificate itself, if it is self-signed). You can grab the chain the DC presents using (e.g.)

openssl s_client -showcerts -connect dc01.mydomain.local:636 </dev/null 2>/dev/null | sed -n -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ p' > /etc/ssl/certs/dc01.mydomain.local.crt

(this keeps everything between and including the BEGIN CERTIFICATE and END CERTIFICATE lines, for every certificate in the chain; the last one is the issuer)

Be aware that pulling the certificate off the wire like this is trust-on-first-use: whoever can intercept that first connection can hand you a certificate of their own. Compare the certificate's SHA-256 fingerprint with the value shown on the DC (or published by your PKI) before trusting the file.

Alternately, if you have access to the host itself and it is a samba DC, you can find the certs under

/var/lib/samba/private/tls/

(ca.pem there is the CA that Samba generated to sign its own cert.pem)

You may also need this in your ldap.conf, so that the client uses the DC hostname you gave it for the GSSAPI service principal rather than the result of a reverse lookup on its address (see the RDNS note under Troubleshooting)

SASL_NOCANON    true
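The following script is an added example, not part of the wiki page: it turns the one-liner above into a pinned fetch. It downloads the chain the DC presents on port 636, keeps only the issuer certificate, and refuses to install it as the TLS_CACERT file unless that certificate's SHA-256 fingerprint matches one you obtained out of band (the DC host name, destination path and expected fingerprint are parameters; the sample s_client output at the bottom is constructed for the offline test and contains no real certificates).

```shell
#!/bin/sh
# Fetch and pin the certificate chain a domain controller presents on LDAPS.
# Added example, not from the wiki page. Assumes openssl is installed and that
# the expected SHA-256 fingerprint of the issuing CA certificate was obtained
# out of band (from the DC or your PKI team).

# Keep every PEM block (leaf first, then the issuers the server sent).
extract_pem_certs() {
  sed -n -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ p'
}

# Number of certificates in a PEM file.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Only the last certificate in the file: the highest issuer the server sent,
# which is what TLS_CACERT should trust (not the leaf, which rotates). If the
# server sent only its own certificate this is the leaf, which is correct for
# a self-signed DC certificate.
last_pem_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = "" }
    { block = block $0 "\n" }
    /-----END CERTIFICATE-----/ { last = block }
    END { printf "%s", last }' "$1"
}

# SHA-256 fingerprint (AB:CD:...) of the first certificate in a PEM file.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Download the chain, isolate the issuer, and refuse to install it unless its
# fingerprint matches the one verified out of band (trust-on-first-use guard).
# Usage: pin_dc_chain dc01.mydomain.local 'AB:CD:...' [/etc/ssl/certs/dc01-ca.crt]
pin_dc_chain() {
  host=$1 expected=$2 dest=${3:-/etc/ssl/certs/$1-ca.crt}
  tmp=$(mktemp -d)
  openssl s_client -showcerts -connect "$host:636" </dev/null 2>/dev/null \
    | extract_pem_certs > "$tmp/chain.pem"
  if [ "$(count_pem_certs "$tmp/chain.pem")" -eq 0 ]; then
    echo "no certificates received from $host"; rm -rf "$tmp"; return 1
  fi
  last_pem_cert "$tmp/chain.pem" > "$tmp/ca.pem"
  actual=$(pem_fingerprint "$tmp/ca.pem")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING: issuer fingerprint $actual does not match expected $expected"
    rm -rf "$tmp"; return 1
  fi
  install -m 0644 "$tmp/ca.pem" "$dest" && echo "TLS_CACERT $dest"
  rm -rf "$tmp"
}

# Constructed sample of what "openssl s_client -showcerts" prints; the
# certificate bodies are placeholders, not real certificate data.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.mydomain.local
   i:CN = mydomain-CA
-----BEGIN CERTIFICATE-----
FAKELEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = mydomain-CA
   i:CN = mydomain-CA
-----BEGIN CERTIFICATE-----
FAKECACERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.mydomain.local
'
```

The TLS_CACERT line printed at the end is what goes into ldap.conf. Pinning the issuer rather than the leaf means the file survives the DC renewing its own certificate, while a changed issuer (a new PKI, or an interception attempt) is caught by the fingerprint comparison.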

 

Check name resolution

Your hostname should be fully qualified and should resolve to a non-loopback IP. For this example,

mytestmachine.mydomain.local

should resolve to a valid IP that is NOT 127.x.x.x (the 127.0.1.1 line that Debian-based installers add to /etc/hosts for the hostname is the usual culprit)

You can add this to /etc/hosts if needed, with the fully qualified name listed before the short name.

Also, check name resolution against one of your DCs: the DC's hostname and the domain's _kerberos._tcp and _ldap._tcp SRV records must be answered by the AD DNS. Please note that if your network uses a .local suffix then multicast DNS will claim those names: systemd-resolved routes .local lookups to mDNS rather than to your DNS servers by default, and an mdns4_minimal entry on the hosts line of /etc/nsswitch.conf does the same. You will need to switch to something like dnsmasq instead (or configure the resolver to treat mydomain.local as an ordinary DNS domain) and drop the mdns entry from nsswitch.conf.
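The checks above as a script (an added example, not from the wiki page). It assumes getent from glibc and the host utility (bind-utils on CentOS/RHEL, bind9-host or bind9-dnsutils on Ubuntu/Debian) are installed, and that the domain is mydomain.local unless DOMAIN is set.

```shell
#!/bin/sh
# Pre-join name resolution checks. Added example, not part of the wiki page.
# Assumes getent (glibc) and "host" are available; DOMAIN defaults to the
# example domain used throughout the page.

DOMAIN=${DOMAIN:-mydomain.local}

# 0 if the address is a loopback address (127.0.0.0/8 or ::1).
is_loopback_ip() {
  case "$1" in
    127.*|::1) return 0 ;;
    *)         return 1 ;;
  esac
}

# 0 if the name contains at least one dot, i.e. looks fully qualified.
is_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# First address the resolver returns for a name, or nothing.
resolve_first() {
  getent ahosts "$1" | awk 'NR == 1 { print $1 }'
}

# Our own name must be an FQDN and must not map to loopback, otherwise the
# host/ principals adcli writes to the keytab will not match the name other
# machines use for us.
check_own_hostname() {
  fqdn=$(hostname -f)
  if ! is_fqdn "$fqdn"; then
    echo "FAIL: hostname '$fqdn' is not fully qualified"; return 1
  fi
  ip=$(resolve_first "$fqdn")
  if [ -z "$ip" ]; then
    echo "FAIL: $fqdn does not resolve; add it to /etc/hosts"; return 1
  fi
  if is_loopback_ip "$ip"; then
    echo "FAIL: $fqdn resolves to $ip; remove the 127.0.1.1 line from /etc/hosts"; return 1
  fi
  echo "ok: $fqdn -> $ip"
}

# The domain's Kerberos and LDAP SRV records must be answered by the AD DNS;
# an empty answer here usually means .local is being captured by mDNS.
check_domain_srv() {
  for rr in _kerberos._tcp _ldap._tcp; do
    if host -t SRV "$rr.$DOMAIN" | grep -q 'has SRV record'; then
      echo "ok: $rr.$DOMAIN"
    else
      echo "FAIL: no SRV record for $rr.$DOMAIN (is $DOMAIN served by the AD DNS?)"; return 1
    fi
  done
}

# Usage: check_own_hostname && check_domain_srv
```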

Connecting with realmd

Join Domain with realmd

Per this example, the domain is mydomain.local (realm MYDOMAIN.LOCAL) and "Administrator" is a user with privileges capable of joining a host to the domain. The join must be run as root, since it writes /etc/krb5.keytab and /etc/sssd/sssd.conf.

First, check that the kerberos config is working by obtaining a ticket (this prompts for the Administrator password; a clock more than five minutes off from the DC will fail here)

kinit Administrator@MYDOMAIN.LOCAL

Also that the domain is discoverable (the output lists the client software realmd will use and any packages still missing)

realm discover MYDOMAIN.LOCAL

Join the domain

realm join -v --user=Administrator@MYDOMAIN.LOCAL MYDOMAIN.LOCAL
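The three steps above wrapped into one function with a post-join verification, as an added example that is not part of the wiki page. It assumes realmd, adcli and sssd are installed, the krb5.conf from the previous section is in place, and that it is run as root. The optional third argument (an OU distinguished name) is passed to realm join as --computer-ou; leave it out to use the default Computers container.

```shell
#!/bin/sh
# Join a host to AD with realmd and verify the result. Added example, not from
# the wiki page. Assumes realmd/adcli/sssd are installed and root privileges.

# Kerberos realm names are the DNS domain in upper case.
to_realm() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# user@REALM form that kinit and realm expect.
principal() {
  printf '%s@%s' "$1" "$(to_realm "$2")"
}

# The machine account principal adcli creates: HOSTNAME$@REALM (short name,
# upper case, trailing dollar sign).
machine_principal() {
  short=${1%%.*}
  printf '%s$@%s' "$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')" "$(to_realm "$2")"
}

# Usage: join_domain mydomain.local Administrator [OU=Linux,DC=mydomain,DC=local]
join_domain() {
  domain=$1 user=$2
  realm=$(to_realm "$domain")
  upn=$(principal "$user" "$domain")

  # 1. Prove the Kerberos client config works before touching realmd.
  kinit "$upn" || { echo "kinit failed: check krb5.conf and clock skew"; return 1; }
  klist

  # 2. Discovery: also lists any packages realmd still wants installed.
  realm discover "$realm" || return 1

  # 3. The join itself, optionally into a specific OU.
  if [ -n "${3:-}" ]; then
    realm join -v --user="$upn" --computer-ou="$3" "$realm" || return 1
  else
    realm join -v --user="$upn" "$realm" || return 1
  fi
  kdestroy

  # 4. Verify without a password: the new keytab must yield a TGT for the
  #    machine account, which is what sssd will do at every start.
  kinit -k "$(machine_principal "$(hostname -f)" "$domain")" \
    || { echo "keytab check failed: /etc/krb5.keytab is not usable"; return 1; }
  klist -k /etc/krb5.keytab
  kdestroy
  realm list
}
```

Step 4 is the check most guides skip: if the machine-account kinit fails straight after the join, sssd will not be able to authenticate anyone either, and it is easier to diagnose here than through PAM.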

 

Configuration

Add PAM config

In order to properly log in as a domain user, a home directory must be created at login. On Ubuntu/Debian you can reconfigure PAM to do so by running the following and checking the "Create home directory on login" option

pam-auth-update

On CentOS/RHEL 7 the equivalent is authconfig with --enablemkhomedir --update; on CentOS/RHEL 8 and later it is authselect select sssd with-mkhomedir, which relies on the oddjobd service (package oddjob-mkhomedir) being installed and enabled.

 

Allowing logins

By default a freshly joined host allows every domain user to log in (realm list shows login-policy: allow-realm-logins). To restrict this you permit specific users or groups: realm permit switches sssd's access_provider to "simple" and maintains simple_allow_users / simple_allow_groups in /etc/sssd/sssd.conf for you, and from the first permit onward only the listed accounts get in (run realm deny --all first if you want an explicit deny-all posture). Permitting a single user can be accomplished through the following (e.g. for the "bob" user)

realm permit bob@mydomain.local

You could also deny a user using

realm permit -x bob@mydomain.local

You can also do this based on group, which is probably a better way of doing things, since membership is then managed in AD rather than on each host

realm permit -g employees@mydomain.local

Default Domain

By default, logins are in the format

user@mydomain.local

To use the straight username without the domain portion, set use_fully_qualified_names to False in the [domain/mydomain.local] section of /etc/sssd/sssd.conf (and restart sssd). Alternatively, set default_domain_suffix in the [sssd] section, which keeps names fully qualified internally and fills in the domain when a bare username is given. The two options live in different sections and either one on its own is enough; the domain name is the sssd domain as realmd wrote it in the [domain/...] header, i.e. the lower-case DNS name

[sssd]
default_domain_suffix = mydomain.local

[domain/mydomain.local]
use_fully_qualified_names = False

sssd refuses to start unless sssd.conf is owned by root and has mode 0600, so check the permissions after editing.
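Because the two options above belong in different sections of sssd.conf, editing the file by hand is error-prone. The script below is an added example (not from the wiki page) that sets a key inside the right section idempotently, applies the group-based access policy from the previous section, and asks sssd what it would decide for a given user before anyone tries to log in. It assumes /etc/sssd/sssd.conf (override with SSSD_CONF), systemctl, and sssctl from sssd-tools; the domain, group and user names are parameters.

```shell
#!/bin/sh
# Post-join access and naming configuration for sssd. Added example, not from
# the wiki page. Assumes the realm join is done and sssd-tools is installed.

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}

# Idempotently set "key = value" inside [section] of an INI-style file:
# replaces the key if the section already has it, appends it to the section
# otherwise, and creates the section at the end if it does not exist.
# Usage: ini_set FILE SECTION KEY VALUE
ini_set() {
  file=$1 section=$2 key=$3 value=$4
  tmp=$(mktemp)
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    BEGIN { insec = 0; done = 0; buf = "" }
    /^\[/ {
      if (insec && !done) { print key " = " val; done = 1 }
      printf "%s", buf; buf = ""
      insec = ($0 == sec)
      print; next
    }
    insec && !done && /^[ \t]*$/ { buf = buf $0 "\n"; next }
    insec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      printf "%s", buf; buf = ""
      print key " = " val; done = 1; next
    }
    { printf "%s", buf; buf = ""; print }
    END {
      if (insec && !done) { print key " = " val; done = 1 }
      printf "%s", buf
      if (!done) { print ""; print sec; print key " = " val }
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file"   # cat rather than mv keeps root:root 0600 on sssd.conf
  rm -f "$tmp"
}

# Read a key from a section (used to verify what was written).
# Usage: ini_get FILE SECTION KEY
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# use_fully_qualified_names is a [domain/...] option, default_domain_suffix an
# [sssd] option. Usage: configure_short_names mydomain.local
configure_short_names() {
  domain=$1
  ini_set "$SSSD_CONF" "domain/$domain" use_fully_qualified_names False
  ini_set "$SSSD_CONF" sssd default_domain_suffix "$domain"
  chown root:root "$SSSD_CONF" && chmod 600 "$SSSD_CONF"
  systemctl restart sssd
}

# Restrict logins to one AD group, then ask sssd for its access decision on a
# user for the sshd service without actually logging in.
# Usage: restrict_to_group mydomain.local employees bob
restrict_to_group() {
  domain=$1 group=$2 user=$3
  realm permit -g "$group@$domain"
  sssctl user-checks "$user" -s sshd
}
```

sssctl user-checks is the quickest way to confirm that a permit did what you expect: it runs the PAM account phase for the user through sssd and prints the result, so an accidental lock-out of everyone (a typo in the group name, say) shows up before the next real login attempt.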

Leaving the domain

To leave a domain, use the following. Without --remove only the local configuration (keytab, sssd.conf, realm membership) is cleaned up and the computer account is left behind in AD; the --remove flag also removes or disables the computer account in the domain, which is why it needs a privileged user

realm leave -v --user=Administrator@MYDOMAIN.LOCAL --remove mydomain.local

 



Troubleshooting

Tests/Analysis

Testing the LDAP connection

The following does a simple bind (-x) with the Administrator password, so only use it over ldaps:// as shown; over plain ldap:// the password would cross the network in the clear. ldapsearch also fails with a certificate error if TLS_CACERT in ldap.conf does not match the DC's chain, which makes this a useful check of the LDAP config above

ldapsearch -x -LLL -H ldaps://dc01.mydomain.local -D "Administrator@mydomain.local" -W -b "dc=mydomain,dc=local" givenName

You can also use the distinguished name format for the bind user

ldapsearch -x -LLL -H ldaps://dc01.mydomain.local -D "CN=Administrator,CN=Users,DC=mydomain,DC=local" -W -b "dc=mydomain,dc=local" givenName

With a ticket from kinit you can instead authenticate with SASL/GSSAPI (-Y GSSAPI in place of -x, -D and -W), which also exercises the Kerberos path and the SASL_NOCANON setting.

Errors

Some common errors and their solutions or description


Ticket expired error during the "kinit" process

If you get the following during kinit

kinit: Ticket expired while validating credentials

You may need to destroy your existing tickets, e.g. using

kdestroy -A

If kinit still fails, compare the clock on the host with the DC: Kerberos rejects requests when the skew exceeds five minutes, so make sure chrony or ntpd is synchronised against the domain.

server not found in kerberos database

If you get the above error while joining the domain with realmd/adcli, it may be related to RDNS: with rdns enabled, the Kerberos client reverse-resolves the DC's address and asks the KDC for a service ticket under the PTR name (ldap/dc01.mydomain.lan in the example below), and no such principal exists. Ensure that the reverse DNS for your DC matches its forward name, e.g.

$ host dc01.mydomain.local
dc01.mydomain.local has address 10.10.10.10
$ host 10.10.10.10
10.10.10.10.in-addr.arpa domain name pointer dc01.mydomain.lan

Here the PTR record answers with dc01.mydomain.lan instead of dc01.mydomain.local, which is the mismatch. Fix the PTR record, or keep rdns = false in /etc/krb5.conf (as in the config above) so that the name you typed is used as-is.

This is not normally the case when your AD is also the primary/only DNS, but may occur when it is a subdomain or forwarded from another DNS host.
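A check for exactly this mismatch, as an added example that is not part of the wiki page: it resolves the DC forward, resolves the address back, compares the two names (case-insensitively, ignoring a trailing dot), and shows which service principal the Kerberos client would request with rdns on versus off. It assumes getent from glibc; the DC name, realm and rdns flag are parameters.

```shell
#!/bin/sh
# Forward/reverse DNS consistency check for a domain controller. Added
# example, not from the wiki page. Assumes getent (glibc) is available.

# Normalise a DNS name: lower case, no trailing dot.
norm_name() {
  printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]'
}

# 0 if the two names refer to the same FQDN ignoring case and trailing dot.
names_match() {
  [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# First address for a name, or nothing.
forward_lookup() {
  getent ahosts "$1" | awk 'NR == 1 { print $1 }'
}

# Canonical name for an address from its PTR record, or nothing.
reverse_lookup() {
  getent hosts "$1" | awk '{ print $2 }'
}

# The service principal a Kerberos client asks the KDC for, given the name it
# was told (fwd), the PTR name (rev), the rdns setting and the realm. With
# rdns = true a stray PTR turns ldap/dc01.mydomain.local into
# ldap/dc01.mydomain.lan, a principal the KDC has never heard of, hence
# "Server not found in Kerberos database".
# Usage: service_principal ldap dc01.mydomain.local dc01.mydomain.lan true MYDOMAIN.LOCAL
service_principal() {
  svc=$1 fwd=$2 rev=$3 rdns=$4 realm=$5
  if [ "$rdns" = true ] && [ -n "$rev" ]; then
    name=$(norm_name "$rev")
  else
    name=$(norm_name "$fwd")
  fi
  printf '%s/%s@%s' "$svc" "$name" "$realm"
}

# Usage: check_rdns dc01.mydomain.local MYDOMAIN.LOCAL
check_rdns() {
  host=$1 realm=$2
  ip=$(forward_lookup "$host")
  [ -n "$ip" ] || { echo "FAIL: $host does not resolve"; return 1; }
  rname=$(reverse_lookup "$ip")
  if [ -z "$rname" ]; then
    echo "WARN: $ip has no PTR record; keep rdns = false in krb5.conf"; return 2
  fi
  if names_match "$host" "$rname"; then
    echo "ok: $host -> $ip -> $rname"; return 0
  fi
  echo "FAIL: $host -> $ip -> $rname (PTR disagrees with the forward name)"
  echo "  with rdns = true  the client asks for $(service_principal ldap "$host" "$rname" true "$realm")"
  echo "  with rdns = false the client asks for $(service_principal ldap "$host" "$rname" false "$realm")"
  return 1
}
```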