Integrating a Linux system with Active Directory
If your organization manages a network that includes both Windows and Linux machines, you might want to implement a unified authentication mechanism. Many businesses rely on Microsoft's Active Directory (AD) as their directory service of choice (see the "Active Directory" box). Microsoft AD has dominated the market for corporate access control for many years. Joining a Microsoft client to Active Directory is nearly effortless – you don't need an ADMIN article to explain it. Adding a Linux system is still easy, but the process requires a few more steps.
Active Directory
The Active Directory service creates a unique object for each user in a central database, together with a unique set of credentials. Every computer system is likewise represented as an object. A user authenticates with the same credentials on every domain-joined system, while what the user may then do on each system is still governed by group membership and local policy. All account updates are performed once, at the centralized database.
A directory service is, at its core, a method of cataloging, and simplifying access to, all of an organization's resources. In its most basic form, Active Directory is a distributed database that you access over the network with the Lightweight Directory Access Protocol (LDAP), which runs over a connection-oriented transport (TCP, port 389, or port 636 when wrapped in TLS) and therefore lets clients query the directory remotely. In an AD domain, LDAP mainly serves directory lookups; user authentication normally relies on Kerberos, which is also what SSSD uses once the machine is joined.
In this article, I first show you how to join a Linux machine to your Windows AD domain. After that, I'll use Active Directory as the single place to manage all users, which makes administrative tasks easier and less time consuming. I'll also use the System Security Services Daemon (SSSD) to verify that a user is really being authenticated against Active Directory.
SSSD
SSSD is designed to streamline the interaction of Linux and other non-Microsoft systems with Microsoft Active Directory. Essentially, it makes users and groups from an Active Directory domain appear as if they were part of the local system, so Active Directory users look like local users of the Linux machine [1].
A standard Unix or Linux account also has attributes that are not native to Active Directory, such as the numeric user ID (UID), the home directory location, and the login shell. SSSD supplies them either at runtime (by default it maps the account's Windows security identifier to a UID), from POSIX attributes stored in AD, or from configuration directives in sssd.conf (for example, a fallback home directory and default shell). Similarly, Active Directory groups appear as ordinary Unix or Linux groups by way of a Name Service Switch (NSS) module; NSS is the mechanism, common to all Linux distributions, that resolves user and group names.
Through a Linux pluggable authentication module (PAM), SSSD gives Ubuntu system services a uniform way to check user credentials against those held in Active Directory.
The realm command-line tool (from the realmd package, which writes the SSSD configuration for you) simplifies joining the Active Directory domain. SSSD itself runs a separate background process for each service it provides (e.g., sssd, sssd_nss, and sssd_pam, plus sssd_be for the domain back end).
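To confirm that the NSS and PAM wiring just described is actually in place on the client, the following checks can be run after the join. This is an added example, not code from the article: the two parsing helpers read an nsswitch.conf or PAM stack from stdin so they can be tried against any file, and the live check assumes the article's lab domain example.com and a hypothetical AD user name (aduser@example.com) that you would replace with one of your own.

```shell
#!/bin/sh
# Added example: verify that SSSD is wired into NSS and PAM on the Ubuntu client.
# Assumptions: lab domain example.com from the article; the AD user to look up is
# passed as the first argument (hypothetical default: aduser@example.com).

# Do the passwd and group databases in the nsswitch.conf text on stdin include
# the sss source? Exit 0 if both do, 1 otherwise. Comment lines never match.
nss_uses_sss() {
    awk 'BEGIN { p = 0; g = 0 }
         $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "sss") p = 1 }
         $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "sss") g = 1 }
         END { exit !(p && g) }'
}

# Does the PAM stack text on stdin call pam_sss.so on an active (uncommented)
# auth line? On Ubuntu, pam-auth-update puts that line into common-auth.
pam_uses_sss() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so'
}

# Live checks against the running system; each failure names the fix.
check_client() {
    user="${1:-aduser@example.com}"   # hypothetical AD user, replace with yours
    nss_uses_sss < /etc/nsswitch.conf \
        || { echo "nsswitch.conf: passwd/group do not list sss"; return 1; }
    pam_uses_sss < /etc/pam.d/common-auth \
        || { echo "common-auth: pam_sss.so not enabled (run pam-auth-update)"; return 1; }
    # One process per SSSD service, as described in the article
    for p in sssd sssd_be sssd_nss sssd_pam; do
        pgrep -x "$p" >/dev/null || { echo "$p is not running"; return 1; }
    done
    # NSS resolution: the AD user must appear like a local account, with a UID
    getent passwd "$user" >/dev/null \
        || { echo "getent cannot resolve $user (check SSSD domain and DNS)"; return 1; }
    id "$user"
}

# Run the live checks only when asked, e.g. RUN_LIVE=1 sh check.sh alice@example.com
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_client "$@"
fi
```

If getent fails while the daemons are running, the usual culprits are the DNS setup covered later in the article or a domain section missing from sssd.conf; `id` succeeding is the proof that NSS, and thus the article's "AD users look local" claim, works for that account.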
Prerequisites
In this process, I configure Windows Server 2016 as a domain controller and use an Ubuntu 20.04 machine as the client. Both ends need some preparation. On the Active Directory side, you must
- create an account with sufficient rights to add a machine to the domain,
- set up Active Directory and DNS services, and
- create (or choose) a domain user who will log on to the Ubuntu machine.
The account that adds the Ubuntu machine to Active Directory can be the normal administrative user or a member of the administrative group, but which account you use depends on how join rights are delegated in your domain. From a least-privilege standpoint, a dedicated account that is delegated only the right to create computer objects in the target organizational unit is preferable to typing a Domain Admin password on a machine that is not yet trusted.
All DNS queries from the Ubuntu machine should be answered by the Active Directory domain controller (DC), which in turn requires a proper DNS setup on the DC. My AD lab is configured as follows:
- Domain name: example.com
- IP address: 192.168.62.160
- Fully qualified domain name (FQDN) of the server: win-2rifamt88gr.example.com
The configuration for the Ubuntu machine is
- Hostname: node1.example.com
- IP address: 192.168.62.163
- DNS resolver: Active Directory
Active Directory acts as the DNS resolver for the Ubuntu machine. Also, set the machine's hostname and add a matching entry to the hosts file (Figure 1).
Most of the commands on the Ubuntu machine change system configuration, so you need to run them with superuser (sudo) privileges, which means your account must be a member of the sudo group.
DNS Configuration
It is critically important that the Ubuntu machine sends its DNS queries to the DC first. You could do this by adding the Active Directory IP as the first nameserver in the resolv.conf file. However, on Ubuntu 20.04 that file is managed by systemd-resolved by default and regenerated at boot, so after a restart the DNS IP reverts to its initial value. To make the setting persistent, use resolvconf instead [2]; it lets you set the desired nameserver (the Active Directory IP in this case) so that it survives reboots. Whatever method you pick, verify the result before attempting the join: the SRV records that advertise the domain's LDAP and Kerberos services (for example, _ldap._tcp.dc._msdcs.example.com) must resolve from the client, or the join fails with a less than obvious error.
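The following script puts the resolvconf approach and the verification step together. It is an added example rather than code from the article: the domain name and DC address are taken from the lab setup above and can be overridden through environment variables, the head-file layout follows resolvconf(8) (resolvconf prepends that file to the generated resolv.conf), and the SRV lookups need the dig tool from the dnsutils package. The helpers that parse text read it from stdin, so they can be tested against any resolv.conf.

```shell
#!/bin/sh
# Added example: make the DC the client's first resolver and verify that the
# records a domain join needs are actually served. Defaults come from the
# article's lab (example.com, DC at 192.168.62.160); override via environment.
AD_DOMAIN="${AD_DOMAIN:-example.com}"
AD_DC_IP="${AD_DC_IP:-192.168.62.160}"

# Content for /etc/resolvconf/resolv.conf.d/head: resolvconf prepends this file
# to the resolv.conf it generates, so the DC becomes the first nameserver.
resolvconf_head() {
    printf '# Active Directory DC must be asked first (see resolvconf(8))\n'
    printf 'nameserver %s\nsearch %s\n' "$1" "$2"
}

# First nameserver in a resolv.conf-style text read from stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# SRV records every AD client must be able to resolve for the given domain.
ad_srv_names() {
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n_kpasswd._tcp.%s\n' "$1" "$1" "$1"
}

# Live preflight: resolver order first, then each SRV record asked of the DC
# directly and of the system resolver, so a stub resolver (127.0.0.53) that
# still forwards elsewhere is caught before realm join fails.
dns_preflight() {
    first=$(first_nameserver < /etc/resolv.conf)
    if [ "$first" != "$AD_DC_IP" ]; then
        echo "warning: first nameserver is $first, not $AD_DC_IP (systemd-resolved stub?)"
    fi
    for name in $(ad_srv_names "$AD_DOMAIN"); do
        dig +short SRV "$name" @"$AD_DC_IP" | grep -q . \
            || { echo "DC $AD_DC_IP does not serve $name"; return 1; }
        dig +short SRV "$name" | grep -q . \
            || { echo "system resolver cannot find $name"; return 1; }
    done
    echo "DNS preflight OK for $AD_DOMAIN"
}

# To apply the setting (needs sudo), then re-generate resolv.conf and re-check:
#   resolvconf_head "$AD_DC_IP" "$AD_DOMAIN" \
#       | sudo tee /etc/resolvconf/resolv.conf.d/head >/dev/null
#   sudo resolvconf -u
#   RUN_LIVE=1 sh dns-preflight.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    dns_preflight
fi
```

The warning rather than a hard failure on the resolver-order check is deliberate: with systemd-resolved the first entry in resolv.conf is the local stub, and the SRV lookups through the system resolver are what tell you whether the stub is forwarding to the DC as it should.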