Photo by Francesco Gallarotti on Unsplash

Integrating a Linux system with Active Directory

Gardening

Article from ADMIN 76/2023

By Ali Imran Nagori

Your Active Directory system doesn't have to be a walled garden. A few easy steps are all you need to integrate Linux with AD.

If your organization manages a network that includes both Windows and Linux machines, you might want to implement a unified authentication mechanism. Many businesses rely on Microsoft's Active Directory (AD) as their directory service of choice (see the "Active Directory" box). Microsoft AD has dominated the market for corporate access control for many years. Joining a Microsoft client to Active Directory is nearly effortless – you don't need an ADMIN article to explain it. Adding a Linux system is still easy, but the process requires a few more steps.

Active Directory

The Active Directory service creates a unique object for each user in a central database, together with a unique set of credentials. Moreover, every computer system is created as an object. With the same set of credentials, every user has automatic access to other systems at the workplace. All required account updates are performed once at the centralized database.

A directory service is, at its core, essentially a method of cataloging and simplifying access to all of an organization's resources. In its most basic form, Active Directory is a distributed database that you can access over a network with the Lightweight Directory Access Protocol (LDAP). By using a connection-oriented channel like TCP/IP, LDAP allows users to access directory services remotely.

In this article, I first show you how to join a Linux machine to your Windows AD domain. Following that, I'll use Active Directory as the main place to manage all users, making administrative tasks easier and less time consuming. I'll also use the AD System Security Services Daemon (SSSD) feature to check whether a user is really logging in against Active Directory.

SSSD

SSSD is designed to streamline Linux and other non-Microsoft systems interactions with Microsoft Active Directory. Essentially, it makes users and groups from an Active Directory domain seem like they are part of the local system. As a result, Active Directory users will seem to be local users of the Linux system [1].

Additionally, a standard Unix or Linux user has attributes that are not native to Active Directory. These attributes, such as the numeric User ID (UID), create at runtime or with configuration directives the home directory location and desired user shell. Similarly, Active Directory groups will seem like typical Unix or Linux groups by way of a Name Service Switch (NSS) module, a technology that is common to all Linux distributions. NSS works to resolve users and groups.

With the use of a Linux pluggable authentication module (PAM), SSSD offers a general way for Ubuntu system services to check user credentials against those present in Active Directory.

The SSSD realm command-line tool simplifies the joining of the Active Directory domain. Additionally, SSSD runs different background processes that correspond to each service it offers (e.g., sssd , sssd_pam , and sssd_nss ).

Prerequisites

In this process, I configure Windows Server 2016 as a domain controller, and on the client side, I use an Ubuntu 20.04 machine. Furthermore, you need to set the configuration properly on the end machines. For example, to ensure the prerequisites are met at the Active Directory end, you must

create an account that has sufficient access rights to add a machine to a domain,
set up Active Directory and DNS services, and
add a user to log on to the Ubuntu machine.

The user account that will add the Ubuntu machine to Active Directory can be the normal administrative user or a member of the administrative group. However, this element solely depends on your configuration.

All DNS queries on the Ubuntu machine should be answered by the Active Directory domain controller (DC). Consequently, this requires a proper DNS setup on the Active Directory DC. I've configured my AD directory as follows:

Domain name: example.com
IP address: 192.168.62.160
Fully qualified domain name (FQDN) of the server: win-2rifamt88gr.example.com

The configuration for the Ubuntu machine is

Hostname: node1.example.com
IP address: 192.168.62.163
DNS resolver: Active Directory

Active Directory will act as the DNS resolver for the Ubuntu machine. Also, you can manually set the hostname inside the hosts file (Figure 1).

Figure 1: The hosts file on Ubuntu.

Usually on the Ubuntu machine, you need to run most of the commands as a member of the sudo group, which means you should have superuser (sudo) privileges to make them work.

DNS Configuration

It is critically important that the Ubuntu machine first approach the DC for its DNS query. You could do this with the resolv.conf file by simply adding the Active Directory IP as the primary DNS address. However, when you restart the Ubuntu machine, the DNS IP reverts back to the initial value. To override this behavior, use resolvconf instead [2]. This utility can help you set the desired nameserver (Active Directory IP in this case).

1 2 3 Next »