What services are required to join a domain?

Note: The examples in this post use apt commands, which are for Debian-based operating systems like Ubuntu, Kali and Mint. However, the examples have also been tested with yum/dnf commands for RPM-based distros like CentOS, Red Hat, Fedora and openSUSE.

A Brief Summary of Linux Interaction with Active Directory

The main reasons to join a Linux machine to an LDAP-based directory service include business policy, access control and centralized identity management. Joining a Linux host to Active Directory (AD) involves two components: the central identity and authentication source itself (Microsoft Windows Active Directory), and a client-side component on the Linux host that discovers the domain and acts as the middleman between the host and that identity source.


Over the years, there have been a few configuration options to join a Linux machine to AD; however, most were cumbersome to configure. For example, you can manually set up System Security Services Daemon (SSSD) to join domains. However, the realmd suite enables you to complete the task without cumbersome configuration file editing.

Realm is a command line tool that can be used for management of enrollment in Kerberos realms, like Active Directory domains or IPA domains. The realmd system provides a clear and simple way to discover and join identity domains to achieve direct domain integration. It’s not too much of a lift either, as realmd handles configuration of complex underlying Linux system services, such as SSSD or Winbind.

Joining Active Directory using realmd

1. To add Linux to an Active Directory domain, first make sure that your Linux host can communicate with the domain controller (DC) over the network. Proper DNS and hostname resolution are essential to this process.

2. Now, let’s install realmd (using root access) and check to see if we’re already a member of a domain. If realmd wasn’t previously installed, then we shouldn’t have any domain membership.

sudo apt install realmd
realm list

The output should be empty, indicating the host isn’t joined to AD or another domain service. If the output lists a domain you’d like to leave, run the following as the domain administrator user account originally used to join the domain:

sudo realm leave example.com -U [email protected]

3. Next, we’ll want to discover our domain:

realm discover 

The output should look like the following; it provides a list of packages that must be installed in order to join the domain:

example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Realm discovery output may differ depending on your specific host and domain controller setup.

4. We can then go ahead and install the listed required packages (shown above) and then use the realm join command to join Linux to the Windows domain using credentials with AD Domain Admin permissions:

sudo apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin
sudo realm join --client-software=sssd  -U 

When specifying the Domain Admin, we can just use the username instead of using example.com\user format, since we’re already specifying a domain controller in the command.

Additionally, you can use the --computer-ou parameter to specify the organizational unit in which the computer object is created, using distinguished name format (for example, # realm join --computer-ou="ou=Linux Computers,dc=example,dc=com").

A realm join can fail with an invalid hostname error if the hostname isn't set in the proper format. To resolve this, simply set the hostname properly:

sudo hostnamectl set-hostname ''

5. After joining the domain, we can run realm list again to confirm success and review the domain info:

example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@example.com
  login-policy: allow-realm-logins

In this case, the login-formats property indicates that domain accounts are specified in user@example.com format on this host, rather than domain\user format.

6. Finally, restart the SSSD service and use the command below to verify the Active Directory user information. The output should show a domain user’s UID, groups and more:

sudo service sssd restart
id [email protected]
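The discover and verify steps above, as an added example that is not part of the original post: it parses the "key: value" output of realm discover / realm list, builds the package-install command from the required-package lines (apt or dnf, per the note at the top), and checks the configured property for kerberos-member. The sample output is constructed to mirror the post's listing.

```shell
#!/bin/sh
# Added example (not from the original post): parse `realm discover` / `realm list`
# output for one domain to derive the package-install command from its
# required-package lines and to check whether the host is already joined.
# Assumes the realmd "key: value" layout shown in the post; the sample below is
# constructed, not captured from a real domain.

SAMPLE_DISCOVER='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin'

# Print the value of one "key: value" property from realm output on stdin.
realm_prop() {  # $1 = key, e.g. configured, client-software
    awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# Collect every required-package value into one space-separated list.
realm_packages() {
    awk '$1 == "required-package:" { printf "%s%s", sep, $2; sep = " " }
         END { if (sep != "") print "" }'
}

# Succeed (exit 0) only when realmd reports the host as a joined member.
realm_is_joined() {
    [ "$(realm_prop configured)" = "kerberos-member" ]
}

# Build the install command for the distro's package manager (apt or dnf);
# fails when the output lists no packages, so callers notice bad input.
install_cmd() {  # $1 = apt|dnf, realm output on stdin
    pkgs=$(realm_packages)
    [ -n "$pkgs" ] || return 1
    echo "sudo $1 install $pkgs"
}

# Typical use on a live host: realm discover example.com | install_cmd apt
printf '%s\n' "$SAMPLE_DISCOVER" | install_cmd apt
```

After the join, piping realm list into realm_is_joined gives a scriptable success check for step 5.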

That’s all there is to it! This is by no means a comprehensive guide for all the options you can manually configure along the way; however, this is the quickest route to get Linux hosts joined to Active Directory using a modern approach.

Mapping Linux UIDs/GIDs to SIDs in Active Directory

One more thing we should touch on is how POSIX UIDs and GIDs are mapped to SIDs in Active Directory, since Linux clients don’t have a concept of SIDs like Windows does.

Benefits of using SSSD Rather than Winbind

By default, realmd uses SSSD rather than Winbind. One big benefit of this approach is that SSSD automatically handles POSIX UID/GID generation using the SID of each Active Directory user or group. If you keep the default SSSD settings on each Linux host that you join to the domain, then these UID and GID values should be mapped consistently across Linux hosts. For example, in my lab, this result is consistent no matter which Linux machine I run it on, as long as the machines are joined to the same domain:

user@my-linux-host:~$ id [email protected]
uid=778006423([email protected]) gid=778001234(domain [email protected]) groups=778001234 (domain [email protected])

Another benefit of this approach is that UIDs and GIDs generated by SSSD can also be applied to the uidNumber and gidNumber attributes in Active Directory for users and groups. This allows applications that query these AD attributes to perform mapping of the UID or GID to the SID, ultimately resulting in the same AD users or groups being referenced regardless of whether a user or group is in use on a Windows or Linux system.

Viewing and Editing the uidNumber and gidNumber Attributes

To view the uidNumber and gidNumber attributes in Active Directory Users and Computers on Windows Server, make sure you have Advanced Features enabled under the View dropdown.


You’ll then be able to view and edit those fields in the user’s or group’s Properties menu on the Attribute Editor tab:


Listing all AD users and groups, with their UIDs and GIDs

Depending on the number of users and groups in your domain, it may take a long time to manually assign uidNumber and gidNumber values. Although methods to programmatically populate these fields will be environment-specific, we can at least list all AD users and groups, with their UIDs and GIDs, using the getent command from a Linux host joined to the domain.

By default, getent lists only the users and groups known to the local machine. This can be changed by adding a line to /etc/sssd/sssd.conf and restarting SSSD; however, enabling this enumeration option can put significant load on the Active Directory server. Typically, I like to step through this process outside of production hours, save the results, and then disable the full enumeration.

1. First, we add “enumerate = True” to sssd.conf, and then we restart the SSSD service:

echo "enumerate = True" | sudo tee -a /etc/sssd/sssd.conf &> /dev/null
sudo service sssd restart

Depending on the size of your Active Directory, it can take up to ten minutes to complete the initial enumeration into the local cache. During this period, you’ll notice domain users and groups populating in the outputs from getent passwd and getent group, respectively.

2. Once enumeration to the local credential cache is complete, we can use the following commands to format the getent output ( needs to be replaced with your domain name):


The first command outputs each domain user with their UID and their GID in comma-separated format:


The second outputs each domain group with its GID in comma-separated format:


3. You can redirect outputs to text or CSV files for parsing into Active Directory’s uidNumber and gidNumber attributes. With this UID and GID information in CSV format, you could create a script that imports each CSV and automatically updates uidNumber and gidNumber for Active Directory users and groups. For example, the following Windows PowerShell command adds the specified UID and GID to those attributes in AD:


With this command (and Set-ADGroup), it wouldn’t be too difficult to generate a script that fits your environment and speeds up the process of mapping UIDs/GIDs to uidNumber and gidNumber in AD, which ultimately map to Windows SIDs.

4. Once you’ve saved the output from the getent commands, you can remove the enumerate value from sssd.conf and restart the SSSD service to prevent the expensive LDAP enumeration from occurring in the future:

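The Linux side of steps 1 to 4 above, as an added example that is not the post's own commands: it turns getent passwd and getent group output into the user,uid,gid and group,gid CSV layouts described, keeping only domain entries (names ending in @example.com, the login format shown earlier), and removes the enumerate line again afterwards. The getent samples are constructed; the domain name and the assumption that [domain/example.com] is the last section of sssd.conf (so the appended enumerate line lands in it) are assumptions to check against your own host.

```shell
#!/bin/sh
# Added example (not from the original post): format enumerated getent output
# as CSV for the uidNumber/gidNumber import, then disable enumeration again.
# Assumptions: domain accounts use the user@example.com login format, and
# /etc/sssd/sssd.conf ends with the [domain/example.com] section, which is
# where "enumerate = True" must sit (verify: grep -n '^\[' /etc/sssd/sssd.conf).

DOMAIN="example.com"

# Constructed samples of getent output after enumeration (local + domain rows).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000::/home/localadmin:/bin/bash
jdoe@example.com:*:778006423:778001234:Jane Doe:/home/jdoe@example.com:/bin/bash
svc-backup@example.com:*:778007001:778001234::/home/svc-backup@example.com:/bin/bash'
SAMPLE_GROUP='sudo:x:27:localadmin
domain users@example.com:*:778001234:
linux admins@example.com:*:778004321:jdoe@example.com'

# user,uid,gid for each domain user (passwd fields: name:pw:uid:gid:gecos:home:shell).
users_csv() {  # getent passwd output on stdin
    awk -F: -v d="@$DOMAIN" \
        'substr($1, length($1) - length(d) + 1) == d { printf "%s,%s,%s\n", $1, $3, $4 }'
}

# group,gid for each domain group (group fields: name:pw:gid:members).
groups_csv() {  # getent group output on stdin
    awk -F: -v d="@$DOMAIN" \
        'substr($1, length($1) - length(d) + 1) == d { printf "%s,%s\n", $1, $3 }'
}

# Step 4: drop the enumerate line from sssd.conf once the export is saved
# (follow with `sudo service sssd restart`, as in the post).
disable_enumeration() {  # $1 = path to sssd.conf
    sed -i '/^[[:space:]]*enumerate[[:space:]]*=/d' "$1"
}

# On a live host: getent passwd | users_csv > domain_users.csv
printf '%s\n' "$SAMPLE_PASSWD" | users_csv
printf '%s\n' "$SAMPLE_GROUP"  | groups_csv
```

The two CSV files are what the Set-ADUser / Set-ADGroup step on the Windows side consumes.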

Conclusion

Linux hosts are often used for some of the most critical functions in an organization’s infrastructure. Accordingly, it’s vital for admins to monitor these hosts, understand how they’re used, observe who accesses them and verify how they’re secured. This is even more critical when Linux hosts are joined to Active Directory.

Indeed, it only takes one compromised host or user for attackers to move laterally into admin rights in your domain, by exploiting issues from over-provisioned user access to weak passwords to open SMB/NFS shares. The Netwrix Active Directory Security Solution includes preconfigured and customizable jobs for auditing, logging, analyzing and reporting on both Unix/Linux and Active Directory.

FAQ

Can you join a Linux machine to Active Directory?

Yes. You can join any distro to an AD domain either by manually configuring the SSSD client or by using the realm join command.

How does Linux connect to Active Directory?

System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directory services and authentication mechanisms on Linux machines.

What is realmd in Linux?

realmd is a Linux system service that allows callers to configure network authentication and domain membership via the SSSD or Winbind services.


Joe Dibley

Security Researcher at Netwrix. Joe is an expert in Active Directory, Windows, and a wide variety of enterprise software platforms and technologies. He researches new security risks, complex attack techniques, and associated mitigations and detections.

What components or services are needed for a domain controller?

This includes the operating system (usually Windows Server or Linux), an LDAP service (Red Hat Directory Server, etc.), a network time service (ntpd, chrony, etc.), and a computer network authentication protocol (usually Kerberos).

How does joining a domain work?

When a computer is joined to a domain, it doesn't use its own local user accounts. User accounts and passwords are managed on the domain controller. When you log into a computer on that domain, the computer authenticates your user account name and password with the domain controller.

What services are required for Active Directory?

Active Directory requires at least one domain controller to respond to authentication requests and verify users on the network. Domain controllers also replicate the AD DS database inside an AD forest.