Manually Join AD on SLE Micro
This document (000021704) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Micro 5
SUSE Linux Enterprise Micro 6
Situation
Manual configuration of AD on SLE Micro.
Resolution
Prerequisites:
- Configure NTP to use the same time source as the AD server environment. Many authentication errors come down to clock skew: Kerberos rejects tickets when the client and KDC clocks differ by more than the permitted skew (5 minutes by default).
- The server should either use the AD domain controllers as its DNS nameservers, or the same DNS servers the AD domain controllers use. Without this, and without the required AD DNS records (SRV records for the domain), the client cannot locate or use the AD server.
- Ensure the ports required by Active Directory and Kerberos are open through the network and firewalls.
- Configure the system FQDN. The commands "hostname -f" and/or "hostnamectl status" should return the FQDN; adcli derives the host principal of the computer account from it.
- Note that Winbind is not available on SLE Micro, so SSSD must be used.
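The prerequisites above are the checks that most often explain a failed join or a failed logon, so the following pre-flight script turns them into functions. This is an added example, not part of the SUSE TID: each check takes its input as an argument or on stdin so it can be exercised offline on constructed data, and run_live_checks() wires the same functions to hostname, chronyc and dig on a real host. The hostnames, the 300 s skew limit and the port list are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the AD prerequisites (added example, not SUSE code).
# Each check is pure so it can be tested offline; run_live_checks() calls the
# real commands (assumed: chronyc for time, dig for DNS, bash for /dev/tcp).

# 1. "hostname -f" must return a fully qualified name: two or more labels,
#    no empty labels, no trailing dot. adcli builds host/<fqdn>@REALM from it.
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# 2. Kerberos rejects tickets when client and KDC clocks differ by more than
#    clockskew (300 s unless krb5.conf says otherwise). $1 is the offset in
#    seconds, e.g. the "System time" value of "chronyc tracking"; sign and
#    fraction are ignored. $2 overrides the limit.
clock_skew_ok() {
    offset=${1#[-+]}
    offset=${offset%%.*}
    [ "${offset:-0}" -le "${2:-300}" ]
}

# 3. Clients locate domain controllers through the _ldap._tcp.dc._msdcs SRV
#    record. Read "dig +noall +answer SRV _ldap._tcp.dc._msdcs.<domain>" on
#    stdin and print one DC hostname per line, lowest priority value first.
dcs_from_srv() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, $8 }' | sort -n | awk '{ print $2 }'
}

# 4. TCP ports the SSSD AD provider and adcli use towards a DC (assumed set):
#    Kerberos, LDAP, SMB (adcli join), kpasswd, LDAPS, global catalog.
REQUIRED_TCP_PORTS="88 389 445 464 636 3268"

# Constructed dig answer section used by the offline checks (sample data,
# not a real zone): dc1 has the lower priority value, so it is preferred.
SAMPLE_SRV='_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc2.example.com.'

# Live wiring for a real host: run_live_checks example.com
run_live_checks() {
    domain=$1
    is_fqdn "$(hostname -f)" || echo "hostname -f does not return an FQDN"
    # "System time     : 0.000012345 seconds fast of NTP time" -> field 4
    skew=$(chronyc tracking | awk '/^System time/ { print $4 }')
    clock_skew_ok "$skew" || echo "clock offset ${skew}s exceeds the Kerberos skew limit"
    for dc in $(dig +noall +answer SRV "_ldap._tcp.dc._msdcs.$domain" | dcs_from_srv); do
        for port in $REQUIRED_TCP_PORTS; do
            timeout 3 bash -c "exec 3<>/dev/tcp/$dc/$port" 2>/dev/null \
                || echo "$dc: TCP port $port not reachable"
        done
    done
}
```

Run it as root before the join; every line it prints corresponds to one of the prerequisites above and should be fixed before continuing. The SRV parser intentionally orders by priority only, because that is the order a Kerberos client tries KDCs when dns_lookup_kdc is enabled.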
Install Packages
- Use transactional-update to install the necessary packages:
# transactional-update pkg install adcli sssd sssd-ldap sssd-ad
- Reboot to apply changes
# reboot
Make Configuration Changes
- Enter the transactional-update shell to make all of the following configuration changes:
# transactional-update shell
- In shell, configure selinux to be Kerberos aware:
# setsebool -PV kerberos_enabled on
- In shell, configure the Kerberos client:
In AD every domain controller is by default both a KDC and a DNS server. Once the default realm is configured, the client can rely on the AD SRV DNS records to find the KDCs, provided 'dns_lookup_kdc = true'. If DNS lookup is not wanted, or specific domain controllers must be forced, set dns_lookup_kdc to false and uncomment the kdc entries under [realms]. The realm name is the DNS domain in upper case.
Example /etc/krb5.conf file configuration:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
forwardable = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
EXAMPLE.COM = {
admin_server = example.com
#kdc = dc1.example.com
#kdc = dc2.example.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
- In shell, configure NSS:
Example parameters in /etc/nsswitch.conf:
passwd: compat sss
group: compat sss
- In shell, configure PAM:
Enable the sss and mkhomedir modules using pam-config:
# pam-config -a --sss
# pam-config -a --mkhomedir
- In shell, configure SSSD:
Example configuration of file /etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
services = nss,pam
domains = example.com
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
cache_credentials = true
enumerate = false
override_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_referrals = false
ldap_schema = ad
- Exit the transactional-update shell and reboot to apply the changes:
# exit
# reboot
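The krb5.conf and sssd.conf examples above differ only in the domain name, and two details about them are easy to get wrong: the realm must be the domain in upper case, and SSSD refuses to start if sssd.conf is not owned by root with mode 0600. The following script, an added example and not part of the SUSE TID, renders both files from a single DOMAIN value into a staging directory (so it can be run and checked as an unprivileged user) and applies that permission check. Passing explicit domain controllers switches the krb5.conf variant to dns_lookup_kdc = false with uncommented kdc entries, as the text describes. The staging layout and helper names are this example's own; the file contents are the ones shown above.

```shell
#!/bin/sh
# Render the TID's krb5.conf and sssd.conf for one domain (added example).
# Usage: stage_configs <dir> <domain> [kdc ...]; the real files go under /etc
# inside the transactional-update shell, where the caller is root.

# Kerberos realm names are conventionally the DNS domain in upper case; a
# lower-case realm is a classic cause of "Cannot find KDC for realm".
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# krb5.conf: with no KDC arguments, rely on the AD SRV records; with KDC
# arguments, pin those domain controllers and disable the DNS lookup.
render_krb5_conf() {
    domain=$1; shift
    realm=$(realm_of "$domain")
    if [ $# -gt 0 ]; then lookup=false; else lookup=true; fi
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = $lookup
    forwardable = true
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    $realm = {
        admin_server = $domain
EOF
    if [ $# -gt 0 ]; then
        for kdc in "$@"; do printf '        kdc = %s\n' "$kdc"; done
    else
        printf '        #kdc = dc1.%s\n        #kdc = dc2.%s\n' "$domain" "$domain"
    fi
    cat <<EOF
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# sssd.conf: the AD provider with ID mapping and per-domain home directories.
render_sssd_conf() {
    domain=$1
    cat <<EOF
[sssd]
config_file_version = 2
services = nss,pam
domains = $domain

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/$domain]
id_provider = ad
auth_provider = ad
ad_domain = $domain
cache_credentials = true
enumerate = false
override_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_referrals = false
ldap_schema = ad
EOF
}

# Write both files under $1 with the layout they have under /etc. SSSD's
# start-up check rejects an sssd.conf that is group- or world-readable, so
# the mode is set here rather than left to the umask.
stage_configs() {
    dest=$1; domain=$2; shift 2
    mkdir -p "$dest/sssd"
    render_krb5_conf "$domain" "$@" > "$dest/krb5.conf"
    render_sssd_conf "$domain" > "$dest/sssd/sssd.conf"
    chmod 0600 "$dest/sssd/sssd.conf"
}

# 0 when sssd.conf has the 0600 mode SSSD requires (owner must also be root
# on the real system; stat -c is GNU coreutils).
sssd_conf_mode_ok() { [ "$(stat -c %a "$1")" = 600 ]; }
```

Inside the transactional-update shell, `stage_configs /etc example.com` writes the files in place; `stage_configs /etc example.com dc1.example.com dc2.example.com` produces the pinned-KDC variant. Review the rendered files before rebooting, because the domain, realm and home-directory template must match the AD environment exactly.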
Join Domain and Enable SSSD
- Enter the transactional-update shell to make the next configuration change:
# transactional-update shell
- In shell, create the computer account and join the domain. The AD user must have the right to create computer accounts; adcli prompts for the Administrator account unless another account is given with "-U <user>". The join writes the computer account keys to /etc/krb5.keytab:
# adcli join -D example.com
Password for Administrator@EXAMPLE.COM:
- Exit the transactional-update shell:
# exit
- Enable the SSSD daemon:
# systemctl enable sssd
- Reboot to apply changes:
# reboot
Common Optional Step: Configure LDAP/KRB5 Client Toolbox
- Configure and deploy the toolbox:
# mv .toolboxrc{,.bak}
# echo "TOOLBOX_NAME=openldap2-client" >.toolboxrc
# toolbox
- In the toolbox shell, install openldap2-client and krb5-client (if the shell was exited, it can be re-entered with the "toolbox enter openldap2-client" command):
openldap2-client:/ # zypper in openldap2-client cyrus-sasl-gssapi krb5-client
- In the toolbox shell, configure /etc/openldap/ldap.conf:
URI ldap://example.com
BASE dc=example,dc=com
REFERRALS OFF
- Exit toolbox shell
openldap2-client:/ # exit
- Copy krb5.conf and krb5.keytab into toolbox, then enter to use:
# podman cp /etc/krb5.conf 'openldap2-client':/etc/krb5.conf
# podman cp /etc/krb5.keytab 'openldap2-client':/etc/krb5.keytab
# toolbox enter openldap2-client
Additional Information
Central authentication configuration is environment dependent. Administrators are advised to carefully look over the parameters given as examples and to use the man pages to search for any additional parameters needed, if any.
Useful commands for testing are listed below. Some of these need to be run in the toolbox described in the "Common Optional Step: Configure LDAP/KRB5 Client Toolbox" section of this TID:
Kerberos ticket information can be tested in the toolbox with:
openldap2-client:~ # klist -k -t /etc/krb5.keytab
AD Server info collected by client should show after successfully joining the computer account.
# adcli info example.com
Test Kerberos authentication to AD in the toolbox with the following ("klist" must show an active ticket from a successful "kinit <Admin user>", and the "Common Optional Step: Configure LDAP/KRB5 Client Toolbox" section must be completed):
openldap2-client:~ # ldapsearch -Y GSSAPI cn=Administrator
After completing all the steps in this document the following tests can be run. A different user known to be in the AD database can be used instead of Administrator.
NSS access through SSSD:
# id Administrator
# getent passwd Administrator
After validating that NSS is working, test the PAM stack without a password. Running the following as root exercises the account and session modules (including mkhomedir) but not authentication:
# su - Administrator
Lastly, validate with password as well:
# ssh Administrator@localhost
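The manual tests above tell you whether the join worked; the script below, an added example that is not part of the SUSE TID, checks the details behind them that are easy to overlook: that /etc/krb5.keytab holds the host principal for this FQDN, that all keytab entries share one KVNO (mixed KVNOs mean stale entries from an earlier join, which the domain controller no longer accepts), and that the home directory SSSD returns follows the override_homedir template from the configuration. The functions parse command output on stdin so they run offline on the constructed samples; verify_live() wires them to klist and getent. The sample hostname, user and IDs are constructed, and deriving the realm from the host's domain part is an assumption of this example.

```shell
#!/bin/sh
# Post-join checks parsing "klist -k -t" and "getent passwd" output
# (added example, not SUSE code). klist is only available in the toolbox.

# Constructed "klist -k -t /etc/krb5.keytab" output for a host joined as
# sle-micro-01.example.com: computer account plus two host SPN forms.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/11/2025 10:15:03 SLE-MICRO-01$@EXAMPLE.COM
   2 02/11/2025 10:15:03 host/sle-micro-01.example.com@EXAMPLE.COM
   2 02/11/2025 10:15:03 host/SLE-MICRO-01@EXAMPLE.COM'

# Constructed "getent passwd administrator" line as SSSD returns it with
# override_homedir = /home/%d/%u; the AD provider lower-cases names.
SAMPLE_PASSWD='administrator:*:1356000500:1356000513:Administrator:/home/example.com/administrator:/bin/bash'

# Keytab entry lines start with a numeric KVNO and have four fields
# (KVNO, date, time, principal); headers and the separator do not.
keytab_entries() { awk '$1 ~ /^[0-9]+$/ && NF == 4 { print $1, $4 }'; }

# 0 when the keytab holds host/<fqdn>@<realm>, the principal sshd (GSSAPI)
# and SSSD's AD provider use to authenticate this host.
keytab_has_host_principal() {
    keytab_entries | awk -v p="host/$1@$2" '$2 == p { found = 1 } END { exit !found }'
}

# Number of distinct KVNOs in the keytab; a clean join yields exactly 1.
keytab_kvno_count() { keytab_entries | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '; }

# 0 when a passwd entry's home (field 6) equals /home/<domain>/<user>,
# i.e. override_homedir = /home/%d/%u took effect for that user.
home_matches_override() {
    awk -F: -v d="$1" '{ exit ($6 != "/home/" d "/" $1) }'
}

# Live wiring: verify_live <ad user>, run inside the toolbox as root.
verify_live() {
    user=$1
    fqdn=$(hostname -f)
    domain=${fqdn#*.}
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')   # assumed: realm = domain
    klist -k -t /etc/krb5.keytab | keytab_has_host_principal "$fqdn" "$realm" \
        || echo "missing host/$fqdn@$realm in /etc/krb5.keytab"
    [ "$(klist -k -t /etc/krb5.keytab | keytab_kvno_count)" = 1 ] \
        || echo "keytab holds mixed KVNOs; refresh it with 'adcli update' or re-join"
    getent passwd "$user" | home_matches_override "$domain" \
        || echo "home directory of $user does not follow override_homedir"
}
```

A missing host principal or a KVNO mismatch explains "Server not found in Kerberos database" and "Preauthentication failed" style errors at logon time even when "adcli info" looks healthy, so it is worth checking before the ssh test.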
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021704
- Creation Date: 11-Feb-2025
- Modified Date:12-Feb-2025
- SUSE Linux Enterprise Micro
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com