Joining a Linux server to an Active Directory domain can save you from a lot of unnecessary administrative work even in small businesses. If you need a shared Linux workstations with a lot of users and already have a domain controller in your network, you can join your servers to the domain instead of creating accounts and different access levels on each standalone host.
If you prefer running LXC containers as workstations and OS level virtualisation rather than regular VMs, you may face some unexpected challenges with uid/gid mapping after registering your host to the domain controller.
This tutorial shows you how to:
- Create a new Ubuntu LXC container
- Install realmd and join the container to an Active Directory domain
- Fix uid/gid mapping for the container
- Verify this setup with login over SSH
I will assume that you already have:
- an Active Directory server in your network with administrator access
- LXC installed on your Linux server
Launch a new container first:
> lxc launch ubuntu:18.04 ad-join-test Creating ad-join-test Starting ad-join-test
Get a shell inside:
> lxc exec ad-join-test -- /bin/bash root@ad-join-test:~#
On Ubuntu servers, we can use System Security Services Daemon (sssd) for connecting to remote authentication providers. The documentation recommends using an automated tool to configure it and here I'm going to use the realm command-line tool for quick enrolment.
Install realmd and some other necessary packages:
root@ad-join-test:~# apt update && apt install realmd sssd-tools sssd libnss-sss libpam-sss adcli packagekit
Try to discover your realm on the network:
root@ad-join-test:~# realm discover eilabs.local
In case of no answer here, make sure that you can resolve the name of domain controller:
root@ad-join-test:~# nslookup -type=srv _ldap._tcp.eilabs.local
I couldn't resolve the domain name of my domain controller in the first place, because we used .local as top level domain, which is nowadays intended to use in multicast DNS, so I had to change the systemd-resolver configuration.
If realm can discover the ldap service, use your administrator account to join. Realm is a silent program, so I am going to use --verbose to see the details of the process:
root@ad-join-test:~# realm join eilabs.local --user=david.jenei --verbose
Now try to check the connection to the domain controller and look up your user passwd entry:
root@ad-join-test:~# getent passwd firstname.lastname@example.org
If you try to login now, you will see that the system is using the pam_sss module now as it supposed to, but you may find this error in the auth.log.
pam_sss(login:auth): received for user email@example.com: 4 (System error)
Changing the log level to debug in sssd reveals, that there is problem with the uid. If you would like see the error message, put the debug directive under your domain's section in the sssd configuration (/etc/sssd/sssd.conf) and restart sssd.
Here you can see, that my uid is a huge number but the default id mapping in sssd can't map those into the allocated uid map:
root@ad-join-test:~# cat /proc/self/uid_map 0 100000 65536 root@ad-join-test:~# getent passwd firstname.lastname@example.org email@example.com:*:1149001181:1149000513:Jenei, David:/firstname.lastname@example.org:/bin/bash
Add these lines to the sssd configuration for your domain to limit idmap range and map uid/gid into the available space.
ldap_id_mapping = True ldap_idmap_range_min = 10000 ldap_idmap_range_max = 50000 ldap_idmap_range_size = 1000
I also changed the backup homedir line to a new home directory format and enabled login without fully qualified names:
use_fully_qualified_names = False override_homedir = /home/%d/%u
If you restart sssd after changing the configuration, it will fail, because we also need to manually clear the cache:
root@ad-join-test:~# rm -rf /var/lib/sss/db/*
Restart sssd service and login with your account:
root@ad-join-test:~# systemctl restart sssd root@ad-join-test:~# login ad-join-test login: david.jenei Password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-88-generic x86_64)
Run pam-auth-update and enable home directory creation on login. Next time you login, your home directory will be created automatically.
Finally edit /etc/ssh/sshd_config and enable password login:
Restart the ssh daemon and now you can use SSH with your AD user name to login to your container.
root@ad-join-test:~# systemctl restart sshd root@ad-join-test:~# ssh david.jenei@localhost
For more information, you can check out the details of uid mapping in LXD here.