To join a Linux VM to Active Directory, SSSD (System Security Services Daemon) is the recommended authentication method for newer Linux distributions.
This is particularly useful when Linux instant-clones are used in VMware Horizon, because SSSD lets the clone authenticate against remote directories and identity providers instead of relying on local accounts.
SSSD is used to connect a local system to external systems, such as:
- An LDAP directory
- An Identity Management domain
- An Active Directory domain
- A Kerberos realm
How SSSD works
The SSSD authentication process is based on two stages:
- While the client can reach the remote provider, SSSD retrieves identity and authentication information from it (online stage).
- That information is used to build a local cache of users and, optionally, credentials on the client, so that users who have already logged in can still authenticate when the provider is unreachable (offline stage).
Credentials are cached only when cache_credentials is enabled in sssd.conf; the cache under /var/lib/sss/db must stay readable by root only, because on an instant-clone it holds the hashed credentials of everyone who has logged in there.
Authentication methods
Several authentication methods can be used for Linux virtual machines; the choice depends on the Linux distribution in use and on the available infrastructure.
OpenLDAP Pass-through Authentication (PTA)
PTA can be used on any Linux distribution supported by the Horizon Agent: the OpenLDAP server does not store passwords itself but passes each bind through to Active Directory, which verifies the user credentials.
System Security Services Daemon (SSSD) Authentication
SSSD supports offline domain join with Active Directory for instant-cloned VMs running the following Linux distributions:
- Ubuntu 18.04/20.04/22.04
- RHEL 7.x/8.x/9.x
- CentOS 7.x
- SLED/SLES 12.x/15.x
PowerBroker Identity Services Open (PBISO) Authentication
PBISO supports offline domain join with Active Directory for instant-cloned VMs running the following Linux distributions:
- Ubuntu 18.04/20.04/22.04
- RHEL 7.x
Samba
Samba can be used on any Linux distribution supported by the Horizon Agent and supports offline domain join with Active Directory for instant-cloned VMs. It is recommended to use Samba only for desktops running older distributions; use SSSD for newer ones.
Pre-requisites
Before proceeding with the configuration, ensure the following prerequisites are met:
- Before discovering the AD domain to join, make sure the required ports are open on the Domain Controller and that the Linux VM can reach the DC (at least DNS, Kerberos, LDAP and SMB).
- Both systems must be time-synced, because Kerberos rejects tickets whose timestamp differs from the DC's clock by more than its tolerance (5 minutes by default).
- If you work with VMware Horizon, make sure the Linux OS in use is supported by the Horizon Linux Agent. Supported Linux distributions:
This article was written for the StarWind blog, where it can be found in full; it covers the complete procedure for joining a Linux VM to Active Directory using SSSD.
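As an added example (not part of the original article), the following bash script checks the first two prerequisites before a join: it discovers the domain controllers through the domain's _ldap._tcp.dc._msdcs SRV record, tests TCP reachability of the ports SSSD's AD provider uses, and compares the chronyd clock offset against the 5-minute Kerberos tolerance. It needs dig (bind-utils) and chronyc on the VM; the domain name in the usage line is a placeholder.

```bash
#!/usr/bin/env bash
# Pre-join checks for an AD domain: DC discovery via DNS SRV, TCP reachability
# of the ports SSSD's AD provider needs, and Kerberos clock-skew tolerance.
# Usage: ./check_ad_prereqs.sh corp.example.com   (domain name is a placeholder)

# TCP ports the AD provider uses: Kerberos, LDAP, SMB (GPO-based access control),
# kpasswd and the Global Catalog.
AD_TCP_PORTS="88 389 445 464 3268"
# Kerberos rejects tickets whose timestamp is off by more than this many seconds.
KRB_MAX_SKEW=300

# Print the DC hostnames registered in the domain's _ldap._tcp.dc._msdcs SRV record.
discover_dcs() {
  dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Succeed when a TCP connection to host:port opens within 3 seconds.
check_tcp() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Extract the "System time" offset (seconds) from `chronyc tracking` output,
# e.g. "System time     : 0.000045 seconds fast of NTP time" -> 0.000045.
parse_chrony_offset() {
  printf '%s\n' "$1" | awk -F': *' '/^System time/ { split($2, f, " "); print f[1] }'
}

# Succeed when |offset| is within the Kerberos tolerance.
skew_ok() {
  awk -v o="$1" -v m="$KRB_MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

main() {
  local domain=$1 dc port offset rc=0
  for dc in $(discover_dcs "$domain"); do
    for port in $AD_TCP_PORTS; do
      if check_tcp "$dc" "$port"; then echo "ok   $dc:$port"; else echo "FAIL $dc:$port"; rc=1; fi
    done
  done
  offset=$(parse_chrony_offset "$(chronyc tracking 2>/dev/null)")
  if [ -n "$offset" ] && skew_ok "$offset"; then
    echo "ok   clock offset ${offset}s (limit ${KRB_MAX_SKEW}s)"
  else
    echo "FAIL clock offset '${offset:-unknown}' (chronyd not running or skew too large)"; rc=1
  fi
  return $rc
}

# Run the checks only when a domain is given, so the functions can also be sourced.
if [ $# -eq 1 ]; then main "$1"; fi
```

A failing port check usually means a firewall between the VM and the DC; a skew failure means fix NTP first, since the join itself relies on Kerberos.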
Install Horizon Agent if required
If the VM is intended to be used as a golden image in a VMware Horizon environment, download the Horizon Agent from the VMware website and copy it to the RHEL machine with a tool such as WinSCP. Since Linux VDI supports the Blast protocol only, make sure any thin clients used to connect to the VDIs support Blast.
The Horizon Agent package has some dependencies that must be installed before running the installation; normally they are missing only on a minimal installation.
# yum install bc gdm libappindicator-gtk3 lsof pulseaudio-module-x11 pulseaudio-utils xorg-x11-drv-vmware xorg-x11-server-utils xorg-x11-xauth zenity
When the dependencies have been installed, install the Horizon Agent.
# rpm -ivh /tmp/VMware-horizonagent-linux-2209-8.7.0-20612436.el8.x86_64.rpm
If the VM has multiple networks, you may receive a warning about it during the Horizon Agent installation.
Edit the /etc/vmware/viewagent-custom.conf file and specify the subnet the agent should use:
# vi /etc/vmware/viewagent-custom.conf
Enable also the following line:
OfflineJoinDomain=sssd
When the Horizon desktop pool is configured, the Linux instant-clone desktops are created and joined to the AD domain using SSSD. Use AD credentials to log in to the VDI.
The Linux machines can now be accessed by Active Directory users. For newer Linux distributions, SSSD is the recommended method of authentication against Active Directory.
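The two edits to /etc/vmware/viewagent-custom.conf described above, scripted idempotently so they can be re-run on the golden image, plus a post-join check to run on a clone, as an added example that is not part of the original article or of the Horizon agent. The OfflineJoinDomain=sssd line is the one the article enables; the Subnet key name is assumed from the Horizon agent's configuration reference, and its value, the domain and the user name are placeholders.

```bash
#!/usr/bin/env bash
# Set the Horizon Agent options in /etc/vmware/viewagent-custom.conf without
# leaving duplicate or commented-out copies behind, then verify the SSSD join.
# Usage: ./horizon_sssd_conf.sh 10.10.20.0/24 corp.example.com alice
# (subnet, domain and user are placeholders)

# Replace an existing, possibly commented-out, KEY=... line with KEY=VALUE and
# drop further duplicates; append the line when the key is absent. Writes
# through the original file so its owner and mode are preserved.
set_conf_key() {
  local file=$1 key=$2 value=$3 tmp rc
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[#[:space:]]*" k "[[:space:]]*=") { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# After the clone has joined: does NSS resolve the AD user through SSSD, and is
# the domain online? getent comes with glibc, sssctl with sssd-tools. Depending
# on use_fully_qualified_names the user may have to be given as user@domain.
verify_join() {
  local domain=$1 user=$2
  getent passwd "$user" || { echo "FAIL: $user not resolvable through SSSD"; return 1; }
  sssctl domain-status "$domain"
}

if [ $# -eq 3 ]; then
  conf=/etc/vmware/viewagent-custom.conf
  set_conf_key "$conf" Subnet "$1"              # key name assumed from the Horizon agent config reference
  set_conf_key "$conf" OfflineJoinDomain sssd   # the line the article enables
  verify_join "$2" "$3"
fi
```

Run the configuration part on the golden image before taking the snapshot; run verify_join on a provisioned clone, where an "Online" domain status and a resolvable AD user confirm that the offline join completed.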
Read the full article on the StarWind blog.