{"id":55503,"date":"2022-12-21T09:00:29","date_gmt":"2022-12-21T08:00:29","guid":{"rendered":"https:\/\/nolabnoparty.com\/?p=55503"},"modified":"2022-12-20T15:25:49","modified_gmt":"2022-12-20T14:25:49","slug":"join-a-linux-vm-to-active-directory-using-sssd","status":"publish","type":"post","link":"https:\/\/nolabnoparty.com\/en\/join-a-linux-vm-to-active-directory-using-sssd\/","title":{"rendered":"Join a Linux VM to Active Directory using SSSD"},"content":{"rendered":"<p><img decoding=\"async\" class=\"aligncenter wp-image-55799 size-full\" title=\"join-linux-vm-to-ad-using-sssd-01\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-01.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-01\" width=\"602\" height=\"202\" \/><\/p>\n<p>To join a Linux VM to Active Directory, the SSSD (System Security Services Daemon) component is the recommended authentication method to use for newer Linux systems.<\/p>\n<p>This solution is particularly useful if <strong>Linux instant-clones<\/strong> are used in your <a href=\"https:\/\/nolabnoparty.com\/en\/vmware-horizon-manage-outlook-ost-files\/\">VMware Horizon<\/a> because\u00a0SSSD allows you to access <strong>remote directories<\/strong> and <strong>authentication mechanisms<\/strong>.<!--more--><\/p>\n<p>SSSD is used to connect a <strong>local system to external systems<\/strong>, such as:<\/p>\n<ul class=\"itemizedlist\" type=\"disc\">\n<li class=\"listitem\">An LDAP directory<\/li>\n<li class=\"listitem\">An Identity Management domain<\/li>\n<li class=\"listitem\">An Active Directory domain<\/li>\n<li class=\"listitem\">A Kerberos realm<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>How SSSD works<\/h2>\n<p>The SSSD authentication process is based on two stages:<\/p>\n<ul>\n<li>Retrieves <strong>identity and authentication information<\/strong> when the client is connected to a remote provider.<\/li>\n<li>The authentication information is used to <strong>create a local cache<\/strong> of users 
and credentials on the client.<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55801 size-full\" title=\"join-linux-vm-to-ad-using-sssd-02\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-02.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-02\" width=\"491\" height=\"101\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2>Authentication methods<\/h2>\n<p>There are different authentication methods that can be used for Linux virtual machines <span class=\"ph productname\">and the choice is based on the Linux distribution in use and the available infrastructure.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4>OpenLDAP Pass-through Authentication (PTA)<\/h4>\n<p>PTA can be used by any Linux distribution supported by the Horizon Agent to verify the user credentials against Active Directory using the <strong>pass-through authentication<\/strong> mechanism.<\/p>\n<p>&nbsp;<\/p>\n<h4><span id=\"GUID-D8E3A4AA-83E9-46A4-8BBA-824027146E93__d102e58\" class=\"ph\">System Security Services Daemon (SSSD) Authentication<\/span><\/h4>\n<p><span id=\"GUID-D8E3A4AA-83E9-46A4-8BBA-824027146E93__d102e58\" class=\"ph\">SSSD supports <strong>offline domain join<\/strong> with Active Directory for instant-cloned VMs running the following Linux distributions:<\/span><\/p>\n<ul>\n<li>Ubuntu 18.04\/20.04\/22.04<\/li>\n<li>RHEL 7.x\/8.x\/9.x<\/li>\n<li>CentOS 7.x<\/li>\n<li>SLED\/SLES 12.x\/15.x<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><span id=\"GUID-D8E3A4AA-83E9-46A4-8BBA-824027146E93__d102e76\" class=\"ph\">PowerBroker Identity Services Open (PBISO) Authentication <\/span><\/h4>\n<p><span id=\"GUID-D8E3A4AA-83E9-46A4-8BBA-824027146E93__d102e76\" class=\"ph\">PBISO supports <strong>offline domain join<\/strong> with Active Directory for instant-cloned VMs running the following Linux distributions:<\/span><\/p>\n<ul>\n<li>Ubuntu 18.04\/20.04\/22.04<\/li>\n<li>RHEL 7.x<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4>Samba<\/h4>\n<p>Samba can be used by any Linux distribution 
supported by the Horizon Agent and supports offline domain join with Active Directory for instant-cloned VMs. It is recommended to use Samba only for desktops <strong>running older distributions<\/strong> and SSSD for newer distributions.<\/p>\n<p>&nbsp;<\/p>\n<h2>Pre-requisites<\/h2>\n<p>Before proceeding with the configuration, ensure the following <strong>prerequisites are met<\/strong>:<\/p>\n<ul>\n<li>Before discovering the AD domain to join, make sure the required <strong>ports are open<\/strong> on the Domain Controller and the Linux VM can <strong>access the DC<\/strong>.<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55803 size-large\" title=\"join-linux-vm-to-ad-using-sssd-03\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-03-600x684.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-03\" width=\"600\" height=\"684\" \/><\/p>\n<ul>\n<li>Both systems must be <strong>time synced<\/strong> to ensure that Kerberos can work correctly.<\/li>\n<li>If you work with <a href=\"https:\/\/nolabnoparty.com\/en\/kemp-load-balancer-for-vmware-horizon-deployment-pt-1\/\">VMware Horizon<\/a>, make sure the Linux OS in use is supported by the Horizon Linux Agent. Supported Linux distributions:<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55805 size-large\" title=\"join-linux-vm-to-ad-using-sssd-04\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-04-600x264.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-04\" width=\"600\" height=\"264\" \/><\/p>\n<p>This article has been written for\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">StarWind blog<\/a>\u00a0and can be found on\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/join-a-linux-vm-to-active-directory-using-sssd\" target=\"_blank\" rel=\"noopener\">this page<\/a>. 
It covers the full procedure to <strong>Join a Linux VM to Active Directory using SSSD<\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<h2>Install Horizon Agent if required<\/h2>\n<p>If the configured VM is intended to be used as Golden Image in a\u00a0<a href=\"https:\/\/nolabnoparty.com\/en\/vmware-horizon-configure-smart-card-authentication\/\">VMware Horizon<\/a> environment, download the <a href=\"https:\/\/customerconnect.vmware.com\/downloads\/#all_products\" target=\"_blank\" rel=\"noopener\">Horizon Agent<\/a> from VMware website and copy it to the RHEL machine using a tool like WinSCP. Since Linux VDI supports <strong>Blast protocol only<\/strong>, if you use Thin Clients to connect your VDIs, make sure Blast protocol is supported.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55807 size-large\" title=\"join-linux-vm-to-ad-using-sssd-05\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-05-600x382.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-05\" width=\"600\" height=\"382\" \/><\/p>\n<p>The Horizon Agent package has some <strong>dependencies that must be installed<\/strong> in the system before running the installation. 
Normally you need to install these packages only if the system has a <strong>minimal installation setup<\/strong>.<\/p>\n<p><span style=\"color: #0000ff;\"># yum install bc gdm libappindicator-gtk3 lsof pulseaudio-module-x11 pulseaudio-utils xorg-x11-drv-vmware xorg-x11-server-utils xorg-x11-xauth zenity<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55809 size-large\" title=\"join-linux-vm-to-ad-using-sssd-06\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-06-600x213.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-06\" width=\"600\" height=\"213\" \/><\/p>\n<p>When the dependencies have been installed, install the Horizon Agent.<\/p>\n<p><span style=\"color: #0000ff;\"># rpm -ivh \/tmp\/VMware-horizonagent-linux-2209-8.7.0-20612436.el8.x86_64.rpm<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55811 size-large\" title=\"join-linux-vm-to-ad-using-sssd-07\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-07-600x270.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-07\" width=\"600\" height=\"270\" \/><\/p>\n<p>If you have multiple networks, you may receive this warning during the Horizon Agent installation.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55813 size-large\" title=\"join-linux-vm-to-ad-using-sssd-08\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-08-600x276.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-08\" width=\"600\" height=\"276\" \/><\/p>\n<p>Edit the <em>\/etc\/vmware\/viewagent-custom.conf<\/em> file and specify the correct subnet:<\/p>\n<p><span style=\"color: #0000ff;\"># vi \/etc\/vmware\/viewagent-custom.conf<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55815 size-large\" title=\"join-linux-vm-to-ad-using-sssd-09\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-09-600x221.jpg\" 
alt=\"join-linux-vm-to-ad-using-sssd-09\" width=\"600\" height=\"221\" \/><\/p>\n<p>Enable also the following line:<\/p>\n<blockquote><p>OfflineJoinDomain=sssd<\/p><\/blockquote>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55817 size-large\" title=\"join-linux-vm-to-ad-using-sssd-10\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-10-600x288.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-10\" width=\"600\" height=\"288\" \/><\/p>\n<p>When the Horizon Desktop Pool is configured, the Linux instant-clone desktop will be <strong>created and joined to AD<\/strong> domain using SSSD. Use the <strong>AD credentials<\/strong> to login to the VDI.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-55819 size-large\" title=\"join-linux-vm-to-ad-using-sssd-11\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/2022\/12\/join-linux-vm-to-ad-using-sssd-11-600x433.jpg\" alt=\"join-linux-vm-to-ad-using-sssd-11\" width=\"600\" height=\"433\" \/><\/p>\n<p>The Linux machine can now be accessed by Active Directory users.\u00a0For newer versions of Linux systems, SSSD is the <strong>recommended method<\/strong> of authentication against <a href=\"https:\/\/nolabnoparty.com\/en\/active-directory-quickly-transfer-fsmo-roles\/\">Active Directory<\/a>.<\/p>\n<p>Read the\u00a0<a href=\"https:\/\/www.starwindsoftware.com\/blog\/join-a-linux-vm-to-active-directory-using-sssd\" target=\"_blank\" rel=\"noopener\">full article<\/a>\u00a0on StarWind blog.<\/p>\n<p><img decoding=\"async\" title=\"signature\" src=\"https:\/\/nolabnoparty.com\/wp-content\/uploads\/images\/firma.jpg\" alt=\"signature\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To join a Linux VM to Active Directory, the SSSD (System Security Services Daemon) component is the recommended authentication method to use for newer Linux systems. 
This solution is particularly useful if Linux instant-clones are used in your VMware Horizon because\u00a0SSSD allows you to access remote directories and authentication mechanisms.<\/p>\n","protected":false},"author":3,"featured_media":55799,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rop_custom_images_group":[],"rop_custom_messages_group":[],"rop_publish_now":"initial","rop_publish_now_accounts":{"linkedin_93tdZWzMZc_93tdZWzMZc":"","facebook_2879994398731222_17841400390232720":"","twitter_113568041_113568041":"","mastodon_115463926174894442_115463926174894442":""},"rop_publish_now_history":[],"rop_publish_now_status":"pending","footnotes":""},"categories":[1025,903],"tags":[688,2293,2552,2551],"class_list":["post-55503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-horizon-en","category-vmware-en","tag-active-directory-en","tag-domain-en","tag-join-en","tag-sssd","has_thumb"],"_links":{"self":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/55503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/comments?post=55503"}],"version-history":[{"count":0,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/posts\/55503\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media\/55799"}],"wp:attachment":[{"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/media?parent=55503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/categories?post=55503"},{"taxonomy":"post_tag","embeddable":true,"href":"ht
tps:\/\/nolabnoparty.com\/en\/wp-json\/wp\/v2\/tags?post=55503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}