Accessing Active Directory from SUSE Linux Micro
- WHAT?
SUSE Linux Micro enables you to work with data stored in Active Directory.
- WHY?
This topic provides instructions on how to join an Active Directory domain.
- EFFORT
It takes approximately 5 minutes to read the article.
- GOAL
You will be able to access data stored in an Active Directory domain.
- REQUIREMENTS
Credentials for a particular Active Directory domain
1 What is Active Directory
Active Directory* (AD) is a directory service based on LDAP, Kerberos, and other services. It is used by Microsoft* Windows* to manage resources, services, and people. In a Microsoft Windows network, Active Directory provides information about these objects, restricts access to them, and enforces policies. SUSE Linux Micro lets you join existing Active Directory domains and integrate your Linux machine into a Windows environment.
SUSE Linux Micro offers you the following benefits when integrated with Active Directory:
- Offline authentication
Users can log in and access their local data on the Linux machine even if they are offline or the Active Directory server is unavailable for other reasons.
- Windows password change
This port of Active Directory support in Linux enforces corporate password policies stored in Active Directory. The console supports password change messages and accepts your input. You can even use the Linux passwd command to set Windows passwords.
- Single sign-on through Kerberos
adcli can transparently handle authentication for the user without the need for password reentry at Web servers, proxies, groupware applications, or other locations.
To communicate with the directory service, the client needs to share at least two protocols with the server:
- LDAP
LDAP is a protocol optimized for managing directory information. A Windows domain controller with Active Directory can use the LDAP protocol to exchange directory information with the clients.
- Kerberos
Kerberos is a trusted third-party authentication service. All its clients trust Kerberos' authorization of another client's identity, enabling Kerberized single sign-on (SSO) solutions. Windows supports a Kerberos implementation, making Kerberos SSO possible even with Linux clients.
2 Prerequisites needed to join Active Directory
Before you try to join an Active Directory domain, make sure that the following requirements are met:
- DNS
DNS is configured to forward DNS requests to the Active Directory DNS server. Alternatively, configure your client to use the Active Directory DNS.
- NTP
Make sure that the time is properly synchronized when using Kerberos. It is highly recommended to use a central NTP time server for this purpose (this can be also the NTP server running on your Active Directory domain controller). For details, refer to NTP time synchronization.
- Firewall
Either disable the firewall entirely or mark the interface used for browsing as part of the internal zone. You can use Cockpit to configure the internal firewall zone.
- Active Directory account
Make sure that you have proper credentials to access the Active Directory domain.
3 Joining an Active Directory domain
On SUSE Linux Micro, you first need to join an Active Directory domain. To do so, use the adcli command, which creates a computer account for the machine joining the domain and, if Kerberos is used, creates a keytab for the machine.
To join a domain, proceed as follows:
1. (Optional) To use offline authentication using SSSD, install it first:
   a. Run the command:
      > sudo transactional-update pkg install sssd
   b. Reboot the system.
   c. Review /etc/sssd/sssd.conf and adjust it if needed.
   d. To allow SSSD to use Kerberos, switch on the kerberos_enabled boolean by running:
      > sudo setsebool -P kerberos_enabled 1
2. Run the adcli command as follows:
      > sudo adcli join -d DOMAIN_NAME
   Provide your credentials for the domain.
After you join a domain, you can log in to Active Directory and use offline authentication.
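The steps above check nothing before calling adcli, and the two failures that most often break a join (the client not resolving the domain through the AD DNS server, and a clock skew that Kerberos rejects) only show up as an opaque error afterwards. The following script, an added example that is not SUSE's own code or part of this documentation, runs those pre-join checks, warns when the kerberos_enabled boolean is still off, and then performs the join. It assumes adcli, chronyc and getsebool are installed; DOMAIN_NAME and AD_USER are placeholders passed on the command line, and the sssd.conf template it prints is a minimal starting point for step 1c, not a file SUSE generates.

```shell
#!/bin/sh
# Added example, not SUSE's own code: pre-join checks for the procedure above.
# Assumes adcli, chronyc and getsebool are installed; DOMAIN_NAME and
# AD_USER are placeholders supplied on the command line.

# Return 0 if the argument looks like a DNS domain name (at least two
# labels of letters, digits and hyphens), which is what adcli expects.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Parse "chronyc tracking" output and return 0 when the "System time"
# offset is known and at most $2 seconds. Kerberos rejects requests whose
# timestamp differs from the KDC clock by more than its clock-skew limit
# (300 s by default), so this is checked before joining.
clock_offset_ok() {
    offset=$(printf '%s\n' "$1" | awk -F: '/^System time/ { split($2, a, " "); print a[1] }')
    [ -n "$offset" ] || return 1
    awk -v off="$offset" -v lim="$2" 'BEGIN { if (off + 0 <= lim + 0) exit 0; exit 1 }'
}

# Parse "getsebool kerberos_enabled" output ("kerberos_enabled --> on")
# and return 0 only when the boolean is on.
sebool_is_on() {
    case "$1" in
        *'--> on') return 0 ;;
        *)         return 1 ;;
    esac
}

# Print a minimal sssd.conf for the domain with credential caching turned
# on, which is what makes offline authentication possible. This is a
# template to compare against /etc/sssd/sssd.conf, not a generated file.
sssd_conf_template() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $1

[domain/$1]
id_provider = ad
access_provider = ad
cache_credentials = True
EOF
}

main() {
    domain=$1
    user=$2
    valid_domain "$domain" || { echo "not a DNS domain name: $domain" >&2; return 2; }

    # DNS: adcli discovers domain controllers through SRV records, so a
    # failure here usually means the client is not using the AD DNS server.
    adcli info "$domain" >/dev/null \
        || { echo "cannot discover domain controllers for $domain" >&2; return 3; }

    clock_offset_ok "$(chronyc tracking 2>/dev/null)" 300 \
        || echo "warning: clock offset unknown or above 300 s; fix NTP first" >&2

    sebool_is_on "$(getsebool kerberos_enabled 2>/dev/null)" \
        || echo "warning: kerberos_enabled is off; run: sudo setsebool -P kerberos_enabled 1" >&2

    # adcli prompts for the AD account's password; it is never placed on
    # the command line, so it does not end up in shell history or ps output.
    adcli join --domain="$domain" --login-user="$user"
}

# Run only when a domain and an account are given, for example:
#   sudo ./ad-prejoin.sh DOMAIN_NAME AD_USER
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The checks are deliberately split into small functions that take the command output as an argument, so they can be exercised with captured text and the join itself only runs when the script is invoked with both placeholders filled in.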
4 Logging in to the Active Directory domain
You can log in to the Active Directory client machine either using the text-based console or remotely using SSH.
To log in via the console, enter at the login: prompt:
DOMAIN_NAME\USER_NAME
Then provide the password.
For remote login, use SSH as follows:
> sudo ssh DOMAIN_NAME\\USER_NAME@HOST_NAME
The \ delimiter between the domain and the login name is escaped with another \ sign, because the shell would otherwise interpret a single backslash.
Then provide your password to log in.
5 Legal Notice
Copyright© 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.