
Accessing Active Directory from SUSE Linux Micro

Publication Date: 05 Dec 2024
WHAT?

SUSE Linux Micro enables you to work with data stored in Active Directory.

WHY?

This topic provides instructions on how to join an Active Directory domain.

EFFORT

It takes approximately 5 minutes to read the article.

GOAL

You will be able to access data stored in an Active Directory domain.

REQUIREMENTS

Credentials for a particular Active Directory domain

1 What is Active Directory

Active Directory* (AD) is a directory service based on LDAP, Kerberos, and other services. It is used by Microsoft* Windows* to manage resources, services, and people. In a Microsoft Windows network, Active Directory provides information about these objects, restricts access to them, and enforces policies. SUSE Linux Micro lets you join existing Active Directory domains and integrate your Linux machine into a Windows environment.

SUSE Linux Micro offers you the following benefits when integrated with Active Directory:

Offline authentication

Users can log in and access their local data on the Linux machine even if they are offline or the Active Directory server is unavailable for other reasons.

Windows password change

This port of Active Directory support in Linux enforces corporate password policies stored in Active Directory. The console supports password change messages and accepts your input. You can even use the Linux passwd command to set Windows passwords.

Single-sign-on through Kerberos

adcli can transparently handle authentication for the user without the need for password reentry at Web servers, proxies, groupware applications, or other locations.

To communicate with the directory service, the client needs to share at least two protocols with the server:

LDAP

LDAP is a protocol optimized for managing directory information. A Windows domain controller with Active Directory can use the LDAP protocol to exchange directory information with the clients.

Kerberos

Kerberos is a trusted third-party authentication service. All its clients trust Kerberos to vouch for another client's identity, enabling kerberized single sign-on (SSO) solutions. Windows supports a Kerberos implementation, making Kerberos SSO possible even with Linux clients.

2 Prerequisites needed to join Active Directory

Before you try to join an Active Directory domain, make sure that the following requirements are met:

DNS

DNS is configured to forward DNS requests to the Active Directory DNS server. Alternatively, configure your client to use the Active Directory DNS.

NTP

Make sure that the time is properly synchronized when using Kerberos. It is highly recommended to use a central NTP time server for this purpose (this can also be the NTP server running on your Active Directory domain controller). For details, refer to NTP time synchronization.

Firewall

Either disable the firewall entirely or mark the interface used for browsing as part of the internal zone. You can use Cockpit to configure the internal firewall zone.

Active Directory account

Make sure that you have proper credentials to access the Active Directory domain.
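The DNS and NTP prerequisites above can be verified before running adcli. The following script is an added example, not part of the SUSE documentation; it assumes dig (bind-utils) and chronyc are installed and that a previous join would have left a keytab at /etc/krb5.keytab.

```shell
#!/bin/sh
# ad_prejoin_check.sh: verify DNS and time prerequisites before "adcli join".
# Added example; assumes dig (bind-utils) and chronyc are available.

# Kerberos rejects tickets when client and KDC clocks differ by more than
# the default clock skew tolerance of 300 seconds.
MAX_SKEW_SECONDS=300

# Print the SRV names a domain must publish for LDAP and Kerberos discovery.
ad_srv_names() {
    domain=$1
    printf '%s\n' "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"
}

# Return 0 when a clock offset in seconds (negative or fractional allowed)
# is within the Kerberos tolerance, 1 otherwise.
skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW_SECONDS" \
        'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# Extract the signed offset from "chronyc tracking" output, for example
# "System time     : 12.5 seconds slow of NTP time" -> -12.5
chrony_offset() {
    awk '/^System time/ { printf "%s%s\n", ($6 == "slow" ? "-" : ""), $4 }'
}

# Live checks against DNS, chrony and the local keytab; needs a domain name.
check_domain() {
    domain=$1
    rc=0
    for srv in $(ad_srv_names "$domain"); do
        if dig +short SRV "$srv" | grep -q .; then
            echo "ok   SRV $srv"
        else
            echo "FAIL SRV $srv not resolvable (check DNS forwarding)"; rc=1
        fi
    done
    off=$(chronyc tracking | chrony_offset)
    if skew_ok "${off:-0}"; then
        echo "ok   clock offset ${off:-unknown}s"
    else
        echo "FAIL clock offset ${off}s exceeds ${MAX_SKEW_SECONDS}s"; rc=1
    fi
    if [ -f /etc/krb5.keytab ]; then
        echo "note keytab already present, host may already be joined"
    fi
    return $rc
}

if [ $# -gt 0 ]; then check_domain "$1"; fi
```

Run it as `sh ad_prejoin_check.sh DOMAIN_NAME`; a non-zero exit means at least one prerequisite from the list above is not met.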

3 Joining an Active Directory domain

On SUSE Linux Micro you first need to join an Active Directory domain. To do so, use the adcli command, which creates a computer account for the machine joining the domain and, if Kerberos is used, creates a keytab for the machine.

To join a domain, proceed as follows:

  1. (Optional) To use offline authentication using SSSD, install it first:

    1. Run the command:

       > sudo transactional-update pkg install sssd

    2. Reboot the system.

    3. Review /etc/sssd/sssd.conf and adjust it if needed.

    4. To allow SSSD to use Kerberos, switch on the kerberos_enabled boolean by running:

       > sudo setsebool -P kerberos_enabled 1

  2. Run the adcli command as follows:

    > sudo adcli join -d DOMAIN_NAME

  3. Provide your credentials for the domain.

After you join a domain, you can log in to Active Directory, and you can use offline authentication.

4 Logging in to the Active Directory domain

You can log in to the Active Directory client machine either using the text-based console or remotely using SSH.

To log in via the console, enter at the login: prompt:

DOMAIN_NAME\USER_NAME

Then provide the password.

For remote login, use SSH as follows:

    > sudo ssh DOMAIN_NAME\\USER_NAME@HOST_NAME

The \ that delimits the domain and the user name is escaped with another \ sign.

Then provide your password to log in.