Linux – SSSD AD Integration – Clarification on Computer to join AD

active-directory, domain-controller, kerberos, linux, sssd

Objective

Clarify Computer, Not User, when integrating a Linux box with a Windows Domain.

Background

Having confusion because most SSSD AD information focuses on User Authentication; however, apparently in a Windows Domain, the computer to which the users log on should already be in the domain (as a service principal?). It seems to me I need help to get to the bottom of this.

Question – Computer to join a Windows domain.

I believe there are several ways. Please suggest if below are correct.

  1. Run realm in the Linux box.
  2. Run Samba net ads join in the Linux box (Creating Host Keytab with Samba).
  3. Run setSPN and ktpass in the Domain Controller

Regarding using realm and samba, I suppose the command also will join the Linux box into the Domain and AD. Is it correct? Also please point to resources to understand what is going on behind the scenes with regard to computer and domain, if any.

These ways require an Administrator credential or the credentials of a user who has the permission to add a computer to a domain, which would not always be available. Then I suppose I need to ask a Windows domain administrator to do what realm and samba do. This seems to me to involve the steps below, but I need corrections/confirmation on whether they are correct.

  1. Create an A record and reverse lookup PTR record in the domain DNS.
  2. Add a computer for the Linux box in the Computers management view. The UPN of the box will be <linux hostname>@<realm or domain>.
  3. Create a SPN for the Linux box with setSPN. The SPN is like host/<name>@<realm or domain>.
  4. Create a keytab with ktpass. The SPN is specified with -princ and the UPN is specified with -mapuser.
  5. Copy the keytab to the Linux box as /etc/krb5.keytab and change permissions. (Treat like a pem file in ~/.ssh/)

Question – UPN and SPN?

Why have multiple identifiers for the same object (the Linux box)? Why is an SPN required?

Best Answer

From man net:

Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created.

In short, "net ads join" joins the machine to the domain. When running this command on your Linux box, you need to enter the domain admin credentials (or those of another user with appropriate permissions).

In my experience, based on your samba version, you may need to manually create an A or PTR record. After that, any dynamic IP obtained via DHCP will automatically refresh/update both the A and PTR records.

On the other hand, you do not need to bother with setSPN or ktpass.

You can read here for an in-depth guide.
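Whichever join method is used, the result the Linux box needs is a keytab that carries both identifiers discussed above: the machine account (the UPN-style `HOSTNAME$@REALM`, which is how the computer itself authenticates to the domain) and the host service principal (the SPN `host/fqdn@REALM`, which clients such as GSSAPI SSH request a ticket for). The script below is an added example, not from the question, the answer or the Samba/SSSD projects; it checks a `klist -kte` listing for both principals, so an incomplete join (for instance a keytab produced only for the computer account, with no host/ SPN) is caught before users hit cryptic Kerberos errors. The hostname `linuxbox`, the realm `EXAMPLE.COM` and the keytab listing are constructed sample values; on a real host, feed it the output of `klist -kte /etc/krb5.keytab` instead.

```shell
#!/bin/sh
# Added example: verify that a host keytab has both identifiers a
# domain-joined Linux box needs.
#   machine account (UPN style): LINUXBOX$@EXAMPLE.COM
#   host service principal (SPN): host/linuxbox.example.com@EXAMPLE.COM
# The listing below is a CONSTRUCTED sample in `klist -kte` format; on a
# real system replace it with:  klist -kte /etc/krb5.keytab

SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 10:00:00 LINUXBOX$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 10:00:00 host/linuxbox.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/01/2024 10:00:00 RestrictedKrbHost/linuxbox.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_principal LISTING PRINCIPAL
# Exit 0 if PRINCIPAL appears as an entry in LISTING, 1 otherwise.
# Entry lines end with the enctype in parentheses, so the principal is the
# field just before the last one; header and separator lines are skipped.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF ~ /^\(/ { if ($(NF-1) == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_host_keytab LISTING SHORTNAME FQDN REALM
# Reports whether the machine account and the host SPN are both present.
# Exit 0 only when both are found.
check_host_keytab() {
    listing=$1
    fqdn=$3
    realm=$4
    # sAMAccountName of a computer object is the upper-case short name plus "$"
    account=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    account="${account}\$@${realm}"
    spn="host/${fqdn}@${realm}"
    rc=0
    if keytab_has_principal "$listing" "$account"; then
        echo "ok:      machine account $account"
    else
        echo "missing: machine account $account (host cannot authenticate to the domain)"
        rc=1
    fi
    if keytab_has_principal "$listing" "$spn"; then
        echo "ok:      host SPN $spn"
    else
        echo "missing: host SPN $spn (GSSAPI clients cannot get a ticket for this host)"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample; expected result is two "ok:" lines.
check_host_keytab "$SAMPLE_KEYTAB_LISTING" linuxbox linuxbox.example.com EXAMPLE.COM
```

After confirming the principals, also confirm the file is root-owned with mode 0600 and that `kinit -k 'host/linuxbox.example.com@EXAMPLE.COM'` succeeds; a keytab that lists the right names but whose key versions (KVNO) no longer match the account in AD will fail at that step, which is typically what a stale ktpass-generated keytab looks like after the machine password has been reset.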
