Active Directory Client

From NixOS Wiki
Revision as of 03:21, 28 May 2026 by Jkotran (talk | contribs) (Improved reliability of off-network laptops and login/screen unlock after PC sleep.)

Active Directory (AD) is a directory service that lets you log in to multiple computers with the same username, password, user ID (UID), and group memberships. It has other useful purposes such as security groups and mailing lists.

Basic Setup

  1. Create /etc/nixos/nixos-ad.nix and add the following. Replace your_domain_lowercase and YOUR_DOMAIN_UPPERCASE with something like ad.foobar.com and AD.FOOBAR.COM.

      #
      # nixos-ad.nix -- Active Directory Client
      #
      # Join AD: sudo adcli join --domain=your.domain.com --user=administrator
      #
      {
        config,
        pkgs,
        ...
      }: {
        #
        # Packages
        #
        environment.systemPackages = with pkgs; [
          adcli # Helper library and tools for Active Directory client operations
          realmd # Diagnostic command; does not configure the AD client on NixOS
          samba # Standard Windows interoperability suite of programs for Linux and Unix
        ];
    
        #
        # Security
        #
        security = {
          # Kerberos
          krb5 = {
            enable = true;
            settings = {
              libdefaults = {
                udp_preference_limit = 0;
                default_realm = "YOUR_DOMAIN_UPPERCASE";
              };
            };
          };
    
          # Create a home directory when an AD user logs in
          pam = {
            makeHomeDir.umask = "077";
            services.login.makeHomeDir = true;
            services.sshd.makeHomeDir = true;
          };
    
          # Grant members of the AD 'Domain Admins' group passwordless sudo on this machine
          sudo = {
            # Use extraConfig because of the blank space in 'domain admins'.
            extraConfig = ''
              %domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
              Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
              Defaults:%domain\ admins env_keep+=TERMINFO
            '';
          };
        };
    
        #
        # Services
        #
        services = {
          resolved.enable = true;
    
          sssd = {
            enable = true;
            config = ''
              [sssd]
              domains = your_domain_lowercase
              config_file_version = 2
              services = nss, pam
    
              [domain/your_domain_lowercase]
              override_shell = /run/current-system/sw/bin/zsh
              krb5_store_password_if_offline = True
              cache_credentials = True
              krb5_realm = YOUR_DOMAIN_UPPERCASE
              realmd_tags = manages-system joined-with-adcli
              id_provider = ad
              fallback_homedir = /Users/%u
              ad_domain = your_domain_lowercase
              use_fully_qualified_names = False
              ldap_id_mapping = False
              access_provider = ad
              # Red Hat recommendation to reduce server queries
              entry_cache_timeout = 14400
              auth_provider = ad
              chpass_provider = ad
              ad_gpo_access_control = disabled
              enumerate = False
              dyndns_update = False
              # Red Hat recommendation to reduce "terminated by own WATCHDOG" restarts
              timeout = 20
              # Fast fallback in case of server interruption/unavailability
              ldap_network_timeout = 3
              ldap_opt_timeout = 10
            '';
          };
        };
      }
    

    Note

    • As of NixOS 25.11, services.nscd.enable and services.nscd.enableNsncd default to true. Both are required for the sssd Active Directory client to work.
    • It’s my personal custom to leave out default options, unless I’m overriding them. Feel free to declare services.nscd.enable = true; and services.nscd.enableNsncd = true; in your nixos-ad.nix if you prefer a more explicit configuration.
  2. Update your configuration.nix to import ./nixos-ad.nix

      imports =
        [
          ./hardware-configuration.nix
          ./nixos-ad.nix
        ]
    
  3. Apply NixOS configuration

    nix-channel --update && nixos-rebuild switch --upgrade

    Note

    • These commands presume that you are using classic NixOS channels and not an experimental flakes configuration.
    • These commands will update all installed packages and re-apply the configuration.
    • If you experience an error from systemd/sssd, disregard it. You will fix that error by joining the domain.
  4. Join your domain

    sudo adcli join --domain=your.domain.com --user=administrator

  5. Restart SSSD

    sudo systemctl restart sssd

  6. Confirm that you have successfully joined your AD

    realm discover your_domain_lowercase

    id user_in_AD

  7. Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can login. As of 2024, the adcli join and sssd restart seem to be sufficient.

  8. Optional: If the computer is a laptop, add users to the NixOS local networkmanager group so they can add a Wi-Fi network, switch between wireless/wired, and so on.

      users.groups.networkmanager.members = ["user_in_AD"];
    

Note: Linux local groups do not support nesting of AD groups. You have to grant access to individual users.
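As an added example that is not part of the wiki article, the following Python script checks an sssd.conf body such as the one in step 1 for the consistency points this setup depends on: every domain listed under [sssd] has a matching [domain/...] section, krb5_realm is the upper-case form of ad_domain, and the AD providers plus offline credential caching (the settings that keep an off-network laptop usable) are set. The sample configuration is constructed, with ad.example.com substituted for the placeholders.

```python
import configparser

# Constructed sample: the wiki's sssd block with ad.example.com /
# AD.EXAMPLE.COM substituted for the two placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.EXAMPLE.COM
id_provider = ad
ad_domain = ad.example.com
access_provider = ad
auth_provider = ad
chpass_provider = ad
"""

# Keys the [domain/...] section needs for an AD-backed domain whose
# users can still log in while the machine is off the network.
REQUIRED_DOMAIN_KEYS = {
    "id_provider": "ad",
    "auth_provider": "ad",
    "access_provider": "ad",
    "cache_credentials": "true",
    "krb5_store_password_if_offline": "true",
}


def check_sssd_conf(text):
    """Return a list of problems found in an sssd.conf body (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] domains is empty")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            problems.append(f"no [{sect}] section for a domain listed in [sssd]")
            continue
        for key, want in REQUIRED_DOMAIN_KEYS.items():
            got = cp.get(sect, key, fallback="").lower()
            if got != want:
                problems.append(f"[{sect}] {key} should be {want}, got {got or 'unset'}")
        # Step 1 of the guide: the Kerberos realm is the AD domain in upper case.
        ad_domain = cp.get(sect, "ad_domain", fallback=dom)
        realm = cp.get(sect, "krb5_realm", fallback="")
        if realm != ad_domain.upper():
            problems.append(f"[{sect}] krb5_realm {realm!r} is not the upper-case form of ad_domain {ad_domain!r}")
    return problems
```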