Difference between revisions of "Active Directory Client"

From NixOS Wiki
Jump to: navigation, search
m (Minor grammar fix)
m (Enabled long term credential caching for offline laptops. Simplified setup. oddjobd and realmd are irrelevant to NixOS.)
Line 21: Line 21:
 
   environment.systemPackages = with pkgs; [
 
   environment.systemPackages = with pkgs; [
 
     adcli # Helper library and tools for Active Directory client operations
 
     adcli # Helper library and tools for Active Directory client operations
     oddjob # Odd Job Daemon
+
     samba # Standard Windows interoperability suite of programs for Linux and Unix
    samba4Full # Standard Windows interoperability suite of programs for Linux and Unix
 
    sssd # System Security Services Daemon
 
    krb5 # MIT Kerberos 5
 
    realmd # DBus service for configuring Kerberos and other
 
 
   ];
 
   ];
  
Line 90: Line 86:
 
         config_file_version = 2
 
         config_file_version = 2
 
         services = nss, pam
 
         services = nss, pam
 +
 +
        [pam]
 +
        offline_credentials_expiration = 365
  
 
         [domain/your_domain_lowercase]
 
         [domain/your_domain_lowercase]
 
         override_shell = /run/current-system/sw/bin/zsh
 
         override_shell = /run/current-system/sw/bin/zsh
         krb5_store_password_if_offline = True
+
         krb5_store_password_if_offline = true
         cache_credentials = True
+
         cache_credentials = true
 +
        account_cache_expiration = 365
 +
        entry_cache_timeout = 14400
 
         krb5_realm = YOUR_DOMAIN_UPPERCASE
 
         krb5_realm = YOUR_DOMAIN_UPPERCASE
 
         realmd_tags = manages-system joined-with-samba
 
         realmd_tags = manages-system joined-with-samba
Line 108: Line 109:
 
         enumerate = true
 
         enumerate = true
 
       '';
 
       '';
    };
 
  };
 
 
  #
 
  # Systemd
 
  #
 
  systemd = {
 
    services.realmd = {
 
      description = "Realm Discovery Service";
 
      wantedBy = ["multi-user.target"];
 
      after = ["network.target"];
 
      serviceConfig = {
 
        Type = "dbus";
 
        BusName = "org.freedesktop.realmd";
 
        ExecStart = "${pkgs.realmd}/libexec/realmd";
 
        User = "root";
 
      };
 
 
     };
 
     };
 
   };
 
   };

Revision as of 21:33, 7 May 2025

Active Directory (AD) is a directory service that enables you to provide login to computers and other useful purposes.

Basic Setup

1) Create /etc/nixos/nixos-ad.nix and add the following. Replace your_domain_lowercase and YOUR_DOMAIN_UPPERCASE with something like ad.foobar.com and AD.FOOBAR.COM.

#
# nixos-ad.nix -- Active Directory Client
#
# Join AD: sudo adcli join --domain=your.domain.com --user=administrator
#
{
  config,
  pkgs,
  ...
}: {
  #
  # Packages
  #
  environment.systemPackages = with pkgs; [
    adcli # Helper library and tools for Active Directory client operations
    samba # Standard Windows interoperability suite of programs for Linux and Unix
  ];

  #
  # Security
  #
  security = {
    krb5 = {
      enable = true;
      settings = {
        libdefaults = {
          udp_preference_limit = 0;
          default_realm = "YOUR_DOMAIN_UPPERCASE";
        };
      };
    };

    pam = {
      makeHomeDir.umask = "077";
      services.login.makeHomeDir = true;
      services.sshd.makeHomeDir = true;
    };

    sudo = {
      extraConfig = ''
        %domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
        Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
        Defaults:%domain\ admins env_keep+=TERMINFO
      '';

      # Use extraConfig because of blank space in 'domain admins'.
      # Alternatively, you can use the GID.
      # extraRules = [
      #   { groups = [ "domain admins" ];
      #     commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; }  ]; }
      # ];
    };
  };

  #
  # Services
  #
  services = {
    nscd = {
      enable = true;
      config = ''
        server-user nscd
        enable-cache hosts yes
        positive-time-to-live hosts 0
        negative-time-to-live hosts 0
        shared hosts yes
        enable-cache passwd no
        enable-cache group no
        enable-cache netgroup no
        enable-cache services no
      '';
    };

    sssd = {
      enable = true;
      config = ''
        [sssd]
        domains = your_domain_lowercase
        config_file_version = 2
        services = nss, pam

        [pam]
        offline_credentials_expiration = 365

        [domain/your_domain_lowercase]
        override_shell = /run/current-system/sw/bin/zsh
        krb5_store_password_if_offline = true
        cache_credentials = true
        account_cache_expiration = 365
        entry_cache_timeout = 14400
        krb5_realm = YOUR_DOMAIN_UPPERCASE
        realmd_tags = manages-system joined-with-samba
        id_provider = ad
        fallback_homedir = /home/%u
        ad_domain = your_domain_lowercase
        use_fully_qualified_names = false
        ldap_id_mapping = false
        auth_provider = ad
        access_provider = ad
        chpass_provider = ad
        ad_gpo_access_control = permissive
        enumerate = true
      '';
    };
  };
}

2) Update your configuration.nix to import ./nixos-ad.nix

imports =
  [
    ./hardware-configuration.nix
    ./nixos-ad.nix
  ]

3) nix-channel --update ; nixos-switch rebuild --upgrade

Note

  • These commands presume that you're using the classic NixOS channels and not the experimental flakes configuration.
  • These commands will freshen all installed packages and configuration settings.
  • If you experience an error from systemd/sssd, disregard it. You will fix that error by joining the domain.

4) Join your domain

sudo adcli join --domain=your.domain.com --user=administrator

5) Restart SSSD

sudo systemctl restart sssd

6) Confirm that you have successfully joined your AD

realm discover your_domain_lowercase

id user_in_AD

7) Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can login. As of 2024, the adcli join and sssd restart seem to be sufficient.

8) Optional: If the computer is a laptop, you may add a named user to the NixOS local networkmanager group so that person can add a WiFI network, switch between wireless/wired, and so on.

users.groups.networkmanager.members = ["user_in_AD"];

Unfortunately, Linux local groups do not support nesting of AD groups. You have to grant this access to individual users.