Difference between revisions of "Active Directory Client"

From NixOS Wiki
Older revision (minor edit): Added note about default settings
Newer revision (minor edit): Minor cleanup and freshening

Summary of the changes between the two revisions (the side-by-side diff did not survive extraction; the full text of the latest revision follows below):

* Intro paragraph, old: "Active Directory (AD) is a directory service that enables you to provide login to computers and other useful purposes." New: "Active Directory (AD) is a directory service that lets you login to multiple computers with the same username, password, id, and group memberships. It has other useful purposes such as security groups and mailing lists."
* A <span id="basic-setup"></span> anchor was added before the "== Basic Setup ==" heading.
* The plain "1) ... 8)" step numbering was converted to HTML ordered lists (<ol style="list-style-type: decimal;">, resuming with <ol start="2"> and <ol start="4"> after the two notes), and the inline commands were wrapped in <p><code>...</code></p>.
* In nixos-ad.nix the comment "# Use extraConfig because of blank space in 'domain admins'." moved from after the sudoers text to before security.sudo.extraConfig, and the commented-out alternative ("# Alternatively, you can use the GID." with an extraRules entry for groups = [ "domain admins" ] and commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]) was dropped. The rest of the file is unchanged apart from indentation; a stray ``` line ended up inside the <syntaxhighlight> block just before its closing tag.
* Old note: "These commands presume that you're using the classic NixOS channels and not the experimental flakes configuration." New: "These commands presume that you are using classic NixOS channels and not an experimental flakes configuration."
* Old step 8: "Optional: If the computer is a laptop, you may add a named user to the NixOS local networkmanager group so that person can add a WiFI network, switch between wireless/wired, and so on." New: "Optional: If the computer is a laptop, add users to the NixOS local networkmanager group so they can add a WiFI network, switch between wireless/wired, and so on."
* Closing sentence, old: "Unfortunately, Linux local groups do not support nesting of AD groups. You have to grant this access to individual users." New: "Note: Linux local groups do not support nesting of AD groups. You have to grant access to individual users."
* Straight apostrophes in the "It's my personal custom" note became typographic ones.

[[Category:Cookbook]]
Latest revision as of 04:17, 9 December 2025

Active Directory (AD) is a directory service that lets you log in to multiple computers with the same username, password, ID, and group memberships. It has other useful purposes such as security groups and mailing lists.

Basic Setup

  1. Create /etc/nixos/nixos-ad.nix and add the following. Replace your_domain_lowercase and YOUR_DOMAIN_UPPERCASE with something like ad.foobar.com and AD.FOOBAR.COM.

      #
      # nixos-ad.nix -- Active Directory Client
      #
      # Join AD: sudo adcli join --domain=your.domain.com --user=administrator
      #
      {
        config,
        pkgs,
        ...
      }: {
        #
        # Packages
        #
        environment.systemPackages = with pkgs; [
          adcli # Helper library and tools for Active Directory client operations
          realmd # Diagnostic command; Does not configure AD client on NixOS
          samba # Standard Windows interoperability suite of programs for Linux and Unix
        ];
    
        #
        # Security
        #
        security = {
          krb5 = {
            enable = true;
            settings = {
              libdefaults = {
                udp_preference_limit = 0;
                default_realm = "YOUR_DOMAIN_UPPERCASE";
              };
            };
          };
    
          pam = {
            makeHomeDir.umask = "077";
            services.login.makeHomeDir = true;
            services.sshd.makeHomeDir = true;
          };
    
          sudo = {
            # Use extraConfig because of blank space in 'domain admins'.
            extraConfig = ''
              %domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
              Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
              Defaults:%domain\ admins env_keep+=TERMINFO
            '';
          };
        };
    
        #
        # Services
        #
        services = {
          resolved.enable = true;
    
          sssd = {
            enable = true;
            config = ''
              [sssd]
              domains = your_domain_lowercase
              config_file_version = 2
              services = nss, pam
    
              [pam]
              offline_credentials_expiration = 365
    
              [domain/your_domain_lowercase]
              override_shell = /run/current-system/sw/bin/zsh
              krb5_store_password_if_offline = true
              cache_credentials = true
              account_cache_expiration = 365
              entry_cache_timeout = 14400
              krb5_realm = YOUR_DOMAIN_UPPERCASE
              realmd_tags = manages-system joined-with-samba
              id_provider = ad
              fallback_homedir = /home/%u
              ad_domain = your_domain_lowercase
              use_fully_qualified_names = false
              ldap_id_mapping = false
              auth_provider = ad
              access_provider = ad
              chpass_provider = ad
              ad_gpo_access_control = permissive
              enumerate = true
            '';
          };
        };
      }

Note

  • As of NixOS 25.11 services.nscd.enable and services.nscd.enableNsncd default to TRUE. They are required to successfully use the sssd Active Directory client.
  • It’s my personal custom to leave out default options, unless I’m overriding them. Feel free to declare services.nscd.enable = true; and services.nscd.enableNsncd = true; in your nixos-ad.nix if you prefer a more explicit configuration.

  2. Update your configuration.nix to import ./nixos-ad.nix

      imports =
        [
          ./hardware-configuration.nix
          ./nixos-ad.nix
        ]
    
  3. nix-channel --update ; nixos-rebuild switch --upgrade

Note

  • These commands presume that you are using classic NixOS channels and not an experimental flakes configuration.
  • These commands will freshen all installed packages and configuration settings.
  • If you experience an error from systemd/sssd, disregard it. You will fix that error by joining the domain.

  4. Join your domain

    sudo adcli join --domain=your.domain.com --user=administrator

  5. Restart SSSD

    sudo systemctl restart sssd

  6. Confirm that you have successfully joined your AD

    realm discover your_domain_lowercase

    id user_in_AD

  7. Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can log in. As of 2024, the adcli join and sssd restart seem to be sufficient.

  8. Optional: If the computer is a laptop, add users to the NixOS local networkmanager group so they can add a Wi-Fi network, switch between wireless/wired, and so on.

      users.groups.networkmanager.members = ["user_in_AD"];
    

Note: Linux local groups do not support nesting of AD groups. You have to grant access to individual users.
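As an added example (not part of the wiki page and not NixOS project code), the following shell script ties the procedure together from the defender's side: it reads an sssd.conf, reports the settings from nixos-ad.nix above that are deliberate trade-offs rather than defaults (ad_gpo_access_control = permissive, enumerate = true, cache_credentials = true), checks that the id and access providers are really "ad", and, when given a user and a domain on the joined machine, re-runs the page's own checks from steps 5 and 6. The domain ad.example.com, the user alice, the script name and the /etc/sssd/sssd.conf path are assumptions; the two embedded configs are constructed samples, one with the page's settings and one tightened for a desktop that never leaves the domain network.

```bash
#!/usr/bin/env bash
# ad-client-check.sh -- added example, not from the NixOS wiki page.
# Audits the SSSD settings the page's nixos-ad.nix uses, then re-runs the
# page's own join checks (steps 5 and 6) when the tools are installed.
# Assumed (not on the page): domain ad.example.com, user alice, and the
# path /etc/sssd/sssd.conf that the NixOS sssd module is assumed to write.

# Constructed sample: the [domain] settings from the page's nixos-ad.nix
# with the placeholders filled in.
SAMPLE_SSSD_CONF='[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
cache_credentials = true
enumerate = true
'

# Constructed sample: the same section tightened for a desktop that never
# leaves the domain network (GPO logon rules enforced, no enumeration,
# no password hashes cached on disk).
HARDENED_SSSD_CONF='[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
cache_credentials = false
enumerate = false
'

# conf_get FILE KEY: print the value of KEY inside the [domain/...] section
# (empty if unset). Keys in other sections such as [sssd] or [pam] are ignored.
conf_get() {
  awk -v key="$2" '
    /^\[/ { insection = ($0 ~ /^\[domain\//) }
    insection && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); val = $0 }
    END { print val }
  ' "$1"
}

# flag MESSAGE: print a finding and bump the caller's counter (dynamic scoping).
flag() { echo "$1"; findings=$((findings + 1)); }

# lint_sssd_conf FILE: print one line per setting a defender should accept
# knowingly; the exit status is the number of findings (0 = nothing flagged).
lint_sssd_conf() {
  local file=$1 findings=0 v
  v=$(conf_get "$file" id_provider)
  [ "$v" = "ad" ] || flag "id_provider is '${v:-unset}', expected 'ad'"
  v=$(conf_get "$file" access_provider)
  [ "$v" = "ad" ] || flag "access_provider is '${v:-unset}': AD-side access checks (account expiry, GPO) are skipped"
  v=$(conf_get "$file" ad_gpo_access_control)
  [ "$v" != "permissive" ] || flag "ad_gpo_access_control = permissive: GPO logon rules are evaluated and logged, not enforced"
  v=$(conf_get "$file" enumerate)
  [ "$v" != "true" ] || flag "enumerate = true: full user/group enumeration is costly on large domains"
  v=$(conf_get "$file" cache_credentials)
  [ "$v" != "true" ] || flag "cache_credentials = true: password hashes stay on disk for offline login (laptop trade-off)"
  return "$findings"
}

# verify_join USER DOMAIN: the page's own checks, run only where the tools exist.
# Exit status 0 when everything that could be checked passed.
verify_join() {
  local user=$1 domain=$2 rc=0
  if command -v systemctl >/dev/null 2>&1; then
    systemctl is-active --quiet sssd || { echo "sssd is not active"; rc=1; }
  fi
  if command -v realm >/dev/null 2>&1; then
    realm discover "$domain" || { echo "realm discover $domain failed"; rc=1; }
  fi
  id "$user" >/dev/null 2>&1 || { echo "id $user failed: NSS does not resolve the AD user"; rc=1; }
  return "$rc"
}

# Usage: ./ad-client-check.sh alice ad.example.com   (live checks on a joined host)
#        ./ad-client-check.sh                         (offline demo on the samples)
if [ "$#" -ge 2 ]; then
  conf=/etc/sssd/sssd.conf   # assumed path of the file services.sssd writes
  if [ -r "$conf" ]; then
    lint_sssd_conf "$conf" || echo "$? setting(s) flagged in $conf"
  fi
  verify_join "$1" "$2"
else
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_SSSD_CONF" > "$tmp"
  echo "== settings from the page's nixos-ad.nix =="
  lint_sssd_conf "$tmp" || echo "($? flagged)"
  printf '%s' "$HARDENED_SSSD_CONF" > "$tmp"
  echo "== hardened desktop variant =="
  lint_sssd_conf "$tmp" && echo "(nothing flagged)"
  rm -f "$tmp"
fi
```

Run it with no arguments to lint the two embedded samples (the page's settings produce three findings, the hardened variant none), or as ad-client-check.sh alice ad.example.com on the joined machine after step 5. The findings are trade-offs, not errors: permissive GPO handling keeps you from being locked out by a logon-rights GPO while the client is being set up, and cached credentials are what let a laptop log in off the network; the point of the script is that each of them is chosen on purpose and revisited once the client is stable.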