Hello,
Here's how to join a NixOS machine to an Active Directory domain.

The first part is enabling Kerberos (krb5). Put the configuration below in place and apply it with:

```shell
nixos-rebuild switch
```

Note that SSSD is deliberately left disabled (`services.sssd.enable = false`) at this stage; it is switched on in the third part, once the host has joined the domain. Here is the complete configuration:
```nix
{ config, pkgs, ... }:
{
  networking.hostName = "myserver";
  networking.domain = "server.com";

  services.realmd.enable = true;
  programs.oddjobd.enable = true;

  # Enable SSSD
  services.sssd = {
    enable = false;
    config = ''
      [sssd]
      config_file_version = 2
      domains = server.com
      services = nss, pam

      [domain/server.com]
      default_shell = /run/current-system/sw/bin/bash
      krb5_store_password_if_offline = true
      cache_credentials = true
      krb5_realm = SERVER.COM
      realmd_tags = manages-system joined-with-adcli
      id_provider = ad
      fallback_homedir = /home/%u
      ad_domain = server.com
      use_fully_qualified_names = false
      ldap_id_mapping = true
      access_provider = simple
      simple_allow_groups = admins@server.com
      auth_provider = ad
    '';
  };

  environment.etc."krb5.conf".mode = "0644";

  # Enable Kerberos
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        default_realm = "SERVER.COM";
        ticket_lifetime = "24h";
        renew_lifetime = "7d";
        dns_lookup_realm = false;
        udp_preference_limit = "0";
      };
    };
  };

  # Enable PAM
  security.pam.krb5.enable = false;
  security.pam.services = {
    sshd.sssdStrictAccess = true;
    sshd.makeHomeDir = true;
    login.sssdStrictAccess = true;
  };

  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
    # Core
    vim
    # AD
    adcli
    krb5
    realmd
    samba
    sssd
  ];

  # Enable SSH
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = true;
      KbdInteractiveAuthentication = true;
      UsePAM = true;
      PermitEmptyPasswords = false;
    };
  };
}
```
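The settings inside the `services.sssd.config` string are what decide who can log in to this host and how AD identities are mapped to UIDs, so they are worth checking before the configuration is deployed. The following script is an added example (not part of the original post); it parses the same sssd.conf text with Python's `configparser` and flags the access and identity-mapping settings. The sample text is a constructed copy of the configuration above, embedded so the script runs offline.

```python
"""Audit the security-relevant settings of an sssd.conf for an AD-joined host.

Added example, not code from the original post. It parses the same sssd.conf
text that the NixOS services.sssd.config string contains and checks the
settings that decide who may log in and how identities are mapped.
"""
from __future__ import annotations

import configparser

# Constructed sample: the sssd.conf body from the post, embedded so the
# script runs offline.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = server.com
services = nss, pam

[domain/server.com]
default_shell = /run/current-system/sw/bin/bash
krb5_store_password_if_offline = true
cache_credentials = true
krb5_realm = SERVER.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = server.com
use_fully_qualified_names = false
ldap_id_mapping = true
access_provider = simple
simple_allow_groups = admins@server.com
auth_provider = ad
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf (INI syntax) without '%' interpolation."""
    # interpolation=None is essential: values such as fallback_homedir = /home/%u
    # use '%' literally, and configparser's default interpolation rejects them.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(value: str) -> list[str]:
    """Split a comma-separated sssd value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_sssd_conf(text: str) -> dict[str, list[str]]:
    """Return {'errors': [...], 'info': [...]}; empty 'errors' means the checks passed."""
    cp = parse_sssd_conf(text)
    errors: list[str] = []
    info: list[str] = []

    if not cp.has_section("sssd"):
        return {"errors": ["missing [sssd] section"], "info": info}
    services = set(_csv(cp["sssd"].get("services", "")))
    if not {"nss", "pam"} <= services:
        errors.append("[sssd] services must include nss and pam for logins to work")

    for domain in _csv(cp["sssd"].get("domains", "")):
        name = f"domain/{domain}"
        if not cp.has_section(name):
            errors.append(f"domain {domain} is listed but [{name}] is missing")
            continue
        sec = cp[name]

        # Who may log in: with no access_provider, sssd defaults to 'permit'
        # (every account in the directory); 'simple' needs an allow list.
        provider = sec.get("access_provider", "permit").lower()
        if provider == "permit":
            errors.append(f"[{name}] access_provider permits every domain account")
        elif provider == "simple":
            allow = _csv(sec.get("simple_allow_groups", "")) + _csv(sec.get("simple_allow_users", ""))
            if not allow:
                errors.append(f"[{name}] access_provider=simple with an empty allow list")

        # Stable UID/GID mapping: turning it off makes UIDs depend on POSIX
        # attributes in the directory, which may be absent or collide.
        if sec.get("ldap_id_mapping", "true").lower() == "false":
            errors.append(f"[{name}] ldap_id_mapping is disabled")

        # Offline logins keep credential material on the local host; that is a
        # deliberate trade-off (useful for laptops), so it is reported, not failed.
        if sec.get("cache_credentials", "false").lower() == "true":
            info.append(f"[{name}] cache_credentials=true keeps hashed credentials on disk")
        if sec.get("krb5_store_password_if_offline", "false").lower() == "true":
            info.append(f"[{name}] krb5_store_password_if_offline=true keeps the password in the kernel keyring while offline")
    return {"errors": errors, "info": info}


if __name__ == "__main__":
    result = audit_sssd_conf(SAMPLE_SSSD_CONF)
    for level in ("errors", "info"):
        for msg in result[level]:
            print(f"{level}: {msg}")
```

For the configuration in this post the script reports no errors and two informational notes (the two offline-credential settings). Removing the `access_provider` line turns the audit into an error, because SSSD then falls back to permitting every domain account.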
The second part is joining the machine to the domain and authenticating against it (both commands prompt for the administrator password):

```shell
adcli join server.com -U administrator@SERVER.COM
kinit administrator@SERVER.COM
```
The third part is activating SSSD. Now that the host is joined, change `services.sssd.enable` in the configuration from false to true.

From:

```nix
services.sssd = {
  enable = false;
```

To:

```nix
services.sssd = {
  enable = true;
```

Then apply the change:

```shell
nixos-rebuild switch
```
You can now test with:

```shell
realm list
```

Output:

```text
server.com
  type: kerberos
  realm-name: SERVER.COM
  domain-name: server.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: admins@server.com
```
And:

```shell
id my.userad
```

Output:

```text
uid=1994001241(my.userad) gid=1994000513(domain users) groups=1994000513(domain users)
```
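The two outputs above are the evidence that the join worked and that the group restriction is enforced, so they are worth checking mechanically rather than by eye. The following script is an added example (not part of the original post); it parses `realm list` and `id` output and confirms that the host is a Kerberos member of the realm, that logins go through SSSD, that the login policy is `allow-permitted-logins` with the expected group listed, and that the user resolved to a mapped directory UID rather than a local account. The two sample outputs are constructed copies of the ones shown above, embedded so the script runs offline.

```python
"""Check the join state from the outputs of `realm list` and `id`.

Added example, not code from the original post. It parses the two outputs
shown in the post (embedded here as constructed strings so it runs offline)
and confirms that the host is a Kerberos member of the realm, that logins are
handled by SSSD, and that the permitted-groups restriction is in force.
"""
from __future__ import annotations

import re

# Constructed sample: the `realm list` output from the post, with the two-space
# indentation that realm(8) prints.
REALM_LIST_OUTPUT = """\
server.com
  type: kerberos
  realm-name: SERVER.COM
  domain-name: server.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: admins@server.com
"""

# Constructed sample: the `id my.userad` output from the post.
ID_OUTPUT = "uid=1994001241(my.userad) gid=1994000513(domain users) groups=1994000513(domain users)"


def parse_realm_list(text: str) -> dict[str, dict[str, list[str]]]:
    """Map realm name -> property -> values (keys such as required-package repeat)."""
    realms: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if ":" not in stripped:  # a bare realm name opens a new block
            current = realms.setdefault(stripped, {})
            continue
        if current is None:
            raise ValueError(f"property before any realm name: {stripped!r}")
        key, _, value = stripped.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return realms


_ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.+)")


def parse_id(text: str) -> dict[str, object]:
    """Parse id(1) output into uid, user, gid, group and the list of (gid, name) groups."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised id(1) output")
    groups = [(int(g), n) for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(5))]
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "group": m.group(4), "groups": groups}


def check_join(realm_text: str, id_text: str, realm: str, required_group: str) -> list[str]:
    """Return the problems found; an empty list means the join looks right."""
    problems: list[str] = []
    props = parse_realm_list(realm_text).get(realm)
    if props is None:
        return [f"realm {realm} does not appear in `realm list` output"]

    def first(key: str) -> str:
        values = [v for v in props.get(key, []) if v]
        return values[0] if values else ""

    expected = {
        "configured": "kerberos-member",
        "client-software": "sssd",
        # Any other policy means the permitted-groups list is not what gates logins.
        "login-policy": "allow-permitted-logins",
    }
    for key, want in expected.items():
        got = first(key)
        if got != want:
            problems.append(f"{key} is {got or '<unset>'}, expected {want}")
    if required_group not in props.get("permitted-groups", []):
        problems.append(f"permitted-groups does not contain {required_group}")

    ident = parse_id(id_text)
    # Mapped AD identities land far above the local range; a low uid means the
    # name resolved to a local account rather than to the directory.
    if ident["uid"] < 1000:
        problems.append(f"uid {ident['uid']} for {ident['user']} is in the local range")
    return problems


if __name__ == "__main__":
    issues = check_join(REALM_LIST_OUTPUT, ID_OUTPUT, "server.com", "admins@server.com")
    print("join OK" if not issues else "\n".join(issues))
```

On a real host the two constants would be replaced by the live output of `realm list` and `id <user>`; the parser keys on the `name: value` shape rather than on indentation, so it also copes with output whose leading whitespace has been stripped.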
For French users: