How to Join an Active Directory with NixOS

Hello,

Here’s how to create a connection to an Active Directory with NixOS.

The first part is activating krb5 with SSSD still disabled, then applying the configuration:

nixos-rebuild switch

Here is the complete configuration:

{ config, pkgs, ... }:

{
  networking.hostName = "myserver";
  networking.domain = "server.com";

  services.realmd.enable = true;
  programs.oddjobd.enable = true;

  # Enable SSSD
  services.sssd = {
    enable = false;
    config = ''
      [sssd]
      config_file_version = 2
      domains = server.com
      services = nss, pam

      [domain/server.com]
      default_shell = /run/current-system/sw/bin/bash
      krb5_store_password_if_offline = true
      cache_credentials = true
      krb5_realm = SERVER.COM
      realmd_tags = manages-system joined-with-adcli
      id_provider = ad
      fallback_homedir = /home/%u
      ad_domain = server.com
      use_fully_qualified_names = false
      ldap_id_mapping = true
      access_provider = simple
      simple_allow_groups = admins@server.com
      auth_provider = ad
    '';
  };

  environment.etc."krb5.conf".mode = "0644";

  # Enable Kerberos
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        default_realm = "SERVER.COM";
        ticket_lifetime = "24h";
        renew_lifetime = "7d";
        dns_lookup_realm = false;
        udp_preference_limit = "0";
      };
    };
  };

  # Enable PAM
  security.pam.krb5.enable = false;
  security.pam.services = {
    sshd.sssdStrictAccess = true;
    sshd.makeHomeDir = true;
    login.sssdStrictAccess = true;
  };

  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
    # Core
    vim
    # AD
    adcli
    krb5
    realmd
    samba
    sssd
  ];

  # Enable SSH
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = true;
      KbdInteractiveAuthentication = true;
      UsePAM = true;
      PermitEmptyPasswords = false;
    };
  };

}

The second part is joining the domain and obtaining a Kerberos ticket:

adcli join server.com -U administrator@SERVER.COM
kinit administrator@SERVER.COM

The third part is activating SSSD:

Now that the host is joined, modify the configuration to set SSSD to true.

From:

services.sssd = {
  enable = false;

To:

services.sssd = {
  enable = true;

Then apply the change:

nixos-rebuild switch

You can now test with:

realm list

Output:

server.com
  type: kerberos
  realm-name: SERVER.COM
  domain-name: server.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins: 
  permitted-groups: admins@server.com

And:

id my.userad

Output:

uid=1994001241(my.userad) gid=1994000513(domain users) groups=1994000513(domain users)
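Once the host is joined, it is worth checking that `realm list` really reports the state this post expects (a Kerberos member using sssd, with logins restricted to the admins group) before relying on it for SSH access. The following POSIX sh check is an added example, not part of the original post; it embeds the `realm list` output shown above as a constructed sample so it runs offline, and the group name comes from the post's sssd config.

```shell
# Constructed sample: the `realm list` output from the post, embedded so the
# check can run without a joined host. On a real host pass "$(realm list)".
SAMPLE_REALM_LIST='server.com
  type: kerberos
  realm-name: SERVER.COM
  domain-name: server.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: admins@server.com'

# realm_field OUTPUT KEY: print the value of an indented "  key: value" line
# (empty output if the key is absent).
realm_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# check_realm_output OUTPUT GROUP: succeed only if the host is joined as a
# Kerberos member, uses sssd as client software, restricts logins to permitted
# entries, and lists GROUP among the permitted groups. Prints the first failure.
check_realm_output() {
  out=$1
  group=$2
  [ "$(realm_field "$out" configured)" = "kerberos-member" ] \
    || { echo "not joined as kerberos-member"; return 1; }
  [ "$(realm_field "$out" client-software)" = "sssd" ] \
    || { echo "client-software is not sssd"; return 1; }
  [ "$(realm_field "$out" login-policy)" = "allow-permitted-logins" ] \
    || { echo "login-policy does not restrict logins"; return 1; }
  # permitted-groups may list several space-separated groups
  case " $(realm_field "$out" permitted-groups) " in
    *" $group "*) ;;
    *) echo "group $group is not in permitted-groups"; return 1 ;;
  esac
  echo "ok"
}
```

Run it as `check_realm_output "$(realm list)" admins@server.com` on the joined host; a non-zero exit means the access policy is not what the configuration above intended.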
