# Join the Linux client to the domain

Goal: configure the Debian client `linux01` to authenticate against AD, and validate resolution of AD users and groups.

Standard stack on Debian/Ubuntu/RHEL:

- `realmd`: domain discovery and join
- `sssd`: daemon handling the integration (cache, Kerberos, NSS, PAM)
- `adcli`: low-level AD client
- `krb5`: Kerberos layer

All these packages are baked into the image (see `linux-client/Dockerfile`).

## Start the container

```
docker compose up -d linux01
docker exec -it lab-linux01 bash
```

The entrypoint auto-configures `/etc/resolv.conf` to point at the DC container IP and adds `hosts` overrides for AD names. Check:

```
cat /etc/resolv.conf
tail /etc/hosts
ping -c 2 corp.lab
```

## Domain discovery

Key tool: `realm discover`.

```
realm discover corp.lab
```

You should see structured output with `type: kerberos` and `server-software: active-directory`. If it is empty, check DNS: the DC must answer on port 53 at the IP in use.

## Join

Key tool: `realm join`.

```
realm join -U Administrator corp.lab
# Enter the CORP\Administrator password when asked
```

Under the hood, `realmd`:

1. Creates a `LINUX01` computer account in `CN=Computers`
2. Generates a Kerberos keytab at `/etc/krb5.keytab`
3. Configures `/etc/sssd/sssd.conf`
4. Enables `sssd` as NSS backend and PAM module

## Start sssd

In a container, systemd may be absent. Start sssd directly:

```
sssd --daemon
```

## Validation

NSS resolution:

```
id pmartin@corp.lab
getent passwd pmartin@corp.lab
getent group 'GG_Teaching@corp.lab'
```

You should see:

- a UID assigned by sssd (a large number derived from the SID)
- the AD groups of the user, including AGDLP-nested ones

Kerberos auth:

```
kinit pmartin@CORP.LAB
klist
```

`klist` must show a valid TGT.
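The validation steps above can be wrapped into a repeatable post-join health check. The script below is an added example, not part of the lab's own scripts: every check is a function over command output, so the constructed samples in it (resembling `realm discover`, `id` and `klist` output on `linux01`) exercise it offline, and `sh healthcheck.sh --live` runs the real tools on the joined client. The UID floor of 200000 is sssd's default `ldap_idmap_range_min` and assumes an unmodified `sssd.conf`; `DC_EPOCH` is an assumed environment variable carrying the DC's clock as Unix time.

```shell
#!/bin/sh
# Post-join health check for linux01 (added example, not part of the lab).
# Each check is a function over command output, so the constructed samples
# below exercise it offline; `sh healthcheck.sh --live` runs the real tools.
DOMAIN="corp.lab"
REALM="CORP.LAB"
AD_USER="${AD_USER:-pmartin@corp.lab}"
AD_GROUP="${AD_GROUP:-GG_Teaching@corp.lab}"
MAX_DRIFT=300   # Kerberos rejects requests once client/DC skew exceeds 5 minutes

# realm discover output must show a Kerberos realm served by Active Directory.
discover_ok() {
    printf '%s\n' "$1" | grep -q 'type: kerberos' &&
        printf '%s\n' "$1" | grep -q 'server-software: active-directory'
}

# Clock drift (seconds) between client ($1) and DC ($2) must not exceed MAX_DRIFT.
drift_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$MAX_DRIFT" ]
}

# sssd's AD id-mapping allocates UIDs from 200000 upward by default
# (ldap_idmap_range_min, assumed unchanged); a small UID means a local
# account in /etc/passwd answered instead of the domain.
uid_from_sssd() {
    [ "$1" -ge 200000 ] 2>/dev/null
}

# id(1) output must list the expected AD group; sssd lowercases names
# for the AD provider, so compare case-insensitively.
in_group() {
    printf '%s\n' "$1" | grep -qi "($2)"
}

# klist output must contain a TGT for the realm.
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$REALM@$REALM"
}

# Constructed samples resembling the tools' output on the lab client.
SAMPLE_DISCOVER="corp.lab
  type: kerberos
  realm-name: CORP.LAB
  domain-name: corp.lab
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd"
SAMPLE_ID="uid=1234567(pmartin@corp.lab) gid=1234513(domain users@corp.lab) groups=1234513(domain users@corp.lab),1234601(gg_teaching@corp.lab)"
SAMPLE_KLIST="Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: pmartin@CORP.LAB

Valid starting       Expires              Service principal
01/01/25 10:00:00  01/01/25 20:00:00  krbtgt/CORP.LAB@CORP.LAB"

if [ "${1:-}" = "--live" ]; then
    rc=0
    discover_ok "$(realm discover "$DOMAIN")" || { echo "FAIL: realm discover $DOMAIN"; rc=1; }
    uid_from_sssd "$(id -u "$AD_USER" 2>/dev/null)" || { echo "FAIL: $AD_USER not resolved by sssd"; rc=1; }
    in_group "$(id "$AD_USER" 2>/dev/null)" "$AD_GROUP" || { echo "FAIL: $AD_USER not in $AD_GROUP"; rc=1; }
    has_tgt "$(klist 2>/dev/null)" || { echo "FAIL: no TGT for $REALM (run kinit first)"; rc=1; }
    # DC_EPOCH: the DC's clock as Unix time, captured on the DC; defaults to "no drift".
    drift_ok "$(date +%s)" "${DC_EPOCH:-$(date +%s)}" || { echo "FAIL: clock drift > ${MAX_DRIFT}s"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $AD_USER resolves through sssd and holds a TGT"
    exit "$rc"
fi
```

Feeding the functions text rather than having them call the tools directly is deliberate: the same checks run in CI against captured output, and on the box they consume whatever `realm`, `id` and `klist` print that day.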
## SSH with an AD account

If you enabled SSH in the container (the default with the provided Dockerfile):

```
ssh pmartin@lab-linux01   # or the container IP
```

The home directory is auto-created on first login via `pam_mkhomedir`, configured by the entrypoint.

## Restrict access to specific AD groups

By default, any AD user can log in. To restrict:

```
realm permit -g "GG_Teaching@corp.lab"
```

Or the opposite (deny-all with exceptions) via `/etc/sssd/sssd.conf`.

## Notes

- `realm join` fails with bad DNS, or if the clock drift versus the DC exceeds 5 minutes. Fresh containers inherit the host clock, so this is fine.
- In this lab, DNS resolution is tricky: the DC advertises a non-routable internal IP. We work around this via `/etc/hosts`. In production, the DC is directly reachable on the network.
- `sssd` caches users for 6h by default. To flush: `sss_cache -E` or restart `sssd`.

## Leave the domain

```
realm leave corp.lab
```

This removes the computer account on the DC and the keytab, and disables sssd.

## Next

The lab is fully operational. See `troubleshooting.md` for issues.
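For the access-restriction step in the "Restrict access to specific AD groups" section above, it is worth reading `/etc/sssd/sssd.conf` back rather than trusting that `realm permit` succeeded. The script below is an added example, not part of the lab: it extracts keys from the `[domain/corp.lab]` section and classifies the effective policy. The two embedded `sssd.conf` samples are constructed (one as written by `realm join`, one after `realm permit -g`); `SSSD_CONF` is an assumed override variable for the config path.

```shell
#!/bin/sh
# Audit the login restriction in sssd.conf (added example, not part of the lab).
# `realm permit -g GROUP` switches the domain section to access_provider = simple
# and writes simple_allow_groups; this reads the section back so you can confirm
# the deny-all-with-exceptions posture instead of trusting the command succeeded.
DOMAIN="corp.lab"
CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"   # mode 0600, so run --live as root

# Print the value of key $2 from the [domain/$DOMAIN] section of config text $1.
# Other sections are skipped; "key = value" and "key=value" are both accepted.
domain_option() {
    printf '%s\n' "$1" | awk -v sect="[domain/$DOMAIN]" -v key="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { insect = (trim($0) == sect); next }
        insect && index($0, "=") {
            n = index($0, "=")
            if (trim(substr($0, 1, n - 1)) == key) { print trim(substr($0, n + 1)); exit }
        }'
}

# Classify the effective access policy. Exit 0 when logins are restricted to
# an explicit allow list or LDAP filter, 1 when any enabled AD account may log in.
# (GPO-based control via ad_gpo_access_control is not considered here.)
access_policy() {
    case "$(domain_option "$1" access_provider)" in
        simple)
            g=$(domain_option "$1" simple_allow_groups)
            u=$(domain_option "$1" simple_allow_users)
            if [ -n "$g$u" ]; then
                echo "restricted: groups=[$g] users=[$u]"; return 0
            fi
            echo "open: simple provider with no allow list"; return 1 ;;
        ad)
            f=$(domain_option "$1" ad_access_filter)
            if [ -n "$f" ]; then echo "restricted: ldap filter $f"; return 0; fi
            echo "open: any enabled AD account may log in"; return 1 ;;
        *)  echo "open: no recognised access_provider"; return 1 ;;
    esac
}

# Constructed sssd.conf samples: what realm join writes, and the same file
# after realm permit -g "GG_Teaching@corp.lab".
SAMPLE_AFTER_JOIN="[sssd]
domains = corp.lab
config_file_version = 2
services = nss, pam

[domain/corp.lab]
ad_domain = corp.lab
krb5_realm = CORP.LAB
cache_credentials = True
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad"

SAMPLE_AFTER_PERMIT="[sssd]
domains = corp.lab
config_file_version = 2
services = nss, pam

[domain/corp.lab]
ad_domain = corp.lab
krb5_realm = CORP.LAB
cache_credentials = True
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = gg_teaching@corp.lab"

if [ "${1:-}" = "--live" ]; then
    access_policy "$(cat "$CONF")"
fi
```

Run `sh audit-access.sh --live` after `realm permit`; a non-zero exit means the host is still open to every enabled AD account, which is the state `realm join` leaves it in.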