Lab_AD_Complet/docs/etudiant/en/07-join-linux-client.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


Join the Linux client to the domain

Goal: configure the Debian client linux01 to authenticate against AD, and validate resolution of AD users and groups.

Standard stack on Debian/Ubuntu/RHEL:

  • realmd: domain discovery and join
  • sssd: daemon handling the integration (cache, Kerberos, NSS, PAM)
  • adcli: low-level AD client
  • krb5: Kerberos layer

All these packages are baked into the image (see linux-client/Dockerfile).

Start the container

docker compose up -d linux01
docker exec -it lab-linux01 bash

The entrypoint auto-configures /etc/resolv.conf to point at the DC container IP and adds hosts overrides for AD names.

Check:

cat /etc/resolv.conf
tail /etc/hosts
ping -c 2 corp.lab

Domain discovery

Key tool: realm discover.

realm discover corp.lab

You should see structured output with type: kerberos and server-software: active-directory.

If the output is empty, check DNS: the DC must answer on port 53 at the IP configured in /etc/resolv.conf.

Join

Key tool: realm join.

realm join -U Administrator corp.lab
# Enter CORP\Administrator password when asked

Under the hood, realmd:

  1. Creates a LINUX01 computer account in CN=Computers
  2. Generates a Kerberos keytab at /etc/krb5.keytab
  3. Configures /etc/sssd/sssd.conf
  4. Enables sssd as NSS backend and PAM module

Start sssd

In a container, systemd may be absent. Start sssd directly:

sssd --daemon

Validation

NSS resolution:

id pmartin@corp.lab
getent passwd pmartin@corp.lab
getent group 'GG_Teaching@corp.lab'

You should see:

  • a UID assigned by sssd (large number derived from the SID)
  • the AD groups of the user, including AGDLP-nested ones

Kerberos auth:

kinit pmartin@CORP.LAB
klist

klist must show a valid TGT.
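The discovery and validation steps above can be checked mechanically. The following script is an added example, not part of the lab's own scripts: it parses the output of realm discover, getent passwd and klist and reports whether each looks the way a successful join produces it. The three sample outputs are constructed so the checks run offline; check_live runs the same checks against the real commands on linux01. The UID threshold of 200000 is sssd's default ldap_idmap_range_min.

```shell
#!/bin/sh
# Added example (not the lab's own code): sanity checks for the join.
# The SAMPLE_* values are constructed outputs, used only for offline testing.

# Constructed sample of "realm discover corp.lab" output.
SAMPLE_DISCOVER='corp.lab
  type: kerberos
  realm-name: CORP.LAB
  domain-name: corp.lab
  configured: no
  server-software: active-directory
  client-software: sssd'

# Constructed sample of "getent passwd pmartin@corp.lab" output.
SAMPLE_PASSWD='pmartin@corp.lab:*:1234567890:1234567890:Pierre Martin:/home/pmartin@corp.lab:/bin/bash'

# Constructed sample of "klist" output holding a valid TGT.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pmartin@CORP.LAB

Valid starting       Expires              Service principal
04/17/2026 11:30:00  04/17/2026 21:30:00  krbtgt/CORP.LAB@CORP.LAB'

# Returns 0 when the discover output describes a Kerberos realm served by AD.
discover_is_ad() {
    printf '%s\n' "$1" | grep -q '^ *type: kerberos$' &&
    printf '%s\n' "$1" | grep -q '^ *server-software: active-directory$'
}

# Returns 0 when the passwd entry's UID lies in sssd's default ID-mapping
# range (ldap_idmap_range_min = 200000 upward), i.e. the user came from AD
# through sssd rather than from the local /etc/passwd.
passwd_uid_is_mapped() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$uid" -ge 200000 ] 2>/dev/null
}

# Returns 0 when klist output contains a TGT (krbtgt/REALM@REALM) for $2.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Run the same checks against the live system (only meaningful on a joined
# linux01 after kinit). Each failure names the step of the procedure to revisit.
check_live() {
    discover_is_ad "$(realm discover corp.lab 2>/dev/null)" ||
        { echo "realm discover: no AD realm found, check DNS"; return 1; }
    passwd_uid_is_mapped "$(getent passwd pmartin@corp.lab 2>/dev/null)" ||
        { echo "getent: pmartin@corp.lab not resolved via sssd, is sssd running?"; return 1; }
    klist_has_tgt "$(klist 2>/dev/null)" CORP.LAB ||
        { echo "klist: no TGT for CORP.LAB, run kinit first"; return 1; }
    echo "all checks passed"
}
```

Run check_live inside the container once sssd is up; the offline functions are also handy for comparing a student's pasted output against the expected shape.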

SSH with an AD account

If you enabled SSH in the container (default with the provided Dockerfile):

ssh pmartin@lab-linux01
# or the container IP

The home directory is auto-created on first login via pam_mkhomedir configured by the entrypoint.

Restrict access to specific AD groups

By default, any AD user can log in. To restrict:

realm permit -g "GG_Teaching@corp.lab"

Or invert the policy (deny everyone, then permit exceptions) by editing /etc/sssd/sssd.conf.
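To make the allow-list explicit, here is an added example (not the lab's entrypoint or realmd's own code) that renders the sssd.conf settings realm permit -g relies on, the simple access provider with simple_allow_groups, and checks whether a given sssd.conf actually carries such a restriction or is still open to every AD user. The domain section name and group names are the lab's; the file checked in the offline test is a constructed temporary file, not the live /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not the lab's own code): render and verify an sssd
# allow-list. Assumes the domain section is [domain/corp.lab], as realmd
# names it for this lab.

DOMAIN=corp.lab

# Print the access-control lines for the domain section. Every AD user who is
# not a member of one of the given groups is refused at the PAM account stage.
render_access_block() {
    printf '[domain/%s]\n' "$DOMAIN"
    printf 'access_provider = simple\n'
    groups=""
    for g in "$@"; do
        groups="${groups:+$groups, }$g"
    done
    printf 'simple_allow_groups = %s\n' "$groups"
}

# Returns 0 when the sssd.conf at $1 restricts logins with the simple
# provider and a non-empty allow-list, 1 when it is open (any AD user).
# Leading whitespace and spaces around "=" are tolerated, as sssd does.
sssd_conf_restricts() {
    grep -Eq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*simple' "$1" &&
    grep -Eq '^[[:space:]]*simple_allow_(groups|users)[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Report the effective policy of a config file in one line.
describe_policy() {
    if sssd_conf_restricts "$1"; then
        echo "restricted: $(grep -E '^[[:space:]]*simple_allow_' "$1" | tr '\n' ' ')"
    else
        echo "open: any AD user can log in"
    fi
}
```

After changing the file, flush the cache with sss_cache -E (or restart sssd) so that a user already cached as allowed is re-evaluated on the next login.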

Notes

  • realm join fails when DNS is wrong, or when the clock drifts more than 5 minutes from the DC (Kerberos rejects such requests). Fresh containers inherit the host clock, so this is normally fine.
  • In this lab, DNS resolution is tricky: the DC advertises a non-routable internal IP. We work around it via /etc/hosts. In production, the DC is directly reachable on the network.
  • sssd caches users for 6h by default. To flush the cache, run sss_cache -E or restart sssd.

Leave the domain

realm leave corp.lab

This removes the computer account on the DC and the keytab, and disables sssd.

Next

The lab is fully operational. See troubleshooting.md for issues.