Lab_AD_Complet/docs/etudiant/en/07-join-linux-client.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


# Join the Linux client to the domain
Goal: configure the Debian client `linux01` to authenticate against AD, and
validate resolution of AD users and groups.
Standard stack on Debian/Ubuntu/RHEL:
- `realmd`: domain discovery and join
- `sssd`: daemon handling the integration (cache, Kerberos, NSS, PAM)
- `adcli`: low-level AD client
- `krb5`: Kerberos layer
All these packages are baked into the image (see `linux-client/Dockerfile`).
## Start the container
```
docker compose up -d linux01
docker exec -it lab-linux01 bash
```
The entrypoint auto-configures `/etc/resolv.conf` to point at the DC container
IP and adds `hosts` overrides for AD names.
Check:
```
cat /etc/resolv.conf
tail /etc/hosts
ping -c 2 corp.lab
```
## Domain discovery
Key tool: `realm discover`.
```
realm discover corp.lab
```
You should see structured output with `type: kerberos` and
`server-software: active-directory`.
If the output is empty, check DNS: the DC must answer queries on port 53 at the IP written in `/etc/resolv.conf`, since discovery relies on the domain's SRV records (`_ldap._tcp`, `_kerberos._tcp`).
## Join
Key tool: `realm join`.
```
realm join -U Administrator corp.lab
# Enter CORP\Administrator password when asked
```
Under the hood, `realmd`:
1. Creates a `LINUX01` computer account in `CN=Computers`
2. Generates a Kerberos keytab at `/etc/krb5.keytab`
3. Configures `/etc/sssd/sssd.conf`
4. Enables `sssd` as NSS backend and PAM module
## Start sssd
In a container there is usually no systemd, so `realm join` cannot start the service itself. Start sssd directly; it refuses to start unless `/etc/sssd/sssd.conf` is owned by root with mode 0600:
```
sssd --daemon
```
## Validation
NSS resolution:
```
id pmartin@corp.lab
getent passwd pmartin@corp.lab
getent group 'GG_Teaching@corp.lab'
```
You should see:
- a UID assigned by sssd: with the default ID mapping it is derived from the SID (the domain SID is hashed to a slice of 200000 IDs starting at 200000, and the user's RID is added), so the same user gets the same UID on every client with the same settings
- the AD groups of the user, including AGDLP-nested ones
Kerberos auth:
```
kinit pmartin@CORP.LAB
klist
```
`klist` must show a valid TGT.
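The checks above can be scripted. The script below is an added example for this page, not a file from the lab repository: the small functions only parse text (so they run against the constructed samples at the end), while the live commands (`realm`, `stat`, `klist`, `id`, `kinit`) run only when `RUN_LIVE=1` is set inside the joined container. It assumes sssd's default ID mapping is unchanged and uses the lab's own names (`corp.lab`, `pmartin`, `GG_Teaching`, `linux01`); the `RUN_LIVE` switch and the function names are this example's.

```bash
#!/usr/bin/env bash
# check_join.sh - post-join checks for linux01 (added example, not lab code).
set -eu

REALM="CORP.LAB"               # Kerberos realm of the lab domain corp.lab
TEST_USER="pmartin@corp.lab"
TEST_GROUP="GG_Teaching@corp.lab"

# `realm discover` output on stdin: succeed only if it describes a Kerberos
# realm whose server software is Active Directory.
discover_ok() {
    local type="" sw=""
    while IFS= read -r line; do
        case "$line" in
            *"type: kerberos"*)                    type=kerberos ;;
            *"server-software: active-directory"*) sw=ad ;;
        esac
    done
    [ "$type" = kerberos ] && [ "$sw" = ad ]
}

# `id` output on stdin: succeed if the user is a member of group $1.
# sssd prints AD names lowercased, hence the case-insensitive match.
has_group() {
    grep -qiF "($1)"
}

# sssd default ID mapping (assumption: ldap_id_mapping defaults unchanged):
# the domain SID is hashed to a slice of 200000 IDs starting at 200000 and
# the UID is slice base + RID. So every AD UID lies in [200000, 2000200000)
# and the RID is recoverable modulo the slice size.
in_idmap_range() {
    [ "$1" -ge 200000 ] && [ "$1" -lt 2000200000 ]
}
rid_from_uid() {
    echo $(( ($1 - 200000) % 200000 ))
}

# Kerberos tolerates at most 5 minutes of skew between client and KDC.
# Arguments: local epoch seconds, DC epoch seconds.
drift_ok() {
    local d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le 300 ]
}

# The keytab holds the machine account's keys: it must be root-only.
# Argument: octal mode as printed by `stat -c %a`.
keytab_mode_ok() {
    [ "$1" = 600 ] || [ "$1" = 400 ]
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    realm discover corp.lab | discover_ok \
        || { echo "discovery failed: check /etc/resolv.conf and port 53 on the DC"; exit 1; }

    keytab_mode_ok "$(stat -c %a /etc/krb5.keytab)" \
        || { echo "/etc/krb5.keytab is not root-only: chmod 600 it"; exit 1; }

    # The computer account principal (LINUX01$@CORP.LAB) must be in the keytab.
    host="$(hostname -s | tr '[:lower:]' '[:upper:]')"
    klist -k /etc/krb5.keytab | grep -qF "${host}\$@${REALM}" \
        || { echo "machine principal missing from keytab: rejoin"; exit 1; }

    uid="$(id -u "$TEST_USER")"
    in_idmap_range "$uid" \
        || echo "warning: uid $uid is outside sssd's default id-mapping range"
    echo "$TEST_USER -> uid $uid (RID $(rid_from_uid "$uid"))"

    id "$TEST_USER" | has_group "$TEST_GROUP" \
        || echo "warning: $TEST_USER not seen in $TEST_GROUP (nesting or stale cache?)"

    # Kerberos check with the machine keytab: no password prompt needed.
    kinit -k "${host}\$@${REALM}" && klist
fi
```

Run it as `RUN_LIVE=1 bash check_join.sh` inside `lab-linux01` after `sssd --daemon`. The keytab login with `kinit -k` is the useful part: it proves the computer account and its keys match what the DC holds, independently of any user password.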
## SSH with an AD account
If you enabled SSH in the container (default with the provided Dockerfile):
```
ssh pmartin@lab-linux01
# or the container IP
```
If `/etc/sssd/sssd.conf` kept realmd's default `use_fully_qualified_names = True`
(the validation commands above use qualified names), the login name must be
qualified as well: `pmartin@corp.lab` instead of `pmartin`.
The home directory is auto-created on first login via `pam_mkhomedir`
configured by the entrypoint.
## Restrict access to specific AD groups
By default, any AD user can log in. To restrict:
```
realm permit -g "GG_Teaching@corp.lab"
```
This writes `access_provider = simple` and `simple_allow_groups` into
`/etc/sssd/sssd.conf`. For finer rules (deny lists, LDAP filters) edit that
file directly, then flush the cache and restart `sssd`.
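The same restriction written by hand in `/etc/sssd/sssd.conf`, as an added example (not a file from the lab): option A is what `realm permit -g` generates, with a deny list added; option B keeps the AD access provider and filters with an LDAP query instead. The `guest@corp.lab` user and the `OU=Groups` location of the group are assumptions.

```ini
[domain/corp.lab]
# Option A: what `realm permit -g GG_Teaching@corp.lab` writes. Once an allow
# list exists the simple provider denies everyone else at the PAM account
# stage, even with a valid password or TGT. Deny lists win over allow lists.
access_provider = simple
simple_allow_groups = GG_Teaching@corp.lab
simple_deny_users = guest@corp.lab

# Option B (comment out A first): keep the AD provider and filter with LDAP.
# The matching-rule OID walks nested membership, so AGDLP nesting still works.
# The group DN below is an assumed location for this lab.
# access_provider = ad
# ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=GG_Teaching,OU=Groups,DC=corp,DC=lab)
```

Keep the file at mode 0600 or sssd will not start. After editing, run `sss_cache -E` and restart `sssd`, then test with a user outside the group: `getent passwd` still resolves them (NSS is unaffected), but `ssh` must refuse the login. `realm permit --all` reopens access to every AD user; `realm deny --all` closes it completely.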
## Notes
- `realm join` fails with bad DNS, or if clock drift vs the DC exceeds 5 minutes
(Kerberos reports `Clock skew too great`). Containers share the host kernel
clock, so linux01 is fine; the Windows VM inside the DC container keeps its own
clock, so check the DC's time if you see that error.
- Joining does not need a Domain Admin: by default any authenticated user can
create up to 10 computer accounts (`ms-DS-MachineAccountQuota`). The lab uses
Administrator only for simplicity.
- `/etc/krb5.keytab` holds the machine account's keys; keep it root-only (0600).
- In this lab, DNS resolution is tricky: the DC advertises a non-routable
internal IP. We work around it via `/etc/hosts`. In production, the DC is
directly reachable on the network.
- `sssd` caches entries for 90 minutes by default (`entry_cache_timeout = 5400`).
To flush: `sss_cache -E` or restart `sssd`.
## Leave the domain
```
realm leave corp.lab
```
Removes the computer account on the DC, deletes the keytab and disables sssd.
Check in Active Directory Users and Computers that `LINUX01` is gone from
`Computers`: a leftover computer object is an orphaned credential and should be
deleted by hand.
## Next
The lab is fully operational. See `troubleshooting.md` for issues.