Linux/Windows VMs integration with Active Directory


(Alex W) #1

Hello,

We already have Sunstone authenticating against AD with no problem; now I’m working on the next step: having our VMs’ (Linux/Windows) login sessions authenticated against AD.

For Windows VMs, I’m assuming that the AD bind process can be handled by the contextualization PowerShell scripts and for that I’d need to hard-code an AD account/password with admin-like powers in the scripts.
Is that right? Would there be a better option, like keeping the account/password pair as context variables and passing them to the PowerShell script? (Our users will not have access to the VM templates.)

How about Ubuntu/CentOS VMs?
The Linux/AD integration solutions that I’ve found so far rely on binding the VM to AD by means of Kerberos, which requires an admin-like AD account to interactively handle the binding process, and, in the end, an actual computer account gets created in AD. This, I think, defeats the purpose of “self-service” provisioning and could leave garbage machine accounts in AD…
I’m trying to find a possible solution, maybe using the LDAP client, where the Linux machine would just forward authentication requests to AD without actually having to create a computer account.

Would anybody be able to share his/her experience regarding my Linux/AD “issue”? Or refer me to a document that would help me figure out how to implement a solution?

By the way: we have OpenNebula 5.4.6 (with plans to update to 5.4.12 soon).

Thanks a lot for any insight,

Alex


(Alex W) #2

So, nobody in this community has ever had to work on or implement a similar solution?

It’s hard to think that we are the only ones trying to get something like this working…

Regards,

Alex


(Ulrich P.) #3

Hi AlexW,

we are using Ansible and a dynamic inventory running against the OpenNebula Frontend (but any other CM tool should be able to do the same) to pick up the VMs and join them to our domain. All password management is done within Ansible (Vault). To be honest, it takes a little effort to learn it, but if you have the chance and the time, I would highly recommend looking into it…
Ansible works for Windows, Ubuntu and CentOS.

Best Regards
Uli


(Alex W) #4

Hello Ulrich,

Thank you for the tip…!
I’ll start reading about that (Ansible) and see how it could help us.

The way you’re using it, is it capable of detecting when a VM is instantiated/deleted by one of the self-service portal users and then binding/unbinding the VM to/from Active Directory?

Regards,

Alex


(Vadim Tsaplin) #5

Hello.
We use Unix Attributes in Active Directory, and the pam-ldap and libnss-ldap packages on the Linux VMs. This procedure doesn’t require adding the machine to Active Directory. We provision it with Ansible.


(Alex W) #6

Hello Vadim,

Could you share which documentation you followed to achieve the pam-ldap/libnss-ldap solution? (And on which flavor of Linux do you have it working? We have CentOS/Ubuntu.)

Like I said in my first message, I would prefer not having to join the VMs to AD, for the sake of making the whole process cleaner/simpler.

Thanks a lot,

Alex


(Igor) #7

Hi,
read the documentation about FreeIPA, a good solution for Linux VMs.

Bye


(Vadim Tsaplin) #8

Sorry for the long answer.
We use Ubuntu 14-16 and Debian 8-9.
You need to fill in the Unix attributes in Active Directory; we use the RFC3207 schema.
For group:
gidNumber
MemberUid
For user:
uidNumber
loginshell
unixHomeDirectory
gidNumber

Now you can work with it.

root@host:~# apt-get install libnss-ldap libpam-ldap nscd

/etc/ldap/ldap.conf
BASE dc=domain, dc=ru
URI ldap://ldap.domain.ru/

/etc/ldap.conf (Ubuntu) or /etc/libnss-ldap.conf and /etc/pam_ldap.conf (Debian)
base dc=domain,dc=ru
uri ldap://ldap.domain.ru/
ldap_version 3
#Useraccount for binding
binddn ldaprequest@domain.ru
#Not secret for all employees
bindpw *********
scope one
bind_policy hard
nss_base_passwd ou=domain,dc=ru?sub
nss_base_group ou=domain,dc=ru?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
ssl no
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,proxy,puppet,root,sshd,sync,sys,syslog,uucp,www-data

/etc/nsswitch.conf
passwd: compat ldap [UNAVAIL=return]
group: compat ldap [UNAVAIL=return]
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/usr/share/pam-configs/ldap
Name: LDAP Authentication
Default: yes
Priority: 128
Auth-Type: Primary
Auth-Initial:
[success=end default=ignore] pam_ldap.so
Auth:
[success=end default=ignore] pam_ldap.so use_first_pass
Account-Type: Primary
Account:
[success=end default=ignore] pam_ldap.so
Password-Type: Primary
Password-Initial:
[success=end user_unknown=ignore default=die] pam_ldap.so
Password:
[success=end user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
Session-Type: Additional
Session:
optional pam_mkhomedir.so skel=/etc/skel
optional pam_ldap.so

/etc/pam.d/login
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

root@host:~# pam-auth-update
root@host:~# service nscd restart
root@host:~# id USERNAME

You can add this to the template or use Ansible.
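As an added example, not part of this thread or of any poster's setup, the following Python script audits a pam_ldap/nss_ldap style configuration like the one shown in post #8 for the settings a defender would want to catch before rolling it out to self-service VMs: a plain ldap:// URI with "ssl no" (the bind password and every user's login password cross the network in cleartext), a bindpw kept in a world-readable config file, "pam_password ad" without TLS (AD refuses password changes over an unencrypted connection), and a disabled server-certificate check. The two configuration texts are constructed samples with placeholder host, DN and account names; the rootbinddn/secret-file mechanism named in the comments is pam_ldap's own, the hardened values are assumptions for illustration.

```python
"""Audit pam_ldap / nss_ldap style settings for weak transport and credential handling.

Added example; config texts below are constructed, not taken from a real host.
"""
from dataclasses import dataclass

# Constructed sample mirroring the shape of the configuration in post #8.
WEAK_CONF = """\
base dc=domain,dc=ru
uri ldap://ldap.domain.ru/
ldap_version 3
#Useraccount for binding
binddn ldaprequest@domain.ru
bindpw placeholder-not-a-real-secret
scope one
bind_policy hard
pam_login_attribute sAMAccountName
pam_password ad
ssl no
"""

# Constructed hardened variant (assumed values): LDAPS with a verified server
# certificate, and no bind secret in the file. pam_ldap's rootbinddn reads its
# password from a root-only secret file (/etc/ldap.secret or the distribution's
# equivalent) instead of from this world-readable config.
HARDENED_CONF = """\
base dc=domain,dc=ru
uri ldaps://ldap.domain.ru/
ldap_version 3
binddn ldaprequest@domain.ru
rootbinddn cn=pam-svc,ou=service,dc=domain,dc=ru
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/domain-ca.pem
pam_login_attribute sAMAccountName
pam_password ad
"""


@dataclass(frozen=True)
class Finding:
    key: str       # stable identifier, handy for asserting or for ticketing
    message: str   # what is wrong and what to change


def parse_conf(text: str) -> dict[str, str]:
    """Parse 'key value' lines; blank lines and '#' comments are skipped,
    keys are lowercased, and a repeated key keeps its last value."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def transport_is_encrypted(conf: dict[str, str]) -> bool:
    """LDAPS URI, or an explicit 'ssl on/yes/start_tls', means the session is protected."""
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "no").lower()
    return uri.startswith("ldaps://") or ssl in ("on", "yes", "start_tls")


def audit(conf: dict[str, str]) -> list[Finding]:
    """Return the weak settings found; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    encrypted = transport_is_encrypted(conf)

    if not encrypted:
        findings.append(Finding(
            "cleartext-ldap",
            "uri is ldap:// and ssl is not enabled: the bindpw and every user's "
            "login password are sent in cleartext; use ldaps:// or 'ssl start_tls' "
            "with tls_cacertfile."))

    if "bindpw" in conf:
        findings.append(Finding(
            "bindpw-in-config",
            "bindpw is stored in the config file, which nss_ldap requires to be "
            "world-readable; keep the bind account read-only and least-privileged, "
            "and use rootbinddn with the root-only secret file for the PAM side."))

    if conf.get("pam_password", "").lower() == "ad" and not encrypted:
        findings.append(Finding(
            "ad-pwchange-needs-tls",
            "pam_password ad requires a TLS-protected connection: Active Directory "
            "rejects password changes over an unencrypted session."))

    if encrypted and conf.get("tls_checkpeer", "yes").lower() in ("no", "off"):
        findings.append(Finding(
            "tls-no-peer-check",
            "tls_checkpeer is off: the server certificate is not verified, so an "
            "on-path server can impersonate the directory."))

    if conf.get("ldap_version", "3") != "3":
        findings.append(Finding(
            "old-ldap-version",
            "ldap_version should be 3; older protocol versions lack StartTLS."))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit(parse_conf(text))
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.key}] {f.message}")
```

Run it as-is to see the weak sample produce three findings and the hardened sample none; point `parse_conf` at the contents of /etc/ldap.conf (or /etc/pam_ldap.conf and /etc/libnss-ldap.conf on Debian) to check a real VM, and wire the same function into the Ansible role that ships the file so a regression is caught at deploy time.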