Hello,
Here is how to join a NixOS machine to an Active Directory domain.
The first part comes down to enabling krb5:
nixos-rebuild switch
Here is the full configuration:
{ config, pkgs, ... }:
{
  networking.hostName = "myserver";
  networking.domain = "server.com";
  services.realmd.enable = true;
  programs.oddjobd.enable = true;

  # Enable SSSD
  services.sssd = {
    enable = false;
    config = ''
      [sssd]
      config_file_version = 2
      domains = server.com
      services = nss, pam

      [domain/server.com]
      default_shell = /run/current-system/sw/bin/bash
      krb5_store_password_if_offline = true
      cache_credentials = true
      krb5_realm = SERVER.COM
      realmd_tags = manages-system joined-with-adcli
      id_provider = ad
      fallback_homedir = /home/%u
      ad_domain = server.com
      use_fully_qualified_names = false
      ldap_id_mapping = true
      access_provider = simple
      simple_allow_groups = admins@server.com
      auth_provider = ad
    '';
  };
  environment.etc."krb5.conf".mode = "0644";

  # Enable Kerberos
  security.krb5 = {
    enable = true;
    settings = {
      libdefaults = {
        default_realm = "SERVER.COM";
        ticket_lifetime = "24h";
        renew_lifetime = "7d";
        dns_lookup_realm = false;
        udp_preference_limit = "0";
      };
    };
  };

  # Enable PAM
  security.pam.krb5.enable = false;
  security.pam.services = {
    sshd.sssdStrictAccess = true;
    sshd.makeHomeDir = true;
    login.sssdStrictAccess = true;
  };

  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
    # Core
    vim
    # AD
    adcli
    krb5
    realmd
    samba
    sssd
  ];

  # Enable SSH
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = true;
      KbdInteractiveAuthentication = true;
      UsePAM = true;
      PermitEmptyPasswords = false;
    };
  };
}
The second part is to initiate authentication:
adcli join server.com -U administrator@SERVER.COM
kinit administrator@SERVER.COM
The third part is enabling SSSD:
Now you can change the configuration to switch sssd to true, from
services.sssd = {
  enable = false;
to
services.sssd = {
  enable = true;
then apply the change:
nixos-rebuild switch
You can now test with:
realm list
server.com
type: kerberos
realm-name: SERVER.COM
domain-name: server.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: admins@server.com
and
id my.userad
uid=1994001241(my.userad) gid=1994000513(domain users) groups=1994000513(domain users)
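As an added example (not part of the original post), here is a POSIX shell script that turns the two manual checks above, realm list and id, into pass/fail tests you can run after the final nixos-rebuild switch. It checks that the host is a kerberos-member handled by sssd, that login-policy is allow-permitted-logins with admins@server.com among the permitted groups (matching access_provider = simple and simple_allow_groups in the SSSD config above), and that the user's primary gid comes from the AD id-mapping range rather than a local group. The embedded sample outputs are constructed copies of the two results shown in the post; IDMAP_RANGE_MIN = 200000 is assumed to be SSSD's default ldap_idmap_range_min, and the function names are made up for this example.

```shell
#!/bin/sh
# Added post-join sanity checks for the SSSD + Kerberos setup described
# above. Not from the original post; sample outputs are constructed copies
# of the `realm list` and `id` results shown there.

# Constructed sample: what `realm list` printed after the join.
SAMPLE_REALM_LIST='server.com
  type: kerberos
  realm-name: SERVER.COM
  domain-name: server.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: admins@server.com'

# Constructed sample: what `id my.userad` printed.
SAMPLE_ID='uid=1994001241(my.userad) gid=1994000513(domain users) groups=1994000513(domain users)'

# Assumption: SSSD's default ldap_idmap_range_min. A primary gid below this
# would come from /etc/group, not from AD id mapping (ldap_id_mapping = true).
IDMAP_RANGE_MIN=200000

# realm_field OUTPUT KEY: print the value of the first "KEY: value" line.
realm_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_realm OUTPUT GROUP: succeed only if the host is a kerberos-member
# served by sssd, logins are restricted, and GROUP is a permitted group.
# Returns 1..4 to say which check failed.
check_realm() {
  _out=$1
  _group=$2
  [ "$(realm_field "$_out" configured)" = "kerberos-member" ] || return 1
  [ "$(realm_field "$_out" client-software)" = "sssd" ] || return 2
  [ "$(realm_field "$_out" login-policy)" = "allow-permitted-logins" ] || return 3
  case " $(realm_field "$_out" permitted-groups) " in
    *" $_group "*) return 0 ;;
    *) return 4 ;;
  esac
}

# id_primary_gid ID_OUTPUT: extract the numeric gid from "gid=NNN(name)".
id_primary_gid() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\)(.*/\1/p'
}

# check_id ID_OUTPUT: succeed if the primary gid lies in the AD id-mapping
# range, i.e. the account was resolved through SSSD rather than locally.
check_id() {
  _gid=$(id_primary_gid "$1")
  [ -n "$_gid" ] || return 1
  [ "$_gid" -ge "$IDMAP_RANGE_MIN" ] || return 2
}

# report NAME STATUS: print one line per check; never aborts the script.
report() {
  if [ "$2" -eq 0 ]; then
    printf 'PASS %s\n' "$1"
  else
    printf 'FAIL %s (code %s)\n' "$1" "$2"
  fi
}

main() {
  # Use the live realm output when the tool is present, else the sample.
  if command -v realm >/dev/null 2>&1; then
    realm_out=$(realm list)
  else
    realm_out=$SAMPLE_REALM_LIST
  fi
  id_out=$SAMPLE_ID
  check_realm "$realm_out" admins@server.com
  report "realm joined via sssd, admins group permitted" $?
  check_id "$id_out"
  report "primary gid in AD id-mapping range" $?
}

main
```

On a joined host, replace the sample id output with `id_out=$(id my.userad)` (or whichever domain account you expect to log in) so both checks run against live data; a FAIL code of 4 from check_realm means the join worked but simple_allow_groups does not list the group you expected, which is the usual reason an SSH login is refused after an otherwise successful join.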