Please enable JavaScript.
Coggle requires JavaScript to display documents.
Active Directory Integration in Linux - Coggle Diagram
Active Directory Integration in Linux
Overview
What is Active Directory (AD)
Microsoft directory service
Centralized identity and authentication
Stores users, groups, computers, policies
Uses LDAP, Kerberos, DNS, SMB, Group Policy
Why Integrate Linux with AD
Single Sign-On (SSO)
Centralized authentication
Centralized authorization
Centralized user management
Compliance and auditing
Password policy enforcement
Reduced administrative overhead
Enterprise scalability
Enterprise Architecture
Domain Controllers
Primary Domain Controller
Additional Domain Controllers
Global Catalog
DNS
AD-integrated DNS
Forward and Reverse Lookup Zones
SRV Records
Linux Servers
Application Servers
Web Servers
Database Servers
File Servers
Jump Servers
Monitoring Servers
Authentication Components
Kerberos
LDAP
SSSD
PAM
NSS
Winbind
Certificate Services
Internal CA
LDAPS
PKI
Authentication Flow
User Login
User enters username and password
PAM receives login request
PAM forwards request to SSSD
SSSD contacts Kerberos
Kerberos requests Ticket Granting Ticket
Domain Controller validates credentials
Kerberos issues TGT
SSSD retrieves user information from LDAP
NSS creates Linux identity
User receives shell access
Required Protocols
LDAP
Directory lookup
User information
Group information
LDAPS
Encrypted LDAP
TCP 636
Kerberos
Authentication
TCP UDP 88
DNS
Domain discovery
Service discovery
SRV records
SMB
File sharing
SYSVOL access
NTP
Time synchronization
Required for Kerberos
Linux Components
SSSD
Identity provider
Authentication cache
Offline login
Group resolution
Access control
Realmd
Simplifies domain joining
Auto configuration
adcli
Joins Linux to AD
Computer account creation
Samba
SMB services
Winbind support
Winbind
Alternative to SSSD
NTLM support
Kerberos Client
Ticket management
OpenLDAP Client
LDAP queries
Oddjob
Automatic home directory creation
Enterprise Prerequisites
DNS Resolution
Linux must resolve AD DNS
Time Synchronization
NTP must match Domain Controller
Difference should be less than 5 minutes
Hostname
Static FQDN
Firewall
Allow required AD ports
Network Connectivity
Reachable Domain Controller
Privileges
Domain account allowed to join computers
Required Packages
RHEL Rocky AlmaLinux
realmd
sssd
sssd-tools
oddjob
oddjob-mkhomedir
adcli
samba-common
krb5-workstation
openldap-clients
Ubuntu Debian
realmd
sssd
sssd-tools
adcli
krb5-user
samba-common-bin
packagekit
Enterprise Implementation
Step 1 Verify DNS
hostnamectl
hostname -f
cat /etc/resolv.conf
dig domain.local
nslookup domain.local
Step 2 Verify Time
timedatectl
chronyc sources
chronyc tracking
Step 3 Install Packages
RHEL
dnf install realmd sssd sssd-tools oddjob oddjob-mkhomedir adcli samba-common krb5-workstation openldap-clients
Ubuntu
apt install realmd sssd sssd-tools adcli krb5-user samba-common-bin packagekit
Step 4 Discover Domain
realm discover company.local
Step 5 Join Domain
realm join company.local -U Administrator
Step 6 Verify Join
realm list
hostnamectl
Step 7 Verify Kerberos
kinit administrator
klist
kdestroy
Step 8 Verify User
id
user@company.local
getent passwd
user@company.local
getent group "Domain Users"
Step 9 Login Test
su -
user@company.local
Step 10 Automatic Home Directory
authselect select sssd with-mkhomedir
systemctl restart oddjobd
Important Configuration Files
/etc/sssd/sssd.conf
/etc/krb5.conf
/etc/nsswitch.conf
/etc/pam.d
/etc/resolv.conf
/etc/hosts
/etc/samba/smb.conf
SSSD Configuration
Domain
Cache Credentials
Offline Login
Access Provider
LDAP Provider
Kerberos Provider
Enumeration
Home Directory Template
Default Shell
User Management
View User
id username
getent passwd username
View Group
getent group
List Domain
realm list
Check Login
su username
Home Directory
Automatic creation
Permissions
Group Management
Domain Users
Domain Admins
Linux Admins
Security Groups
Nested Groups
Group Based Access
Restrict Login
Allow Specific Group
realm permit --groups LinuxAdmins
Allow Specific User
realm permit user1
Deny User
realm deny user1
Sudo Integration
Domain Admins
Sudo privileges
Linux Admin Group
Custom sudo permissions
Sudoers
visudo
/etc/sudoers.d
Enterprise Access Control
Least Privilege
Role Based Access Control
Group Based Authorization
Separation of Duties
Just Enough Administration
Kerberos Commands
kinit
klist
kdestroy
kvno
Realm Commands
realm discover
realm join
realm leave
realm list
realm permit
realm deny
SSSD Commands
systemctl status sssd
sss_cache -E
sssctl domain-status
sssctl config-check
sssctl user-checks username
LDAP Commands
ldapsearch
getent passwd
getent group
AD Join Verification
realm list
id username
getent passwd username
getent group
klist
login using AD account
Enterprise Security Best Practices
Use LDAPS
Use Kerberos only
Disable anonymous LDAP
Enforce MFA where supported
Restrict SSH using AD groups
Implement sudo least privilege
Enable audit logging
Synchronize time
Use redundant Domain Controllers
Enable credential caching
Secure DNS
Rotate service account passwords
High Availability
Multiple Domain Controllers
DNS Redundancy
SSSD Cache
Offline Authentication
Failover Domain Controllers
Monitoring
SSSD Logs
Journalctl
Authentication Logs
Auditd
SIEM Integration
Wazuh Monitoring
Troubleshooting
DNS Failure
dig
nslookup
Time Drift
timedatectl
chronyc tracking
Kerberos Failure
kinit
klist
LDAP Failure
ldapsearch
SSSD Failure
systemctl status sssd
journalctl -u sssd
sssctl config-check
Domain Join Failure
realm discover
realm list
realm leave
realm join
Common Enterprise Scenarios
SSH login using AD users
Restrict SSH to LinuxAdmins
Centralized sudo
File server authentication
Apache authentication with AD
Nginx authentication
Docker host authentication
Kubernetes worker authentication
Database authentication
Git server authentication
Jenkins authentication
Monitoring server authentication
Interview Preparation
What is Active Directory
Difference between LDAP and Kerberos
Difference between SSSD and Winbind
Why DNS is mandatory
Why time synchronization is important
What happens during domain join
Authentication flow from login to shell
Purpose of PAM
Purpose of NSS
Purpose of SSSD
Purpose of Kerberos
Purpose of LDAP
Purpose of Realmd
Difference between Authentication and Authorization
What is a TGT
What is SPN
What is a Computer Account
How offline login works
How SSSD cache works
How to restrict AD users
How to give sudo to AD groups
How to troubleshoot domain join failures
Ports required for AD integration
Enterprise security best practices
High availability considerations
Common production issues
Frequently Used Commands
hostnamectl
timedatectl
chronyc tracking
cat /etc/resolv.conf
dig
nslookup
realm discover
realm join
realm list
realm leave
id
getent passwd
getent group
kinit
klist
kdestroy
ldapsearch
systemctl status sssd
journalctl -u sssd
sss_cache -E
sssctl domain-status
sssctl config-check
realm permit
realm deny