共用方式為


Join a SUSE Linux Enterprise Server to an Azure AD Domain Services Managed Domain

This post will show how to use Azure AD Domain Services (AAD-DS) with SUSE Linux Enterprise Server (SLES).

Background

A customer asked how they might use AAD-DS with SLES 11 SP4 to test their product.  I am very familiar with Windows but still very much a Linux novice, and there seems to be no easy documentation that shows how to walk through this end to end.  There are steps for Red Hat Enterprise Linux (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-rhel-linux-vm), but I couldn’t find steps to do this on other Linux distros. The package managers are different (SLES uses zypper, RHEL uses yum, Ubuntu uses apt-get), and the packages to use and instructions for configuring are cryptic and archaic.  Turns out it’s really easy to domain join a machine using SLES.

What is Azure Active Directory Domain Services

The Azure Active Directory service does not directly provide NTLM, Kerberos, or LDAP, it provides WS-Trust, OpenID Connect, and OAuth capabilities.  Applications hosted in Azure virtual machines may need these legacy authentication capabilities but can’t afford the latency of communicating back to on-premises infrastructure, requiring domain controllers to be hosted in the cloud.  Many customers do not want to install their own domain controllers in cloud-hosted virtual machines, configure a VPN or ExpressRoute, and manage AD replication to on-premises domain controllers.  This is exactly what Azure AD Domain Services (AAD-DS) provides: a managed domain controller with the same users and groups as your AAD directory.  AAD-DS makes it easy to join a virtual machine to the managed domain so that your application can use NTLM, Kerberos, or LDAP with the same credentials that they use to log into Office 365 or Azure services.

Azure AD Domain Services will provision managed domain controllers into the Azure Virtual Network that you specify.  In this image, the managed domain controller virtual machines are greyed out, indicating they are there but you can’t access them or do anything with the virtual machine directly, you simply use the familiar Windows Active Directory Domain Services (ADDS) as a service. 

image

In this picture, AAD-DS is enabled for the directory, creating two virtual machines in the subnet of my choice.  My application server can now communicate with those domain controllers to domain join the machine and enable authentication and authorization.  Azure AD Domain Services works with either cloud-only or hybrid directories.  If there is an existing ADDS infrastructure on-premises, you sync users to the AAD directory using HTTPS to enable single sign on to cloud resources such as O365. 

Getting Started

The documentation to set up Azure AD Domain Services is pretty easy to follow, including screen shots.  Nothing to install on your machine, nothing to configure locally, just go to the Azure portal and follow the directions:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started 

The result is an Azure classic virtual network with the settings you chose.

image

Editor: At the time of this writing, AAD-DS only supports classic vnets. I don’t have insight to the product team’s plans if they are going to enable ARM-based VNets, but I sure hope so.

If I need to add users or groups, I do this using Azure AD. 

image

I also have a group that contains the users who are administrators of the AAD-DS domain, enabling them to configure things like service principals and constrained delegation.

image

I can now add a Windows virtual machine to the same virtual network and join the machine to the domain blueskyabove.onmicrosoft.com.  Note that I am using a cloud-only directory, there are no users sourced from on-premises, so when I am prompted by Windows for the credentials to join a machine to the domain, I use my cloud-only account kirkevans@blueskyabove.onmicrosoft.com, and when I RDP to my new WIndows VM I use the same credentials.

image

Once logged in, open PowerShell and run the command:

 Add-WindowsFeature -Name RSAT-ADDS-Tools

This command will add the Active Directory tools such as Users and Computers.  Now you can view the domain information from your new Windows virtual machine.

image

OK, enough Windows, let’s go look at the Linux stuff we promised in the beginning of the post!

Create a SUSE Linux Enterprise Server Virtual Machine

In the Azure portal, create a new SUSE Linux Enterprise Server virtual machine in the same VNet that you used previously.  Filter for “SUSE” and choose your starting image.  I chose SLES 11 SP4. 

image

IMPORTANT!!! Make sure to create a VM using the Classic deployment model so that it can be placed in the same VNet!

image

The next step enables you to provide your SSH login information and SSH public key (for more information, see https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys). 

image

Choose a size.  A DS1_v2 machine is plenty for my quick demo.

image

Create or choose a storage account and cloud service (I used the same cloud service I used with my Windows VM above).  The important point here is that you use the same virtual network that is configured for Azure AD Domain Services.

image

After a few minutes, the VM is created and I can SSH into it.  I am using the Windows Subsystem for Linux, just open a command prompt and type “bash” to open the bash shell, and then I can run my SSH commands.

Editor: I received a few weird errors while trying to provision the VM, mentioning something about a certificate thumbprint cannot be found. I kept trying and it finally worked. Sometimes I guess you have to click harder.

SSH Using Your Certificate

We haven’t yet joined the VM to the domain, so we will SSH using the details we provided when creating the Azure VM.  Once the VM is created, open the VM to see its public IP address.

image

Note that the public IP can change if you restart the Azure virtual machine.  Now, go to the Endpoints property of the VM to see which port to use for SSH.

image

Finally, SSH:  ssh -i azure_ssh myadmin@52.173.77.97 -p 60252

image

We’re in!

Domain Join SLES Using YaST

The last bit we need to do is to join to the domain controller that Azure AD Domain Services provides for us.  Since the VM is in the same VNet and we have updated the DNS settings for the VNet, the new Linux machine can locate the domain controller by name without any further configuration with “sudo /sbin/yast”.

image

This opens up the YaST control center.  Choose Network Services / Windows Domain Membership.

image

You are prompted to install the Samba client packages.

image

Next, provide your domain as all capital letters, and enable the settings in the top section to enable users to SSH to the machine using their credentials from Azure AD.  Note that I am using a cloud-only directory without a custom domain.  If you added and verified a custom domain, and have users from that custom domain in your AAD directory from a sync, then you should use your custom domain. 

image

Editor: Backspace doesn’t work for me, I had to use CTRL+H to backspace. Dunno.

Once you are done, exit and reboot the VM. 

You may be wondering what the YaST tool just did for us.  For a comprehensive look at the files it edited and the values it used, see https://jreypo.wordpress.com/2012/02/01/how-to-integrate-suse-linux-enterprise-11-with-windows-active-directory/

You can now log in using the same credentials that you use to log into Azure AD.

 ssh blueskyabove\\kirkevans@52.173.77.97 -p 62075

You can now SSH using your credentials from Azure AD and the user has a home directory that was created.

image

The user is not in the sudoers group.  It is possible to enable users from a particular Active Directory group to use sudo.

https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/

For More Information

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started

How to create and use an SSH public and private key pair for Linux VMs in Azure

Join a Red Hat Enterprise Linux 7 virtual machine to a managed domain

https://jreypo.wordpress.com/2012/02/01/how-to-integrate-suse-linux-enterprise-11-with-windows-active-directory/

https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/