Linux active directory join

Join SQL Server on a Linux host to an Active Directory domain

Applies to: SQL Server (all supported versions) — Linux

This article provides general guidance on how to join a SQL Server on Linux host machine to an Active Directory (AD) domain. There are two methods: use the built-in SSSD package, or use a third-party Active Directory provider. Examples of third-party domain join products are PowerBroker Identity Services (PBIS), One Identity, and Centrify. This guide includes steps to check your Active Directory configuration, but it does not cover how to join a machine to a domain with the third-party utilities.

Prerequisites

Before you configure Active Directory authentication, you need a Windows Active Directory domain controller on your network. Then join your SQL Server on Linux host to the Active Directory domain.

The sample steps in this article are for guidance only and refer to Ubuntu 16.04, Red Hat Enterprise Linux (RHEL) 7.x, and SUSE Linux Enterprise Server (SLES) 12. The actual steps may differ slightly in your environment depending on the operating system version and on how the overall environment is configured; for example, Ubuntu 18.04 uses netplan, while RHEL 8.x uses nmcli, among other tools, to manage and configure the network. Engage your system and domain administrators for the specific tooling, configuration, customization, and troubleshooting your environment requires.

Check the connection to a domain controller

Check that you can contact the domain controller with both the short and the fully qualified name of the domain (for example, with ping against contoso and contoso.com).

This tutorial uses contoso.com and CONTOSO.COM as the example domain and realm names, respectively, and DC1.CONTOSO.COM as the example fully qualified domain name of the domain controller. Replace these names with your own values.

If either of these name checks fails, update your domain search list. The following sections provide instructions for Ubuntu, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES), respectively.

Ubuntu 16.04

Edit the /etc/network/interfaces file so that your Active Directory domain is in the DNS search list of the interface.

The network interface name, eth0 in this example, may differ between machines. To find out which one you are using, run ifconfig (or ip addr) and pick the interface that has an IP address and non-zero transmitted and received byte counts.

After editing this file, restart the network service.

Next, check that your /etc/resolv.conf file contains a search line for your domain (for example, search contoso.com).

RHEL 7.x

Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file (or the configuration file of whichever interface you use) so that your Active Directory domain is in the domain search list.

After editing this file, restart the network service.

Now check that your /etc/resolv.conf file contains a search line for your domain (for example, search contoso.com).

If you still cannot ping the domain controller, find its fully qualified domain name and IP address (for example, DC1.CONTOSO.COM) and add an entry to /etc/hosts that maps the IP address to that name. Treat this as a workaround only: realm discover and realm join locate domain controllers through DNS SRV records, so your DNS configuration still has to point at the domain's DNS servers.

SLES 12

Edit the /etc/sysconfig/network/config file so that your Active Directory domain controller's IP address is used for DNS queries and your Active Directory domain is in the domain search list.

After editing this file, restart the network service.

Next, check that your /etc/resolv.conf file contains a search line for your domain (for example, search contoso.com).
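The following script is an added example, written for this page and not part of the Microsoft article, that automates the checks described in the sections above: it verifies that /etc/resolv.conf lists the domain in its search list and has a nameserver, and that the short domain name, the domain FQDN, and the domain controller all resolve. It assumes the article's sample names contoso.com and dc1.contoso.com. The SRV record check goes beyond the article's ping test: realm discover and realm join find domain controllers through the _ldap._tcp.dc._msdcs.<domain> record, which neither a plain A record nor an /etc/hosts entry provides.

```shell
#!/bin/sh
# Added example, not from the Microsoft article: DNS preflight for an AD join.
# Assumed sample names: domain contoso.com, domain controller dc1.contoso.com.
set -u

# resolv_ok FILE DOMAIN
# 0 if FILE (a resolv.conf) lists DOMAIN in a 'search' or 'domain' line and has
# at least one nameserver line; otherwise prints what is missing and returns 1.
resolv_ok() {
    file=$1; domain=$2; rc=0
    if ! awk -v d="$domain" '
        tolower($1) == "search" || tolower($1) == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
        }
        END { exit !found }' "$file"; then
        echo "resolv.conf: $domain is not in the search list"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$file"; then
        echo "resolv.conf: no nameserver line"; rc=1
    fi
    return $rc
}

# names_ok DOMAIN DC_FQDN  (live check, needs the network)
# Resolves the short domain name, the domain FQDN and the DC through NSS, then
# checks the SRV record realmd uses to locate domain controllers (if dig exists).
names_ok() {
    domain=$1; dc=$2; short=${domain%%.*}; rc=0
    for n in "$short" "$domain" "$dc"; do
        if getent hosts "$n" >/dev/null; then
            echo "ok   $n resolves"
        else
            echo "FAIL $n does not resolve"; rc=1
        fi
    done
    if command -v dig >/dev/null 2>&1; then
        if dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | grep -q .; then
            echo "ok   SRV _ldap._tcp.dc._msdcs.$domain"
        else
            echo "FAIL no SRV record _ldap._tcp.dc._msdcs.$domain (realm discover will not find a DC)"; rc=1
        fi
    fi
    return $rc
}

# usage: sh dns_preflight.sh contoso.com dc1.contoso.com
if [ $# -eq 2 ]; then
    resolv_ok /etc/resolv.conf "$1" && names_ok "$1" "$2"
fi
```

Run it as sh dns_preflight.sh contoso.com dc1.contoso.com. resolv_ok takes any file path, so the parsing can be exercised against a constructed resolv.conf on a machine that is not on the domain network; the short name only resolves when the search list is right, which is exactly what the article's first check is for.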

Join to the AD domain

After the basic configuration and the connectivity to the domain controller are verified, there are two options for joining the SQL Server on Linux host to the Active Directory domain:

Option 1: Use SSSD package to join AD domain

This method joins the SQL Server host to an AD domain using realmd and sssd packages.

This is the preferred method of joining a Linux host to an AD domain controller.

Use the following steps to join a SQL Server host to an Active Directory domain:

Use realmd to join your host machine to your AD domain. First install both the realmd and the Kerberos client packages on the SQL Server host with your Linux distribution's package manager (the package names differ between RHEL, SUSE, and Ubuntu).

If the Kerberos client package installation prompts you for a realm name, enter your domain name in uppercase.

After you confirm that your DNS is configured properly, join the domain with realm join, authenticating as an AD account that has sufficient privileges in AD to join a new machine to the domain. The command creates a new computer account in AD, creates the /etc/krb5.keytab host keytab file, configures the domain in /etc/sssd/sssd.conf, and updates /etc/krb5.conf.

You should see the message "Successfully enrolled machine in realm".

The following table lists some error messages that you could receive and suggestions for resolving them:

Error message: Necessary packages are not installed
Recommendation: Install those packages using your Linux distribution's package manager before running the realm join command again.

Error message: Insufficient permissions to join the domain
Recommendation: Check with a domain administrator that you have sufficient permissions to join Linux machines to your domain.

Error message: KDC reply did not match expectations
Recommendation: You may not have specified the correct realm name for the user. Realm names are case-sensitive, usually uppercase, and can be identified with the command realm discover contoso.com.

SQL Server uses SSSD and NSS for mapping user accounts and groups to security identifiers (SIDs). SSSD must be configured and running for SQL Server to create AD logins successfully. realmd usually does this automatically as part of joining the domain, but in some cases, you must do this separately.

Verify that you can now gather information about a user from the domain, and that you can acquire a Kerberos ticket as that user, using the id, kinit, and klist commands.

If id user@contoso.com returns "No such user", make sure that the SSSD service started successfully by running sudo systemctl status sssd. If the service is running and you still see the error, try enabling verbose logging for SSSD. For more information, see the Red Hat documentation for Troubleshooting SSSD.

If kinit user@CONTOSO.COM returns "KDC reply did not match expectations while getting initial credentials", make sure you specified the realm in uppercase.
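An added end-to-end example of the realm join and verification steps above; this is example code for this page, not from the article or from realmd. It assumes the sample domain contoso.com with realm CONTOSO.COM, an AD account named joinadmin that is allowed to create computer objects, and a domain user named user. The package names realmd plus krb5-workstation (RHEL), krb5-client (SLES) or krb5-user (Ubuntu) are an assumption as well and appear only in the comments. The realm_joined function parses realm list output, so the joined state can be checked by a script rather than by eye.

```shell
#!/bin/sh
# Added example, not from the article or realmd: join with realmd, then verify that
# SSSD resolves a domain user and that a Kerberos TGT can be obtained for them.
# Assumed names: domain contoso.com, realm CONTOSO.COM, join account "joinadmin",
# domain user "user". Assumed prerequisite packages: realmd plus krb5-workstation
# (RHEL), krb5-client (SLES) or krb5-user (Ubuntu).
set -u

# realm_joined LISTING DOMAIN: LISTING is the output of `realm list`.
# 0 if DOMAIN is configured as a kerberos-member with sssd as the client software.
realm_joined() {
    listing=$1; domain=$2
    printf '%s\n' "$listing" | awk -v d="$domain" '
        /^[^ \t]/ { cur = tolower($1) }        # unindented line = start of a realm block
        cur == tolower(d) && /^[ \t]+configured: kerberos-member/ { conf = 1 }
        cur == tolower(d) && /^[ \t]+client-software: sssd/        { sssd = 1 }
        END { exit !(conf && sssd) }'
}

# upper_realm DOMAIN -> the Kerberos realm name (realm names are case-sensitive and uppercase)
upper_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# join_domain DOMAIN ADMIN  (live: needs realmd installed and a reachable DC)
join_domain() {
    domain=$1; admin=$2
    realm discover "$domain" || { echo "realm discover failed: check DNS and SRV records"; return 1; }
    # -U names the account that creates the computer object; realm prompts for its password
    realm join -v -U "$admin" "$domain" || return 1
    realm_joined "$(realm list)" "$domain"
}

# verify_user DOMAIN USER  (live): id through SSSD/NSS, then kinit/klist against the KDC
verify_user() {
    domain=$1; user=$2; realm=$(upper_realm "$domain")
    id "$user@$domain" || { echo "id failed: is sssd running? (systemctl status sssd)"; return 1; }
    # kinit prompts for the user's password; the realm part must be uppercase
    kinit "$user@$realm" || return 1
    klist
    # the host keytab that realm join created (readable by root only)
    klist -k /etc/krb5.keytab
}

# usage: sudo sh adjoin.sh contoso.com joinadmin user
if [ $# -eq 3 ]; then
    join_domain "$1" "$2" && verify_user "$1" "$3"
fi
```

The two live functions stop at the first failing step so the error message from realm, id or kinit is the last thing on the terminal; the troubleshooting table above applies to the realm join step, and the two id/kinit notes above apply to verify_user.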

For more information, see the Red Hat documentation for Discovering and Joining Identity Domains.

Option 2: Use third-party openldap provider utilities

You can use third-party utilities such as PBIS, VAS, or Centrify. This article does not cover the steps for each individual utility. You must first use one of these utilities to join the Linux host for SQL Server to the domain before continuing.

SQL Server does not use the third-party integrator's code or libraries for any AD-related queries. In this setup SQL Server always queries AD directly through OpenLDAP library calls. The third-party integrators are only used to join the Linux host to the AD domain, and SQL Server has no direct communication with these utilities.

See the recommendations for the mssql-conf network.disablesssd configuration option in the Additional configuration options section of the article Use Active Directory authentication with SQL Server on Linux.

Verify that your /etc/krb5.conf is configured correctly. For most third-party Active Directory providers, this configuration is done automatically. However, check the realm settings in /etc/krb5.conf (in particular that the default realm is your realm name in uppercase) to prevent future issues.
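An added check for the krb5.conf step above; this is example code written for this page, not the article's own list of values. It assumes the sample domain contoso.com and realm CONTOSO.COM and verifies the three settings a Kerberos client needs for that realm: default_realm in uppercase, a [realms] stanza for the realm, and [domain_realm] mappings for both contoso.com and .contoso.com.

```shell
#!/bin/sh
# Added example, not the article's own checklist: sanity-check the realm settings in
# /etc/krb5.conf after a third-party (or realmd) join.
# Assumed sample names: domain contoso.com, realm CONTOSO.COM.
set -u

# krb5_ok FILE DOMAIN
# 0 if, in FILE: [libdefaults] default_realm equals DOMAIN upper-cased (realm names
# are case-sensitive), [realms] has a stanza for that realm, and [domain_realm] maps
# both "DOMAIN" and ".DOMAIN" to it. Each missing item is printed; returns 1 if any.
krb5_ok() {
    file=$1; domain=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    awk -v d="$domain" -v r="$realm" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function key(s)  { sub(/=.*/, "", s); return trim(s) }
        function val(s)  { sub(/^[^=]*=/, "", s); return trim(s) }
        /^[ \t]*[#;]/ { next }                                        # comment lines
        /^[ \t]*\[/   { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next } # [section] header
        sec == "libdefaults" && key($0) == "default_realm" { dr = val($0) }
        sec == "realms" && key($0) == r                    { stanza = 1 }  # "REALM = {"
        sec == "domain_realm" && $0 ~ /=/ {
            if (key($0) == d       && val($0) == r) m1 = 1
            if (key($0) == ("." d) && val($0) == r) m2 = 1
        }
        END {
            rc = 0
            if (dr != r)     { print "default_realm is \"" dr "\", expected " r; rc = 1 }
            if (!stanza)     { print "no [realms] stanza for " r; rc = 1 }
            if (!(m1 && m2)) { print "[domain_realm] must map " d " and ." d " to " r; rc = 1 }
            exit rc
        }' "$file"
}

# usage: sh krb5_check.sh contoso.com   (checks /etc/krb5.conf)
if [ $# -eq 1 ]; then
    krb5_ok /etc/krb5.conf "$1" && echo "krb5.conf looks consistent for $1"
fi
```

A lowercase default_realm is the usual cause of the "KDC reply did not match expectations" error mentioned earlier, which is why the check compares the exact string rather than a case-folded one.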

Check that the reverse DNS is properly configured

A reverse DNS lookup of the IP address of the host that runs SQL Server (for example, host <IP address>) should return the host's fully qualified domain name (FQDN), such as SqlHost.contoso.com.

The output should be similar to <reversed IP address>.in-addr.arpa domain name pointer SqlHost.contoso.com. If the lookup does not return your host's FQDN, or if the FQDN is incorrect, add a reverse DNS (PTR) entry for your SQL Server on Linux host to your DNS server.
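An added example, not from the article, that performs the reverse DNS check above from a script. It assumes the sample host SqlHost.contoso.com and accepts the output formats of host <IP>, dig -x <IP> +short, and getent hosts <IP>; the live check reverse-resolves the host's first IPv4 address and compares the PTR target with hostname -f.

```shell
#!/bin/sh
# Added example, not from the article: check that the PTR record for this host's
# address points back at its FQDN. Assumed sample host: SqlHost.contoso.com.
set -u

# ptr_name LOOKUP_OUTPUT -> the PTR target, lower-cased and without the trailing dot;
# empty if the output holds no pointer. Accepts the output of `host <ip>`,
# `dig -x <ip> +short` and `getent hosts <ip>` (IPv4).
ptr_name() {
    printf '%s\n' "$1" | awk '
        /domain name pointer/        { n = $NF }  # host(1): "...in-addr.arpa domain name pointer NAME."
        NF == 1 && $1 ~ /\.$/        { n = $1 }   # dig +short: "NAME."
        NF >= 2 && $1 ~ /^[0-9.]+$/  { n = $2 }   # getent hosts: "IP  NAME [aliases]"
        END { sub(/\.$/, "", n); print tolower(n) }'
}

# ptr_matches LOOKUP_OUTPUT EXPECTED_FQDN -> 0 if the PTR target equals EXPECTED_FQDN
# (DNS names are case-insensitive, so both sides are lower-cased)
ptr_matches() {
    got=$(ptr_name "$1")
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# rdns_ok  (live): reverse-resolve this host's first IPv4 address, compare with hostname -f
rdns_ok() {
    fqdn=$(hostname -f)
    ip=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "cannot resolve $fqdn forward"; return 1; }
    out=$(getent hosts "$ip" 2>/dev/null || true)
    if ptr_matches "$out" "$fqdn"; then
        echo "ok: $ip -> $fqdn"
    else
        echo "reverse lookup of $ip gave '$(ptr_name "$out")', expected $fqdn: add a PTR record"
        return 1
    fi
}

# usage: sh rdns_check.sh --check
if [ "${1:-}" = "--check" ]; then
    rdns_ok
fi
```

The live check uses getent for both directions so that it works without bind-utils installed; if your host has several addresses, run the check for each one that clients will connect to.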

Next steps

This article covers the prerequisite of how to configure a SQL Server on a Linux host machine with Active Directory Authentication. To finish configuring SQL Server on Linux to support Active Directory accounts, follow the instructions at Use Active Directory authentication with SQL Server on Linux.


Linux-Active-Directory-join-script, by Pierre, 2017-2020

New: Added support for a readfile for Ubuntu.

Removed a line with a failing SASL configuration that blocked users from updating their password (investigation started 03/11). Users who are unable to update their password should do a git pull and run option 4, Reauthenticate, to fix it.

Supported OSes: Ubuntu 14-20 and Ubuntu MATE, Debian, CentOS, Raspbian, Fedora, Linux Mint, Kali, and Elementary OS.

Added support to perform a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind with request signing (integrity verification) on a non-SSL-encrypted LDAP connection. See the wiki for details.

This is a script for Active Directory join with realmd, and it is the result of many small upgrades made as needs emerged.

Support for an answer file is planned for early 2020 (in progress as of 2020-02-13).

A major rework of the script will be made during 2020; right now it is messy but working (a lot of parts are unnecessarily repeated in the script).

Joining a domain is fairly easy, but then you have all the configuration around it to get everything working as you expect, such as:

- the "empty login prompt for new AD users" at the login prompt
- setting sudo permissions
- settings for mobile accounts in sam
- better security with an SSH login allow list
- additional configuration in sssd.conf

This script lets you join a domain very easily by answering a couple of questions:

- it autodetects 7 different distros
- it autodetects your domain
- it generates and/or edits the necessary files
- it has a built-in fail check

What is the setup then?

Update: Added flag options to minimize the menu and to add logging; see sudo sh ADconnection.sh --help. Usage: sh ADconnection.sh [--help] [-d (Ubuntu debug mode)] [-j admin domain (simple direct join)] [-l (script output to log file)] [-s (discover domain)]

Usage of the script: sudo sh ADconnection.sh, or sudo ./ADconnection.sh after a sudo chmod +x ADconnection.sh.

Remember to set a hostname on the client or server: AD names the computer object after the hostname of the machine, for example "linuxcomputer".

At this point you have two options. Either you already have a group in AD (for example "ADMINS") that holds the users with sudo rights; then edit /etc/sudoers.d/sudoers and add %ADMINS ALL=(ALL:ALL) ALL to give this group sudo rights. Or use the naming convention built into this script: it always appends the magic word sudoers to the hostname to form the AD group name, for example linuxcomputersudoers. The administrator account is always added to sudoers as a failsafe for sysadmins.

The same applies to /etc/ssh/login.allow if you selected that option for security.

If you want to manage sudo users through a new group, create a group named LINUXCOMPUTERsudoers while the hostname is LINUXCOMPUTER. The two are not formally related, but the computer object in AD is created and named after the hostname, and naming the AD group similarly makes searching easier in the future; therefore the script by default adds "LINUXCOMPUTERsudoers" to sudoers.d/sudoers. In this step you do not need to edit any files: the script asks whether you want users to be sudoers, and if yes it generates the "LINUXCOMPUTERsudoers" entry in sudoers. Set the hostname on your computer to "linuxcomputer" (hostname and hosts files) and reboot. In /etc/hosts it should look like 127.0.1.1 LINUXCOMPUTER01 LINUXCOMPUTER01.domain.com, and resolv.conf should have search domain.com.
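An added example for the sudoers convention described above, written for this page rather than taken from the join script. It assumes the hostname LINUXCOMPUTER01 and an AD user named user. Beyond the README's manual steps it validates the drop-in with visudo before installing it, refuses to install a rule for a group that NSS cannot resolve, and matches the group name exactly in id output instead of with a bare grep -i.

```shell
#!/bin/sh
# Added example, not the join script's own code: derive the per-host sudo group the
# README describes, install a validated sudoers drop-in for it, and check an AD user's
# group membership from `id` output. Assumed hostname LINUXCOMPUTER01 and user "user".
set -u

# sudo_group [HOSTNAME] -> "<HOSTNAME upper-cased>sudoers", e.g. LINUXCOMPUTER01sudoers
sudo_group() {
    h=${1:-$(hostname -s)}
    printf '%ssudoers' "$(printf '%s' "$h" | tr '[:lower:]' '[:upper:]')"
}

# sudoers_line GROUP -> the rule giving GROUP full sudo; note the '=' after ALL
sudoers_line() { printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"; }

# in_group ID_OUTPUT GROUP -> 0 if GROUP appears as a whole group name in `id` output
# (case-insensitive: SSSD lower-cases AD names by default). A plain
# `id user | grep -i LINUXCOMPUTER01sudoers` would also match LINUXCOMPUTER01sudoers-ro.
in_group() {
    printf '%s' "$1" | grep -Eiq "[=,][0-9]+\\(${2}\\)( |,|\$)"
}

# install_sudoers_rule GROUP [DIR]  (live, run as root)
# Refuses if NSS does not know the group (sssd not running or wrong name) and only
# installs the drop-in after visudo has accepted its syntax.
install_sudoers_rule() {
    grp=$1; dir=${2:-/etc/sudoers.d}
    getent group "$grp" >/dev/null || { echo "group $grp unknown to NSS; check sssd"; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_line "$grp" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then rm -f "$tmp"; return 1; fi
    # file names in sudoers.d must not contain '.' or '~'; the group name has neither
    install -m 0440 "$tmp" "$dir/$grp" && rm -f "$tmp"
}

# usage: sh sudo_group.sh user   -> reports whether "user" is in <HOST>sudoers
if [ $# -eq 1 ]; then
    g=$(sudo_group)
    if in_group "$(id "$1")" "$g"; then echo "$1 is in $g"; else echo "$1 is NOT in $g"; fi
fi
```

Group names containing regular-expression metacharacters would need escaping before in_group; AD group names of the LINUXCOMPUTER01sudoers form do not.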

1. git clone this script and run it.

Execute the script with sudo sh ADconnection.sh. It detects whether it runs on a client or a server, and whether the client is running Ubuntu 14, 16, 17, 18, 19, or 20, Ubuntu MATE, Debian, CentOS, Raspbian, Fedora, Linux Mint, or Kali. The script finds your domain name if one exists and your network configuration is correct; if not, a prompt lets you type the domain name ("domain.com"). If there are issues finding the domain, double-check the DNS configuration on the domain controller.

After that, authorize with an admin user. Make sure to read the questions carefully, and also read the built-in help in the script.

For security, this script creates an SSH allow file so that users who are not in the correct AD group cannot log in. This also "blocks" users from creating local accounts (sudoers can create them, but those accounts will never be able to log in). NOTICE! If your local user is not administrator, you MUST add the current local user to the /etc/ssh/login.group.allowed file. If your current local user is not in the SSH-allow file, it will be BANNED from the computer!

Update: Added the ability to choose whether to disable SSH-allow. Note: if SSH-allow is disabled, users in other groups will be able to SSH to the client, but they will not have sudo rights unless they are members of the group LINUXCOMPUTERsudoers.

Update: Also added the ability to choose whether clients should have sudo rights or not. If you select no, there is no need for an AD group "LINUXCOMPUTERsudoers" in Active Directory; all domain users get non-sudo access. Notice: this option can NOT be combined with answering YES to SSH-allow.

Update: Added joining Ubuntu clients in debug mode. Debug mode opens two terminals and posts information while you run the script (it does not work over SSH).

Coming updates: the option to paste the path of the OU in which the machine will be set up (the default OU is CN=Computers,DC=domain,DC=com) (still in progress); the option to rejoin (leave the realm and join it again, keeping all configuration).

This makes the cleanest setup possible: no @ in names or in the home folder. The home folder will be /home/domain.com/user, and the user name is set to just "user", without myad/you or you@domain.com. This is to prevent complications for developers when building code. After the reboot, just log in with your AD account "user" and its password; again, no @ or domain.com/user is needed, just "user". To test a user's access and permissions, execute in a terminal from the administrator account: id user, or id user | grep -i groupname (for example LINUXCOMPUTERsudoers).

For best security, SSH is restricted to domain admins and the local administrator; clients are also allowed to log in from the assigned group ("LINUXCOMPUTERsudoers") (with option YES on SSH-allow and option YES on sudo rights).

How do I update my password? (I changed my password but Linux still uses the old one.)
The new information should be read from AD when you are on the "AD" network. The first time you log in, your "user" is cached on the computer, which means you can log in while disconnected from the "office network". If the computer does not fetch the new password, then, on the office network, open a terminal and execute sudo service sssd restart to reload the information, then log out and log in with the new password.

After the reboot I can't log in at all (local or AD).
"This is probably caused by a failed SSH-allow configuration. Make sure to have the correct users in the configuration, or disable SSH-allow when running the script."

I rebooted the computer but I still cannot log in with the AD user!
"Did you wait 5 minutes for AD to sync? Check that the computer object has been created in AD. Log in with your local account and execute sudo service sssd restart in a terminal, then check whether you can see the user by executing id yourADusername. If you can see the user and all the groups the user is a member of in AD, it works. If you set it up with an AD group, you can execute id yourADusername | grep -i LINUXCOMPUTERsudoers (the group name or hostname, depending on your setup)."

Damn, I got the wrong hostname and it is not created as a computer object in AD.
"Log in with the local admin and change your hostname in these files so that it matches the group object in AD: /etc/sudoers.d/sudoers (if configured), /etc/ssh/login.group.allowed (if configured), /etc/hostname, and /etc/hosts. Then run sudo realm leave domain.com, reboot, and rejoin by running the script again; the script will not override files that have been configured before. If the computer object exists in AD but you want to replace it, just delete the computer object and join/rejoin with a computer/server that has the same hostname as the computer object. Reboot and wait 5 minutes before logging in."

If you have issues with slow replies from the domain controller: lines were added to nsswitch.conf and sssd.conf to prevent hangs, slow logins, and slow replies from sudo commands in a terminal. This was added in 2017/11, so if your "join" is older than 2017/11 you should do a rejoin.

I am a member of sudoers, but programs require administrator to log in. You are a sudo user if you are added to the sudoers file, but the account is a standard account. To give it full administration privileges, run in a terminal: sudo usermod -a -G sudo user

The option for a readfile has been added, along with a way to encrypt the AD admin password for those who do not want to use one-time passwords. sudo sh ADconnection.sh -p prompts you for a password that will be encrypted; public key, private key, and encrypted.dat files are generated. Find a way to store at least your private key safely, and only place the files in the Linux-Active-Directory-join-script folder during the join. Since this password ends up on disk, prefer a dedicated join account that is only delegated the right to create computer objects in the target OU over a domain admin account.

Note: make sure DNS works so that the script can find the LDAP server properly. If you are using multiple domain controllers or have a backup domain controller, see the example sssd.conf below:

```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = dc1.ad.example.com
ad_backup_server = dc2.ad.example.com
filter_users = root@ad.example.com
filter_groups = root@ad.example.com
ldap_id_mapping = false
dyndns_update = true
dyndns_update_ptr = false
enumerate = true
subdomain_enumerate = all
cache_credentials = true
```

Two of these settings deserve a check before you copy them: ldap_id_mapping = false makes SSSD use the uidNumber and gidNumber attributes stored in AD, so every user and group must carry them (the default, true, derives IDs from the SID); and enumerate = true makes SSSD download the whole user and group list, which is slow on large domains and is off by default.

How to change the AD password in Linux (Ubuntu example): open Settings > Users, click on the password field, and set a new password.

On the Linux client, install git: sudo apt-get install git -y, or sudo yum install git.

To update the repo to the latest version, run sudo git pull in the Linux-Active-Directory-join-script/ folder.

About

Active Directory join script for Ubuntu, Debian, CentOS, Linux Mint, Fedora, Kali, Elementary OS, and Raspbian, with a built-in fail check and a debug mode for Ubuntu. "The most advanced and updated AD join script on GitHub for Linux"
