Ubuntu Domain Join – Common Errors and Solutions

With more workloads moving to the cloud, a centralised directory service managing your EC2 instances makes sense. Of course, if you are public-cloud only, each CSP has its own managed Active Directory offering. For hybrid infrastructure, however, where your legacy domain controllers are on premises, there are two options:

  • Cloud Managed Domain controller integrated with routable On-prem domain
  • Self Managed Domain Controller on VM as secondary domain on the existing forest

My Design

Looks neat, right? I am not covering the part where I created this new domain controller as part of my existing domain and forest; it was straightforward following the Microsoft documentation.

Domain Join

The Ubuntu domain join itself is well documented. It is even covered in Microsoft's official guidelines, and, like the domain controller configuration, it normally goes smoothly. For reference:

https://learn.microsoft.com/en-us/entra/identity/domain-services/join-ubuntu-linux-vm

Error # 1

The domain join did not go smoothly for me, though: I encountered the error below while running

sudo realm join TECHNOKOFE.COM -U 'dc_admin@AADDSCONTOSO.COM' --install=/

User don't have permission to join

Quite odd, since I know the user is a domain admin and there is no way it lacks permission to join.

Solution

The resolution is interesting, but it needs a bit of background on joining Linux machines to a domain. The error is misleading: the issue is not really the user's permissions, it is that the virtual machine cannot find the user at all. I had checked all the required ports as a first-level connectivity test, so, understanding that the issue was probably not networking, I looked for other causes. Digging through, I found the fix in the Microsoft guidelines, listed there for a different issue, but it matched my case exactly: I am not resolving the domain directly against on-prem DNS but through AWS Route 53 resolvers, and the new DC has no reverse lookup zone for my VPC range. With rdns enabled (the default), Kerberos performs a reverse lookup on the KDC's address to canonicalise its hostname before building the service principal, so a missing or wrong PTR record leaves it asking for a ticket under a name the DC does not recognise. Hence I need to disable reverse lookup:

vi /etc/krb5.conf 
[libdefaults]
rdns=false

Error # 2

My domain-joined system now showed up on the cloud DC, and it took some time to sync to the on-prem one. However, I noticed that the machine object populated in Active Directory did not have an FQDN, only the short hostname. Additionally, the DNS zone on the domain controller had no entry for it, which is wrong: a DNS record should be created as soon as a machine joins the domain.

Solution

Fortunately, this was resolved by setting the EC2 instance's hostname to the full FQDN. The join has to be redone so that the computer object and its DNS record are created under the new name:

sudo realm leave TECHNOKOFE.COM

sudo hostnamectl set-hostname ec2-domain.technokofe.com

sudo realm join TECHNOKOFE.COM -U 'dc_admin@AADDSCONTOSO.COM' --install=/

Error # 3

The error below was encountered after the domain join, when I was still not able to resolve my AD user with a simple id lookup:

id devesh
id: 'devesh': no such user

Solution

The error seems generic, but one thing is sure: there is a disconnect between the EC2 instance and the domain controller in the cloud. Keep in mind that while the secondary domain controller acts as the first point of contact for DNS resolution, the domain join still requires connectivity on the relevant ports back to the on-prem DC.

I had ensured connectivity on the relevant ports but had missed a simple parameter in sssd.conf. Since I created a new AD site in the existing forest for the cloud domain controller, I have to specify it in the domain section as well. With ad_site set, SSSD looks up the site-specific SRV records for that site instead of relying on automatic site discovery, which only works if the VPC subnet is mapped to the site in AD Sites and Services. Note that the section is [domain/<name>], matching the domain listed under [sssd]:

[domain/technokofe.com]
ad_site = AWS
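The checks behind Error 1 and Error 3 (can the resolver find the DCs, does each DC have a forward and a matching reverse record, and are the member ports reachable) can be scripted and run before realm join. The script below is an added example for this post, not from the Microsoft guide or the original write-up. It assumes dnsutils is installed (it shells out to dig for the SRV lookups), and the domain, site name and port list are illustrative assumptions to be replaced with your own.

```python
#!/usr/bin/env python3
"""Pre-join checks for a host that reaches AD through a cloud DNS resolver:
DC discovery via SRV records (generic and site-scoped), forward/reverse lookup
of each DC, and TCP reachability of member ports. Added example; the domain,
site and port list are assumptions, not taken from the post."""
import socket
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed member-to-DC port set; trim to what your security groups allow.
REQUIRED_TCP_PORTS: Dict[int, str] = {
    53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB",
    464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog",
}


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str


def srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names used to locate DCs; the _sites variants are the ones
    an ad_site setting makes SSSD prefer."""
    names = [f"_kerberos._tcp.dc._msdcs.{domain}",
             f"_ldap._tcp.dc._msdcs.{domain}"]
    if site:
        names += [f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
                  f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"]
    return names


def parse_srv(dig_short_output: str) -> List[SrvTarget]:
    """Parse `dig +short SRV` lines ("<prio> <weight> <port> <target>.")
    into targets ordered by priority, then by descending weight."""
    targets = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or not an SRV answer
        prio, weight, port, host = parts
        targets.append(SrvTarget(int(prio), int(weight), int(port),
                                 host.rstrip(".").lower()))
    return sorted(targets, key=lambda t: (t.priority, -t.weight))


def query_srv(name: str) -> List[SrvTarget]:
    """Ask the system resolver (the Route 53 resolver here) via dig."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10)
    return parse_srv(out.stdout)


def reverse_lookup_matches(ip: str, expected_host: str) -> bool:
    """True only if a PTR exists and maps back to the DC's FQDN; Kerberos
    with rdns=true canonicalises the KDC name this way (the Error 1 case)."""
    try:
        name, _, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return False
    return name.rstrip(".").lower() == expected_host.lower()


def port_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain: str, site: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means ready to join."""
    findings: List[str] = []
    dcs: Dict[str, set] = {}
    for name in srv_names(domain, site):
        targets = query_srv(name)
        if not targets:
            findings.append(f"no SRV answer for {name}")
        for t in targets:
            dcs.setdefault(t.host, set()).add(t.port)
    for host in sorted(dcs):
        try:
            ip = socket.gethostbyname(host)
        except socket.gaierror:
            findings.append(f"{host}: forward lookup failed")
            continue
        if not reverse_lookup_matches(ip, host):
            findings.append(f"{host} ({ip}): no matching PTR; "
                            "set rdns = false in krb5.conf [libdefaults]")
        for port, svc in REQUIRED_TCP_PORTS.items():
            if not port_open(ip, port):
                findings.append(f"{host}:{port} ({svc}) unreachable")
    return findings


if __name__ == "__main__":
    dom = sys.argv[1] if len(sys.argv) > 1 else "technokofe.com"
    ad_site = sys.argv[2] if len(sys.argv) > 2 else "AWS"
    for line in preflight(dom, ad_site) or ["all checks passed"]:
        print(line)
```

Run it as python3 preflight.py technokofe.com AWS before joining. A "no SRV answer" for the _sites names while the generic names resolve means the site or its SRV records are not what you expect (the Error 3 territory); a "no matching PTR" line is exactly the situation that needs rdns = false.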

My machine was now properly domain joined. I even tested SSH access and, as expected, it worked right away.

The sssd.conf and krb5.conf for my working machine are below. Two caveats worth knowing before copying them: ldap_id_mapping = false means every user and group must have POSIX uidNumber/gidNumber attributes populated in AD, and ldap_user_ssh_public_key only has an effect if sshd is configured with AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys. The duplicated krb5_realm and realmd_tags lines have been dropped, and dns_lookup_realm/dns_lookup_kdc are shown under krb5.conf, since they are Kerberos library options rather than SSSD ones.

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
domains = technokofe.com
services = nss, pam, ssh

[nss]
filter_groups = root
filter_users = root, docker

[domain/technokofe.com]
id_provider = ad
access_provider = ad
ad_domain = technokofe.com
# the AD site created for the cloud domain controller (Error 3)
ad_site = AWS
krb5_realm = TECHNOKOFE.COM
realmd_tags = manages-system joined-with-adcli
default_shell = /bin/bash
use_fully_qualified_names = false
auto_private_groups = true
# requires uidNumber/gidNumber to be set on AD users and groups
ldap_id_mapping = false
ldap_group_name = cn
ldap_use_tokengroups = false
ldap_user_extra_attrs = altSecurityIdentities
# public keys read from AD; needs sss_ssh_authorizedkeys in sshd_config
ldap_user_ssh_public_key = altSecurityIdentities
# no offline credential caching on this host
cache_credentials = false
krb5_store_password_if_offline = false

/etc/krb5.conf

[libdefaults]
default_realm = TECHNOKOFE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
udp_preference_limit = 0
# no reverse lookup zone for the VPC range on the DC (Error 1)
rdns = false
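To catch the three mistakes above before the next join (reverse lookups left on, a short or malformed hostname, and a domain section without ad_site or under the wrong section name), here is an added example that lints the two config files and the hostname offline. It is not part of the original post: the sample configs embedded in it are constructed, and the checks encode only what this page calls out.

```python
#!/usr/bin/env python3
"""Offline lint for sssd.conf, krb5.conf and the hostname, covering the three
domain-join mistakes described in the post. Added example; the sample configs
below are constructed, not copied from a real host."""
import configparser
import re
from typing import List, Tuple

# label.label... with RFC 1123 labels; rejects '@', '_' and bare hostnames
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf/krb5.conf style text; strict=False tolerates duplicates."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    return cp


def duplicate_keys(text: str) -> List[Tuple[str, str]]:
    """configparser silently keeps the last duplicate, so count them here."""
    counts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip()
        counts[(section, key)] = counts.get((section, key), 0) + 1
    return [(s, k) for (s, k), n in counts.items() if n > 1]


def lint(sssd_text: str, krb5_text: str, hostname: str) -> List[str]:
    """Return findings; an empty list means all three checks pass."""
    findings: List[str] = []
    sssd_cfg = parse_ini(sssd_text)
    krb5_cfg = parse_ini(krb5_text)

    # Error 1: no PTR zone for the VPC range, so reverse lookups must be off.
    rdns = krb5_cfg.get("libdefaults", "rdns", fallback="true").strip().lower()
    if rdns != "false":
        findings.append("krb5.conf: set rdns = false in [libdefaults]")

    # Error 2: the computer object and DNS record come from the hostname,
    # so it must be the FQDN inside the domain being joined.
    domains = [d.strip().lower()
               for d in sssd_cfg.get("sssd", "domains", fallback="").split(",")
               if d.strip()]
    if not domains:
        findings.append("sssd.conf: [sssd] domains is empty")
    host = hostname.strip().lower()
    if not HOSTNAME_RE.match(host) or not any(host.endswith("." + d) for d in domains):
        findings.append(f"hostname {hostname!r} is not an FQDN inside {domains}")

    # Error 3: SSSD reads [domain/<name>] (not [realm/...]) and needs ad_site
    # when the DC lives in a custom AD site.
    for d in domains:
        sec = f"domain/{d}"
        if not sssd_cfg.has_section(sec):
            findings.append(f"sssd.conf: missing [{sec}] section")
            continue
        if not sssd_cfg.get(sec, "ad_site", fallback="").strip():
            findings.append(f"sssd.conf: [{sec}] has no ad_site")
    for sec in sssd_cfg.sections():
        if sec.startswith("realm/"):
            findings.append(f"sssd.conf: [{sec}] is not an SSSD section; use [domain/<name>]")
    for opt in ("dns_lookup_kdc", "dns_lookup_realm"):
        if sssd_cfg.has_option("sssd", opt):
            findings.append(f"sssd.conf: {opt} belongs in krb5.conf [libdefaults], not [sssd]")
    findings += [f"sssd.conf: duplicate key {k} in [{s}]" for s, k in duplicate_keys(sssd_text)]
    return findings


# Constructed samples: the mistakes from the post, then the fixed state.
BROKEN_SSSD = """\
[sssd]
domains = technokofe.com
dns_lookup_kdc = true

[domain/technokofe.com]
id_provider = ad
krb5_realm = TECHNOKOFE.COM
krb5_realm = TECHNOKOFE.COM

[realm/technokofe]
ad_site=AWS
"""
BROKEN_KRB5 = "[libdefaults]\ndefault_realm = TECHNOKOFE.COM\n"
BROKEN_HOSTNAME = "ec2-domain@technokofe.com"

FIXED_SSSD = """\
[sssd]
domains = technokofe.com
services = nss, pam, ssh

[domain/technokofe.com]
id_provider = ad
access_provider = ad
ad_domain = technokofe.com
ad_site = AWS
krb5_realm = TECHNOKOFE.COM
"""
FIXED_KRB5 = "[libdefaults]\ndefault_realm = TECHNOKOFE.COM\nrdns = false\n"
FIXED_HOSTNAME = "ec2-domain.technokofe.com"

if __name__ == "__main__":
    for label, args in (("broken", (BROKEN_SSSD, BROKEN_KRB5, BROKEN_HOSTNAME)),
                        ("fixed", (FIXED_SSSD, FIXED_KRB5, FIXED_HOSTNAME))):
        print(label, lint(*args) or ["ok"])
```

On a real host, feed it the file contents and hostname -f output: lint(open("/etc/sssd/sssd.conf").read(), open("/etc/krb5.conf").read(), socket.getfqdn()). The duplicate-key pass exists because configparser and SSSD both take the last value quietly, which hides copy-paste leftovers like the doubled krb5_realm in the first version of my config.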
