Join VMware Photon to Active Directory
A quick and simple task, I assumed: get an individual VMware Photon instance to host one container for a specific purpose and plug it into Active Directory for proper management. After all, it's the baseline image for most VMware appliances, and all of those plug into AD very nicely.
As it turns out, not so simple. Not so simple before you know how it's done, that is; it took a bit of reverse engineering to figure out how to do it.
My first Googling turned up a solution called Lightwave, which actually looks like a very nice solution but is ultimately for a different purpose: more for replacing Active Directory than integrating into it. That is actually something I've been looking for in my home lab, AD functionality but running on a Raspberry Pi. So definitely worth looking into, but that in detail is a story for another day.
While trying to do the integration with Lightwave, I accidentally also stumbled onto the right approach, which is Likewise.
Firstly, installing it is simple; it's found in the default repo, so just
tdnf install likewise-open -y
Then we get to the problems, or rather fixing them. The first issue is that by default it tries to use SMBv1, which for security reasons is hopefully disabled for everyone. If you don't run into this issue, then you have other problems :)
SMBv2 can be enabled with
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
Then you need to configure your hostname: not the FQDN, just the NetBIOS name
/opt/likewise/bin/domainjoin-cli setname servername
Where servername is your actual hostname. There's also a requirement that a reverse lookup of your node's name must return an FQDN equal to the above servername.domain.name.
The domain name here is the Active Directory domain name. You can do this in many ways; one is supposedly with DNS, but I had some problems with that since it seems to do the reverse lookup with the 127.0.0.1 IP for some reason. If we skip the DNS option, there are still two options. One is to edit /etc/hosts manually and put the FQDN before the short name on the 127.0.0.1 line; the other is to use the hostname module in the domain join, which does this automatically.
The domain join can be done with the following commands
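The manual /etc/hosts route described above, as an added shell example that is not from the original post: a POSIX sh function that rewrites the 127.0.0.1 line of a hosts file so the FQDN comes before the short name (keeping any other aliases), plus a helper that shows which name a lookup of 127.0.0.1 against that file would return first. The server name photon, the domain ad.example.org and the hosts file contents in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Makes the 127.0.0.1 line of a
# hosts file list <servername>.<domain> before the short name, which is the
# manual alternative to "domainjoin-cli join --enable hostname".
# Usage: fix_hosts_fqdn <hosts-file> <servername> <ad.domain.name>

# Print the first (canonical) name on the 127.0.0.1 line, i.e. what a
# reverse lookup of 127.0.0.1 via this file would answer.
hosts_canonical_name() {
    awk '$1 == "127.0.0.1" { print $2; exit }' "$1"
}

# Rewrite the 127.0.0.1 line as "127.0.0.1 <fqdn> <short> <other aliases>";
# add the line if the file has none. Other lines are left untouched.
fix_hosts_fqdn() {
    hosts_file=$1 short=$2 domain=$3
    fqdn="$short.$domain"
    tmp=$(mktemp) || return 1
    awk -v fqdn="$fqdn" -v short="$short" '
        $1 == "127.0.0.1" && !done {
            line = "127.0.0.1 " fqdn " " short
            # keep aliases such as localhost, drop duplicates of the two names
            for (i = 2; i <= NF; i++) if ($i != fqdn && $i != short) line = line " " $i
            print line; done = 1; next
        }
        { print }
        END { if (!done) print "127.0.0.1 " fqdn " " short " localhost" }
    ' "$hosts_file" > "$tmp" && cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Usage on a constructed copy of a default Photon-style hosts file
# (point it at /etc/hosts as root to apply it for real):
demo_hosts=$(mktemp)
printf '127.0.0.1 localhost photon\n::1 localhost\n' > "$demo_hosts"
fix_hosts_fqdn "$demo_hosts" photon ad.example.org
hosts_canonical_name "$demo_hosts"   # photon.ad.example.org
rm -f "$demo_hosts"
```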
/opt/likewise/bin/lwsm restart lwio
/opt/likewise/bin/domainjoin-cli join --enable hostname ad.domain.name.fi adusername
The first command restarts the service, which is needed after the previous changes. The second command does the actual domain join; if your reverse lookup is already fixed before running the command, you must remove the --enable hostname part. And yes, it's literally hostname, not the hostname of the server.
Presuming it reports success, the actual join is done. The next step is to enable login and restrict the permissions.
The following two commands enable Likewise as an identity source in both PAM and nsswitch
/opt/likewise/bin/domainjoin-cli configure --enable pam
/opt/likewise/bin/domainjoin-cli configure --enable nsswitch
/opt/likewise/bin/lwsm restart lwio
The restart is included here, as it's required after all config changes. Now that this is done, you can log in to the node with SSH using the full domain username, like firstname.lastname@example.org. This format is a bit weird to me, as I'm used to providing the connection parameters in username@host format. But this works just fine, like this
ssh -l email@example.com server.fqdn.name
Or it can be done with the NetBIOS format, which is maybe a bit more traditional
Remember that the backslash is an escape character, so the above always needs a double backslash.
So far all of this was somehow documented in my searches, but the next part I really couldn't find anywhere: permission management with groups. By default this doesn't limit anything; any domain account can log in. All domain groups are visible as local groups to the user, when typing id for example, but the key thing is that those can't be used to limit login access. I first tried configuring AllowGroups in SSH, but I realized that these group memberships are only evaluated and updated after login. After some searching I found a couple of useful registry commands that show quite a bunch of relevant config parameters.
/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers]'
/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]'
This is a multi_sz parameter, so you can include multiple groups; just add them all in the same command. And here, as it's inside single quotes, the backslash doesn't need to be doubled :)
Not sure how popular joining Photon to AD is, but at least I now have this documented for myself for the future.