Join VMware Photon to Active Directory

A quick and simple task, I assumed: get an individual VMware Photon instance to host one container for a specific purpose and plug it into Active Directory for proper management. After all, it's the baseline image for most VMware appliances, and all of those plug into AD very nicely.

As it turns out, not so simple. Not so simple before you know how it's done, that is; it took a bit of reverse engineering to figure out how to do it.

My first Googling resulted in a solution called Lightwave, which actually looks like a very nice solution but is eventually for a different purpose: more for replacing Active Directory than integrating into it. That is actually something I've been looking for for my home lab, AD functionality running on a Raspberry Pi. So definitely worth looking into, but that in detail is a story for another day.

By trying to do the integration with Lightwave, I accidentally also stumbled into the right approach, which is Likewise.

Firstly, installing it is simple; it's found in the default repo, so just

tdnf install likewise-open -y

Then we get to the problems, or fixing them. The first issue is that by default it tries to use SMBv1, which for security reasons is hopefully disabled for everyone. If you don't run into this issue, then you have other problems :)

SMBv2 can be enabled with

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1

Then you need to configure your hostname: not the FQDN, just the NetBIOS host name

/opt/likewise/bin/domainjoin-cli setname servername

Where servername is your actual hostname. There's also a requirement that your node must reverse lookup its name to an FQDN which equals the above servername.domain.name

Domain name here is the Active Directory domain name. You can do this in many ways; one is supposedly with DNS, but I had a bit of a problem with that since it seems to do the reverse lookup with the 127.0.0.1 IP for some reason. If we skip the DNS option, there are still two options. One is to edit /etc/hosts manually and put the FQDN before the short name on the 127.0.0.1 line; the other is to use the hostname module in the domain join, which does this automatically.

Domain join can be done with the following commands

/opt/likewise/bin/lwsm restart lwio

/opt/likewise/bin/domainjoin-cli join --enable hostname ad.domain.name.fi adusername

The first command restarts the service, which is needed after the previous changes. The second command does the actual domain join; if your reverse lookup is already fixed before running the command, you must remove the --enable hostname part. And yes, it's literally hostname, not the hostname of the server.

Presuming it reports success, the actual join is done. The next step is to enable login and restrict the permissions.

The following two commands enable Likewise as an identity source in both PAM and nsswitch

/opt/likewise/bin/domainjoin-cli configure --enable pam

/opt/likewise/bin/domainjoin-cli configure --enable nsswitch

/opt/likewise/bin/lwsm restart lwio

The restart is included here, as it's required after all config changes. Now that this is done, you can log in to the node with SSH using the full domain username like username@domain.name. This format is a bit weird to me, as I'm used to providing the connection parameters in username@host format. But this works just fine, like this

ssh -l username@domain.name server.fqdn.name

Or it can be done in NetBIOS format, which is maybe a bit more traditional

ssh domain\\username@server.fqdn.name

Remember that the backslash is an escape character, so the above always needs the double backslash.

So far all of this was somewhat documented in my searches, but the next part I really couldn't find anywhere, and that is permission management with groups. By default this doesn't limit anything; any domain account can log in. All domain groups are visible as local groups to the user when typing id, for example, but the key thing is that those can't be used for login access limitations. I first tried configuring AllowGroups in ssh, but I realized that these group memberships are only evaluated and updated after login. After some searching I found a couple of useful registry commands that show quite a bunch of relevant config parameters.

/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers]'

/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]'

The first command shows the identity sources that Likewise is using; for me at least the default was ActiveDirectory, VmDir, Local. The first and last are obvious; not sure what the middle one is, but I didn't touch this at all. The second command shows specifically the Active Directory identity source parameters, where I then found a parameter that allows limiting authentication to specific groups only. The following command restricts authentication so that it is only possible for members of a specific Active Directory group

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' RequireMembershipOf "DOMAIN\Group_Name"

This is a multi_sz parameter, so you can include multiple groups; just add them all in the same command. And here, as it's in quotes, the backslash doesn't need to be doubled :)
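The whole procedure above, pulled together as one script with a preflight check for the reverse-lookup requirement. This is an added example, not from the original post: the variables SHORTNAME, ADDOMAIN, ADUSER, HOSTS_FILE and DRY_RUN, the helper names, and passing each group to RequireMembershipOf as a separate argument are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): the documented Likewise join
# sequence as one script, with a preflight check for the reverse-lookup
# requirement. Assumed inputs: SHORTNAME (netbios host name), ADDOMAIN (AD DNS
# domain), ADUSER (account used for the join) and the AD groups for
# RequireMembershipOf as arguments. DRY_RUN=1 prints the commands instead.

LW=/opt/likewise/bin

# run CMD...: print the command when DRY_RUN is set, otherwise execute it.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# hosts_entry_ok FILE SHORTNAME DOMAIN
# True when the 127.0.0.1 line in FILE lists SHORTNAME.DOMAIN before SHORTNAME,
# i.e. the manual /etc/hosts fix from the post, so the node resolves its own
# name to the FQDN that Likewise expects after setname.
hosts_entry_ok() {
    awk -v fqdn="$2.$3" -v short="$2" '
        $1 == "127.0.0.1" && !seen {
            seen = 1
            ok = ($2 == fqdn)            # FQDN must come first
            has_short = 0
            for (i = 3; i <= NF; i++) if ($i == short) has_short = 1
            ok = ok && has_short         # short name must follow it
        }
        END { exit !(seen && ok) }' "$1"
}

# photon_ad_join GROUP...  (groups as DOMAIN\Group, single-quoted by the caller
# so the backslash is passed through unchanged; one argument per group assumed)
photon_ad_join() {
    # Only use the hostname module when the loopback entry is not already correct.
    if hosts_entry_ok "${HOSTS_FILE:-/etc/hosts}" "$SHORTNAME" "$ADDOMAIN"; then
        hosts_opt=""
    else
        hosts_opt="--enable hostname"
    fi
    # 1. SMBv2 instead of the SMBv1 default, 2. netbios name, 3. restart lwio
    run "$LW/lwregshell" set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
    run "$LW/domainjoin-cli" setname "$SHORTNAME"
    run "$LW/lwsm" restart lwio
    # 4. join, 5. enable pam and nsswitch, 6. restrict logins to the given groups
    run "$LW/domainjoin-cli" join $hosts_opt "$ADDOMAIN" "$ADUSER"
    run "$LW/domainjoin-cli" configure --enable pam
    run "$LW/domainjoin-cli" configure --enable nsswitch
    run "$LW/lwregshell" set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' RequireMembershipOf "$@"
    run "$LW/lwsm" restart lwio
}
```

Run it first with DRY_RUN=1 to see exactly which commands would be issued, in particular whether --enable hostname is going to be added.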

Not sure how popular an activity joining Photon to AD is, but at least I now have this documented for myself for the future.

Comments

  1. Great work! It really helps people who want to have VMware Photon join Windows Active Directory.

