Phanirithvij: imported from old wiki

2025-03-13T03:22:33Z

imported from old wiki

← Older revision		Revision as of 03:22, 13 March 2025
Line 140:		Line 140:
	</syntaxhighlight>		</syntaxhighlight>

	2) <code>nix-channel --update ; nixos-switch rebuild --upgrade</code>		3) <code>nix-channel --update ; nixos-switch rebuild --upgrade</code>

	'''Note'''		'''Note'''
Line 146:		Line 146:
	* These commands presume that you're using the classic NixOS channels and not the experimental flakes configuration.		* These commands presume that you're using the classic NixOS channels and not the experimental flakes configuration.
	* These commands will freshen all installed packages and configuration settings.		* These commands will freshen all installed packages and configuration settings.
	* If you experience an error from systemd/sssd, disregard it. You will fix that error, by joining the domain.		* If you experience an error from systemd/sssd, disregard it. You will fix that error by joining the domain.

	3) Join your domain		4) Join your domain

	<code>sudo adcli join --domain=your.domain.com --user=administrator</code>		<code>sudo adcli join --domain=your.domain.com --user=administrator</code>

	4) Restart SSSD		5) Restart SSSD

	<code>sudo systemctl restart sssd</code>		<code>sudo systemctl restart sssd</code>

	5) Confirm that you have successfully joined your AD		6) Confirm that you have successfully joined your AD

	<code>realm discover your_domain_lowercase</code>		<code>realm discover your_domain_lowercase</code>
Line 162:		Line 162:
	<code>id user_in_AD</code>		<code>id user_in_AD</code>

	6) Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can login. As of 2024, the adcli join and sssd restart seem to be sufficient.		7) Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can login. As of 2024, the adcli join and sssd restart seem to be sufficient.

	7) Optional: If the computer is a laptop, you may add a named user to the NixOS local networkmanager group so that person can add a WiFI network, switch between wireless/wired, and so on.		8) Optional: If the computer is a laptop, you may add a named user to the NixOS local networkmanager group so that person can add a WiFI network, switch between wireless/wired, and so on.

	<syntaxhighlight lang="nix">		<syntaxhighlight lang="nix">

Mic92: imported from old wiki

2024-10-30T22:16:54Z

imported from old wiki

New page

Active Directory (AD) is a directory service that enables you to provide login to computers and other useful purposes.

== Basic Setup ==

1) Create /etc/nixos/nixos-ad.nix and add the following. Replace your_domain_lowercase and YOUR_DOMAIN_UPPERCASE with something like ad.foobar.com and AD.FOOBAR.COM.

<syntaxhighlight lang="nix">
#
# nixos-ad.nix -- Active Directory Client
#
# Join AD: sudo adcli join --domain=your.domain.com --user=administrator
#
{
config,
pkgs,
...
}: {
#
# Packages
#
environment.systemPackages = with pkgs; [
adcli # Helper library and tools for Active Directory client operations
oddjob # Odd Job Daemon
samba4Full # Standard Windows interoperability suite of programs for Linux and Unix
sssd # System Security Services Daemon
krb5 # MIT Kerberos 5
realmd # DBus service for configuring Kerberos and other
];

#
# Security
#
security = {
krb5 = {
enable = true;
settings = {
libdefaults = {
udp_preference_limit = 0;
default_realm = "YOUR_DOMAIN_UPPERCASE";
};
};
};

pam = {
makeHomeDir.umask = "077";
services.login.makeHomeDir = true;
services.sshd.makeHomeDir = true;
};

sudo = {
extraConfig = ''
%domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
Defaults:%domain\ admins env_keep+=TERMINFO
'';

# Use extraConfig because of blank space in 'domain admins'.
# Alternatively, you can use the GID.
# extraRules = [
# { groups = [ "domain admins" ];
# commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
# ];
};
};

#
# Services
#
services = {
nscd = {
enable = true;
config = ''
server-user nscd
enable-cache hosts yes
positive-time-to-live hosts 0
negative-time-to-live hosts 0
shared hosts yes
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
enable-cache services no
'';
};

sssd = {
enable = true;
config = ''
[sssd]
domains = your_domain_lowercase
config_file_version = 2
services = nss, pam

[domain/your_domain_lowercase]
override_shell = /run/current-system/sw/bin/zsh
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = YOUR_DOMAIN_UPPERCASE
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u
ad_domain = your_domain_lowercase
use_fully_qualified_names = false
ldap_id_mapping = false
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
enumerate = true
'';
};
};

#
# Systemd
#
systemd = {
services.realmd = {
description = "Realm Discovery Service";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Type = "dbus";
BusName = "org.freedesktop.realmd";
ExecStart = "${pkgs.realmd}/libexec/realmd";
User = "root";
};
};
};
}
</syntaxhighlight>

2) Update your configuration.nix to import ./nixos-ad.nix

<syntaxhighlight lang="nix">
imports =
[
./hardware-configuration.nix
./nixos-ad.nix
]
</syntaxhighlight>

2) <code>nix-channel --update ; nixos-switch rebuild --upgrade</code>

'''Note'''

* These commands presume that you're using the classic NixOS channels and not the experimental flakes configuration.
* These commands will freshen all installed packages and configuration settings.
* If you experience an error from systemd/sssd, disregard it. You will fix that error, by joining the domain.

3) Join your domain

<code>sudo adcli join --domain=your.domain.com --user=administrator</code>

4) Restart SSSD

<code>sudo systemctl restart sssd</code>

5) Confirm that you have successfully joined your AD

<code>realm discover your_domain_lowercase</code>

<code>id user_in_AD</code>

6) Optional: You may reboot to ensure that your machine sustains its domain binding and that end users can login. As of 2024, the adcli join and sssd restart seem to be sufficient.

7) Optional: If the computer is a laptop, you may add a named user to the NixOS local networkmanager group so that person can add a WiFI network, switch between wireless/wired, and so on.

<syntaxhighlight lang="nix">
users.groups.networkmanager.members = ["user_in_AD"];
</syntaxhighlight>

Unfortunately, Linux local groups do not support nesting of AD groups. You have to grant this access to individual users.

[[Category:Cookbook]]

Active Directory Client - Revision history

Phanirithvij: imported from old wiki

Mic92: imported from old wiki