
Joining a SUSE Linux Enterprise Server to a Microsoft ...

SUSE Best Practices

Joining a SUSE Linux Enterprise Server to a Microsoft Azure Active Directory Domain Services Managed Domain

SUSE Linux Enterprise Server, Microsoft Azure

Kirk Evans, Principal Program Manager AzureCAT, Microsoft

This article will show how to use Azure Active Directory Domain Services, providing Active Directory capabilities as a managed service in Microsoft Azure to enable NTLM, Kerberos, and LDAP capabilities with SUSE Linux Enterprise Server.

Publication Date: January 23, 2018

Contents
1 Background
2 What is Microsoft Azure Active Directory Domain Services
3 Getting Started
4 Create a SUSE Linux Enterprise Server Virtual Machine
5 Connect Via SSH Using Your Certificate
6 Domain Join SUSE Linux Enterprise Server Using YaST
7 More Information
8 Legal Notice
9 GNU Free Documentation License

1 Background

If you want to use Microsoft Azure AD Domain Services with Linux to test your product, you will struggle to find easy-to-use documentation.


Documentation that shows how to walk through this end to end does not exist. And there is no general step-by-step explanation for Linux distributions available, as the package management systems for the different Linux distributions differ from each other. SUSE Linux Enterprise Server uses zypper, Red Hat Enterprise Linux uses yum, Ubuntu uses [...] addition, the packages to use and the instructions for configuring are often hard to [...], it turns out it is quite easy to domain join a machine using SUSE Linux [...]

2 What is Microsoft Azure Active Directory Domain Services

The Azure Active Directory service does not directly provide NTLM, Kerberos, or LDAP services, while by default it provides WS-Trust, OpenID Connect, and OAuth capabilities. Applications hosted in Azure virtual machines however may need these authentication capabilities but cannot afford the latency of communicating back to on-premises infrastructure, requiring domain controllers to be hosted in the cloud.

Many customers do not want to install their own domain controllers in cloud-hosted virtual machines, configure a VPN or ExpressRoute, and manage AD replication to on-premises domain [...]

[...] is exactly what Azure AD Domain Services (AAD-DS) provides: a managed domain controller with the same users and groups as you have in your Azure Active Directory (AAD). AAD-DS makes it easy to join a virtual machine to the managed domain so that your application can use NTLM, Kerberos, or LDAP with the same credentials that they use to log in to Office 365 or [...] Azure AD Domain Services will provision managed domain controllers into the Azure Virtual Network that you specify. In the image below, the managed domain controller virtual machines are greyed out. This indicates they are there but you cannot access them or do anything with the virtual machine directly. You simply use the familiar Windows Active Directory Domain Services (ADDS) as a [...]

FIGURE 1: MICROSOFT AZURE AAD-DS OVERVIEW

In this picture, you see that AAD-DS is enabled for the directory, creating two virtual machines in the subnet of choice.

The application server can now communicate with those domain controllers to domain join the machine and enable authentication and authorization. Azure AD Domain Services works with either cloud-only or hybrid directories. If there is an existing ADDS infrastructure on-premises, you synchronize users to the AAD directory using HTTPS to enable single sign on to cloud resources such as Microsoft Office [...]

3 Getting Started

The documentation how to set up Azure AD Domain Services is easy to follow. You do not need to install any software on your machine, and you do not need to perform any local configuration. Go to the Azure portal and follow the directions given in the article "Enable Azure Active Directory Domain Services using the Azure portal" at [...] result, you get an Azure classic virtual network with the settings you [...]

FIGURE 2: AZURE CLASSIC VIRTUAL NETWORK SETTINGS

Note: Classic VNets
At the time of writing this document, AAD-DS only supports classic [...]

[...] you need to add users or groups, do this using Azure Active [...]

FIGURE 3: MICROSOFT AZURE AD - ADDING USERS

You can also create a group that contains the users who are administrators of the AAD-DS domain, enabling them to configure tasks like service principals and constrained [...]

FIGURE 4: MICROSOFT AZURE AD - ADDING GROUPS

Now you can add a Windows virtual machine to the same virtual network and join the machine to the domain [...] in mind that the example at hand is using a cloud-only directory. There are no users sourced from on-premises. When you are prompted by Windows for the credentials to join a machine to the domain, use your cloud-only account [...] When you connect to your new Windows VM using Remote Desktop Connection (RDC), use the same credentials:

FIGURE 5: WINDOWS VIRTUAL MACHINE - ENTER CREDENTIALS

When you are logged in, open PowerShell and run the command:

    Add-WindowsFeature -Name RSAT-ADDS-Tools

This command will add the Active Directory tools such as Users and Computers. Now you can view the domain information from your new Windows virtual [...]

FIGURE 6: ACTIVE DIRECTORY USERS AND COMPUTERS

Your Windows environment is now prepared and ready.

The next chapter explains how to create your Linux virtual [...]

4 Create a SUSE Linux Enterprise Server Virtual Machine

In the Azure portal, create a new SUSE Linux Enterprise Server virtual machine in the same VNet that you used previously. Filter for SUSE and choose your starting ISO image. In this example, SLES 11 SP4 has been [...]

FIGURE 7: SELECT SUSE LINUX ENTERPRISE SERVER ISO IMAGE

Important: Classic Deployment
Make sure to create a VM using the Classic deployment model so that it can be placed in the same VNet!

FIGURE 8: SELECT DEPLOYMENT MODEL

The next step enables you to provide your SSH login information and SSH public key. For more information about SSH keys, refer to the article "How to create and use an SSH public and private key pair for Linux VMs in Azure" at [...]

FIGURE 9: ADD SSH PUBLIC KEY

Choose a size for the Virtual Machine.

For the example at hand, a DS1_v2 machine is big [...]

FIGURE 10: VIRTUAL MACHINE SIZE

Now create or choose a storage account and cloud service. For the example at hand, the same cloud service is used as with the Windows virtual machine [...]

[...]: Virtual Network
Use the same virtual network that is configured for Azure AD Domain [...]

FIGURE 11: STORAGE AND NETWORK SETTINGS

After a few minutes, the VM is created and you can connect to it via SSH. Use the Windows Subsystem for Linux, open a command prompt and type bash to open the bash shell. Then you can run your SSH [...]

5 Connect Via SSH Using Your Certificate

You have not yet joined the new SUSE Linux Enterprise Server VM to the domain. To do so, connect to it via SSH using the details you provided when creating the Azure [...] the VM is created, open the VM to see its public IP [...]

FIGURE 12: VIRTUAL MACHINE OVERVIEW

Note: Public IP
The public IP can change if you restart the Azure virtual [...] to the Endpoints property of the VM to see which port to use for [...]

FIGURE 13: VIRTUAL MACHINE ENDPOINTS

Now type the following SSH command to access your virtual machine:

    ssh -i azure_ssh -p 60252

FIGURE 14: CONNECT VIA SSH

6 Domain Join SUSE Linux Enterprise Server Using YaST

Now that you can access the SUSE Linux Enterprise Server virtual machine, you need to join to the domain controller that Azure AD Domain Services provides.

Since the VM is in the same VNet and you have updated the DNS settings for the VNet, the new Linux machine can locate the domain controller by name without any further configuration [...] with the command sudo /sbin/yast:

    myadmin@kirke-suse-aad:~> sudo /sbin/yast

This command opens the YaST Control Center. Choose Network Services and Windows Domain Membership.

FIGURE 15: YAST CONTROL CENTER - OVERVIEW

You are prompted to install the Samba client [...]

FIGURE 16: YAST CONTROL CENTER - SAMBA CLIENT PACKAGES

Next, provide your domain as all capital letters, and enable the settings in the top section to enable users to SSH to the machine using their credentials from Azure [...]

[...]: Custom Domain
For the example at hand, a cloud-only directory without a custom domain is used. If you added and verified a custom domain, and have users from that custom domain in your AAD directory from a synchronization, then you should use your custom [...]

FIGURE 17: YAST CONTROL CENTER - WINDOWS DOMAIN MEMBERSHIP

Note: Backspace
If Backspace does not work, use CTRL+H to [...]

[...] you are done, exit and reboot the [...]

[...]: YaST
If you want to understand in detail what the YaST tool did in the background, read the article "How to integrate SUSE Linux Enterprise 11 with Windows Active Directory" at [...]

This article provides a comprehensive look at the files it edited and the values it [...] can now log in using the same credentials that you use to log in to Azure AD:

    ssh -p 62075

Connect via SSH using your credentials from Azure AD. A home directory has been created for the [...]

FIGURE 18: CONNECT FROM AZURE AD VIA SSH

The user is not contained in the sudo-ers group. It is possible to enable users from a particular Active Directory group to use sudo. For more information regarding this topic, read the article "Adding AD domain groups to /etc/sudoers" at [...]

7 More Information

For more detailed information, have a look at the following articles:

Enable Azure Active Directory Domain Services Using the Azure Portal
How to create and use an SSH public and private key pair for Linux VMs in Azure
Join a Red Hat Enterprise Linux 7 virtual machine to a managed domain
How to integrate SUSE Linux Enterprise 11 with Windows Active Directory
Adding AD Domain Groups to /etc/sudoers

8 Legal Notice

Copyright 2006-2017 SUSE LLC and contributors.

All rights [...] is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version [...] or (at your option) version [...]; with the Invariant Section being this copyright notice and license. A copy of the license version [...] is included in the section entitled "GNU Free Documentation License".

SUSE, the SUSE logo and YaST are registered trademarks of SUSE LLC in the United States and other countries. For SUSE trademarks, see [...] Linux is a registered trademark of Linus Torvalds. All other names or trademarks mentioned in this document may be trademarks or registered trademarks of their respective [...]

[...] article is part of a series of documents called "SUSE Best Practices". The individual documents in the series were contributed voluntarily by SUSE's employees and by third [...] articles are intended only to be one example of how a particular action could be taken.
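
A way to confirm the domain join from section 6 before users rely on it, as an added example that is not part of the SUSE document: it checks that the domain controllers resolve in DNS, that the Samba/winbind machine account created by the join is valid, and that a directory user is visible to the system. The domain EXAMPLE.ONMICROSOFT.COM, the user name and the script name are constructed placeholders, and the `DOMAIN\user` form assumes winbind's default separator.

```shell
#!/bin/sh
# Added example: post-join checks for a Samba/winbind domain member.
# Domain and user below are constructed placeholders, not values from the article.

# DNS name whose SRV records list the domain controllers of an AD domain.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# The article enters the domain in capital letters; normalise the same way.
realm_upper() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Run one command quietly and print ok, fail, or skip (tool not installed).
run_check() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo skip
    elif "$@" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print one line per check; return 1 if any check failed.
verify_join() {
    realm=$(realm_upper "$1")
    user=$2
    failed=0
    report() {
        printf '%-28s %s\n' "$1" "$2"
        if [ "$2" = fail ]; then failed=1; fi
    }
    report "DC SRV records in DNS" "$(run_check host -t SRV "$(dc_srv_name "$realm")")"
    report "winbindd responding" "$(run_check wbinfo -p)"
    report "machine trust secret" "$(run_check wbinfo -t)"
    report "AD join (net ads)" "$(run_check net ads testjoin)"
    report "user visible through NSS" "$(run_check getent passwd "$user")"
    return "$failed"
}

# Usage (as root): sh verify-join.sh EXAMPLE.ONMICROSOFT.COM 'EXAMPLE\aduser'
if [ "$#" -ge 2 ]; then
    verify_join "$1" "$2"
fi
```

A "skip" line means the tool is not installed on that machine, so the check was not performed rather than passed.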

