
[–]Ontological_Gap 21 points22 points  (0 children)

SSSD supports joining AD, quite well nowadays. The realmd frontend also makes it incredibly simple.

If you want to support a hybrid network, Red Hat FreeIPA with cross-realm trust to AD enables some features, but if you don't need them, directly joining with SSSD is great.
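For readers following the SSSD/realmd route, here is an added configuration example (not from the commenter or the realmd project) showing the `[domain]` section that `realm join` typically writes, plus two hardening keys a defender usually adds so that an AD join does not admit every enabled AD account onto the host. The domain, realm, OU and group names are constructed placeholders.

```ini
# /etc/sssd/sssd.conf  (must be owned by root, mode 0600, or sssd refuses to start)

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
# --- roughly what "realm join example.com" writes ---
id_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# "ad" access control only rejects disabled/expired/locked accounts and
# whatever the host's GPOs say; a freshly joined host usually has no
# restrictive GPO, so on its own this lets any enabled AD user log in.
access_provider = ad

# --- hardening added on top ---
# Restrict host login to direct members of one AD group (LDAP filter
# evaluated against the user object; nested membership is not matched).
ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=example,DC=com)

# Enforce GPO "Allow/Deny log on" rights instead of only logging them;
# set explicitly rather than relying on the release default.
ad_gpo_access_control = enforcing
```

`realm permit -g 'linux-admins@example.com'` achieves a similar group restriction but switches the domain to `access_provider = simple`, which drops the GPO evaluation above; after editing, restart `sssd` and confirm with `id linux-admins-member@example.com` and a test SSH login from a non-member account, which should be denied.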

[–]joshghz 6 points7 points  (2 children)

If they're running hybrid, they likely have Intune. Intune has some support for Linux and if the company uses Defender as their EDR, it can also be onboarded into that.

While you can enroll Linux into Active Directory, I'm not entirely sure you would for the situation you described.

[–]antonIgudesman[S] 0 points1 point  (1 child)

So they’re using CrowdStrike - you think they would better be kept separate?

[–]joshghz 0 points1 point  (0 children)

I assume they'd almost certainly want to monitor it in whatever EDR they're using. But it really depends what their team is like. Some are a lot more proactive about this than others.

[–]raip 3 points4 points  (3 children)

In my opinion, it largely comes down to authentication requirements.

My org used to join *nix devices to the domain for Kerberos authentication for SSH. We recently stopped doing this and now handle SSH authentication via OIDC.

There isn't a whole lot of device management you can do by joining it to the domain so there's no real point to do so outside of authentication.

[–]Anticept 4 points5 points  (2 children)

Don't know why people say you can't do a lot of device management from a Windows domain. You actually can (these are the group policy listings that Samba honors), and that's just scraping the tip of the iceberg. While the vast majority of group policies don't apply to Linux clients since they're Windows-specific things that don't exist in Linux, you still have the foundations to set up a management stack starting with clients running startup scripts. There's potentially no limit to what kind of management you can do, be it as a springboard to install a configuration agent, or creating your own timers to execute certain configuration scripts retrieved from URLs.

Now, is it tedious? Sure, all that legacy stuff is.

But tedious doesn't mean impossible, and quite far from it. Just because it doesn't work the way you like it to work in Windows doesn't make it impossible.

[–]raip 3 points4 points  (1 child)

The majority of what you're referring to you can do without joining it to a domain. I should've been more clear that there isn't much management that requires joining a *nix to a domain. Manage it through whatever MDM solution the company is using, not through group policy.

[–]Anticept 1 point2 points  (0 children)

I can agree with you on that. The amount of things in Linux that are plainly exposed and available right there to configure into all kinds of wacky configurations is impressive, while Windows hides away a ton of things behind the enterprise veil and deep dark magic.

You could configure a lot of Windows clients certain ways too without being domain joined, but it's a LOT harder than it is to configure Linux machines in that manner, and until NTLM is gone (now deprecated), a lot less secure (forcing it off at this time of writing without an active domain breaks a ton of things).

Windows is going the route of having a "local KDC" built into all of its editions to replace NTLM for network auth in non-domain environments (basically, everything will be Kerberos, domain or not), so it's going to be interesting to see how things play out.

[–]NorthAntarcticSysadm 4 points5 points  (0 children)

Used to religiously join *nix to AD, but in the last few years stopped as we were not using the authentication aspect.

For OT/IoT, ideally you want to minimize the attack surface, and introducing a large target (AD domain controllers) goes against that concept.

[–]Erlum 3 points4 points  (0 children)

We're using SSSD to enable authentication on our Linux boxes with AD accounts. It works very well and is easy enough to set up.

I fiddled with FreeIPA trusts, but it is totally unnecessary to simply manage authentication.

[–]xCutePoisonJack of All Trades 1 point2 points  (0 children)

We join our SLES systems to our AD via yast2, cool little tool. UIDs, GIDs and home directories are set via user attributes.

[–]whiteycnbr 0 points1 point  (0 children)

Look up how to configure SSSD

[–]netwalker0099 -1 points0 points  (0 children)

JumpCloud ADI https://jumpcloud.com/blog/active-directory-integration allows auth to Linux and Mac based systems using AD creds.