SUSE Linux Enterprise Server, Microsoft Azure

Joining a SUSE Linux Enterprise Server to a Microsoft Azure Active Directory Domain Services Managed Domain

This article shows how to use Azure Active Directory Domain Services, which provides Active Directory capabilities as a managed service in Microsoft Azure, to enable NTLM, Kerberos, and LDAP authentication for SUSE Linux Enterprise Server.

Author: Kirk Evans, Principal Program Manager AzureCAT, Microsoft
Publication Date: December 13, 2017

1 Background

If you want to use Microsoft Azure AD Domain Services with Linux to test your product, you will struggle to find easy-to-use documentation. There is no documentation that walks through this end to end, and no general step-by-step explanation covering all Linux distributions, because their package management systems differ: SUSE Linux Enterprise Server uses zypper, Red Hat Enterprise Linux uses yum, and Ubuntu uses apt-get.

In addition, the packages to use and the configuration instructions are often hard to understand. However, it turns out that domain joining a machine running SUSE Linux Enterprise Server is quite easy.

2 What is Microsoft Azure Active Directory Domain Services

The Azure Active Directory service does not directly provide NTLM, Kerberos, or LDAP services; by default it provides WS-Trust, OpenID Connect, and OAuth capabilities. Applications hosted in Azure virtual machines, however, may need these authentication capabilities but cannot afford the latency of communicating back to on-premises infrastructure, so domain controllers must be hosted in the cloud. Many customers do not want to install their own domain controllers in cloud-hosted virtual machines, configure a VPN or ExpressRoute, and manage AD replication to on-premises domain controllers.

This is exactly what Azure AD Domain Services (AAD-DS) provides: a managed domain controller with the same users and groups as you have in your Azure Active Directory (AAD). AAD-DS makes it easy to join a virtual machine to the managed domain so that your application can use NTLM, Kerberos, or LDAP with the same credentials that users already use to log in to Office 365 or Azure services.

Azure AD Domain Services will provision managed domain controllers into the Azure Virtual Network that you specify. In the image below, the managed domain controller virtual machines are greyed out. This indicates they are there but you cannot access them or do anything with the virtual machine directly. You simply use the familiar Windows Active Directory Domain Services (ADDS) as a service.

Figure 1: Microsoft Azure AAD-DS Overview

In this picture, you see that AAD-DS is enabled for the directory, creating two virtual machines in the subnet of choice. The application server can now communicate with those domain controllers to domain join the machine and enable authentication and authorization. Azure AD Domain Services works with either cloud-only or hybrid directories. If there is an existing ADDS infrastructure on-premises, you synchronize users to the AAD directory using HTTPS to enable single sign on to cloud resources such as Microsoft Office 365.

3 Getting Started

The documentation on how to set up Azure AD Domain Services is easy to follow. You do not need to install any software on your machine, and you do not need to perform any local configuration. Go to the Azure portal and follow the directions given in the article Enable Azure Active Directory Domain Services using the Azure portal at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started .

As a result, you get an Azure classic virtual network with the settings you chose.

Figure 2: Azure Classic Virtual Network Settings

Note: Classic VNets

At the time of writing this document, AAD-DS only supports classic VNets.

If you need to add users or groups, do this using Azure Active Directory.

Figure 3: Microsoft Azure AD - Adding Users

You can also create a group that contains the users who are administrators of the AAD-DS domain, enabling them to perform configuration tasks such as managing service principals and constrained delegation.

Figure 4: Microsoft Azure AD - Adding Groups

Now you can add a Windows virtual machine to the same virtual network and join the machine to the domain blueskyabove.onmicrosoft.com.

Keep in mind that the example at hand is using a cloud-only directory. There are no users sourced from on-premises. When you are prompted by Windows for the credentials to join a machine to the domain, use your cloud-only account abc@blueskyabove.onmicrosoft.com. When you connect to your new Windows VM using Remote Desktop Connection (RDC), use the same credentials:

Figure 5: Windows Virtual Machine - Enter Credentials

When you are logged in, open PowerShell and run the command:

Add-WindowsFeature -Name RSAT-ADDS-Tools

This command adds the Active Directory tools such as Active Directory Users and Computers. Now you can view the domain information from your new Windows virtual machine.

Figure 6: Active Directory Users and Computers

Your Windows environment is now prepared and ready. The next chapter explains how to create your Linux virtual machine.

4 Create a SUSE Linux Enterprise Server Virtual Machine

In the Azure portal, create a new SUSE Linux Enterprise Server virtual machine in the same VNet that you used previously. Filter for SUSE and choose your starting ISO image. In this example, SLES 11 SP4 has been chosen.

Figure 7: Select SUSE Linux Enterprise Server ISO Image

Important: Classic Deployment

Make sure to create the VM using the Classic deployment model so that it can be placed in the same VNet!

Figure 8: Select Deployment Model

The next step enables you to provide your SSH login information and SSH public key. For more information about SSH keys, refer to the article How to create and use an SSH public and private key pair for Linux VMs in Azure at https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys.

Figure 9: Add SSH Public Key

Choose a size for the Virtual Machine. For the example at hand, a DS1_v2 machine is big enough.

Figure 10: Virtual Machine Size

Now create or choose a storage account and cloud service. For the example at hand, the same cloud service is used as for the Windows virtual machine above.

Important: Virtual Network

Use the same virtual network that is configured for Azure AD Domain Services.

Figure 11: Storage and Network Settings

After a few minutes, the VM is created and you can connect to it via SSH. To do so from Windows, use the Windows Subsystem for Linux: open a command prompt and type bash to open the Bash shell. Then you can run your SSH commands.

5 Connect Via SSH Using Your Certificate

You have not yet joined the new SUSE Linux Enterprise Server VM to the domain. To do so, connect to it via SSH using the details you provided when creating the Azure VM.

Once the VM is created, open its overview in the portal to see its public IP address.

Figure 12: Virtual Machine Overview

Note: Public IP

The public IP can change if you restart the Azure virtual machine.

Go to the Endpoints property of the VM to see which port to use for SSH.

Figure 13: Virtual Machine Endpoints

Now type the following SSH command to access your virtual machine:

ssh -i azure_ssh myadmin@52.173.77.97 -p 60252

Figure 14: Connect Via SSH

6 Domain Join SUSE Linux Enterprise Server Using YaST

Now that you can access the SUSE Linux Enterprise Server virtual machine, you need to join it to the domain that Azure AD Domain Services provides. Since the VM is in the same VNet and you have updated the DNS settings for the VNet, the new Linux machine can locate the domain controller by name without any further configuration. Start YaST with the command sudo /sbin/yast:

myadmin@kirke-suse-aad:~> sudo /sbin/yast

This command opens the YaST Control Center. Choose Network Services and Windows Domain Membership.

Figure 15: YaST Control Center - Overview

You are prompted to install the Samba client packages.

Figure 16: YaST Control Center - Samba Client Packages

Next, provide your domain in all capital letters, and enable the settings in the top section so that users can SSH to the machine using their credentials from Azure AD.

Note: Custom Domain

For the example at hand, a cloud-only directory without a custom domain is used. If you have added and verified a custom domain, and your AAD directory contains synchronized users from that custom domain, then you should use your custom domain instead.

Figure 17: YaST Control Center - Windows Domain Membership

Note: Backspace

If Backspace does not work, use CTRL+H to backspace.

When you are done, exit and reboot the VM.

Note: YaST

If you want to understand in detail what the YaST tool did in the background, read the article How to integrate SUSE Linux Enterprise 11 with Windows Active Directory at https://jreypo.wordpress.com/2012/02/01/how-to-integrate-suse-linux-enterprise-11-with-windows-active-directory/ . That article provides a comprehensive look at the files YaST edits and the values it uses.

You can now log in using the same credentials that you use to log in to Azure AD:

ssh blueskyabove\\kirkevans@52.173.77.97 -p 62075

Connect via SSH using your credentials from Azure AD. A home directory has been created for the user.

Figure 18: Connect from Azure AD Via SSH
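To confirm what the YaST module configured and that the join actually works before handing the VM to users, the following script is an added example, not part of this article or of YaST: it checks the Samba, NSS and PAM settings a winbind-based domain join depends on (the sample files it creates are constructed here for offline use; the realm, workgroup and file contents are assumptions modelled on the article's domain), and, when the Samba tools are installed, verifies the machine account with net ads testjoin and the winbind trust secret with wbinfo -t.

```shell
#!/bin/sh
# Added example, not part of the SUSE article: a post-join sanity check for the
# files YaST's "Windows Domain Membership" module edits on SLES. The sample
# files are CONSTRUCTED below so the script runs offline; on a joined host call
# the functions on /etc/samba/smb.conf, /etc/nsswitch.conf and
# /etc/pam.d/common-session instead.

# smb.conf must use Kerberos/ADS security and name the managed domain's realm
# (upper case, as entered in YaST) and NetBIOS workgroup.
check_smb_conf() {   # FILE REALM WORKGROUP
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$1" &&
    grep -Eiq "^[[:space:]]*realm[[:space:]]*=[[:space:]]*$2" "$1" &&
    grep -Eiq "^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*$3" "$1"
}

# passwd and group lookups must consult winbind, or domain users cannot log in.
check_nsswitch() {   # FILE
    grep -Eq '^passwd:.*winbind' "$1" && grep -Eq '^group:.*winbind' "$1"
}

# pam_mkhomedir is what creates the home directory on the user's first login.
check_mkhomedir() {  # FILE
    grep -Eq '^session.*pam_mkhomedir\.so' "$1"
}

# On a joined host, confirm the machine account and winbind trust secret.
# Returns 0 on success, 1 on failure, 2 when the Samba tools are not installed.
live_join_check() {
    command -v net >/dev/null 2>&1 && command -v wbinfo >/dev/null 2>&1 || return 2
    net ads testjoin >/dev/null 2>&1 && wbinfo -t >/dev/null 2>&1
}

# Constructed samples (assumed values) resembling what YaST writes for the
# article's domain; "winbind use default domain = no" matches DOMAIN\user logins.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
        workgroup = BLUESKYABOVE
        realm = BLUESKYABOVE.ONMICROSOFT.COM
        security = ADS
        winbind use default domain = no
        template homedir = /home/%D/%U
EOF
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$tmp/nsswitch.conf"
printf 'session required pam_mkhomedir.so umask=0077\n' > "$tmp/common-session"
printf 'passwd: compat\ngroup:  compat\n' > "$tmp/nsswitch-unjoined.conf"
```

On the real host, a non-zero result from live_join_check after the reboot is the first thing to investigate before trying the domain SSH login below.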

The user is not a member of the sudoers group. It is possible to allow the members of a particular Active Directory group to use sudo. For more information on this topic, read the article Adding AD domain groups to /etc/sudoers at https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/ .

8 Legal Notice

Copyright © 2006–2017 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

SUSE, the SUSE logo and YaST are registered trademarks of SUSE LLC in the United States and other countries. For SUSE trademarks, see http://www.suse.com/company/legal/. Linux is a registered trademark of Linus Torvalds. All other names or trademarks mentioned in this document may be trademarks or registered trademarks of their respective owners.

This article is part of a series of documents called "SUSE Best Practices". The individual documents in the series were contributed voluntarily by SUSE's employees and by third parties.

The articles are intended only to be one example of how a particular action could be taken. They should not be understood to be the only action and certainly not to be the action recommended by SUSE. Also, SUSE cannot verify either that the actions described in the articles do what they claim to do or that they don't have unintended consequences.

Therefore, we need to specifically state that neither SUSE LLC, its affiliates, the authors, nor the translators may be held liable for possible errors or the consequences thereof. Below we draw your attention to the license under which the articles are published.
