| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.component | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure Active Directory Domain Services: Join a CoreOS Linux VM to a managed domain | Microsoft Docs |
Join a CoreOS Linux virtual machine to Azure AD Domain Services |
active-directory-ds |
eringreenlee |
mtillman |
curtand |
5db65f30-bf69-4ea3-9ea5-add1db83fdb8 |
active-directory |
domain-services |
identity |
na |
na |
conceptual |
06/22/2018 |
ergreenl |
This article shows you how to join a CoreOS Linux virtual machine in Azure to an Azure AD Domain Services managed domain.
[!INCLUDE active-directory-ds-prerequisites.md]
To perform the tasks listed in this article, you need:
- A valid Azure subscription.
- An Azure AD directory - either synchronized with an on-premises directory or a cloud-only directory.
- Azure AD Domain Services must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the Getting Started guide.
- Ensure that you have configured the IP addresses of the managed domain as the DNS servers for the virtual network. For more information, see how to update DNS settings for the Azure virtual network
- Complete the steps required to synchronize passwords to your Azure AD Domain Services managed domain.
Provision a CoreOS virtual machine in Azure, using any of the following methods:
This article uses the CoreOS Linux (Stable) virtual machine image in Azure.
Important
- Deploy the virtual machine into the same virtual network in which you have enabled Azure AD Domain Services.
- Pick a different subnet than the one in which you have enabled Azure AD Domain Services.
The CoreOS virtual machine has been provisioned in Azure. The next task is to connect remotely to the virtual machine using the local administrator account created while provisioning the VM.
Follow the instructions in the article How to log on to a virtual machine running Linux.
In your SSH terminal, edit the /etc/hosts file and update your machine’s IP address and hostname.
sudo vi /etc/hosts
In the hosts file, enter the following value:
127.0.0.1 contoso-coreos.contoso100.com contoso-coreos
Here, 'contoso100.com' is the DNS domain name of your managed domain. 'contoso-coreos' is the hostname of the CoreOS virtual machine you are joining to the managed domain.
Next, update your SSSD configuration file in ('/etc/sssd/sssd.conf') to match the following sample:
[sssd]
config_file_version = 2
services = nss, pam
domains = CONTOSO100.COM
[domain/CONTOSO100.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_uri = ldap://contoso100.com
ldap_search_base = dc=contoso100,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
fallback_homedir = /home/%d/%u
krb5_server = contoso100.com
krb5_realm = CONTOSO100.COM
Replace 'CONTOSO100.COM' with the DNS domain name of your managed domain. Make sure you specify the domain name in capital case in the conf file.
Now that the required packages are installed on the Linux virtual machine, the next task is to join the virtual machine to the managed domain.
sudo adcli join -D CONTOSO100.COM -U [email protected] -K /etc/krb5.keytab -H contoso-coreos.contoso100.com -N coreos
Note
Troubleshooting: If adcli is unable to find your managed domain:
- Ensure that the domain is reachable from the virtual machine (try ping).
- Check that the virtual machine has indeed been deployed to the same virtual network in which the managed domain is available.
- Check to see if you have updated the DNS server settings for the virtual network to point to the domain controllers of the managed domain.
Start the SSSD service. In your SSH terminal, type the following command:
sudo systemctl start sssd.service
Verify whether the machine has been successfully joined to the managed domain. Connect to the domain joined CoreOS VM using a different SSH connection. Use a domain user account and then check to see if the user account is resolved correctly.
-
In your SSH terminal, type the following command to connect to the domain joined CoreOS virtual machine using SSH. Use a domain account that belongs to the managed domain (for example, '[email protected]' in this case.)
ssh -l [email protected] contoso-coreos.contoso100.com -
In your SSH terminal, type the following command to see if the home directory was initialized correctly.
pwd -
In your SSH terminal, type the following command to see if the group memberships are being resolved correctly.
id
Refer to the Troubleshooting domain join article.