---
title: Join SQL Server on Linux to Active Directory
titleSuffix: SQL Server
description: This article provides guidance on joining a SQL Server on Linux host machine to an Active Directory domain. You can use the built-in SSSD package or third-party Active Directory providers.
author: amitkh-msft
ms.author: amitkh
ms.reviewer: vanto, randolphwest
ms.date: 01/21/2025
ms.service: sql
ms.subservice: linux
ms.topic: how-to
---
[!INCLUDE SQL Server - Linux]
This article provides general guidance on how to join a [!INCLUDE ssnoversion-md] Linux host machine to an Active Directory domain. There are two methods: use a built-in SSSD package, or use third-party Active Directory providers. Examples of third-party domain join products are PowerBroker Identity Services (PBIS), One Identity, and Centrify.
This guide includes steps to check your Active Directory configuration. However, it isn't intended to provide instructions on how to join a machine to a domain when using third-party utilities.
> [!NOTE]
> For information on configuring Active Directory with newer versions of Ubuntu, RHEL, or SLES, see Tutorial: Use adutil to configure Active Directory authentication with SQL Server on Linux.
## Prerequisites

Before you configure Active Directory authentication, you need a Windows Active Directory domain controller set up on your network. Then join your [!INCLUDE ssnoversion-md] on Linux host to the Active Directory domain.

The sample steps described in this article are for guidance only and refer to Ubuntu 16.04, Red Hat Enterprise Linux (RHEL) 7.x, and SUSE Linux Enterprise Server (SLES) 12. Actual steps might differ slightly in your environment, depending on how your overall environment is configured and on the operating system version. For example, Ubuntu 18.04 uses netplan, while Red Hat Enterprise Linux (RHEL) 8.x uses nmcli, among other tools, to manage and configure the network. Engage your system and domain administrators for the specific tooling, configuration, customization, and any required troubleshooting in your environment.
## Reverse DNS (rDNS)

When you set up a computer running Windows Server as a domain controller, you might not have an rDNS zone by default. Ensure that an applicable rDNS zone exists for both the domain controller and the IP address of the Linux machine that will be running [!INCLUDE ssnoversion-md].

Also ensure that a PTR record that points to your domain controllers exists.

## Check the connection to a domain controller

Check that you can contact the domain controller by using both the short and the fully qualified names of the domain, and by using the hostname of the domain controller. The IP address of the domain controller should also resolve to the FQDN of the domain controller:

```bash
ping contoso
ping contoso.com
ping dc1.contoso.com
nslookup <IP address of dc1.contoso.com>
```
> [!TIP]
> This tutorial uses `contoso.com` and `CONTOSO.COM` as example domain and realm names, respectively. It also uses `DC1.CONTOSO.COM` as the example fully qualified domain name of the domain controller. You must replace these names with your own values.
To ensure proper domain name resolution, update the `/etc/resolv.conf` file if any discrepancies are found during the name checks. The update procedure varies across distributions, so consult the official documentation for your distribution. The following table provides links for some distributions and their key versions:
Distribution | Reference article |
---|---|
RHEL 8 | Manually configuring the /etc/resolv.conf |
RHEL 9 | Manually configuring the /etc/resolv.conf |
SLES 15 | NETCONFIG_DNS_STATIC_SEARCHLIST and NETCONFIG_DNS_STATIC_SERVERS settings |
Ubuntu | Name Resolution section |
The objective is to configure `/etc/resolv.conf` correctly for your distribution to facilitate domain name resolution. For instance, if your domain is `contoso.com` and the Active Directory IP address is `10.0.0.4`, `/etc/resolv.conf` should be set up accordingly to ensure successful name resolution from the host.

```bash
cat /etc/resolv.conf
```

[!INCLUDE ssresult-md]

```output
# Generated by NetworkManager
search contoso.com com
nameserver 10.0.0.4
```
### RHEL 7.x

1. Edit the `/etc/sysconfig/network-scripts/ifcfg-eth0` file, so that your Active Directory domain is in the domain search list. Or edit another interface config file as appropriate:

   ```bash
   sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
   ```

   The contents should look similar to the following example:

   ```ini
   PEERDNS=no
   DNS1=<Domain controller IP address>
   DOMAIN="contoso.com com"
   ```

1. After editing this file, restart the network service:

   ```bash
   sudo systemctl restart network
   ```

1. Now check that your `/etc/resolv.conf` file contains a line like the following example:

   ```bash
   sudo vi /etc/resolv.conf
   ```

   The contents should look similar to the following example:

   ```output
   search contoso.com com
   nameserver <Domain controller IP address>
   ```

1. If you still can't ping the domain controller, find the fully qualified domain name and IP address of the domain controller. An example domain name is `DC1.CONTOSO.COM`. Add the following entry to `/etc/hosts`:

   ```bash
   sudo vi /etc/hosts
   ```

   The contents should look similar to the following example:

   ```output
   <IP address> DC1.CONTOSO.COM CONTOSO.COM CONTOSO
   ```
### SLES 12

1. Edit the `/etc/sysconfig/network/config` file, so that your domain controller IP is used for DNS queries and your Active Directory domain is in the domain search list:

   ```bash
   sudo vi /etc/sysconfig/network/config
   ```

   The contents should look similar to the following example:

   ```ini
   NETCONFIG_DNS_STATIC_SEARCHLIST=""
   NETCONFIG_DNS_STATIC_SERVERS="<Domain controller IP address>"
   ```

1. After editing this file, restart the network service:

   ```bash
   sudo systemctl restart network
   ```

1. Next, check that your `/etc/resolv.conf` file contains a line like the following example:

   ```bash
   sudo vi /etc/resolv.conf
   ```

   The contents should look similar to the following example:

   ```output
   search contoso.com com
   nameserver <Domain controller IP address>
   ```
### Ubuntu 18.04

1. Edit the `/etc/netplan/******.yaml` file, so that your Active Directory domain is in the domain search list:

   ```bash
   sudo vi /etc/netplan/******.yaml
   ```

   The contents should look similar to the following example:

   ```yaml
   network:
     ethernets:
       eth0:
         dhcp4: true
         dhcp6: true
         nameservers:
           addresses: [<Domain controller IP address>]
           search: [<Active Directory domain name>]
     version: 2
   ```

   > [!NOTE]
   > The network interface, `eth0`, might differ for different machines. To find out which one you're using, run `ifconfig`. Then copy the interface that has an IP address and transmitted and received bytes.

1. After editing this file, restart the network service:

   ```bash
   sudo netplan apply
   ```

1. Next, check that your `/etc/resolv.conf` file contains a line like the following example:

   ```bash
   sudo vi /etc/resolv.conf
   ```

   The contents should look similar to the following example:

   ```output
   search contoso.com com
   nameserver <Domain controller IP address>
   ```
### Ubuntu 16.04

1. Edit the `/etc/network/interfaces` file, so that your Active Directory domain is in the domain search list:

   ```bash
   sudo vi /etc/network/interfaces
   ```

   The contents should look similar to the following example:

   ```output
   # The primary network interface
   auto eth0
   iface eth0 inet dhcp
   dns-nameservers <Domain controller IP address>
   dns-search <Active Directory domain name>
   ```

   > [!NOTE]
   > The network interface, `eth0`, might differ for different machines. To find out which one you're using, run `ifconfig`. Then copy the interface that has an IP address and transmitted and received bytes.

1. After editing this file, restart the network service:

   ```bash
   sudo ifdown eth0 && sudo ifup eth0
   ```

1. Next, check that your `/etc/resolv.conf` file contains a line like the following example:

   ```bash
   sudo vi /etc/resolv.conf
   ```

   The contents should look similar to the following example:

   ```output
   search contoso.com com
   nameserver <Domain controller IP address>
   ```
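Each of the distribution procedures above ends with the same manual check of `/etc/resolv.conf`. The following shell function is an added example that is not part of the original article: it parses a resolv.conf file and confirms that the Active Directory domain appears in the search list and that the domain controller is listed as a nameserver, so the check can be scripted instead of read by eye. `check_resolv_conf` is a hypothetical helper name, the domain `contoso.com` and server `10.0.0.4` are the article's example values, and the two sample files are constructed here. It goes slightly beyond the page in also accepting the older `domain` keyword as a search entry.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# check_resolv_conf FILE DOMAIN DC_IP
#   Returns 0 when FILE lists DOMAIN in its search list (a 'search' or the
#   older 'domain' keyword) and DC_IP as a nameserver; otherwise prints what
#   is missing and returns 1.
check_resolv_conf() {
    file="$1"; domain="$2"; dc_ip="$3"; rc=0

    # Collect every search domain and every nameserver address in the file.
    search_list=$(awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }' "$file")
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")

    # -F: literal match (dots in names are not wildcards); -x: whole line only;
    # -i: DNS names are case-insensitive, IP addresses are compared as written.
    printf '%s\n' "$search_list" | grep -qixF "$domain" \
        || { echo "$file: search list does not include $domain"; rc=1; }
    printf '%s\n' "$servers" | grep -qxF "$dc_ip" \
        || { echo "$file: no nameserver entry for $dc_ip"; rc=1; }

    return "$rc"
}

# Constructed sample files (not captured from a real host).
demo_dir=$(mktemp -d)
# A file matching the article's example.
printf '# Generated by NetworkManager\nsearch contoso.com com\nnameserver 10.0.0.4\n' > "$demo_dir/good.conf"
# A host using the systemd-resolved stub: the upstream server is hidden behind 127.0.0.53.
printf 'nameserver 127.0.0.53\nsearch contoso.com\n' > "$demo_dir/stub.conf"

for f in "$demo_dir"/good.conf "$demo_dir"/stub.conf; do
    if check_resolv_conf "$f" contoso.com 10.0.0.4; then
        echo "$f: OK"
    else
        echo "$f: needs attention"
    fi
done
rm -rf "$demo_dir"
```

The second, deliberately failing sample shows a host whose `/etc/resolv.conf` points only at the systemd-resolved stub `127.0.0.53`, which is the default on Ubuntu 18.04: the file then says nothing about which upstream server is actually queried, so on such hosts compare the per-link configuration reported by `systemd-resolve --status` against the domain controller address rather than relying on this file alone.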
## Join to the Active Directory domain

After the basic configuration and connectivity with the domain controller is verified, there are two options for joining a [!INCLUDE ssnoversion-md] Linux host machine to the Active Directory domain controller:

### Option 1: Use the SSSD package to join the Active Directory domain

This method joins the [!INCLUDE ssnoversion-md] host to an Active Directory domain using the realmd and sssd packages.

This is the preferred method of joining a Linux host to an Active Directory domain controller.
For the most current instructions, refer to the official documentation provided by the distribution partners.
Distribution | Reference article |
---|---|
RHEL 8 | Discovering and joining an AD Domain using SSSD |
RHEL 9 | Discovering and joining an AD Domain using SSSD |
SLES | Joining Active Directory using Windows domain membership |
Ubuntu | How to set up SSSD with Active Directory |
Use the following steps to join a [!INCLUDE ssnoversion-md] host to an Active Directory domain:

1. Use realmd to join your host machine to your Active Directory domain. You must first install both the realmd and Kerberos client packages on the [!INCLUDE ssnoversion-md] host machine using your Linux distribution's package manager:

   **RHEL:**

   ```bash
   sudo yum install realmd krb5-workstation
   ```

   **SLES 12:**

   These steps are specific to SLES 12.

   ```bash
   sudo zypper addrepo https://download.opensuse.org/repositories/network/SLE_12/network.repo
   sudo zypper refresh
   sudo zypper install realmd krb5-client sssd-ad
   ```

   **Ubuntu 18.04:**

   ```bash
   sudo apt-get install realmd krb5-user software-properties-common python3-software-properties packagekit
   sudo apt-get install adcli libpam-sss libnss-sss sssd sssd-tools
   ```

   **Ubuntu 16.04:**

   ```bash
   sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit
   ```

1. If the Kerberos client package installation prompts you for a realm name, enter your domain name in uppercase.

1. After you confirm that your DNS is configured properly, join the domain by running the following command. You must authenticate using an Active Directory account that has sufficient privileges in Active Directory to join a new machine to the domain. This command creates a new computer account in Active Directory, creates the `/etc/krb5.keytab` host keytab file, configures the domain in `/etc/sssd/sssd.conf`, and updates `/etc/krb5.conf`.

   Because of an issue with realmd, first set the machine hostname to the FQDN instead of to the machine name. Otherwise, realmd might not create all required SPNs for the machine, and DNS entries won't automatically update, even if your domain controller supports dynamic DNS updates.

   ```bash
   sudo hostname <old hostname>.contoso.com
   ```

   After you run this command, your `/etc/hostname` file should contain `<old hostname>.contoso.com`.

   ```bash
   sudo realm join contoso.com -U 'user@contoso.com' -v
   ```

   You should see the message, `Successfully enrolled machine in realm`. The following table lists some error messages that you could receive and suggestions on resolving them:

   | Error message | Recommendation |
   | --- | --- |
   | `Necessary packages are not installed` | Install those packages using your Linux distribution's package manager before running the `realm join` command again. |
   | `Insufficient permissions to join the domain` | Check with a domain administrator that you have sufficient permissions to join Linux machines to your domain. |
   | `KDC reply did not match expectations` | You might not have specified the correct realm name for the user. Realm names are case-sensitive, usually uppercase, and can be identified with the command `realm discover contoso.com`. |

   [!INCLUDE ssnoversion-md] uses SSSD and NSS for mapping user accounts and groups to security identifiers (SIDs). SSSD must be configured and running for [!INCLUDE ssnoversion-md] to create Active Directory logins successfully. realmd usually does this automatically as part of joining the domain, but in some cases, you must do this separately.

   For more information, see how to configure SSSD manually, and configure NSS to work with SSSD.

1. Verify that you can now gather information about a user from the domain, and that you can acquire a Kerberos ticket as that user. The following example uses the `id`, `kinit`, and `klist` commands for this.

   ```bash
   id user@contoso.com
   uid=1348601103(user@contoso.com) gid=1348600513(domain users@contoso.com) groups=1348600513(domain users@contoso.com)

   kinit user@CONTOSO.COM
   Password for user@CONTOSO.COM:

   klist
   Ticket cache: FILE:/tmp/krb5cc_1000
   Default principal: user@CONTOSO.COM
   ```

   If `id user@contoso.com` returns `No such user`, make sure that the SSSD service started successfully by running the command `sudo systemctl status sssd`. If the service is running and you still see the error, try enabling verbose logging for SSSD. For more information, see the Red Hat documentation for Troubleshooting SSSD.

   If `kinit user@CONTOSO.COM` returns `KDC reply didn't match expectations while getting initial credentials`, make sure you specified the realm in uppercase.
For more information, see the Red Hat documentation for Discovering and Joining Identity Domains.
### Option 2: Use third-party OpenLDAP provider utilities

You can use third-party utilities such as PBIS, VAS, or Centrify. This article doesn't cover steps for each individual utility. You must first use one of these utilities to join the Linux host for [!INCLUDE ssnoversion-md] to the domain before continuing forward.

[!INCLUDE ssnoversion-md] doesn't use a third-party integrator's code or library for any Active Directory-related queries. [!INCLUDE ssnoversion-md] always queries Active Directory using OpenLDAP library calls directly in this setup. The third-party integrators are only used to join the Linux host to the Active Directory domain, and [!INCLUDE ssnoversion-md] doesn't have any direct communication with these utilities.

> [!IMPORTANT]
> See the recommendations for using the mssql-conf `network.disablesssd` configuration option in the Additional configuration options section of the article Use Active Directory authentication with SQL Server on Linux.
Verify that your `/etc/krb5.conf` is configured correctly. For most third-party Active Directory providers, this configuration is done automatically. However, check `/etc/krb5.conf` for the following values to prevent any future issues:

```bash
sudo vi /etc/krb5.conf
```

The contents should look similar to the following example:

```ini
[libdefaults]
default_realm = CONTOSO.COM

[realms]
CONTOSO.COM = {
}

[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
```
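The three settings in the example above can be checked programmatically rather than by inspection. The following shell function is an added example that is not part of the original article: it reads a `krb5.conf` file and verifies that `default_realm` matches the expected realm exactly (realm names are case-sensitive, so a lowercase value fails the check), that a `[realms]` stanza for the realm exists, and that `[domain_realm]` maps both `contoso.com` and `.contoso.com` to `CONTOSO.COM`. `check_krb5_conf` is a hypothetical helper name, `CONTOSO.COM` is the article's example realm, and both sample files are constructed here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# check_krb5_conf FILE REALM
#   Returns 0 when FILE sets default_realm to REALM (exact, case-sensitive),
#   has a [realms] stanza for REALM, and maps both "<domain>" and ".<domain>"
#   to REALM in [domain_realm]; otherwise prints what is wrong and returns 1.
check_krb5_conf() {
    file="$1"; realm="$2"; rc=0
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    # One awk pass that tracks the current [section], skips blank and comment
    # lines, splits "key = value" pairs, and prints four result lines:
    # default_realm value, then 1/0 for stanza found, "<domain>" mapped, ".<domain>" mapped.
    result=$(awk -v realm="$realm" -v domain="$domain" '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        /^[ \t]*$/ { next }
        /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/[ \t]*#.*$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sect == "[libdefaults]" && key == "default_realm") dr = val
            if (sect == "[realms]" && key == realm && substr(val, 1, 1) == "{") stanza = 1
            if (sect == "[domain_realm]" && key == domain && val == realm) plain = 1
            if (sect == "[domain_realm]" && key == ("." domain) && val == realm) dotted = 1
        }
        END { print dr; print stanza + 0; print plain + 0; print dotted + 0 }' "$file")

    dr=$(printf '%s\n' "$result" | sed -n 1p)
    stanza=$(printf '%s\n' "$result" | sed -n 2p)
    plain=$(printf '%s\n' "$result" | sed -n 3p)
    dotted=$(printf '%s\n' "$result" | sed -n 4p)

    [ "$dr" = "$realm" ] || { echo "$file: default_realm is '${dr:-unset}', expected '$realm'"; rc=1; }
    [ "$stanza" = 1 ]    || { echo "$file: no [realms] stanza for $realm"; rc=1; }
    [ "$plain" = 1 ]     || { echo "$file: [domain_realm] lacks '$domain = $realm'"; rc=1; }
    [ "$dotted" = 1 ]    || { echo "$file: [domain_realm] lacks '.$domain = $realm'"; rc=1; }
    return "$rc"
}

# Constructed sample files (not captured from a real host).
demo_dir=$(mktemp -d)
# Matches the article's example.
cat > "$demo_dir/good.conf" <<'EOF'
[libdefaults]
default_realm = CONTOSO.COM

[realms]
CONTOSO.COM = {
}

[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
EOF
# Realm written in lowercase and the dotted mapping missing.
cat > "$demo_dir/lowercase.conf" <<'EOF'
[libdefaults]
default_realm = contoso.com

[domain_realm]
contoso.com = contoso.com
EOF

for f in "$demo_dir"/good.conf "$demo_dir"/lowercase.conf; do
    if check_krb5_conf "$f" CONTOSO.COM; then echo "$f: OK"; else echo "$f: needs attention"; fi
done
rm -rf "$demo_dir"
```

The function inspects only the settings the article names: it doesn't validate `kdc` or `admin_server` entries inside the realm stanza, and it doesn't follow `includedir` directives, so point it at the file the Kerberos library actually reads.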
The following command should return the fully qualified domain name (FQDN) of the host that runs [!INCLUDE ssnoversion-md]. An example is `SqlHost.contoso.com`.

```bash
host <IP address of SQL Server host>
```

The output of this command should be similar to `<reversed IP address>.in-addr.arpa domain name pointer SqlHost.contoso.com`. If this command doesn't return your host's FQDN, or if the FQDN is incorrect, add a reverse DNS entry for your [!INCLUDE ssnoversion-md] on Linux host to your DNS server.
## Next steps

In this article, you covered how to configure a [!INCLUDE ssnoversion-md] on Linux host machine for Active Directory authentication. To finish configuring [!INCLUDE ssnoversion-md] on Linux to support Active Directory accounts, follow these instructions.

> [!div class="nextstepaction"]
> Tutorial: Use Active Directory authentication with SQL Server on Linux