The System Security Services Daemon (SSSD) authentication method is one of the supported solutions for performing an offline domain join on an instant-cloned Linux virtual machine (VM).
SSSD authentication supports offline domain join with Active Directory for instant-cloned desktops running the following Linux distributions:
- Ubuntu 18.04/20.04/22.04
- RHEL 7.x/8.x
- CentOS 7.x
- SLED/SLES 12.x/15.x
Use the guidelines described in the following procedure to offline domain-join an instant-cloned Linux VM to Active Directory (AD) using SSSD authentication.
Procedure
- On the golden-image Linux VM, perform the domain join using SSSD authentication. Ensure that the golden image uses the same domain as the instant clones.
For detailed domain-join instructions, refer to the documentation for your Linux distribution.
- (Ubuntu) Go to https://ubuntu.com/server/docs and search for information related to "SSSD and Active Directory".
- (RHEL/CentOS) Go to the Red Hat customer portal and find the documentation page for your release version. For example, you can find English documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/.
- For RHEL/CentOS 7.x, find the "Windows Integration Guide" and search for information related to "discovering and joining identity domains".
- For RHEL 8.x, find the "Integrating RHEL Systems Directly With Windows Active Directory" document and search for information related to "connecting RHEL systems directly to AD using SSSD".
- (SLED/SLES) Go to the SUSE documentation portal at https://documentation.suse.com/ and search for information related to "integrating Linux and Active Directory environments".
- Install the krb5 support libraries.
- (Ubuntu) Run the following command.
sudo apt-get install krb5-user
- (RHEL/CentOS) Run the following command.
sudo yum install krb5-workstation
- (SLED/SLES) Run the following command sequence.
sudo zypper install krb5-client
sudo ln -s /usr/lib/mit/bin/ktutil /usr/bin/ktutil
sudo ln -s /usr/lib/mit/bin/kvno /usr/bin/kvno
- Install Horizon Agent for Linux, as described in Install Horizon Agent on a Linux Virtual Machine.
- Modify the /etc/sssd/sssd.conf configuration file, using the following example as a reference.
Replace the placeholder values in the example with information specific to your configuration:
- Replace mydomain.com with the DNS name of your AD domain.
- Replace MYDOMAIN.COM with the DNS name of your AD domain, in all capital letters.
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# Use the short name for the user
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
# Add this line for SSO
ad_gpo_map_interactive = +gdm-vmwcred
# Deactivate GPO access control in the cloned VM
ad_gpo_access_control = permissive
Keep comments on their own lines: sssd.conf comments must start with # or ; at the beginning of a line, and a trailing comment after a value is read as part of that value.
- (RHEL/CentOS 7.x, Ubuntu 18.04, SLED/SLES 12.x) Modify the /etc/krb5.conf configuration file so that Kerberos uses only the rc4-hmac encryption type.
This is the only encryption type supported when you use SSSD authentication to domain-join an instant-cloned RHEL/CentOS 7.x, Ubuntu 18.04, or SLED/SLES 12.x VM. Because rc4-hmac is a legacy cipher, apply this change only to golden images of the releases listed here and leave the default encryption types in place on the other supported distributions.
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = MYDOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
# Add the following two lines to use rc4-hmac encryption only
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
As with sssd.conf, keep comments on their own lines; krb5.conf does not strip a trailing comment from a value, so a comment placed after an enctype list would be parsed as an unrecognized encryption type.
- To ensure that Horizon Agent recognizes the Linux VM as domain-joined using SSSD authentication, add the following line to the /etc/vmware/viewagent-custom.conf configuration file.
- Restart the golden-image Linux VM and take a snapshot of the VM in vCenter Server.
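The sssd.conf settings in the procedure above are easy to get subtly wrong, so here is an added check script (not VMware's or SSSD's own code) that parses an sssd.conf and reports deviations from the sssd.conf example above: a krb5_realm that is not the upper-cased ad_domain, a missing +gdm-vmwcred mapping, a non-permissive ad_gpo_access_control, missing offline-credential settings, and trailing "#" comments, which SSSD reads as part of the value. The domain corp.example.com and the embedded config text are constructed sample input, with three deliberate problems for the script to find.

```python
import configparser
# Settings from the sssd.conf example above that the clone needs in order
# to authenticate offline with GPO access control deactivated.
REQUIRED = {"id_provider": "ad", "access_provider": "ad",
            "ad_gpo_access_control": "permissive",
            "krb5_store_password_if_offline": "True", "cache_credentials": "True"}

# Constructed sample with three deliberate problems: krb5_realm does not match
# ad_domain, an inline comment that SSSD would read as part of the value, and
# krb5_store_password_if_offline is missing.
SAMPLE_CONF = """\
[sssd]
domains = corp.example.com
services = nss, pam
[domain/corp.example.com]
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.ORG
id_provider = ad
access_provider = ad
fallback_homedir = /home/%u@%d
ad_gpo_map_interactive = +gdm-vmwcred
ad_gpo_access_control = permissive #Deactivate GPO access control
cache_credentials = True
"""


def check_sssd_conf(text: str) -> list[str]:
    # Returns a list of findings; an empty list means the config passes.
    cp = configparser.ConfigParser(interpolation=None)  # keep %u@%d literal
    cp.read_string(text)
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    findings = []
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        dom = sect.split("/", 1)[1]
        if dom not in listed:
            findings.append(f"[{sect}] is not listed in [sssd] domains")
        opts = dict(cp.items(sect))
        # SSSD comments must start a line; a trailing '#...' becomes part of the value
        for key, val in opts.items():
            if "#" in val or ";" in val:
                findings.append(f"[{sect}] {key}: inline comment in value {val!r}")
        ad_domain = opts.get("ad_domain", dom)
        if opts.get("krb5_realm") != ad_domain.upper():
            findings.append(f"[{sect}] krb5_realm should be {ad_domain.upper()}")
        if "+gdm-vmwcred" not in opts.get("ad_gpo_map_interactive", "").split():
            findings.append(f"[{sect}] ad_gpo_map_interactive lacks +gdm-vmwcred (needed for SSO)")
        for key, want in REQUIRED.items():
            got = opts.get(key, "").split("#")[0].strip()
            if got.lower() != want.lower():
                findings.append(f"[{sect}] {key} = {got or '<unset>'} (expected {want})")
    return findings
```

Run it against the real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` on the golden image before taking the snapshot; the sample above yields three findings.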