The System Security Services Daemon (SSSD) authentication method is one of the supported solutions for performing an offline domain join on an instant-cloned Linux virtual machine (VM).

System Security Services Daemon (SSSD) Authentication supports offline domain join with Active Directory for instant-cloned desktops running the following Linux distributions.

  • Ubuntu 18.04/20.04/22.04
  • Debian 10.x/11.x
  • RHEL 7.9/8.x/9.x
  • CentOS 7.9
  • SLED/SLES 15.x

Use the guidelines described in the following procedure to offline domain-join an instant-cloned Linux VM to Active Directory (AD) using SSSD authentication.

Procedure

  1. On the golden-image Linux VM, perform the domain join using SSSD authentication. Ensure that the golden image uses the same domain as the instant clones.
    For detailed domain-join instructions, refer to the documentation for your Linux distribution.
    • (Ubuntu) Go to https://ubuntu.com/server/docs and search for information related to "SSSD and Active Directory".
    • (RHEL/CentOS) Go to the Red Hat customer portal and find the documentation page for your release version. For example, you can find English documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/.
      • For RHEL 9.x, find the "Configuring authentication and authorization in RHEL" document and search for information related to SSSD.
      • For RHEL 8.x, find the "Integrating RHEL Systems Directly With Windows Active Directory" document and search for information related to "connecting RHEL systems directly to AD using SSSD".
      • For RHEL/CentOS 7.x, find the "Windows Integration Guide" and search for information related to "discovering and joining identity domains".
    • (SLED/SLES) Go to the SUSE documentation portal at https://documentation.suse.com/ and search for information related to "integrating Linux and Active Directory environments".
  2. Install the krb5 support libraries.
    • (Ubuntu) Run the following command.
      sudo apt-get install krb5-user
    • (RHEL/CentOS) Run the following command.
      sudo yum install krb5-workstation
    • (SLED/SLES) Run the following command sequence.
      sudo zypper install krb5-client
      sudo ln -s /usr/lib/mit/bin/ktutil /usr/bin/ktutil
      sudo ln -s /usr/lib/mit/bin/kvno /usr/bin/kvno
  3. Install Horizon Agent for Linux, as described in Install Horizon Agent on a Linux Virtual Machine.
  4. Modify the /etc/sssd/sssd.conf configuration file, using the following example as reference.
    Replace the placeholder values in the example with information specific to your configuration:
    • Replace mydomain.com with the DNS name of your AD domain.
    • Replace MYDOMAIN.COM with the DNS name of your AD domain, in all capital letters
    [sssd]
    domains = mydomain.com
    config_file_version = 2
    services = nss, pam
     
    [domain/mydomain.com]
    ad_domain = mydomain.com
    krb5_realm = MYDOMAIN.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False        #Use short name for user
    fallback_homedir = /home/%u@%d
    access_provider = ad
    ad_gpo_map_interactive = +gdm-vmwcred    #Add this line for SSO
    ad_gpo_access_control = permissive       #Deactivate GPO access control in the cloned VM
  5. (RHEL/CentOS 7.x, Ubuntu 18.04) Modify the /etc/krb5.conf configuration file to use only the rc4-hmac encryption algorithm.
    This is the only encryption algorithm supported when using SSSD authentication to domain-join an instant-cloned RHEL/CentOS 7.x, or Ubuntu 18.04 VM.
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
     default_realm = MYDOMAIN.COM
     default_ccache_name = KEYRING:persistent:%{uid}
     default_tkt_enctypes = rc4-hmac       #Add this line to use rc4-hmac encryption only
     default_tgs_enctypes = rc4-hmac       #Add this line to use rc4-hmac encryption only
  6. To ensure that Horizon Agent recognizes the Linux VM as domain-joined using SSSD authentication, add the following line to the /etc/vmware/viewagent-custom.conf configuration file.
    OfflineJoinDomain=sssd
  7. Restart the golden-image Linux VM and take a snapshot of the VM in vCenter Server.