Configure SSSD Offline Domain Join for Linux Desktops

The System Security Services Daemon (SSSD) authentication method is one of the supported solutions for performing an offline domain join on an instant-cloned Linux virtual machine (VM).

System Security Services Daemon (SSSD) Authentication supports offline domain join with Active Directory for instant-cloned desktops running the following Linux distributions.

Ubuntu 20.04/22.04
Debian 10.x/11.x/12.x
RHEL 7.9/8.x/9.x
Rocky Linux 8.x/9.x
CentOS 7.9
SLED/SLES 15.x

Use the guidelines described in the following procedure to offline domain-join an instant-cloned Linux VM to Active Directory (AD) using SSSD authentication.

Procedure

On the golden-image Linux VM, perform the domain join using SSSD authentication. Ensure that the golden image uses the same domain as the instant clones.
For detailed domain-join instructions, refer to the documentation for your Linux distribution.
- (Ubuntu) Go to https://ubuntu.com/server/docs and search for information related to SSSD and Active Directory.
- (RHEL/CentOS) Go to the Red Hat customer portal and find the documentation page for your release version. For example, you can find English documentation at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/.
  - For RHEL 9.x, find the "Configuring authentication and authorization in RHEL" document and search for information related to SSSD.
  - For RHEL 8.x, find the "Integrating RHEL Systems Directly With Windows Active Directory" document and search for information related to connecting RHEL systems directly to AD using SSSD.
  - For RHEL/CentOS 7.x, find the "Windows Integration Guide" and search for information related to discovering and joining identity domains.
- (Rocky Linux) Go to the Rocky Linux documentation portal at https://docs.rockylinux.org/ and search for information related to SSSD.
- (SLED/SLES) Go to the SUSE documentation portal at https://documentation.suse.com/ and search for information related to integrating Linux and Active Directory environments.

Install the krb5 support libraries.

(Ubuntu) Run the following command.
```
sudo apt-get install krb5-user
```
(RHEL/CentOS and Rocky Linux) Run the following command.
```
sudo yum install krb5-workstation
```

(SLED/SLES) Run the following command sequence.

sudo zypper install krb5-client
sudo ln -s /usr/lib/mit/bin/ktutil /usr/bin/ktutil
sudo ln -s /usr/lib/mit/bin/kvno /usr/bin/kvno

Install Horizon Agent for Linux, as described in Install Horizon Agent on a Linux Machine.

Modify the /etc/sssd/sssd.conf configuration file, using the following example as reference.

Replace the placeholder values in the example with information specific to your configuration:

Replace mydomain.com with the DNS name of your AD domain.
Replace MYDOMAIN.COM with the DNS name of your AD domain, in all capital letters

[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
 
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False        #Use short name for user
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_map_interactive = +gdm-vmwcred    #Add this line for SSO
ad_gpo_access_control = permissive       #Deactivate GPO access control in the cloned VM

(RHEL/CentOS 7.x) Modify the /etc/krb5.conf configuration file to use only the rc4-hmac encryption algorithm.

This is the only encryption algorithm supported when using SSSD authentication to domain-join an instant-cloned RHEL/CentOS 7.x VM.

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = MYDOMAIN.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = rc4-hmac       #Add this line to use rc4-hmac encryption only
 default_tgs_enctypes = rc4-hmac       #Add this line to use rc4-hmac encryption only

To ensure that Horizon Agent recognizes the Linux VM as domain-joined using SSSD authentication, add the following line to the /etc/vmware/viewagent-custom.conf configuration file.
```
OfflineJoinDomain=sssd
```
Restart the golden-image Linux VM and take a snapshot of the VM in vCenter Server.