I’m curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family’s computers is easier that way?
I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There’s also the problem of HA and being locked out of your computer if the DC is down.
Tell me why you’re running it and the setup you’ve got that makes having a DC worth it.
I run AD at home but it’s because my job is in enterprise software engineering and so running these programs in my home lab requires AD integrations. It’s also needed for HyperV and SCVMM along with things like SQL server auth and GMSA which I can’t get out of testing. Ironically most of my work is in open source/Linux but Windows servers are all over the Enterprise so I don’t have a choice but to run this stuff. No real users on it and just used for the lab.
There are some SRV and other records which you add for the AD-provided services (kerberos, gc, ldap). This allows your Windows clients to find the domain controllers for authentication via your non-Windows DNS. I think I might have followed a Microsoft or other article when doing the initial setup, but once getting those items in place I haven’t had many issues.
Uh, why use a Microsoft product that doesn’t even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don’t have a pool of 30 windows laptops that’d need to share a set of login credentials and software rollout, at home.
I’d rather use the time I’d put into such a project that is just work and little to no benefit for something else. For example doing backups, deleting the Windows on those laptops and replacing it with free software.
The main idea was to see if AD will bring any benefit to my homelab. The idea of running a domain controller is very intriguing, and it doesn’t need to be AD specifically, although I’d like to get some hands-on time with it too.
Not AD proper but a compatible controller Linux distro to tie the desktops to, plus common credentials across several services. Just simplifies things not having a dozen different logins.
I used to use a Linux based AD replacement years ago but they turned that one into a pay model and if I’m going to pay for something I’ll just use Windows Server
It has all the needed parts plus an interesting plug in app ecosystem if you like that kind of thing. My only real gripe with it though is a pile of high sev vulnerabilities that are picked up by a scanning engine that haven’t been fixed for a long time, so I’m reluctant to recommend it unless you have a solid security/segmentation setup in place.
No, currently univention corporate server (UCS), but I’ll give those a look since I’ve been eyeing a replacement for a while due to some long standing vulns that I’m keen to be rid of.
Thanks, I’m considering FreeIPA too. If I run AD, I might run it in a trust relationship with one of these. I will need to look at the extra features that AD gives me over them, of course, otherwise there wouldn’t be a point in running AD at all.
Learning experience, I’m also heavy Linux, but I try to maintain an OS agnostic philosophy with my skill set so I can have options in my career
I was bored
Again, since I like to maintain an OS agnostic philosophy I have a healthy mix of Windows, Linux and MacOS devices, and you CAN in fact join Linux (w/ SSSD) and MacOS to a domain too
In addition to what others have said with roaming profiles and such:
DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE
I…er…someone… Found themselves in this situation and have been in a mess since lmao
Indeed, I was hoping to have a good SSO setup alongside learning about AD and domain services (also looking at the *nix alternatives like FreeIPA).
Could you tell me more about the DNS setup with regards to AD? I’d like to use my own DNS and not have AD be the DNS provider in my network. The idea to put it in its own subdomain is excellent and I’ll remember that.
People here also mention an increase in attack surface and security vulnerabilities in running AD/domain services on a network. Now, I agree that letting free access to the domain server and having rogue accounts causing havoc on the network is not great, but I’d like to know more. What has been your experience?
Not the original commenter, but I don’t understand how that would increase your attack surface. The AD is inside the network, and if an attacker is already in, you’re compromised. There might be way to refrence a DNS server with a windows server, but then you’re running windows and your life is now much more difficult.
As per DNS, the AD server must be the DNS provider. If you run something like nethserver in a VM you can use it as a dns & ad server.
The domain thing, the AD server is the authorative for its domain. So if you set it as top level, like myhouse.c()m, it will refrence all dns requests to itself, and any subdomains will not appear. The reccomended way to get around this is to use a subdomain, like ad.myhouse.c()m. Or, maybe you have a domain name to burn and you just want to use that?
Thanks, you’re the second person who spoke about Neth server to me. I’ll take a look.
I was planning to create a subdomain for it anyway, it’s just that I was misled that if I didn’t give it control over DNS for the network it wouldn’t function properly. That doesn’t seem to be case (which I’m glad for).
I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.
It may have been me both times. I went down a deep AD hole recently, and was trying to find an easy open source way to do it.
My advice is to put whatever you choose into a vm and snapshot it right before you configure the AD. I think I reconfigured mine 8 times before I was happy.
Can you explain your disclaimer? You suggest not setting your AD domain to a web address you use, like one for self hosted sites? So you buy 2 domains, one for AD and one for sites? Or you use an internal domain for AD?
AD is heavily reliant on the DNS protocol, so heavily in fact that a large component of an AD deployment is a DNS server.
So basically, when the AD DNS server takes over on your network It’ll do DNS things as you’d expect, when it gets a DNS call with the AD domain it will answer with the AD server every time
If your AD domain and your web address domain are domain.com then whenever the AD DNS server gets theh call it won’t answer with the IP address of the web server, it’ll answer with the AD server, even when you are trying to access a web service like domain.com/Plex or something.
You can change the DNS server used on the host, but then you’ll be borkin domain functionality in weird ways
Yea, you’d want an entirely different domain or an internal like domain.lan or in my case what I should have done is made it a subdomain like ad.domain.com
And also it’s a bitch to change the AD domain once you get it all setup hence I’ve been procrastinating with hosts file workarounds lmfao
.local is reserved for mDNS responses, don’t use that.
It’s more than best practice. Your active directory controllers want to be the resolvers for their members, separate from other zones such as external MX records or the like. Your AD domain should always be a separate zone, aka a subdomain. “ad.example.com”.
If your DCs are controlling members at the top level, you’ll eventually run into problems with Internet facing services and public NS records.
Also per below. You can’t get commercially signed certificates for fake domains. Self hosting certificate authorities is a massive pain in the ass. Don’t try unless you have a real need, like work-related learning.
All the descriptions are right and techniques. Microsoft sometimes refers to this is split-brain and their documentation.
Organizations that choose not to do that use an active directory specific subdomain like some of the other comments mentioned. Example: adds. Company.tld.
In shorter terms to what the other comment said, your website won’t work in networks that use DNS served by your DC. The website is fine on the Internet, but less so at home or at an office/on a VPN if you’re an enterprise.
“I can’t go to example.com on the VPN!” was a semi common ticket at my last company 🙃
I ran it previously because I came from that world and I just thought that’s what you did. I was less Linux-y then. It’s really overkill for such a small network but if you want to learn AD then it might be worth it. Personally I hope to never look at AD again but alas I need moneyz.
If you do decide to run it make sure you enable profile caching in group policy, it will prevent you from being locked out when your DC is down. Also if you have laptops you can safely bring them outside your network and they will still be able to log in.
Oh, that’s a great idea. I always wondered how I would be able to log into my work laptop even without being connected to the company network; now I know why!
Would love more tips if you would have them for someone very new to AD!
You could look at freeIPA or something similar to stay on Linux.
I’m an AD specialist, starting when it came out with server 2000, and can tell you it’s a waste of time for a home network unless you are doing this just because you want to learn it.
It will definitly not make your life any easier, and will increase attack vectors, especially if you don’t know how to secure and protect it.
Thank you. I was planning to keep my domain controller offline (not connected to the internet) and run a WSUS to update it, but I’ll keep that in mind. Indeed, I could use FreeIPA too, and I’ll probably need to consider if it’s even worth it to run a DC at all. It just seemed like a really solid idea for learning more about DCs, but indeed, now that I think about it, it doesn’t have much use in a homelab other than the people running mini datacenters in their labs.
I agree that for this size of network AD is definitely not something you want to deal with unless you want to learn how it works.
However, I’m not sure it really increases attack vectors to have it running, outside of the fact that it’s a new network service on the LAN. The out of the box default configuration is not bad these days, security-wise
The attack vectors I’m thinking of just come from the inherent complexity and centralization. I’m just considering the amount of damage that can be done with a compromised DA account for example vs a non directory environment.
It’s complicated. Done right it can be more secure, not done right it’s less secure.
I also only get brought in for problems for the last however many years, so I’m probaby a bit biased at this point haha.
I have had to tell companies they are going to have to rebuild thier AD from scratch because they didn’t know what thier DSRM password was (usually after a ransomware attack). These are the sort of hassles I think about vs non AD.
I don’t have a ton of users, but I have a ton of computers. AD keeps them in sync. Plus I can point services like gitea and vCenter at it for even more. Guacamole highly benefits from this arrangement since I can set the password to match the AD password, and all users on all devices subsequently auto-login, even after a password change.
Used to run single domain controller, now I have two (leftover free forever licenses from college). I plan to upgrade them as a tick/tock so I’m not spending a fortune on licensing frequently
With native Windows clients and I believe sssd realmd joins, the default config is to cache the last hash you used to log in. So if you log in regularly to a server it should have an up to date cache should your DC cluster become unavailable. This feature is also used on corporate laptops that need to roam from the building without an always-on VPN. Enterprises will generally also ensure a backup local account is set up (and optionally auto-rotated) in case the domain becomes unavailable in a bad way so that IT can recover your computer.
I used to run in homemade a Free IPA and a MS AD in a cross forest trust when I started ~5-6y ago on the directory stuff. Windows and Mac were joined to AD, Linux was joined to IPA. (I tried to join Mac to IPA but there was only a limited LDAP connector and AD was more painless and less maintenance). One user to rule them all still. IPA has loads of great features - I especially enjoyed setting my shell, sudoers rules, and ssh keys from the directory to be available everywhere instantly.
But, I had some reliability problems (which may be resolved, I have not followed up) with the update system of IPA at the time, so I ended up burning it down and rejoining all the Linux servers to AD. Since then, the only feature I’ve lost is centralized sudo and ssh keys (shell can be set in AD if you’re clever). sssd handles six key MS group policies using libini, mapping them into relevant PAM policies so you even have some authorization that can be pushed from the DC like in Windows, with some relatively sane defaults.
I will warn - some MS group policies violate Linux INI spec (especially service definitions and firewall rules) can coredump libini, so you should put your Linux servers in a dedicated OU with their own group policies and limited settings in the default domain policy.
Using AD for SSO in git-frontends and other applications is a fantastic idea. I will probably also run FreeIPA (that’s a name I hadn’t heard in a while till this thread, from another commenter) and have a trust relationship.
You’re right, this is probably better for learning rather than actually using at home, since most of my computers are linux/BSD, so if I needed a central auth server, I’d probably be better off using something made for *nix.
With that said, I had a curious idea - can I spin up temporary credentials, using something akin to service/machine accounts, rotate credentials and invalidate credentials freely etc? In essence, I’m wondering if this can be a way to implement a sort of homegrown “AWS STS” alternative, for app secrets, workers and the like. I was initially looking at secret management suites like Vault and Conjur but what if this can do it?
Also, can AD encrypt the DB? Can FreeIPA do it? I’d like such an option for security.
I don’t have an immediate answer for you on encryption. I know most of the communication is encrypted in flight for AD, and on disk passwords are stored hashed unless the “use reversible encryption field is checked”. There are (in Microsoft terms) gMSAs (group-managed service accounts) but other than using one for ADFS (their oath provider), I have little knowledge of how it actually works on the inside.
AD also provides encryption key backup services for Bitlocker (MS full-partition encryption for NTFS) and the local account manager I mentioned, LAPS. Recovering those keys requires either a global admin account or specific permission delegation. On disk, I know MS has an encryption provider that works with the TPM, but I don’t have any data about whether that system is used (or where the decryptor is located) for these accounts types with recoverable credentials.
I did read a story recently about a cyber security firm working with an org who had gotten their way all the way down to domain admin, but needed a biometric unlocked Bitwarden to pop the final backup server to “own” the org. They indicated that there was native windows encryption going on, and managed to break in using a now-patched vulnerability in Bitwarden to recover a decryption key achievable by resetting the domain admin’s password and doing some windows magic. On my DC at home, all I know is it doesn’t need my password to reboot so there’s credentials recovery somewhere.
Directly to your question about short term use passwords: I’m not sure there’s a way to do it out of the box in MS AD without getting into some overcomplicated process. Accounts themselves can have per-OU password expiration policies that are nanosecond accurate (I know because I once accidentally set a password policy to 365 nanoseconds instead of a year), and you can even set whole account expiry (which would prevent the user from unlocking their expired password with a changed one). Theoretically, you could design/find a system that interacts with your domain to set, impound/encrypt, and manage the account and password expiration of a given set of users, but that would likely be add on software.
I in fact run a AD domain controller *and *a rhel IDM controller. For me other then it is fun to play with, makes it a load more simple to manage the user accounts of my famalie. Also auto mounting network shares and setting a few policys for updates and security is great to from a central location. having SSO for many if my services also makes it more easy to use for the fam. The rhel IDM controller I use to manage a few user accounts. I also use it to manage the ssh keys and set sudo rules on all my servers.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Im out of the loop here. What’s an AD? 🤔
Active Directory. Manages users, devices, and permissions.
I run AD at home but it’s because my job is in enterprise software engineering and so running these programs in my home lab requires AD integrations. It’s also needed for HyperV and SCVMM along with things like SQL server auth and GMSA which I can’t get out of testing. Ironically most of my work is in open source/Linux but Windows servers are all over the Enterprise so I don’t have a choice but to run this stuff. No real users on it and just used for the lab.
deleted by creator
I do. 4 or 5 users and several computers plus virtual server members. I still use Linux for DNS which works surprisingly well after the initial setup.
I did it half for practice and half for fun, but having the authentication backend makes it good enough to keep around.
Could you tell me how you use your own DNS server with AD? I was under the impression that AD wanted to control DNS in the network.
There are some SRV and other records which you add for the AD-provided services (kerberos, gc, ldap). This allows your Windows clients to find the domain controllers for authentication via your non-Windows DNS. I think I might have followed a Microsoft or other article when doing the initial setup, but once getting those items in place I haven’t had many issues.
Uh, why use a Microsoft product that doesn’t even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don’t have a pool of 30 windows laptops that’d need to share a set of login credentials and software rollout, at home.
I’d rather use the time I’d put into such a project that is just work and little to no benefit for something else. For example doing backups, deleting the Windows on those laptops and replacing it with free software.
Sometimes it’s for career progression or familiarity.
Just for SSO, might be easier ways, sure.
The main idea was to see if AD will bring any benefit to my homelab. The idea of running a domain controller is very intriguing, and it doesn’t need to be AD specifically, although I’d like to get some hands-on time with it too.
Not AD proper but a compatible controller Linux distro to tie the desktops to, plus common credentials across several services. Just simplifies things not having a dozen different logins.
What is that controller distro you use?
I used to use a Linux based AD replacement years ago but they turned that one into a pay model and if I’m going to pay for something I’ll just use Windows Server
https://www.univention.com/
It has all the needed parts plus an interesting plug in app ecosystem if you like that kind of thing. My only real gripe with it though is a pile of high sev vulnerabilities that are picked up by a scanning engine that haven’t been fixed for a long time, so I’m reluctant to recommend it unless you have a solid security/segmentation setup in place.
Do you mean something like FreeIPA/389DS? Seems like a good way to maintain identity across services in the homelab.
No, currently univention corporate server (UCS), but I’ll give those a look since I’ve been eyeing a replacement for a while due to some long standing vulns that I’m keen to be rid of.
It seems cool but it’s just going to be a big headache man. I would just spin up a domain controller and maybe some workstations to play around with.
I can see that. I will probably do the same before I even think of integrating a DC in my homelab - that goes for both AD and FreeIPA. Thanks
I set up FreeIPA at home. Similar in principle to AD.
Thanks, I’m considering FreeIPA too. If I run AD, I might run it in a trust relationship with one of these. I will need to look at the extra features that AD gives me over them, of course, otherwise there wouldn’t be a point in running AD at all.
I do, for a multitude of reasons
In addition to what others have said with roaming profiles and such:
DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE
I…er…someone… Found themselves in this situation and have been in a mess since lmao
Thank you for the wonderful comment.
Indeed, I was hoping to have a good SSO setup alongside learning about AD and domain services (also looking at the *nix alternatives like FreeIPA).
Could you tell me more about the DNS setup with regards to AD? I’d like to use my own DNS and not have AD be the DNS provider in my network. The idea to put it in its own subdomain is excellent and I’ll remember that.
People here also mention an increase in attack surface and security vulnerabilities in running AD/domain services on a network. Now, I agree that letting free access to the domain server and having rogue accounts causing havoc on the network is not great, but I’d like to know more. What has been your experience?
Not the original commenter, but I don’t understand how that would increase your attack surface. The AD is inside the network, and if an attacker is already in, you’re compromised. There might be way to refrence a DNS server with a windows server, but then you’re running windows and your life is now much more difficult.
As per DNS, the AD server must be the DNS provider. If you run something like nethserver in a VM you can use it as a dns & ad server.
The domain thing, the AD server is the authorative for its domain. So if you set it as top level, like myhouse.c()m, it will refrence all dns requests to itself, and any subdomains will not appear. The reccomended way to get around this is to use a subdomain, like ad.myhouse.c()m. Or, maybe you have a domain name to burn and you just want to use that?
Thanks, you’re the second person who spoke about Neth server to me. I’ll take a look.
I was planning to create a subdomain for it anyway, it’s just that I was misled that if I didn’t give it control over DNS for the network it wouldn’t function properly. That doesn’t seem to be case (which I’m glad for).
I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.
Thanks
It may have been me both times. I went down a deep AD hole recently, and was trying to find an easy open source way to do it.
My advice is to put whatever you choose into a vm and snapshot it right before you configure the AD. I think I reconfigured mine 8 times before I was happy.
Will do
Can you explain your disclaimer? You suggest not setting your AD domain to a web address you use, like one for self hosted sites? So you buy 2 domains, one for AD and one for sites? Or you use an internal domain for AD?
AD is heavily reliant on the DNS protocol, so heavily in fact that a large component of an AD deployment is a DNS server.
So basically, when the AD DNS server takes over on your network It’ll do DNS things as you’d expect, when it gets a DNS call with the AD domain it will answer with the AD server every time
If your AD domain and your web address domain are domain.com then whenever the AD DNS server gets theh call it won’t answer with the IP address of the web server, it’ll answer with the AD server, even when you are trying to access a web service like domain.com/Plex or something.
You can change the DNS server used on the host, but then you’ll be borkin domain functionality in weird ways
Yea, you’d want an entirely different domain or an internal like domain.lan or in my case what I should have done is made it a subdomain like ad.domain.com
And also it’s a bitch to change the AD domain once you get it all setup hence I’ve been procrastinating with hosts file workarounds lmfao
That is the correct answer.
If I remember correctly that is best practise, no? It was something.local or *.intern for years, until TLDs could be whatever you wanted them to be.
Do not use made up domains for anything these days. It will make it a pain if you ever need a certificate for that domain that isn’t self-signed.
.local is reserved for mDNS responses, don’t use that.
It’s more than best practice. Your active directory controllers want to be the resolvers for their members, separate from other zones such as external MX records or the like. Your AD domain should always be a separate zone, aka a subdomain. “ad.example.com”.
If your DCs are controlling members at the top level, you’ll eventually run into problems with Internet facing services and public NS records.
Also per below. You can’t get commercially signed certificates for fake domains. Self hosting certificate authorities is a massive pain in the ass. Don’t try unless you have a real need, like work-related learning.
All the descriptions are right and techniques. Microsoft sometimes refers to this is split-brain and their documentation.
Organizations that choose not to do that use an active directory specific subdomain like some of the other comments mentioned. Example: adds. Company.tld.
Computer1.adds.company.tld. Dc1.adds.cimoany.tld.
Others doing split domain are
Adds.company.internal
In shorter terms to what the other comment said, your website won’t work in networks that use DNS served by your DC. The website is fine on the Internet, but less so at home or at an office/on a VPN if you’re an enterprise.
“I can’t go to example.com on the VPN!” was a semi common ticket at my last company 🙃
deleted by creator
Is there costs associated with this?
To deploy AD, that depends.
If you like to sail the high seas AND aren’t trying to use it for a business, then no.
If you don’t want to sail the high seas or need to use it for a business, then yes, you’ll need to buy a Windows Server license
Samba v4 has been able to be a domain server forever and it’s free. You can also use Synology if you want it off the shelf.
Windows server license and CALs… don’t forget that extra little cost just because from MS
You can have ad dc on samba, without windows. Nice all in one solution is UCS univention, works really well and free: https://www.univention.com/products/ucs/
Even in docker, last time i tried this, it was buggy: https://github.com/Fmstrat/samba-domain
Some of the best and worst decisions people have made started with, “I was bored.” Ha!
I had it running in a genuine small office environment with 8 employees, who all need to run Windows due to some software constraints.
Policy management and user account controls are great for security, and remote management via rdp is also neat.
Plus if you use Samba AD DC you can install it on Debian which will run no issues for years without anything but unattended upgrades.
Indeed, it makes a lot of sense if you have a lot of desktops/laptops at home or at work. Thanks, and those are great points!
I ran it previously because I came from that world and I just thought that’s what you did. I was less Linux-y then. It’s really overkill for such a small network but if you want to learn AD then it might be worth it. Personally I hope to never look at AD again but alas I need moneyz.
If you do decide to run it make sure you enable profile caching in group policy, it will prevent you from being locked out when your DC is down. Also if you have laptops you can safely bring them outside your network and they will still be able to log in.
Oh, that’s a great idea. I always wondered how I would be able to log into my work laptop even without being connected to the company network; now I know why!
Would love more tips if you would have them for someone very new to AD!
You could look at freeIPA or something similar to stay on Linux.
I’m an AD specialist, starting when it came out with server 2000, and can tell you it’s a waste of time for a home network unless you are doing this just because you want to learn it.
It will definitly not make your life any easier, and will increase attack vectors, especially if you don’t know how to secure and protect it.
Thank you. I was planning to keep my domain controller offline (not connected to the internet) and run a WSUS to update it, but I’ll keep that in mind. Indeed, I could use FreeIPA too, and I’ll probably need to consider if it’s even worth it to run a DC at all. It just seemed like a really solid idea for learning more about DCs, but indeed, now that I think about it, it doesn’t have much use in a homelab other than the people running mini datacenters in their labs.
Thanks!
I agree that for this size of network AD is definitely not something you want to deal with unless you want to learn how it works.
However, I’m not sure it really increases attack vectors to have it running, outside of the fact that it’s a new network service on the LAN. The out of the box default configuration is not bad these days, security-wise
The attack vectors I’m thinking of just come from the inherent complexity and centralization. I’m just considering the amount of damage that can be done with a compromised DA account for example vs a non directory environment.
It’s complicated. Done right it can be more secure, not done right it’s less secure.
I also only get brought in for problems for the last however many years, so I’m probaby a bit biased at this point haha.
I have had to tell companies they are going to have to rebuild thier AD from scratch because they didn’t know what thier DSRM password was (usually after a ransomware attack). These are the sort of hassles I think about vs non AD.
For the rest of us: DSRM
I’ll keep that in mind, thank you
Yes I do - MS AD DC
I don’t have a ton of users, but I have a ton of computers. AD keeps them in sync. Plus I can point services like gitea and vCenter at it for even more. Guacamole highly benefits from this arrangement since I can set the password to match the AD password, and all users on all devices subsequently auto-login, even after a password change.
Used to run single domain controller, now I have two (leftover free forever licenses from college). I plan to upgrade them as a tick/tock so I’m not spending a fortune on licensing frequently
With native Windows clients and I believe sssd realmd joins, the default config is to cache the last hash you used to log in. So if you log in regularly to a server it should have an up to date cache should your DC cluster become unavailable. This feature is also used on corporate laptops that need to roam from the building without an always-on VPN. Enterprises will generally also ensure a backup local account is set up (and optionally auto-rotated) in case the domain becomes unavailable in a bad way so that IT can recover your computer.
I used to run in homemade a Free IPA and a MS AD in a cross forest trust when I started ~5-6y ago on the directory stuff. Windows and Mac were joined to AD, Linux was joined to IPA. (I tried to join Mac to IPA but there was only a limited LDAP connector and AD was more painless and less maintenance). One user to rule them all still. IPA has loads of great features - I especially enjoyed setting my shell, sudoers rules, and ssh keys from the directory to be available everywhere instantly.
But, I had some reliability problems (which may be resolved, I have not followed up) with the update system of IPA at the time, so I ended up burning it down and rejoining all the Linux servers to AD. Since then, the only feature I’ve lost is centralized sudo and ssh keys (shell can be set in AD if you’re clever). sssd handles six key MS group policies using libini, mapping them into relevant PAM policies so you even have some authorization that can be pushed from the DC like in Windows, with some relatively sane defaults.
I will warn - some MS group policies violate Linux INI spec (especially service definitions and firewall rules) can coredump libini, so you should put your Linux servers in a dedicated OU with their own group policies and limited settings in the default domain policy.
Thanks for the great answer.
Using AD for SSO in git-frontends and other applications is a fantastic idea. I will probably also run FreeIPA (that’s a name I hadn’t heard in a while till this thread, from another commenter) and have a trust relationship.
You’re right, this is probably better for learning rather than actually using at home, since most of my computers are linux/BSD, so if I needed a central auth server, I’d probably be better off using something made for *nix.
With that said, I had a curious idea - can I spin up temporary credentials, using something akin to service/machine accounts, rotate credentials and invalidate credentials freely etc? In essence, I’m wondering if this can be a way to implement a sort of homegrown “AWS STS” alternative, for app secrets, workers and the like. I was initially looking at secret management suites like Vault and Conjur but what if this can do it?
Also, can AD encrypt the DB? Can FreeIPA do it? I’d like such an option for security.
Thanks!
I don’t have an immediate answer for you on encryption. I know most of the communication is encrypted in flight for AD, and on disk passwords are stored hashed unless the “use reversible encryption field is checked”. There are (in Microsoft terms) gMSAs (group-managed service accounts) but other than using one for ADFS (their oath provider), I have little knowledge of how it actually works on the inside.
AD also provides encryption key backup services for Bitlocker (MS full-partition encryption for NTFS) and the local account manager I mentioned, LAPS. Recovering those keys requires either a global admin account or specific permission delegation. On disk, I know MS has an encryption provider that works with the TPM, but I don’t have any data about whether that system is used (or where the decryptor is located) for these accounts types with recoverable credentials.
I did read a story recently about a cyber security firm working with an org who had gotten their way all the way down to domain admin, but needed a biometric unlocked Bitwarden to pop the final backup server to “own” the org. They indicated that there was native windows encryption going on, and managed to break in using a now-patched vulnerability in Bitwarden to recover a decryption key achievable by resetting the domain admin’s password and doing some windows magic. On my DC at home, all I know is it doesn’t need my password to reboot so there’s credentials recovery somewhere.
Directly to your question about short term use passwords: I’m not sure there’s a way to do it out of the box in MS AD without getting into some overcomplicated process. Accounts themselves can have per-OU password expiration policies that are nanosecond accurate (I know because I once accidentally set a password policy to 365 nanoseconds instead of a year), and you can even set whole account expiry (which would prevent the user from unlocking their expired password with a changed one). Theoretically, you could design/find a system that interacts with your domain to set, impound/encrypt, and manage the account and password expiration of a given set of users, but that would likely be add on software.
Thanks!
If you do go for samba ad dc
I in fact run a AD domain controller *and *a rhel IDM controller. For me other then it is fun to play with, makes it a load more simple to manage the user accounts of my famalie. Also auto mounting network shares and setting a few policys for updates and security is great to from a central location. having SSO for many if my services also makes it more easy to use for the fam. The rhel IDM controller I use to manage a few user accounts. I also use it to manage the ssh keys and set sudo rules on all my servers.