[TUTORIAL] How to join a Proxmox cluster to an Active Directory Domain

[hackinthebox]

This tutorial will walk through the steps necessary to join your Proxmox server to Microsoft Active Directory on a Windows 2019 Server.
You will be able to sync your users and groups into the Proxmox Permissions Panel in the GUI, and log into the web console with active directory credentials.

Here are the general steps:

1. Set basic settings
2. Add Active Directory Realm & Sync Users
3. Configure Permissions
4. Install packages from the repository
5. Join the Active Directory domain
6. Test your config

In this tutorial, our realm/domain will be infraredhat.com
Two domain controllers have been configured, and are acting as DNS servers.
Our subnet is 192.168.11.0/24

The Proxmox node a single network interface with a static IP of 192.168.11.10/24
The Domain Controllers (and DNS servers) have IP's of 192.168.11.11 and 192.168.11.12.

Set the search domain to infraredhat.com, and set the DNS servers to the IP addresses of the Domain Controllers, 192.168.11.11 and 192.168.11.12.



Configure hosts file with your Proxmox server's FQDN (and hostname) following the example below.



Navigate to the "Time" panel below "Hosts" currently selected in the menu and verify the correct time and Time Zone.

Add Active Directory Server

Next, Select "Datacenter" or the name of your cluster, and Navigate to Permissions > Realms > Add Realm > Active Directory Server.
Populate your domain and domain controller IP's like the example below.



Click on the "Sync Options" Tab.
You'll need Active Directory credentials to access domain controller users and groups. You can simply use the Administrator Account, but for more security, you can create a user account with read-only access to the domains objects instead. For demonstration, let's use the built in "Administrator".

For the "Bind User", you'll need to enter it a very specific way.
Navigate to your domain controller and open a powershell window as admin.

SUPER IMPORTANT!!! (AND NOT VERY WELL DOCUMENTED!!!)

For the correct string to enter for the Adminstrator in the infraredhat.com domain, you would enter the following command:

dsquery user dc=infraredhat,dc=com -name Administrator

This is the output, and you can copy and paste it directly into the field, "Bind User"

CN=Administrator,CN=Users,DC=infraredhat,DC=com

Enter the password for this user. For now you can ignore the remainder of the fields. I've set my default sync preferences in the screenshot.



Click OK to close and save.
You can now select your Active Directly Realm from the list (listed alongside PAM and PVE). Click SYNC from the menu and you should see your AD Users and Groups populate.

Configure permissions to tell Proxmox what access to give each user/group

Next, Navigate to the "Permissions" Menu > Add > Group Permission
I've selected the Administrators Group from Active directory, and assigned the PVE Administrator Role to this Group.
This way, any user in the AD Administrator group will also be a PVE Administrator.
Select '/' to give full access as well.
Click OK.



Install additional packages needed for system security

Next, Navigate to a shell window on your PVE Node. There are a few packages to install and configure.
Update your packages, and install adcli, packagekit, samba-common-bin realmd
The remainder of the required packages will be auto-installed and configured.

apt update
apt dist-upgrade

# install the following packages (use apt list to see if they are needed)
apt install adcli packagekit samba-common-bin

# install realmd
apt install realmd

Join the node to the domain

Next, test connection with the domain controller, and then join the domain. For additional options, see the man pages by running the command man realm. Since we're doing a high level walkthrough, I'm keeping it simple. Because no user is specified in the join command, realmd defaults to "Administrator" for this action.

# test realmd
realm -v discover infraredhat.com

You'll see an output with information about your DC and domain, along with additional required packages. Installing these in advance will cause the configurations to fail. Simply enter this command, substituting your own domain.

#join the domain
realm -v join infraredhat.com

Follow the prompts, enter the Active Directory Admin password when prompted and allow the sssd and additional packages install.
You are now joined to the domain and you should see your Proxmox node appear as a computer in Active Directory Users and Computers. Congrats!

Configure additional settings and test your config

You can edit the config in /etc/sssd/sssd.conf. Run

pam-auth-update

and select the appropriate option if you would like home directories created for AD users. There is more information available on the internet about sssd.conf. Test your configuration with the command

id administrator@infraredhat.com

- you should see UID and GID from your domain controller.

Finally, log out of Proxmox in the menu in the upper right hand corner, and test by logging in as Administrator@infraredhat.com in the login menu by selecting the Active Directory domain from the login drop-down instead of PAM. You should successfully authenticate and log in. Beware, you will not have shell access to Proxmox in the console... that's only available to root, logged in under local PAM. For shell access, you'll need to configure ssh separately.

Thank you!

Remember to add permissions to users and groups who need access in the PVE menu.
Repeat the package-install and domain-join process for each additional node that exists in a cluster. User and group sync and permissions are managed cluster-wide and only has to be configured once.

Please post your comments below!

 

[pietroaretino]

Great post, thank you for this it really helped.
If anyone needs a way to filter only specific users from specific groups, this is how I got it to work.

1. When configuring the sync options for Active Directory, under "user filter" use these search parameters:
   
   

   (&(objectclass=user)(samaccountname=*)(MemberOf=CN=group_name_here,OU=name,DC=domain,DC=tld))

   
   
2. If DOMAIN.COM, is my root Active Directory tree, and USERS is a subfolder, which contains my users, you need to add a security group inside of the subfolder. In this example I will call my security group "TECHS", this is a group inside the "USERS" folder under the DOMAIN.COM tree.
   
   
3. Make sure your users are inside this "USERS" folder along with the "TECHS" group. Add your users to the "TECHS" group. Done.
   
   
4. Now in proxmox your query should be as follows (using the example parameters above):
   
   

   (&(objectclass=user)(samaccountname=*)(MemberOf=CN=TECHS,OU=USERS,DC=DOMAIN,DC=COM))

   
   
5. Done. Now inside of proxmox datacenter view, if you go to "Users" you should see your Active Directory users, that were part of whatever group you added them too.
   
   
6. Select "Permissions" and click on "Add" above, click "Add user permissions" give them whatever permission they need to have.

When they login, they just need to use their username, at least thats how it worked for me. If you add their full mail address, e.g. "user@domain.com" proxmox appends the domain anyways, so itll try to login as "user@domain.com@domain.com", hence why you just need to put your username, e.g. "user" and thats it.

 

[dimangelid]

Thanks for the detailed instructions!

I want to fetch at Proxmox only users of a specific group, so i tried to follow filtering instructions from @pietroaretino post.

For example, my active directory domain is testad.test.com and my users are located under group TESTGROUP and TESTGROUP is located under group TEST . So based at @pietroaretino instructions i created filter (&(objectclass=user)(samaccountname=*)(MemberOf=CN=TESTGROUP,OU=TEST,DC=testad,DC=test,DC=com)) .

When i do a sync preview, it does not fetch any user. I adjusted the filter and made (&(objectclass=user)(samaccountname=*)(MemberOf=OU=TESTGROUP,OU=TEST,DC=testad,DC=test,DC=com)) , however even in this case, sync preview does not fetch any user.

If i remove the User Filter and do a sync preview, it fetches all users from my active directory.
Can anyone assist?

In additional, ideally i would like to fetch users from two groups: TESTGROUP and TESTGROUP2 . In this case what is the correct filter syntax?

 

[pietroaretino]

So this is how it should look in Active Directory tree:

• ROOT AD - TEST.COM
  • Company Folder TESTAD - Folder should contain global security group TESTGROUP
    • Folder containing users - TESTUSERS
      • User1
      • User2

Now make sure all your users are added as "members" of TESTGROUP

Now the LDAP filter lookup should work as follows:

(&(objectclass=user)(samaccountname=*)(MemberOf=CN=TESTGROUP,OU=TESTAD,DC=TEST,DC=COM))

Should find only the users inside the TEST folder, who are members of the TESTGROUP.

As for searching for two separate groups, I'm not sure how to create a filter for that off the top of my head.

One way to mess around and figure it out is by using the "query" ability in Active Directory, you can create custom queries, that allow you to go and build search parameters. It'll then spit out the search parameter you built in LDAP syntax that you can then copy and paste. It'll also allow you to test your query to make sure the correct users and groups are appearing.

Mine looks like this:

• Top Domain Name (TEST.COM) -> At this level I have a non-admin user account called "ldapservice" that I use to connect and synchronize AD.
  • Company folder (TESTAD) - At this level, inside the TESTAD folder, create your global security group TESTGROUP
    • Below your company folder have another folder - User folder (TESTUSERS)
      • user1
      • user2
      • user3 etc.

 

[leandro.lourenco]

Amazing! Good work! I got it thanks to your tutorial!

 

[Unbent3949]

Hello guys, im still having some issues on my side trying to set this all up, i followed the directions to the T and my nodes say that they are connected to the domain controller but when i try to login i keep getting a error saying the credentials are invalid and when i check the windows server i dont see my nodes in the computers folder at all

edit: it shows up in my active directory now but it still does not work do i need to make a user for it to sync?

 

[Diyaa]

This is an amazing tutorial. Thank you so much for spending the time to make this!

 

[pietroaretino]

Hello guys, im still having some issues on my side trying to set this all up, i followed the directions to the T and my nodes say that they are connected to the domain controller but when i try to login i keep getting a error saying the credentials are invalid and when i check the windows server i dont see my nodes in the computers folder at all

edit: it shows up in my active directory now but it still does not work do i need to make a user for it to sync?

Where are you logging into? Into Proxmox? When you login as root do you see your users synchronized from AD to Proxmox?

How are you logging in, do you have AD selected as authentication mechanism/type and are you ensuring youre only using the username not the full email?

example; user
Not: user@domain.com

You should create a dedicated user for example, ldap-service, with a password, in your active directory, that can see youre entire active directory tree.

If you put this user in the root of your active directory they should be able to see the entire structure.

use this user to connect your proxmox ve to your active directory.

 

[TechLaw]

Hello, when trying to SYNC, I receive:
"starting sync for realm ####.##
TASK ERROR: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 at /usr/share/perl5/PVE/LDAP.pm line 55.

Is anyone able to assist?

 

[alasdairc]

Fantastic guide - works like a charm. Thank you!

 

[alasdairc]

Hello, when trying to SYNC, I receive:
"starting sync for realm ####.##
TASK ERROR: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 at /usr/share/perl5/PVE/LDAP.pm line 55.

Is anyone able to assist?

Did you add the full DN in the 'Sync Options > Bind User' ?

 

[TechLaw]

Did you add the full DN in the 'Sync Options > Bind User' ?

Where is this located?

 

[del111]

Great Tutorial!
Although I found that I had the same error like

TASK ERROR: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 at /usr/share/perl5/PVE/LDAP.pm line 55.

if the "Bind User" has any space in it, for example,

"CN=Lukie Skywalkie,CN=Users,DC=ad,DC=example,DC=com"

------------> this will fail even if the user has admin permission (I tested it on the node using realm join, the admin "Lukie Skywalkie" works).
I had to use Administrator to join the realm.

This is caused by #bug 2929 and #bug 3748, which have been almost 3 years and no fix. The work around is to use a bind user with no space in the name.

 

[Pete_79]

This is a great tutorial. Thank you so much for the time spent to make this!
Is it possible to register the cluster name in dns? Would be nice to have one "name" to connect to via the browser. for instance "cluster1" and end up on any node. for instance when one node is down or restarting or whatever.

 

[nebular]

This was very helpful, but I thought I'd add something. Pietroaretino post explaining how to add only user from a particular group was very helpful, but it didn't address adding only the group itself. With a large enough AD you could end up with an unwieldly number of groups added.

After some trial and error I found a very simple filter to do just that. Put the following under Group Filter

(&(objectclass=group)(CN=group_common_name))

Of course changing group_common_name to your groups actual common name. A quick preview in the sync windows should show it successfully adding only the one group.

Very simple and easy and keeps your configuration much easier to administer.

 

[nebular]

This is a great tutorial. Thank you so much for the time spent to make this!
Is it possible to register the cluster name in dns? Would be nice to have one "name" to connect to via the browser. for instance "cluster1" and end up on any node. for instance when one node is down or restarting or whatever.

In order to do this you would probably need a completely separate server with it's own networking, much like the VCSA in VMware vSphere. Without it you would have to have the cluster IP address configured on each node and that obviously would cause conflicts. However DNS can be configured to allow multiple IPs to a domain or subdomain for load spreading or geographical area. Something like that might be able to be repurposed with the IPs of your nodes.

 

[szakes1]

Hi, guys!

I just wanted to share an application that really helped me at work to query Active Directory resources. With this app you can see organization units, common names etc.

Have a look here: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer

 

[dream2038]

Thanks for your teaching, I have completed the settings

 

[dream2038]

感謝您的幫助，已經可以使用了

 

[rotor-head]

We use Univention Corporate Servers for AD compatible services and can confirm this tutorial is effective for binding the servers and for user/group auth.

Thanks for your post!