Adding a linux device to an AD domain using LDAP only

Tweaking uid/gid in a funny way

Florian Maurer

projects, ldap, ad, linux

2025-07-03


A typical corporate setup has a few Linux computers among a majority of Windows devices, usually because one department does not want to use Microsoft tooling for development.

Adding a Linux device that lets every domain user log in is possible with a workaround.

The recommended way is to use the Kerberos ticketing service and register the device itself in the domain. That is not always the best choice, though, if all you want is to allow several domain users to log in to this one device.

This can be done with libpam-ldapd, which is the recommended package since libpam-ldap is deprecated (see here).

The Linux user id cannot be mapped directly, because the attribute "user id" is missing from Microsoft Active Directory and is not available out of the box. Only a group id (gidNumber) is available, via primaryGroupID. A workaround for the missing uid is to use the timestamp of the user creation, uSNCreated, as a substitute (assuming that no two users were created in the same second). This is done by mapping uidNumber to it: map passwd uidNumber uSNCreated.

The newly created /etc/nslcd.conf then looks like this:

uri ldaps://ad.example.com
base ou=Users,dc=ad,dc=example,dc=com

map     passwd          uid             sAMAccountName
map     passwd          gidNumber       primaryGroupID
map     passwd          homeDirectory   "/home/$sAMAccountName"
map     passwd          gecos           displayName
map     passwd          loginShell      "/bin/bash"
map     passwd          uidNumber      uSNCreated

ldap_version 3
filter  passwd          (&(objectClass=organizationalPerson)(memberof=CN=mygroup,OU=Groups,DC=ad,DC=example,DC=com))

pagesize 900
# page size is important here to not query everything at once

# The DN to bind with for normal lookups.
binddn CN=myuser,OU=Users,DC=ad,DC=example,DC=com
bindpw bind_password

If we omitted the uSNCreated map, we would get a new user on every restart of nslcd, leaving a broken system in which you can no longer edit the files in your own home directory.
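To see what the map lines above actually produce, and to test the assumption that uSNCreated gives every account a distinct, usable uid, here is a dry run of the mapping in plain Python. This is an added example, not code from the post or from nslcd: it applies the same map rules to a handful of constructed AD entries (all names and numbers are made up) and reports the cases in which the workaround breaks, namely two accounts sharing a uSNCreated, a value below the minimum_uid=1000 used in common-session, and a value that does not fit in a 32-bit uid_t. One caveat worth checking in a real domain: uSNCreated is the update sequence number of the creating domain controller and is not replicated, so the same account can resolve to a different uid depending on which DC answers the query; the last function compares two constructed DC snapshots for exactly that.

```python
"""Dry run of the nslcd passwd mapping on constructed AD entries (added example)."""

MINIMUM_UID = 1000          # matches "pam_ldap.so minimum_uid=1000" in common-session
UID_MAX = 2**32 - 2         # uid_t is 32 bits on Linux; (uid_t)-1 is reserved

# Constructed sample of what a search against the passwd base might return.
# Attribute names follow the nslcd.conf map lines; every value is invented.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "uSNCreated": "12873", "primaryGroupID": "513", "displayName": "Alice Adams"},
    {"sAMAccountName": "bob",   "uSNCreated": "12911", "primaryGroupID": "513", "displayName": "Bob Brown"},
    # collision: two objects that happen to carry the same uSNCreated
    {"sAMAccountName": "carol", "uSNCreated": "12911", "primaryGroupID": "513", "displayName": "Carol Clark"},
    # below minimum_uid: pam_ldap refuses it, and it would shadow a system account
    {"sAMAccountName": "svc",   "uSNCreated": "998",   "primaryGroupID": "513", "displayName": "Service"},
]

# Constructed snapshot of the same accounts as seen from a second domain
# controller: alice was created on another DC, so her uSNCreated differs there.
SAMPLE_ENTRIES_DC2 = [
    {"sAMAccountName": "alice", "uSNCreated": "40211", "primaryGroupID": "513", "displayName": "Alice Adams"},
    {"sAMAccountName": "bob",   "uSNCreated": "12911", "primaryGroupID": "513", "displayName": "Bob Brown"},
]


def map_passwd(entry):
    """Apply the post's map lines to one AD entry and return a passwd(5) tuple."""
    name = entry["sAMAccountName"]
    return (
        name,                                 # map passwd uid           sAMAccountName
        "x",
        int(entry["uSNCreated"]),             # map passwd uidNumber     uSNCreated
        int(entry["primaryGroupID"]),         # map passwd gidNumber     primaryGroupID
        entry.get("displayName", ""),         # map passwd gecos         displayName
        f"/home/{name}",                      # map passwd homeDirectory "/home/$sAMAccountName"
        "/bin/bash",                          # map passwd loginShell    "/bin/bash"
    )


def check_uid_mapping(entries, minimum_uid=MINIMUM_UID):
    """Return (passwd_lines, problems) for a list of AD entries.

    problems lists every reason the uSNCreated-as-uid assumption fails for this
    data set: duplicate uids, uids below minimum_uid, uids outside uid_t.
    """
    rows = [map_passwd(e) for e in entries]
    problems = []
    seen = {}
    for name, _, uid, *_ in rows:
        if uid in seen:
            problems.append(f"duplicate uid {uid}: {seen[uid]} and {name}")
        else:
            seen[uid] = name
        if uid < minimum_uid:
            problems.append(f"uid {uid} for {name} is below minimum_uid={minimum_uid}")
        if uid > UID_MAX:
            problems.append(f"uid {uid} for {name} does not fit in uid_t")
    lines = [":".join(str(field) for field in row) for row in rows]
    return lines, problems


def compare_dc_snapshots(snapshot_a, snapshot_b):
    """Names whose derived uid differs between two DC snapshots.

    Because uSNCreated is local to each domain controller, an account that
    appears in both snapshots with different values would change uid whenever
    nslcd talks to the other server.
    """
    uid_a = {e["sAMAccountName"]: int(e["uSNCreated"]) for e in snapshot_a}
    uid_b = {e["sAMAccountName"]: int(e["uSNCreated"]) for e in snapshot_b}
    return sorted(n for n in uid_a.keys() & uid_b.keys() if uid_a[n] != uid_b[n])


if __name__ == "__main__":
    lines, problems = check_uid_mapping(SAMPLE_ENTRIES)
    print("\n".join(lines))
    for p in problems:
        print("PROBLEM:", p)
    for n in compare_dc_snapshots(SAMPLE_ENTRIES, SAMPLE_ENTRIES_DC2):
        print("PROBLEM: uid for", n, "differs between domain controllers")
```

Against a real directory, the same checks can be run on the output of a plain ldapsearch over the passwd base, or more simply on getent passwd once nslcd is up; if the DC comparison reports any names, pin uri in nslcd.conf to a single server rather than a load-balanced alias.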

Now we need to add ldap to /etc/nsswitch.conf so that user, group and shadow lookups also consult LDAP on login.

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd:         files systemd
-group:          files systemd
-shadow:         files systemd
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files systemd ldap
gshadow:        files systemd

hosts:          files myhostname mdns4_minimal [NOTFOUND=return] dns
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Add the following to /etc/pam.d/common-session so that a default home directory is created for every LDAP user:

session	required	pam_unix.so 
+session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
session	optional	pam_systemd.so 
# end of pam-auth-update config
+session required pam_mkhomedir.so silent umask=0022 skel=/etc/skel

Finally, restart nslcd with systemctl restart nslcd.

Logging in to the system with LDAP credentials should now work.

This is especially useful for headless devices or for a shared file server accessed over SSHFS.