
I am working on a PHP application that uses Active Directory for authentication. I am trying to use the Windows Subsystem for Linux (WSL) to do development. When you start WSL, you create a local user with a different password. I am trying to figure out how to use AD instead. I found one question (https://superuser.com/questions/1248278/wsl-and-ad-domain-account), but the only response was a comment that doesn't quite connect the dots for me. It mentions configuring an IdM provider, but it isn't clear to me how this is done in WSL.

Does anyone know how I can use Active Directory for users/logins in the WSL?

Erick T
  • Do you want to run the _service_ or the _client_ in WSL? – Samson Scharfrichter Aug 08 '18 at 09:31
  • You don't need to "enable" anything at OS level - unless you want SSO. Linux user `johndoe` can get a Kerberos TGT as `svc_account@AD.DOMAIN` if the sub-system can reach the AD domain controller for "ad.domain" (acting as Kerberos KDC) and the Kerberos client config is correct and the user has the password for that account. Then another round-trip to get a service ticket for `HTTP/some.server.fqdn@AD.DOMAIN`. Then SPNego auth to the web service. – Samson Scharfrichter Aug 08 '18 at 09:39
  • SSO is what I was looking for. On a number of our Linux systems, we have Kerberos set up to handle logins, so we can SSH into any box using our AD credentials. I'd like a similar approach to WSL, so I don't need to maintain a separate Linux user. – Erick T Aug 15 '18 at 21:03
  • Does WSL support SSSD? If yes, then ask your SysAdmins how to bind your "Linux authentication service" to AD. But I would be surprised -- that's something you do with a full-fledged OS, not for an emulation. – Samson Scharfrichter Aug 16 '18 at 10:30

1 Answer


This is not a full answer, but WSL 1 doesn't have the socket support needed to do it with sssd. A snippet from strace on sssd -i is found below. So in theory I would assume you should be able to do this with WSL 2.

11:12:22 bind(14, {sa_family=AF_NETLINK, nl_pid=-2092926910, nl_groups=00000000}, 12) = 0
11:12:22 getsockname(14, {sa_family=AF_NETLINK, nl_pid=-2092926910, nl_groups=00000000}, [12]) = 0
11:12:22 setsockopt(14, SOL_SOCKET, SO_PASSCRED, [1], 4) = 0
11:12:22 setsockopt(14, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, [1], 4) = -1 EINVAL (Invalid argument)
(2021-08-09 11:12:22): [sssd] [nlw_group_subscribe] (0x0020): Unable to add membership: Invalid input data or parameter

Though I haven't tested enrolling with something like realm on WSL 1.0.

linuxgeek
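The strace excerpt in the answer shows sssd's network-change watcher opening a netlink route socket and then failing on NETLINK_ADD_MEMBERSHIP with EINVAL. The following script is an added example (not code from the answer or from the sssd project) that replays that exact syscall sequence so you can check a given WSL instance before spending time on realm/sssd enrolment. It also reads /proc/version to distinguish WSL 1 from WSL 2 from a plain Linux kernel. The netlink constants are taken from the Linux headers because Python's socket module does not export all of them; the /proc/version markers ("Microsoft" for WSL 1, "microsoft-standard-WSL2" for WSL 2) are the strings those kernels are known to report.

```python
"""Probe whether this kernel accepts the netlink multicast membership that sssd
requests when it subscribes to interface up/down events.

Added example for this thread; not code from the original answer or from sssd.
Constants come from <linux/netlink.h> and <linux/rtnetlink.h>.
"""
import errno
import socket

# Python's socket module does not export SOL_NETLINK on every version; 270 is the
# Linux value from <linux/socket.h>.
SOL_NETLINK = getattr(socket, "SOL_NETLINK", 270)
NETLINK_ADD_MEMBERSHIP = 1   # optname from <linux/netlink.h>
RTNLGRP_LINK = 1             # the group sssd joins (see the strace: setsockopt(..., [1], 4))

STATUS_OK = "ok"                  # membership accepted: sssd's watcher can work here
STATUS_NO_MEMBERSHIP = "einval"   # the WSL 1 symptom shown in the answer's strace
STATUS_NO_NETLINK = "no-netlink"  # AF_NETLINK sockets cannot be created at all
STATUS_OTHER = "other"            # some other error, reported with its errno


def classify_setsockopt_errno(err):
    """Map the errno returned by NETLINK_ADD_MEMBERSHIP to one of the status strings."""
    if err == 0:
        return STATUS_OK
    # EINVAL is what WSL 1 returned in the strace; ENOPROTOOPT is what a kernel
    # without the option at all would return, and means the same for sssd.
    if err in (errno.EINVAL, errno.ENOPROTOOPT):
        return STATUS_NO_MEMBERSHIP
    return STATUS_OTHER


def probe_netlink_membership():
    """Replay the syscall sequence from the strace: netlink route socket, bind,
    SO_PASSCRED, NETLINK_ADD_MEMBERSHIP(RTNLGRP_LINK). Returns (status, errno_value)."""
    if not hasattr(socket, "AF_NETLINK"):
        return STATUS_NO_NETLINK, 0
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    except OSError as exc:
        return STATUS_NO_NETLINK, exc.errno or 0
    try:
        sock.bind((0, 0))  # pid 0 lets the kernel assign the port id, as in the strace
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        try:
            sock.setsockopt(SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, RTNLGRP_LINK)
        except OSError as exc:
            return classify_setsockopt_errno(exc.errno), exc.errno
        return STATUS_OK, 0
    except OSError as exc:
        return STATUS_OTHER, exc.errno or 0
    finally:
        sock.close()


def classify_proc_version(version):
    """Return "wsl1", "wsl2" or "none" from the text of /proc/version.
    WSL 1 kernels report e.g. '4.4.0-18362-Microsoft'; WSL 2 kernels report
    e.g. '5.15.90.1-microsoft-standard-WSL2'."""
    lower = version.lower()
    if "microsoft" not in lower:
        return "none"
    if "microsoft-standard" in lower or "wsl2" in lower:
        return "wsl2"
    return "wsl1"


def detect_wsl():
    """Read /proc/version and classify it; "none" if unreadable (e.g. not Linux)."""
    try:
        with open("/proc/version", encoding="utf-8", errors="replace") as fh:
            return classify_proc_version(fh.read())
    except OSError:
        return "none"


if __name__ == "__main__":
    status, err = probe_netlink_membership()
    print("WSL version:", detect_wsl())
    print("NETLINK_ADD_MEMBERSHIP:", status, "" if not err else f"(errno {err}: {errno.errorcode.get(err, '?')})")
```

A result of "einval" on a kernel that reports "wsl1" reproduces the failure in the answer and means sssd will not start cleanly there; "ok" on a "wsl2" kernel is the precondition the answer speculates about, not proof that AD enrolment will work end to end.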