Reverse engineering the “AADLoginForLinux” in order to tweak proactive user configuration

Introduction

Last summer I posted about taking a look under the hood of the Azure Active Directory integration for a Linux Virtual Machine. For today, let’s take it a bit further… What if we would want to pre-provision a set of UIDs (User IDs) & GIDs (Group IDs) on a range of virtual machines for cross machine consistency. Let’s say, we would want to make use of an NFS drive and use the same UID/GID across all those boxes. Can we do that with the AAD extension? If so, how can we do it? Let’s hope we can… Otherwise it’ll become a rather short blog post.

 

Disclaimer

This post is based upon my personal experience reverse engineering how this extension works. This is by no means a support statement. If you’re a technical nut (like myself) and want to know how you can tweak this at your own doing… Then this post is for you. 😉

 

Deepdive into the mechanics

So let’s start with a VM that’s got the “AADLoginForLinux”-extension installed ;

Let’s try to add our user by using our email ;

Hmm, that’s not working… Dang! Post done… Just kidding! 😉

Let’s delve a bit deeper… You’ll notice that the system has gotten a new package installed called “aadlogin” ;

Which will reconfigure the /etc/pam.d/common-auth & /etc/pam.d/common-account

In addition, you can also notice that two new commands were added ;

So let’s see what the “aaduseradd” offers us…

Did you notice the big “(REQUIRED)”? So if you’re (pro-actively) creating a user, you’re going to need the user’s “oid” from AAD ;

I’ll copy mine, and create my AAD user with UID 70000 ;

Now let’s take a look at the /etc/passwd

Nothing in there… Odd.  Though there is another file, called “aadpasswd” in there ;

Let’s try to login, shall we? Going through the device login experience.

 

And that one failed… Why? Because we forgot to grant us rights on the RBAC role. So let’s do that… Where I’ve added myself to the virtual machine with the “Virtual Machine User Login” role.

And now it works…

Let’s create a file. Nice, it’s showing our user- & groupname.

And our UID/GID is set to the chosen 7000.

 

Closing thoughts

So it’s possible to proactively configure your system with things like a specific UID/GID per user. It does require you to know the user’s OID (from AAD). In addition, if you’re looking to do this, I would recommend provisioning it via your configuration management tooling of choice. As I’m pretty sure you will not want to do this by hand!

One thought on “Reverse engineering the “AADLoginForLinux” in order to tweak proactive user configuration

  1. Greetings,

    Excellent post! Despite Microsoft’s recent efforts of becoming more open source friendly, I was surprised that something like this, (AADLoginForLinux), was not also released. Perhaps it will be once it is out of preview?

    In any case, I have written a set of plugins and modules for libnss, pam, and openvpn to authenticate against the Azure Active Directory. All of which are licensed under the GPLv3.

    https://github.com/CyberNinjas/pam_aad
    https://github.com/CyberNinjas/libnss_aad
    https://github.com/CyberNinjas/openvpn-auth-aad

    I’d appreciate if you could test them out and let me know how they work for you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.