Last summer I posted about taking a look under the hood of the Azure Active Directory integration for a Linux Virtual Machine. For today, let’s take it a bit further… What if we would want to pre-provision a set of UIDs (User IDs) & GIDs (Group IDs) on a range of virtual machines for cross machine consistency. Let’s say, we would want to make use of an NFS drive and use the same UID/GID across all those boxes. Can we do that with the AAD extension? If so, how can we do it? Let’s hope we can… Otherwise it’ll become a rather short blog post.
This post is based upon my personal experience reverse engineering how this extension works. This is by no means a support statement. If you’re a technical nut (like myself) and want to know how you can tweak this at your own doing… Then this post is for you. 😉
Deepdive into the mechanics
So let’s start with a VM that’s got the “AADLoginForLinux”-extension installed ;
Let’s try to add our user by using our email ;
Hmm, that’s not working… Dang! Post done… Just kidding! 😉
Let’s delve a bit deeper… You’ll notice that the system has gotten a new package installed called “aadlogin” ;
Which will reconfigure the /etc/pam.d/common-auth & /etc/pam.d/common-account
In addition, you can also notice that two new commands were added ;
So let’s see what the “aaduseradd” offers us…
Did you notice the big “(REQUIRED)”? So if you’re (pro-actively) creating a user, you’re going to need the user’s “oid” from AAD ;
I’ll copy mine, and create my AAD user with UID 70000 ;
Now let’s take a look at the /etc/passwd
Nothing in there… Odd. Though there is another file, called “aadpasswd” in there ;
Let’s try to login, shall we? Going through the device login experience.
And that one failed… Why? Because we forgot to grant us rights on the RBAC role. So let’s do that… Where I’ve added myself to the virtual machine with the “Virtual Machine User Login” role.
And now it works…
Let’s create a file. Nice, it’s showing our user- & groupname.
And our UID/GID is set to the chosen 7000.
So it’s possible to proactively configure your system with things like a specific UID/GID per user. It does require you to know the user’s OID (from AAD). In addition, if you’re looking to do this, I would recommend provisioning it via your configuration management tooling of choice. As I’m pretty sure you will not want to do this by hand!
3 thoughts on “Reverse engineering the “AADLoginForLinux” in order to tweak proactive user configuration”
Excellent post! Despite Microsoft’s recent efforts of becoming more open source friendly, I was surprised that something like this, (AADLoginForLinux), was not also released. Perhaps it will be once it is out of preview?
In any case, I have written a set of plugins and modules for libnss, pam, and openvpn to authenticate against the Azure Active Directory. All of which are licensed under the GPLv3.
I’d appreciate if you could test them out and let me know how they work for you.
I tried to take ssh -l firstname.lastname@example.org XX.XX.XX
Its asking password. I couldn’t get the device login option. Can you help with this?
Is there way to delete user from linux aadpasswd?