Access Active Directory from Linux


We are confronted with the task to change AD information from a Linux server. As the ability to load the AD module is not implemented in PS Core 7 on Linux machines (as mentioned here) we created a remote session to one of our terminal servers and executed the script on that machine.

To do so, we created a credential object for that user on the terminal server and loaded it in the script before executing the AD commands. This works perfectly, as long as the user in whose context we are running the script is logged into the terminal server. It stops working with a CryptographicException as soon as this user is logged out.

Do you know of any way to correctly access stored credential information for remoting when coming from a Linux PowerShell? We've tried to open the session using CredSSP authentication, but this is not working either. We know that we can pass the password to the remote session and create a new credential object, but we would rather not go that way.

All help is appreciated.

Thanks, Morodin.

3 Replies

@Morodin

Could you explain better what you want to do?

Can you post the script?

Does the user have permission to log on locally?

Bye Gas

@gastone

What we ultimately want to do is to add a user to an AD group, triggered from a Linux host. The Linux host has the latest PowerShell installed. As far as we learned, the AD module is not available to be loaded in PowerShell on the Linux host.

So, we relied on 'New-PSSession' and 'Invoke-Command' to a Windows server. The Invoke-Command calls a script on the Windows server, supplying the correct arguments. The script itself does all the necessary actions to add the user to the desired AD group. It does this by first loading a stored credentials file and then calling the method with those credentials:

```powershell
# Load the PSCredential that was saved on this server with Export-Clixml
$cred = Import-Clixml -Path $credentialFileName
...
# Add the user to the group using the stored credential
Add-ADGroupMember -Credential $cred -Server $aServer -Identity $aGroup -Members $aUser
```

This works perfectly, as long as the user that we are using to run the script (the same user we use to open the New-PSSession from the Linux host) is logged in locally on the Windows server. If that user logs out, the credentials file cannot be imported anymore.

As an alternative, we tried to pass the credentials by opening the session with -Authentication 'Credssp' instead of 'Negotiate', but that fails coming from a Linux host.

@Morodin

And change the approach?

Use SSH and public key authentication and then run the script on the remote Windows server...
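As an added example (not code from the thread or from Microsoft), here is the script structure from the second post combined with the SSH-transport session suggested in the last reply. Every host, user, file and group name is a placeholder; it assumes the Windows host runs OpenSSH with PowerShell configured as an SSH subsystem, that the key is authorised for the remote account, and that the credential file was written on that host by that same account with Export-Clixml (whose password field is DPAPI-protected to the exporting user on that machine).

```powershell
# Added example, not the thread's code. All names below are placeholders.
param(
    [string]$WindowsHost = 'ts01.example.test',          # Windows server running OpenSSH
    [string]$RemoteUser  = 'svc-groupadmin',             # account whose key is authorised there
    [string]$KeyFile     = "$HOME/.ssh/id_ed25519",      # private key on the Linux host
    [string]$CredFile    = 'C:\secure\groupadmin.cred.xml', # written by Export-Clixml as $RemoteUser
    [string]$AdServer    = 'dc01.example.test',
    [string]$Group       = 'App-Operators',
    [string]$User        = 'jdoe'
)

# SSH transport instead of WinRM/Negotiate: public-key authentication, so no
# password has to leave the Linux host to open the session.
$session = New-PSSession -HostName $WindowsHost -UserName $RemoteUser -KeyFilePath $KeyFile

try {
    Invoke-Command -Session $session -ArgumentList $CredFile, $AdServer, $Group, $User -ScriptBlock {
        param($credFile, $adServer, $group, $user)

        # The stored password can only be decrypted by the account that exported it,
        # on this machine. Report who is running and where instead of a bare exception.
        try {
            $cred = Import-Clixml -Path $credFile -ErrorAction Stop
        } catch {
            throw ("Cannot import {0} as {1}\{2} on {3}: {4}: {5}" -f $credFile,
                $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME,
                $_.Exception.GetType().Name, $_.Exception.Message)
        }

        Import-Module ActiveDirectory -ErrorAction Stop
        Add-ADGroupMember -Credential $cred -Server $adServer -Identity $group -Members $user

        # Verify the change instead of trusting a silent return.
        $members = Get-ADGroupMember -Identity $group -Server $adServer -Credential $cred |
            Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{ Group = $group; User = $user; IsMember = ($members -contains $user) }
    }
} finally {
    # Always tear the session down, even when the remote script throws.
    Remove-PSSession $session
}
```

The remote block returns an object with IsMember, so the Linux side can check the result rather than parsing text.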