Connecting Kali Linux to Active Directory Made Easy

TL;DR

Joining Kali Machine to AD:

  1. Change DNS Server: Edit `/etc/resolv.conf` to set the AD server as DNS.
  2. Install Tools: Run `sudo apt update` and install required packages.
  3. Join Domain: Discover the domain with `sudo realm discover THEHIVE.LOCAL` and join with `sudo realm join --user=<username> <DOMAIN NAME>`.

Common Errors:

No Installation Candidate: Add the correct repository to `/etc/apt/sources.list` and update.

Insufficient Privileges:

  • Ensure the AD account used has admin rights or use an admin account.
  • Ensure that `/etc/krb5.conf` exists. If not, create one with the content given in this article.

Introduction

This short blog focuses on how to join a Kali Linux machine to AD. During the process we encountered a few issues that not many good articles discuss. Instead of just giving instructions, this article also aims to quickly resolve two common issues you might run into, saving you the trouble of searching through multiple articles for solutions.

Joining a Kali VM to AD

This is the same process that is followed in general for Debian distributions.

Step 1 – Changing the DNS server

1.    Open “/etc/resolv.conf” using any text editor. It must be opened using sudo so that it can be edited.

sudo nano /etc/resolv.conf

 

2.   Comment out the initial nameserver entry and add a new entry that sets the AD Windows server as the DNS server. You can find its IP in the “DNS” section of “Server Manager”.

3.      Confirm that the domain is accessible by pinging the domain.

ping thehive.local

Note:
The nameserver settings in /etc/resolv.conf aren’t persistent across reboots, but using any tool like “resolvconf” to manage the file can resolve this issue. An article on configuring DNS in Linux will be posted in the future for more detailed guidance.

Step 2 – Install required tools

1.      Update the package lists

sudo apt update

2.      Install all the required tools

sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Step 3 – Joining AD

1.       The command below lists the basic configuration of the AD along with the tools that must be installed on the machine to join the domain. A domain must be discoverable before it can be joined.

 

sudo realm discover THEHIVE.LOCAL

 

2.       We don’t have to worry about the tools, as we have already installed all of them.

3.       Once we see that the domain is discoverable, we can join this machine to the domain. For this, we need the credentials of an account that belongs to the domain.

4.       We can now join this machine to AD using the below command.

sudo realm join --user=ad-admin THEHIVE.LOCAL

Note that the account given in the user option must be an AD user account, not this machine’s local one. Make sure this account is part of the Administrator group, or it’ll cause an error detailed in the coming section.

Common Errors Encountered

Error – Package has no installation candidate

You might see an error saying “Package ‘<package name>’ has no installation candidate” when trying to install some tools. This happens because your package manager, like “apt,” is trying to get the package from a repository that doesn’t have it. To fix this, you need to add the right repository to your “sources.list” file. This file lists the URLs of repositories that apt uses, and it’s located at “/etc/apt/sources.list.”

1.      Visit this site and scroll down to the package search section.

2.      Search for the package you need.

3.   Click on the package name under “Exact hits” to see more details. You can also select a specific release if needed by clicking on their respective names at the top right corner.

4.   Scroll down to the download section, find your system architecture (like amd64 or i386), and open the link.

5.      Note the repository URL listed on that page.

6.    Open the “/etc/apt/sources.list” file in a text editor with sudo, so you have permission to edit it.

sudo nano /etc/apt/sources.list

7.      Add the copied repository URL to this file and save your changes.

8.      Run apt update to refresh the package list.

sudo apt update

9.   Try installing the tools again. They should install without any issues now.

Insufficient Privileges

If you’re encountering this error, it might be due to a few different issues. To identify the problem, follow these steps:

1.      Copy and run the command provided with the error message

journalctl REALMD_OPERATION=r417249.186880

2.  Press Enter repeatedly to scroll through the log until you find the relevant error details.

Two common issues are as below:

Couldn’t get Kerberos ticket

If the error indicates that the machine failed to join AD due to an inability to obtain a Kerberos ticket, it might be because the `/etc/krb5.conf` file is missing. This file is usually created automatically, but if it isn’t present, you can create it manually.

1.       Use the following command to create and edit the file:

sudo nano /etc/krb5.conf

Add the following configuration:

[libdefaults]

udp_preference_limit = 0

default_realm = THEHIVE.LOCAL

2.      Try joining the machine to AD again. It should be able to join without any issues.
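
The two files this guide edits by hand, `/etc/resolv.conf` (Step 1) and `/etc/krb5.conf` (above), can be checked before running `realm join` again. The script below is an added example, not part of the original article; its function names and the DC IP passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: pre-join checks for the two files this guide edits by hand.
# File paths are parameters so the checks can be tried on copies first.

# Print the first active (uncommented) nameserver in a resolv.conf file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

# preflight REALM DC_IP RESOLV_CONF KRB5_CONF: returns 0 when both files are ready.
preflight() {
    realm=$1; dc_ip=$2; resolv=$3; krb5=$4; rc=0
    ns=$(first_nameserver "$resolv")
    if [ "$ns" != "$dc_ip" ]; then
        echo "DNS: first nameserver is '${ns:-none}', expected $dc_ip" >&2
        rc=1
    fi
    if [ ! -f "$krb5" ]; then
        echo "Kerberos: $krb5 is missing" >&2
        rc=1
    else
        # Kerberos realm names are case-sensitive; AD realms are written in upper case.
        want=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        got=$(krb5_default_realm "$krb5")
        if [ "$got" != "$want" ]; then
            echo "Kerberos: default_realm is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Check the live files when called as: sh preflight.sh THEHIVE.LOCAL <DC IP>
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" /etc/resolv.conf /etc/krb5.conf
fi
```

A non-zero exit status means at least one of the two files still needs the edit described in this article; the message on stderr says which.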

Insufficient permissions to modify computer account

In this case, from the log, you can see that the computer account for this machine is missing in AD, and a new account can’t be created due to insufficient permissions. The problem typically arises when the account used to join the machine to AD does not have the required administrative rights.

To fix this, either use an administrator account or add the current account to the administrator group.

Conclusion

In summary, these steps should work for most Debian-based systems, not just Kali Linux. We hope this guide helps you avoid common problems and saves you time. Keep an eye out for our next posts, where we’ll cover important Active Directory attacks to help you better protect your systems.