Integration of a RHEL7/CENTOS7 server into Active Directory

1. Goals

Integrating Linux servers into Active Directory is not mandatory; several options exist for authenticating users against different directories and central SSO solutions. In my homelab I have installed Active Directory, so my objective is to use Active Directory users to log in and perform tasks on Linux, including sudo rights.

2. Tools

A Linux system can use several solutions to authenticate Active Directory users:

  • Native LDAP and Kerberos PAM and NSS modules
  • Samba Winbind
  • System Security Services Daemon (SSSD)

We will use the last of these, SSSD, which is the solution Red Hat recommends in its documentation.

3. Repository configuration

With Red Hat, a subscription must be attached to the server before you can install packages. The subscription can be attached through Red Hat's public servers, or through a solution such as Satellite when the servers have no direct internet access.

With CentOS, the "free" branch of Red Hat, this step is not needed.

3.1 Command

The command below is the same on CentOS and Red Hat (run as root):

#yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

4. Configuration

4.1 Authorize members of the sudoers Active Directory group to have sudo privileges.

#echo '%sudoers ALL=(ALL) ALL' >> /etc/sudoers

4.2 Integrate server in Active Directory

Launch the command:

realm join --user=UserAD domain.xyz

4.3 Modify sssd.conf

Change two values:

use_fully_qualified_names = True : changing the value from True to False lets users log in without the domain suffix.

fallback_homedir = /home/%u@%d : changing the value %u@%d to %u creates a /home/login folder for each user who connects to the server.

RESTART SSSD
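
As an added example (not part of the original post), the shell functions below check the two sssd.conf values from 4.3 and the sudoers rule from 4.1, and show the sed edit that applies the 4.3 changes. They run against a constructed sample config; domain.xyz and the group name sudoers are the post's own placeholders, and on a joined server you would pass "$(cat /etc/sssd/sssd.conf)" and "$(cat /etc/sudoers)" instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity checks for the two
# sssd.conf keys edited in section 4.3 and the sudoers rule from 4.1.
# Runs against a constructed sample; pass "$(cat /etc/sssd/sssd.conf)"
# and "$(cat /etc/sudoers)" on a joined server.

# Constructed sample of the [domain] block realm join writes, before 4.3.
SAMPLE_SSSD_CONF=$(cat <<'EOF'
[sssd]
domains = domain.xyz

[domain/domain.xyz]
ad_domain = domain.xyz
krb5_realm = DOMAIN.XYZ
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
EOF
)

# sssd_get <key> <config-text>: print the trimmed value of a key (key match is case-insensitive).
sssd_get() {
  printf '%s\n' "$2" | awk -F= -v k="$1" \
    'tolower($1) ~ ("^[ \t]*" k "[ \t]*$") {
       v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# check_sssd_conf <config-text>: 0 when both 4.3 edits are present, else report and return 1.
check_sssd_conf() {
  local rc=0 fqn home
  fqn=$(sssd_get use_fully_qualified_names "$1")
  home=$(sssd_get fallback_homedir "$1")
  case "$(printf '%s' "$fqn" | tr '[:upper:]' '[:lower:]')" in
    false) ;;
    *) echo "use_fully_qualified_names = '$fqn' (expected False)"; rc=1 ;;
  esac
  [ "$home" = "/home/%u" ] || { echo "fallback_homedir = '$home' (expected /home/%u)"; rc=1; }
  return $rc
}

# apply_43_edits <config-text>: print the config with the two 4.3 changes applied (the same
# sed you would run in place on /etc/sssd/sssd.conf, followed by systemctl restart sssd).
apply_43_edits() {
  printf '%s\n' "$1" | sed -e 's/^\(use_fully_qualified_names[[:space:]]*=\).*/\1 False/' \
                           -e 's|^\(fallback_homedir[[:space:]]*=\).*|\1 /home/%u|'
}

# sudoers_has_group <group> <sudoers-text>: 0 when a "%group ALL=(ALL) ALL" rule is present.
sudoers_has_group() {
  printf '%s\n' "$2" | grep -Eq "^[[:space:]]*%$1[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$"
}
```

check_sssd_conf prints each value that still has the realm join default, so a failing check tells you which of the two edits was missed before you restart SSSD.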

5. Checks

5.1 Computer object in the "Computers" OU of my Active Directory

5.2 Test user login

5.3 Test sudo

5.4 Validate with another user without sudoers rights

6. Common mistakes

/etc/resolv.conf not configured correctly, so the domain's DNS records cannot be resolved:

Result:
