Integrating Linux servers into Active Directory is not mandatory: several ways exist to authenticate users against different directory and central SSO solutions. In my homelab I have installed Active Directory, so my objective is to use Active Directory users to log in and perform tasks on Linux, including sudo rights.
A Linux system can use different solutions to authenticate Active Directory users:
- Native LDAP and Kerberos PAM and NSS modules
- Samba Winbind
- System Security Services Daemon (SSSD)
We will use the last of these, which is the solution Red Hat recommends in its documentation.
With Red Hat, the server needs a subscription attached before you can install packages. The subscription can be attached through Red Hat's public servers, or through a solution such as Satellite when the servers have no direct Internet access.
With CentOS, the "free" branch of Red Hat, this step is not needed.
The command below is the same on CentOS and Red Hat.
# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y
4.1 Authorize members of the "sudoers" Active Directory group to have sudo privileges
# echo '%sudoers ALL=(ALL) ALL' >> /etc/sudoers
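As an added example (not from the original post), the script below builds the same %sudoers ALL=(ALL) ALL rule, writes it to a drop-in file under /etc/sudoers.d (the file name ad-sudoers is my choice) and syntax-checks it with visudo -cf before it takes effect. A malformed line appended to /etc/sudoers with echo breaks sudo for every user, and a drop-in can be removed without editing the main file. The optional DOMAIN argument produces %sudoers@domain.xyz, which is the form SSSD presents the group in while use_fully_qualified_names is still True (the value realm join writes).

```shell
#!/bin/sh
# Added example: install an AD group sudo rule as a validated sudoers drop-in.
# The group name "sudoers", the domain "domain.xyz" and the target file name
# "/etc/sudoers.d/ad-sudoers" are assumptions taken from or chosen for this post.

# sudoers_rule GROUP [DOMAIN]
# Prints the rule line. Spaces in the group name are backslash-escaped as the
# sudoers grammar requires; with DOMAIN the group is written as GROUP@DOMAIN.
sudoers_rule() {
  group=$1
  domain=${2:-}
  if [ -n "$domain" ]; then
    group="$group@$domain"
  fi
  escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
  printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# write_sudoers_dropin GROUP FILE [DOMAIN]
# Writes the rule to FILE with the 0440 mode sudo expects for drop-in files.
write_sudoers_dropin() {
  sudoers_rule "$1" "${3:-}" > "$2" && chmod 0440 "$2"
}

# validate_sudoers_file FILE
# Syntax-checks FILE with visudo; if visudo is absent the check is skipped
# with a warning so the function still runs on a machine without sudo.
validate_sudoers_file() {
  if ! command -v visudo >/dev/null 2>&1; then
    echo "warning: visudo not found, syntax not checked" >&2
    return 0
  fi
  visudo -cf "$1" >/dev/null
}

# install_sudoers_dropin GROUP [TARGET] [DOMAIN]
# Writes to a temporary file first; the target is only replaced when the
# rule passes validation, so a bad rule never reaches /etc/sudoers.d.
install_sudoers_dropin() {
  target=${2:-/etc/sudoers.d/ad-sudoers}
  tmp=$(mktemp) || return 1
  if write_sudoers_dropin "$1" "$tmp" "${3:-}" && validate_sudoers_file "$tmp"; then
    mv "$tmp" "$target"
  else
    rm -f "$tmp"
    echo "rule rejected, $target left untouched" >&2
    return 1
  fi
}

# Usage on the joined server (as root), once use_fully_qualified_names is False:
#   install_sudoers_dropin sudoers
# or, while names are still fully qualified:
#   install_sudoers_dropin sudoers /etc/sudoers.d/ad-sudoers domain.xyz
```

Note that sudo ignores drop-in files whose name contains a dot or ends with "~", so keep the target name plain.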
4.2 Integrate server in Active Directory
Launch the command:
realm join --user=UserAD domain.xyz
4.3 Modify sssd.conf
Change two values:
use_fully_qualified_names = True : changing the value from True to False lets users log in without the domain suffix.
fallback_homedir = /home/%u@%d : changing %u@%d to %u creates a /home/login folder for each user that connects to the server.
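The script below is an added example (not from the original post) that applies these two changes to an sssd.conf file in place instead of editing by hand. The sample configuration it creates is constructed for the example and only resembles what realm join writes for domain.xyz; the paths and values are assumptions. It also sets the 0600 mode that sssd requires on its configuration file.

```shell
#!/bin/sh
# Added example: rewrite the two sssd.conf settings from the post.
# Everything here (the sample file, the domain "domain.xyz") is constructed
# for the example; on a real server the file is /etc/sssd/sssd.conf.

# make_sample_sssd_conf FILE: write a constructed sssd.conf resembling realmd output
make_sample_sssd_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = domain.xyz
config_file_version = 2
services = nss, pam

[domain/domain.xyz]
ad_domain = domain.xyz
krb5_realm = DOMAIN.XYZ
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

# get_sssd_option FILE KEY: print the value of KEY (key match is case-insensitive)
get_sssd_option() {
  awk -v key="$2" '
    {
      i = index($0, "=")
      if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# set_sssd_option FILE KEY VALUE: replace the existing "KEY = ..." line.
# Fails (and leaves FILE untouched) when KEY is absent, so a setting is never
# appended outside its [domain/...] section by accident.
set_sssd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  if awk -v key="$key" -v value="$value" '
      {
        i = index($0, "=")
        k = (i > 0) ? substr($0, 1, i - 1) : ""
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (i > 0 && tolower(k) == tolower(key)) { print key " = " value; found = 1; next }
        print
      }
      END { exit found ? 0 : 1 }' "$file" > "$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"
    echo "error: $key not found in $file" >&2
    return 1
  fi
}

# apply_homelab_sssd_changes FILE: the two edits from the post plus the 0600
# mode sssd insists on (it refuses to start with a world-readable sssd.conf).
apply_homelab_sssd_changes() {
  set_sssd_option "$1" use_fully_qualified_names False &&
  set_sssd_option "$1" fallback_homedir '/home/%u' &&
  chmod 0600 "$1"
}

demo() {
  f=$(mktemp)
  make_sample_sssd_conf "$f"
  apply_homelab_sssd_changes "$f"
  echo "use_fully_qualified_names = $(get_sssd_option "$f" use_fully_qualified_names)"
  echo "fallback_homedir = $(get_sssd_option "$f" fallback_homedir)"
  rm -f "$f"
}
if [ "${SSSD_DEMO:-0}" = 1 ]; then demo; fi
```

After changing the real file, restart the daemon with systemctl restart sssd and flush the cache with sss_cache -E so that entries cached under the old user@domain form do not linger. Two caveats a practitioner should weigh: with use_fully_qualified_names = False an AD account and a local account of the same name compete, and the order in /etc/nsswitch.conf decides which one wins; with fallback_homedir = /home/%u, users with the same login in two trusted domains would share a home directory.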
5.1 Computer objects in the "Computers" OU in my Active Directory
5.2 Test user login
5.3 Test sudo
5.4 Validate with another user without sudoers rights
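The three checks above (user login, sudo for a member of the sudoers group, no sudo for another user) can be scripted. The following is an added example, not part of the original post: it resolves each account through the name service (which is what SSSD feeds), checks group membership, and compares the result against what you expect for that user. The group name sudoers and the user names are assumptions; if use_fully_qualified_names is still True, pass the group as sudoers@domain.xyz.

```shell
#!/bin/sh
# Added example: verify AD user resolution and sudo group membership after the join.
# The group "sudoers" is the one from the post; user names are placeholders.

# user_resolves USER: true when the account is known to the system (local or via SSSD)
user_resolves() {
  id "$1" >/dev/null 2>&1
}

# user_in_group USER GROUP: true when GROUP is among the user's groups
user_in_group() {
  id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# sudo_rules_for USER: print the sudo rules that would apply to USER.
# Needs root; -n avoids a password prompt when run unattended.
sudo_rules_for() {
  sudo -n -l -U "$1" 2>/dev/null
}

# check_access USER EXPECT(yes|no) [GROUP]
# Prints OK/FAIL and returns 0 only when membership matches the expectation.
# A user that does not resolve at all points at SSSD or nsswitch, not sudo.
check_access() {
  user=$1 expect=$2 group=${3:-sudoers}
  if ! user_resolves "$user"; then
    echo "FAIL: $user does not resolve (check sssd status and /etc/nsswitch.conf)"
    return 1
  fi
  if user_in_group "$user" "$group"; then has=yes; else has=no; fi
  if [ "$has" = "$expect" ]; then
    echo "OK: $user in group $group: $has (expected $expect)"
    return 0
  fi
  echo "FAIL: $user in group $group: $has (expected $expect)"
  return 1
}

# Usage on the joined server (placeholder user names), as root:
#   check_access adminuser yes        # member of sudoers: must get sudo
#   check_access plainuser no         # other user: must not
#   sudo_rules_for adminuser          # shows the (ALL) ALL rule applied
```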
6. Common mistakes
/etc/resolv.conf not configured correctly: