=====Adding RHEL 7 Hosts to Active Directory=====
Installing the “sssd” service if required.
To allow a Red Hat 7.0 or 7.1 server to join Active Directory, we need to install the sssd service. This service performs a lot of configuration that previously had to be done by hand.
To install this service, type the following command:
yum install sssd*
Ensure that DNS is working and defined on your NICs.
You should have the following entries in your **ifcfg-eth** file:
DNS1=10.5.5.100
DNS2=10.5.5.101
====Using the realm command====
Before joining Active Directory, you can check that the server can contact the PDC emulator for “office.local”:
realm discover office.local
If you get a response, then try:
realm join office.local -U brindleyp@office.local
====Using Active Directory Users====
Once the server is joined to the domain, AD users can log in to the server using the format:
username@domain
===Using SSH===
Ideally you want to modify the SSH service so that only users belonging to the **sshusers** group can log in. To do this with Active Directory you need to:
* Create a group in Active Directory
* Modify **sshd_config** and add **AllowGroups sshusers@domainname**
To log in to the server using SSH, use the following format:
ssh ip/hostname -l username@domain
To speed up SSH logins, set **UseDNS no** in the same file.
===Using Sudo===
To grant sudo permissions to AD users, add the following line using visudo:
%sshusers@domainname ALL=(ALL) ALL
====Modifying config files====
The SSSD and krb5 config files need to be modified.
===SSSD===
Add the extra file at **/etc/sssd/conf.d/office.conf**:
[domain/office.local]
ad_domain = office.local
krb5_realm = OFFICE.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
===Kerberos===
Add the extra file at **/etc/krb5.conf.d/office.conf**:
[realms]
OFFICE.LOCAL = {
kdc = dubc2dc01
kdc = dubl5dc02
kdc = dubmgmtdc01
kdc = dubmgmtdc02
kdc = crkmdc02
kdc = dubvdc01
kdc = dubvdc02
kdc = dubpdc03
kdc = dubpdc04
}
[domain_realm]
office.local = OFFICE.LOCAL
.office.local = OFFICE.LOCAL
You might also have to remove some lines from krb5.conf, and ensure that it contains:
default_realm = OFFICE.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
Finally, clear the cache and restart SSSD:
sss_cache -E
systemctl stop sssd; rm -rf /var/lib/sss/db/*; systemctl start sssd
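As an added example (not part of the original page), the following bash script checks a staging copy of the drop-in files above for the mistakes most likely to break AD logins: wrong file permissions, a missing access provider, an unqualified-names setting, a realm that does not match the domain, and an RC4-only enctype list. The file paths and the sample contents it writes are constructed assumptions based on this page's settings.

```bash
#!/bin/bash
# Added example (not from the original page): sanity-check the SSSD and krb5
# drop-in files described above before clearing the cache and restarting sssd.
# Sample file contents below are constructed from this page's settings.
# Print the value of "key = value" from an INI-style file (first match only).
conf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1; }

# sssd does not load a config file that is not mode 0600; fail loudly instead.
check_perms() {
  local mode; mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
  [ "$mode" = "600" ] || { echo "$1 is mode $mode, expected 600"; return 1; }
}

# AD access control must be enforced and names fully qualified, otherwise the
# AllowGroups/sudoers entries of the form group@domain never match.
check_sssd() {
  local f=$1 rc=0
  check_perms "$f" || rc=1
  [ "$(conf_get "$f" access_provider)" = "ad" ] || { echo "$f: access_provider must be ad"; rc=1; }
  [ "$(conf_get "$f" use_fully_qualified_names)" = "True" ] || { echo "$f: use_fully_qualified_names must be True"; rc=1; }
  return $rc
}

# The Kerberos realm must be the upper-cased AD domain or ticket requests fail.
check_krb5() {
  local want; want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  [ "$(conf_get "$1" default_realm)" = "$want" ] || { echo "$1: default_realm should be $want"; return 1; }
}

# True (0) when both enctype lists are limited to rc4-hmac, a deprecated cipher
# that domain controllers can be configured to reject.
weak_enctypes() {
  [ "$(conf_get "$1" default_tkt_enctypes)" = "rc4-hmac" ] &&
  [ "$(conf_get "$1" default_tgs_enctypes)" = "rc4-hmac" ]
}

# Write constructed copies of the page's drop-ins into a directory for testing.
make_samples() {
  printf '[domain/office.local]\nad_domain = office.local\nid_provider = ad\nuse_fully_qualified_names = True\naccess_provider = ad\n' > "$1/office.conf"
  chmod 600 "$1/office.conf"
  printf '[libdefaults]\ndefault_realm = OFFICE.LOCAL\ndefault_tkt_enctypes = rc4-hmac\ndefault_tgs_enctypes = rc4-hmac\n' > "$1/krb5.conf"
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d); make_samples "$tmp"
check_sssd "$tmp/office.conf" && check_krb5 "$tmp/krb5.conf" office.local && echo "config OK"
weak_enctypes "$tmp/krb5.conf" && echo "warning: only rc4-hmac enabled; add aes256-cts-hmac-sha1-96"
rm -rf "$tmp"
```

To check the live files instead, call check_sssd on /etc/sssd/conf.d/office.conf and check_krb5 on /etc/krb5.conf with your domain name.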