Adding RHEL 7 Hosts to Active Directory

Installing the “sssd” service if required

To allow a Red Hat 7.0 or 7.1 server to join Active Directory, we need to install the sssd service. This service performs a lot of previously manual configuration. To install it, type the following command:

yum install sssd*

Ensure that DNS is working and defined on your NICs.

You should have the following entries in your ifcfg-eth file:

DNS1=10.5.5.100
DNS2=10.5.5.101

Using the realm command

Before joining Active Directory, you can check that the server can contact the PDC emulator for “office.local”:

realm discover office.local

If you get a response, then try:

realm join office.local -U brindleyp@office.local

Using Active Directory Users

Once the server is added to the domain, AD users can log into the server. The username format is:

username@domain

Using SSH

Ideally you want to modify the SSH service so that only users belonging to the sshusers group can log in. To do this with Active Directory you need to:

  • Create a group in Active Directory
  • Modify sshd_config and add AllowGroups sshusers@domainname

To log into the server using SSH, use the following format:

ssh ip/hostname -l username@domain

To speed up SSH login, set UseDNS no in sshd_config.
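The two sshd_config settings above are easy to get subtly wrong (a commented-out line, a second AllowGroups entry that never takes effect, a setting placed inside a Match block). The following is an added example, not code from the original wiki page: a small offline check that reads an sshd_config file and confirms that the AD group is listed in an effective AllowGroups line and that UseDNS is explicitly no. The file paths and the group name sshusers@office.local are assumptions for the example.

```shell
#!/bin/bash
# Added example, not from the original wiki page: offline check that an
# sshd_config applies AllowGroups <ad-group> and UseDNS no. Paths and the
# group name (sshusers@office.local) are assumptions for this example.

# sshd_option FILE KEYWORD
# Prints the value of KEYWORD from FILE and returns 0, or returns 1 if unset.
# sshd keywords are case-insensitive and, for each keyword, the first value
# wins, so the first uncommented occurrence is the effective one. Parsing
# stops at the first Match block: settings there apply conditionally, not
# globally, so they must not be mistaken for a server-wide restriction.
sshd_option() {
    local file="$1" want key val
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while read -r key val; do
        [ -z "$key" ] && continue                 # blank line
        case "$key" in \#*) continue ;; esac      # comment
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        [ "$key" = "match" ] && break
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < "$file"
    return 1
}

# check_sshd_ad_lockdown FILE GROUP
# Returns 0 only if FILE restricts logins to GROUP via AllowGroups and sets
# UseDNS no; each problem found is reported on stderr.
check_sshd_ad_lockdown() {
    local file="$1" group="$2" groups g found=1 usedns rc=0
    if groups=$(sshd_option "$file" AllowGroups); then
        for g in $groups; do                      # AllowGroups may list several groups
            [ "$g" = "$group" ] && found=0
        done
    fi
    if [ "$found" -ne 0 ]; then
        echo "$file: AllowGroups does not list $group (any AD user could log in)" >&2
        rc=1
    fi
    usedns=$(sshd_option "$file" UseDNS) || usedns=""
    if [ "$(printf '%s' "$usedns" | tr '[:upper:]' '[:lower:]')" != "no" ]; then
        echo "$file: UseDNS is not explicitly 'no' (OpenSSH before 6.8 defaults it to yes; reverse lookups slow logins)" >&2
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed sshd_config written to a temp file.
demo=$(mktemp)
printf 'Port 22\nAllowGroups wheel sshusers@office.local\nUseDNS no\n' > "$demo"
if check_sshd_ad_lockdown "$demo" sshusers@office.local; then
    echo "sshd_config restricts logins to sshusers@office.local and sets UseDNS no"
fi
rm -f "$demo"
```

Run it against the real file with `check_sshd_ad_lockdown /etc/ssh/sshd_config sshusers@office.local` after editing; a non-zero exit means the lockdown is not in effect server-wide.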

Using Sudo

To give AD users sudo permissions, add the following line using visudo:

%sshusers@domainname    ALL=(ALL)  ALL

Modifying config files

The SSSD and krb5 config files need to be modified.

SSSD

Add the extra file at /etc/sssd/conf.d/office.conf:

[domain/office.local]
ad_domain = office.local
krb5_realm = OFFICE.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive

Krb

Add the extra file at /etc/krb5.conf.d/office.conf:

[realms]
  OFFICE.LOCAL = {
    kdc = dubc2dc01
    kdc = dubl5dc02
    kdc = dubmgmtdc01
    kdc = dubmgmtdc02
    kdc = crkmdc02
    kdc = dubvdc01
    kdc = dubvdc02
    kdc = dubpdc03
    kdc = dubpdc04
  }

[domain_realm]
  office.local = OFFICE.LOCAL
  .office.local = OFFICE.LOCAL

You might also have to remove some lines from krb5.conf, and ensure that it contains:

default_realm = OFFICE.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

Finally, clear the cache and restart sssd:

sss_cache -E
systemctl stop sssd; rm -rf /var/lib/sss/db/*; systemctl start sssd
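Before clearing the cache and restarting, it is worth checking that the two files written above actually say what the page intends. The following is an added example, not code from the original wiki page: a minimal INI-style reader plus two audit functions, one for the [domain/office.local] section of the sssd drop-in and one for the Kerberos enctype settings. The rc4-hmac pinning shown above is reported as a finding, since RC4 is deprecated for Kerberos (RFC 8429); if the domain controllers are Windows Server 2008 or newer they support AES, and aes256-cts-hmac-sha1-96 is the preferable choice. File names, the temp directory and the sample contents are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original wiki page: audit the sssd domain
# drop-in and the krb5 libdefaults settings before restarting sssd.
# File paths and sample contents below are constructed for this example.

# ini_get FILE SECTION KEY
# Prints the first value of KEY inside [SECTION] of an sssd/krb5-style
# file and returns 0, or returns 1 if absent. Nested "{ }" realm blocks
# in krb5.conf are not modelled; only top-level key = value lines are read.
ini_get() {
    local file="$1" section="$2" want="$3" line cur="" key val
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"          # trim leading whitespace
        case "$line" in
            ''|\#*|\;*) continue ;;                      # blank or comment
            \[*\]) cur="${line#\[}"; cur="${cur%\]}"; continue ;;
        esac
        [ "$cur" = "$section" ] || continue
        key="${line%%=*}"; val="${line#*=}"
        key="${key%"${key##*[![:space:]]}"}"             # trim trailing whitespace
        val="${val#"${val%%[![:space:]]*}"}"
        val="${val%"${val##*[![:space:]]}"}"
        if [ "$key" = "$want" ]; then printf '%s\n' "$val"; return 0; fi
    done < "$file"
    return 1
}

# audit_sssd_domain FILE DOMAIN
# Returns the number of mismatches (0 = clean) against the settings the
# page's office.conf relies on for AD identity and access control.
audit_sssd_domain() {
    local file="$1" sec="domain/$2" problems=0 pair key want got
    for pair in id_provider=ad access_provider=ad use_fully_qualified_names=True cache_credentials=True; do
        key="${pair%%=*}"; want="${pair#*=}"
        got=$(ini_get "$file" "$sec" "$key") || got="<unset>"
        if [ "$got" != "$want" ]; then
            echo "[$sec] $key is '$got', expected '$want'" >&2
            problems=$((problems + 1))
        fi
    done
    # permissive GPO mode evaluates and logs logon-right denials without enforcing them
    if [ "$(ini_get "$file" "$sec" ad_gpo_access_control)" = "permissive" ]; then
        echo "[$sec] note: ad_gpo_access_control=permissive, GPO logon restrictions are logged, not enforced" >&2
    fi
    return "$problems"
}

# audit_krb5_enctypes FILE
# Returns 0 if neither default_tkt_enctypes nor default_tgs_enctypes in
# [libdefaults] pins rc4-hmac; an unset key leaves the library default.
audit_krb5_enctypes() {
    local file="$1" key val rc=0
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(ini_get "$file" libdefaults "$key") || continue
        case " $val " in
            *" rc4-hmac "*) echo "[libdefaults] $key pins rc4-hmac (RC4, deprecated by RFC 8429)" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on constructed copies of the page's two files, written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/office.conf" <<'EOF'
[domain/office.local]
id_provider = ad
access_provider = ad
use_fully_qualified_names = True
cache_credentials = True
ad_gpo_access_control = permissive
EOF
cat > "$demo_dir/krb5-office.conf" <<'EOF'
[libdefaults]
 default_realm = OFFICE.LOCAL
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
EOF
audit_sssd_domain "$demo_dir/office.conf" office.local && echo "sssd domain section: OK"
audit_krb5_enctypes "$demo_dir/krb5-office.conf" || echo "krb5: weak enctypes found (see stderr)"
rm -rf "$demo_dir"
```

Against the live system the calls would be `audit_sssd_domain /etc/sssd/conf.d/office.conf office.local` and `audit_krb5_enctypes /etc/krb5.conf`; run them before `sss_cache -E` so a typo in the drop-in is caught before the cache is wiped.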