CyberKeeda In Social Media

Join Linux into Windows Active Directory domain




Though I'm  a great fan of Linux/Unix but while working with any enterprise firm i couldn't avoid, thus i was asked to join our Linux hosts into Active directory.

So let's move ahead and join our LInux systems into ad using tool named as " adcli "
I have used this to join our Redhat/CentOS 7 hosts into AD.

Video Tutorial.


There are two must things as a prerequisites for it.

1.     Make Sure RHEL machine is able to resolve Active Directory servers.
2.     Install adcli package along with sssd:

 Consider the below inputs as a lab enviroment of mine.


Active Directory Server : swind101x.cyberkeeda.net
Domain name : cyberkeeda.net
Linux Client Hostname :  scent101x.cyberkeeda.net
[root@scent101x ~]# yum install adcli sssd authconfig
  • Discover the AD domain:
[root@scent101x ~]# adcli info cyberkeeda.net
adcli will show few details about the AD domain. 


[domain]
domain-name = cyberkeeda.net
domain-short = CYBERKEEDA
domain-forest = cyberkeeda.net
domain-controller = SWIND101X.cyberkeeda.net
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = SWIND101X.cyberkeeda.net
[computer]
computer-site = Default-First-Site-Name


  • Now, join RHEL system to AD domain using adcli: 
[root@scent101x ~]# adcli join cyberkeeda.net
Password for Administrator@CYBERKEEDA.NET: <---- Enter Admin password
By default, it prompts for the Administrator password, but it's possible to specify another user with the -U option:
[root@scent101x ~]# adcli join cyberkeeda.net -U ad_admin_user 

# adcli join cyberkeeda.net -U ad_admin_user        <------ This user should have administrative rights in AD

The join operation creates a keytab the machine will authenticate with. When inspect the with klist -kt, 
[root@scent101x ~]# klist -kte
It should show several entries that contain client hostname in some form:


Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes256-cts-hmac-sha1-96) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes128-cts-hmac-sha1-96) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (des3-cbc-sha1) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (arcfour-hmac)


  • Configure /etc/krb5.conf to use AD domain:

Replace 
Realm
Admin_server
your Realm, domain realms, AD erver information.

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CYBERKEEDA.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CYBERKEEDA.NET = {
  kdc = cyberkeeda.net
  admin_server = swind101x.cyberkeeda.net
 }

[domain_realm]
 .cyberkeeda.net = CYBERKEEDA.NET
 cyberkeeda.net = CYBERKEEDA.NET




Use authconfig to set up the Name Service Switch(/etc/nsswitch.conf) and PAM stacks(password-authand system-auth):

[root@scent101x ~]#  authconfig --enablesssd --enablesssdauth --update

Above command will modify and add necessary entries in 

Ø /etc/nsswitch.conf, 
Ø /etc/pam.d/password-auth 
Ø /etc/pam.d/system-authfiles 


The final step is to configure the SSSD itself. 
Open /etc/sssd/sssd.conf and define a single domain:

[sssd]

services = nss, pam, ssh, autofs

config_file_version = 2

domains = CYBERKEEDA.NET



[domain/CYBERKEEDA.NET]
id_provider = ad
# Uncomment and configure below , if service discovery is not working

ad_server = swind101x.cyberkeeda.net
 



 Make sure /etc/sssd/sssd.con is owned by root:root and permissions are 600

 # chown root:root /etc/sssd/sssd.conf
 # chmod 600 /etc/sssd/sssd.conf

Start the SSSD and make sure it's up after reboots:

# service sssd start
# chkconfig sssd on

    Try to  fetch user information for AD user and then try to login as AD user

# getent passwd aduser


# id Administrator
# ssh Administrator@localhost

2 comments:

  1. The effectiveness of IEEE Project Domains depends very much on the situation in which they are applied. In order to further improve IEEE Final Year Project Domains practices we need to explicitly describe and utilise our knowledge about software domains of software engineering Final Year Project Domains for CSE technologies. This paper suggests a modelling formalism for supporting systematic reuse of software engineering technologies during planning of software projects and improvement programmes in Final Year Project Centers in Chennai.

    Software management seeks for decision support to identify technologies like JavaScript that meet best the goals and characteristics of a software project or improvement programme. JavaScript Training in Chennai Accessible experiences and repositories that effectively guide that technology selection are still lacking.

    Aim of technology domain analysis is to describe the class of context situations (e.g., kinds of JavaScript software projects) in which a software engineering technology JavaScript Training in Chennai can be applied successfully

    ReplyDelete

Related Posts Plugin for WordPress, Blogger...
Designed By Kunal Saha