
Join Linux into Windows Active Directory domain




Though I'm a great fan of Linux/Unix, working in an enterprise firm you can't avoid Windows, so I was asked to join our Linux hosts into Active Directory.

So let's move ahead and join our Linux systems into AD using the tool named "adcli".
I have used this to join our Red Hat/CentOS 7 hosts into AD.



There are two prerequisites for it.

1.     Make sure the RHEL machine is able to resolve the Active Directory servers (DNS).
2.     Install the adcli package along with sssd.

 Consider the below inputs as my lab environment.


Active Directory Server : swind101x.cyberkeeda.net
Domain name : cyberkeeda.net
Linux Client Hostname : scent101x.cyberkeeda.net

  • Install the packages:

[root@scent101x ~]# yum install adcli sssd authconfig

  • Discover the AD domain:

[root@scent101x ~]# adcli info cyberkeeda.net

adcli will show a few details about the AD domain:


[domain]
domain-name = cyberkeeda.net
domain-short = CYBERKEEDA
domain-forest = cyberkeeda.net
domain-controller = SWIND101X.cyberkeeda.net
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = SWIND101X.cyberkeeda.net
[computer]
computer-site = Default-First-Site-Name


  • Now, join the RHEL system to the AD domain using adcli:

[root@scent101x ~]# adcli join cyberkeeda.net
Password for Administrator@CYBERKEEDA.NET: <---- Enter Admin password

By default, it prompts for the Administrator password, but it's possible to specify another user with the -U option. This user should have administrative rights in AD:

[root@scent101x ~]# adcli join cyberkeeda.net -U ad_admin_user

The join operation creates a keytab (/etc/krb5.keytab) that the machine will authenticate with. Inspect it with klist -kte:

[root@scent101x ~]# klist -kte

It should show several entries that contain the client hostname in some form:


Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes256-cts-hmac-sha1-96) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes128-cts-hmac-sha1-96) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (des3-cbc-sha1) 
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (arcfour-hmac)


  • Configure /etc/krb5.conf to use the AD domain:

Replace the realm, the domain_realm mappings and the kdc / admin_server entries with your own realm and AD server information:

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CYBERKEEDA.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CYBERKEEDA.NET = {
  kdc = cyberkeeda.net
  admin_server = swind101x.cyberkeeda.net
 }

[domain_realm]
 .cyberkeeda.net = CYBERKEEDA.NET
 cyberkeeda.net = CYBERKEEDA.NET




Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (password-auth and system-auth):

[root@scent101x ~]#  authconfig --enablesssd --enablesssdauth --update

The above command will modify and add the necessary entries in:

Ø /etc/nsswitch.conf
Ø /etc/pam.d/password-auth
Ø /etc/pam.d/system-auth


The final step is to configure SSSD itself.
Open /etc/sssd/sssd.conf and define a single domain:

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = CYBERKEEDA.NET

[domain/CYBERKEEDA.NET]
id_provider = ad
# Uncomment and configure the line below if DNS service discovery is not working
# ad_server = swind101x.cyberkeeda.net
 



 Make sure /etc/sssd/sssd.conf is owned by root:root and its permissions are 600:

 # chown root:root /etc/sssd/sssd.conf
 # chmod 600 /etc/sssd/sssd.conf

Start the SSSD and make sure it's up after reboots:

# service sssd start
# chkconfig sssd on

    Try to fetch user information for an AD user and then try to log in as an AD user:

# getent passwd aduser
# id Administrator
# ssh Administrator@localhost
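The helper script below ties the procedure together as a post-join verification run. It is an added example, not code from the original post: it checks the DNS prerequisite, parses the adcli info and klist -kte listings shown above (copied in as constructed sample text so the parsing can be tried without a domain controller), verifies that sssd.conf and the keytab are root-owned mode 600, flags legacy enctypes (RC4/DES/3DES) in the keytab, and proves the join with a kinit using the machine account key instead of any AD user password. The function names are my own, and it assumes GNU stat, dig from bind-utils and the MIT Kerberos client tools.

```shell
#!/bin/sh
# Post-join verification helpers (added example, not from the original post).
# Assumptions: GNU coreutils stat, dig from bind-utils, MIT Kerberos client tools.
# Lab values are the ones used in the post (realm CYBERKEEDA.NET, host scent101x).

# Constructed sample outputs, copied from the listings in the post, so the
# parsing functions can be exercised without a domain controller.
SAMPLE_ADCLI_INFO='[domain]
domain-name = cyberkeeda.net
domain-short = CYBERKEEDA
domain-controller = SWIND101X.cyberkeeda.net
domain-controller-usable = yes
[computer]
computer-site = Default-First-Site-Name'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes256-cts-hmac-sha1-96)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes128-cts-hmac-sha1-96)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (des3-cbc-sha1)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (arcfour-hmac)'

# Prerequisite 1: the client must find a domain controller through DNS.
# Returns 0 if an LDAP SRV record for the domain's DCs resolves.
check_ad_dns() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | grep -q .
}

# Pull one "key = value" field out of 'adcli info' output.
# usage: adcli_info_field "$output" domain-controller
adcli_info_field() {
    printf '%s\n' "$1" | sed -n "s/^$2 = //p" | head -n 1
}

# Check a 'klist -kte' listing for the machine account HOST$@REALM and flag
# legacy enctypes (RC4 / DES / 3DES) that AD may still have issued keys for.
# Prints "ok" or "weak"; returns 1 if the machine principal is missing.
check_keytab_listing() {
    listing="$1"
    principal="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')\$@$3"
    printf '%s\n' "$listing" | grep -qF "$principal" || return 1
    if printf '%s\n' "$listing" | grep -Eq 'arcfour-hmac|des3-cbc-sha1|des-cbc'; then
        echo weak
    else
        echo ok
    fi
}

# sssd.conf and the keytab hold secrets: require mode 600 and the expected owner.
# usage: check_secret_file /etc/sssd/sssd.conf root:root
check_secret_file() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ] && [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# Live check: obtain a TGT with the machine account key from the keytab into a
# throwaway cache, then delete it. Proves the join works with no user password.
verify_machine_keytab() {
    host_upper="$(hostname -s | tr '[:lower:]' '[:upper:]')"
    cc="$(mktemp)"
    KRB5CCNAME="FILE:$cc" kinit -k -t /etc/krb5.keytab "${host_upper}\$@$1"
    rc=$?
    rm -f "$cc"
    return $rc
}

# Whole-host run (needs root and a reachable DC); not exercised offline.
run_all_checks() {
    domain="$1"
    realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
    check_ad_dns "$domain" || { echo "no DC SRV record for $domain"; return 1; }
    check_secret_file /etc/sssd/sssd.conf root:root || { echo "bad sssd.conf owner/mode"; return 1; }
    check_secret_file /etc/krb5.keytab root:root || { echo "bad keytab owner/mode"; return 1; }
    status="$(check_keytab_listing "$(klist -kte)" "$(hostname -s)" "$realm")" \
        || { echo "machine principal missing from keytab"; return 1; }
    [ "$status" = "ok" ] || echo "warning: legacy enctypes present in keytab"
    verify_machine_keytab "$realm"
}
```

Run it as root after the join with `run_all_checks cyberkeeda.net`; the keytab listed in the post would print the legacy-enctype warning because of its des3-cbc-sha1 and arcfour-hmac entries, which is worth knowing before the AD side disables RC4.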
