Though I'm a great fan of Linux/Unix, while working with any enterprise firm I couldn't avoid it, and thus I was asked to join our Linux hosts to Active Directory.
So let's move ahead and join our Linux systems to AD using a tool named "adcli".
I have used this to join our Red Hat/CentOS 7 hosts to AD.
There are two prerequisites for it.
1. Make sure the RHEL machine is able to resolve the Active Directory servers.
2. Install the adcli package along with sssd.
Consider the inputs below as my lab environment.
Active Directory Server : swind101x.cyberkeeda.net
Domain name : cyberkeeda.net
Linux Client Hostname : scent101x.cyberkeeda.net
[root@scent101x ~]# yum install adcli sssd authconfig
[root@scent101x ~]# adcli info cyberkeeda.net
adcli will show a few details about the AD domain:
[domain]
domain-name = cyberkeeda.net
domain-short = CYBERKEEDA
domain-forest = cyberkeeda.net
domain-controller = SWIND101X.cyberkeeda.net
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = SWIND101X.cyberkeeda.net
[computer]
computer-site = Default-First-Site-Name
- Now, join the RHEL system to the AD domain using adcli:
[root@scent101x ~]# adcli join cyberkeeda.net
By default, it prompts for the Administrator password, but it's possible to specify another user with the -U option:
[root@scent101x ~]# adcli join cyberkeeda.net -U ad_admin_user
Note: this user (ad_admin_user) should have administrative rights in AD.
The join operation creates a keytab that the machine will authenticate with. Inspect it with klist -kte:
[root@scent101x ~]# klist -kte
It should show several entries that contain the client hostname in some form:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes256-cts-hmac-sha1-96)
2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes128-cts-hmac-sha1-96)
2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (des3-cbc-sha1)
2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (arcfour-hmac)
- Configure /etc/krb5.conf to use the AD domain:
Replace the Realm and Admin_server values with your realm, domain realms, and AD server information.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CYBERKEEDA.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
CYBERKEEDA.NET = {
kdc = cyberkeeda.net
admin_server = swind101x.cyberkeeda.net
}
[domain_realm]
.cyberkeeda.net = CYBERKEEDA.NET
cyberkeeda.net = CYBERKEEDA.NET
Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and PAM stacks (password-auth and system-auth):
[root@scent101x ~]# authconfig --enablesssd --enablesssdauth --update
The above command will modify and add the necessary entries in the following files:
- /etc/nsswitch.conf
- /etc/pam.d/password-auth
- /etc/pam.d/system-auth
The final step is to configure SSSD itself.
Open /etc/sssd/sssd.conf and define a single domain:
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = CYBERKEEDA.NET
[domain/CYBERKEEDA.NET]
id_provider = ad
# Uncomment and configure below, if service discovery is not working
ad_server = swind101x.cyberkeeda.net
Make sure /etc/sssd/sssd.conf is owned by root:root and its permissions are 600:
# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
Start SSSD and make sure it comes up after reboots:
# service sssd start
# chkconfig sssd on
Try to fetch user information for an AD user, and then try to log in as an AD user:
# ssh Administrator@localhost
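An added post-join check, not part of the original post: the script below flags keytab entries that use legacy encryption types (such as the des3-cbc-sha1 and arcfour-hmac entries in the klist -kte output above) and verifies the sssd.conf owner and mode required earlier. The helper names and the sample klist text are constructed for illustration, and it assumes GNU stat as shipped on RHEL/CentOS.

```sh
#!/bin/sh
# Added example: post-join audit for the host joined above.

# Constructed sample, modelled on the klist -kte output shown in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes256-cts-hmac-sha1-96)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (aes128-cts-hmac-sha1-96)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (des3-cbc-sha1)
   2 12/03/17 14:17:32 SCENT101X$@CYBERKEEDA.NET (arcfour-hmac)'

# weak_keytab_entries (hypothetical helper): reads `klist -kte` output on
# stdin and prints "KVNO PRINCIPAL ENCTYPE" for each DES, 3DES or RC4 entry.
weak_keytab_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = $NF
            gsub(/[()]/, "", enc)
            sub(/^DEPRECATED:/, "", enc)   # prefix printed by newer MIT krb5
            if (enc ~ /^(des|des3|arcfour|rc4)-/) print $1, $(NF-1), enc
        }'
}

# conf_secure FILE [OWNER] (hypothetical helper): succeeds only if FILE has
# mode 600 and is owned by OWNER (default root:root). Uses GNU stat.
conf_secure() {
    [ "$(stat -c '%a %U:%G' "$1" 2>/dev/null)" = "600 ${2:-root:root}" ]
}

# Demo on the constructed sample; on a joined host run instead:
#   klist -kte | weak_keytab_entries
#   conf_secure /etc/sssd/sssd.conf || echo "fix sssd.conf owner/mode"
printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries
```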