Purpose
This is a step-by-step guide to configuring a CentOS 7 server to use Windows Active Directory for logins.
Plan
- Install needed packages
- Join the server to the Windows Domain
- Configure the sssd.conf file
- Check and verify access to AD users
- Configure sudo rights for AD user groups
Step 1: Install needed packages
1.1: Install the epel-release repo
The epel-release repo contains some of the packages we will need to complete this setup.
Input: sudo yum -y install epel-release
1.2: Update the server packages
Make sure you have all your system packages updated.
Input: sudo yum -y update
1.3: Install the Active Directory config packages
Input:
sudo yum -y install \
    sssd \
    realmd \
    oddjob \
    oddjob-mkhomedir \
    adcli \
    samba-common \
    samba-common-tools \
    krb5-workstation \
    openldap-clients \
    policycoreutils-python
Step 2: Join the server to the Windows Domain
2.1: Join server
Here we use the realm command to join the lnxark Active Directory (AD) domain. In this step, replace “ad.lnxark.com” with the FQDN or IP of your organization's AD server, and replace “lnxuser” with a user that has permission to add a system to your domain.
Input: sudo realm join ad.lnxark.com -U lnxuser
Output:
Password for lnxuser:
You have new mail in /var/spool/mail/root
2.2: Check status
Now verify whether the system has successfully joined the domain.
Input: realm list
Output:
lnxark.com
  type: kerberos
  realm-name: LNXARK.COM
  domain-name: lnxark.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@lnxark.com
  login-policy: allow-realm-logins
Step 3: Configure the sssd.conf file
3.1: Edit use_fully_qualified_names
Here we edit /etc/sssd/sssd.conf so that users can log in with the username format “lnxuser” instead of “lnxuser@lnxark.com”. The home directory will also be “/home/lnxark/lnxuser” instead of “/home/lnxuser@lnxark.com”. The “-i.orig” option makes sed back up the file (as sssd.conf.orig) before making the desired changes to it.
Input:
sudo sed -i.orig \
    -e 's|^\(use_fully_qualified_names\).*|\1 = False|' \
    -e 's|^\(fallback_homedir\).*|\1 = /home/%d/%u|' \
    /etc/sssd/sssd.conf
3.2: Add ad_gpo_ignore_unreadable
This step tells sssd to ignore Windows Group Policy Objects (GPOs) assigned to the user's AD account that the Linux host cannot read. Since these GPOs may not apply to the Linux machine, they would otherwise be reported as an error message at login.
Input:
# -a appends to the file; without it, tee would replace the whole sssd.conf
sudo tee -a /etc/sssd/sssd.conf &>/dev/null <<EOF
ad_gpo_ignore_unreadable = True
EOF
3.3: Add ad_access_filter
Here we configure sssd to allow logins only from members of a specified Active Directory group.
Input:
# -a appends to the file; without it, tee would replace the whole sssd.conf
sudo tee -a /etc/sssd/sssd.conf &>/dev/null <<EOF
ad_access_filter = (memberOf=cn=OIT_Linux_Users,ou=OIT Groups,ou=Groups,ou=User Accounts,dc=nsu,dc=edu)
EOF
3.4: Validate config changes
Below we check that the commands above made the desired changes.
Input:
sudo grep \
    -e use_fully_qualified_names \
    -e fallback_homedir \
    -e ad_gpo_ignore_unreadable \
    -e ad_access_filter \
    /etc/sssd/sssd.conf
Output:
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ad_gpo_ignore_unreadable = True
ad_access_filter = (memberOf=cn=OIT_Linux_Users,ou=OIT Groups,ou=Groups,ou=User Accounts,dc=nsu,dc=edu)
3.5: Restart sssd
Input: sudo systemctl restart sssd
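The grep in 3.4 only shows that the four lines exist somewhere in the file. The following script, an added example that is not part of the original guide, goes one step further: it reads only the [domain/...] section (where these options must live), checks each of the four values set in Step 3, and detects the case where sssd.conf was overwritten instead of appended to. The sssd.conf it checks is a constructed sample; the [domain/lnxark.com] section name follows what realm join creates for this guide's domain.

```sh
#!/bin/sh
# Added example (not from the original guide): verify that the Step 3 edits to
# sssd.conf landed in the domain section and that the file is still intact.

# domain_section FILE: print the "key = value" lines that sit inside a
# [domain/...] section, ignoring [sssd], [nss], [pam] and comment lines.
domain_section() {
    awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && /^[ \t]*[A-Za-z_]+[ \t]*=/ { print }
    ' "$1"
}

# domain_value FILE KEY: the value of KEY inside the domain section, or "" if
# the key is absent there (a key in another section does not count).
domain_value() {
    domain_section "$1" | awk -F'=' -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    '
}

# check_sssd_conf FILE: return 0 only if all four Step 3 settings are present
# with the expected values and the [sssd] section still exists (a "tee" run
# without -a would have wiped it). Prints one diagnostic per failed check.
check_sssd_conf() {
    conf="$1"
    rc=0
    grep -q '^\[sssd\]' "$conf" || { echo "missing [sssd] section: was the file overwritten?"; rc=1; }
    [ "$(domain_value "$conf" use_fully_qualified_names)" = "False" ] \
        || { echo "use_fully_qualified_names is not False"; rc=1; }
    [ "$(domain_value "$conf" fallback_homedir)" = "/home/%d/%u" ] \
        || { echo "fallback_homedir is not /home/%d/%u"; rc=1; }
    [ "$(domain_value "$conf" ad_gpo_ignore_unreadable)" = "True" ] \
        || { echo "ad_gpo_ignore_unreadable is not True"; rc=1; }
    case "$(domain_value "$conf" ad_access_filter)" in
        "(memberOf="*) ;;
        *) echo "ad_access_filter is missing or is not a memberOf filter"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: an sssd.conf as realm join writes it, plus the Step 3 edits.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = lnxark.com
config_file_version = 2
services = nss, pam

[domain/lnxark.com]
ad_domain = lnxark.com
krb5_realm = LNXARK.COM
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_access_filter = (memberOf=cn=OIT_Linux_Users,ou=OIT Groups,ou=Groups,ou=User Accounts,dc=nsu,dc=edu)
EOF

# Constructed sample: all that is left after "tee" was run without "-a".
printf 'ad_gpo_ignore_unreadable = True\n' > "$BAD_CONF"

check_sssd_conf "$GOOD_CONF" && echo "sssd.conf OK"
check_sssd_conf "$BAD_CONF" || echo "sssd.conf broken"
```

On a real host, run check_sssd_conf against /etc/sssd/sssd.conf with sudo (the file is readable only by root) before restarting sssd; if it reports a missing [sssd] section, restore the backup sed left as sssd.conf.orig and redo 3.2 and 3.3 with tee -a.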
Step 4: Check and verify access to AD users
Input:
id lnxuser
Output:
id: lnxuser: no such user
Step 5: Configure sudo rights for AD user groups
5.1: Create a sudoers.d file to configure AD group permissions on the server
Input:
sudo tee /etc/sudoers.d/LNXARK_Server_Team_Admin_Accounts <<EOF
%LNXARK_Server_Team_Admin_Accounts ALL=(ALL) ALL
EOF
If your AD group name contains spaces, escape each space with a backslash (‘\ ’) as shown below:
Input:
sudo tee /etc/sudoers.d/LNXARK_Server_Team_Admin_Accounts <<EOF
%LNXARK\ Server\ Team\ Admin\ Accounts ALL=(ALL) ALL
EOF
5.2: Refresh the user's AD record
Input: sudo systemctl restart sssd
Input: sudo systemctl daemon-reload
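A typo in a sudoers.d file breaks sudo for everyone on the box, so it is worth generating the rule from the group name and letting visudo check it before it is used. The script below is an added example, not part of the original guide: it escapes the spaces in an AD group name the way 5.1 describes, derives a file name that sudo will actually read from sudoers.d, writes the rule with mode 0440, and runs visudo -cf on it when visudo is available. The group names and the temporary directory standing in for /etc/sudoers.d are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original guide): build and validate a sudoers.d
# rule for an AD group before sudo ever reads it.

# sudoers_group_name GROUP: escape backslashes and spaces so that
# "LNXARK Server Team Admin Accounts" becomes "LNXARK\ Server\ Team\ Admin\ Accounts".
sudoers_group_name() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# sudoers_rule GROUP: the one-line rule from 5.1 granting the group full sudo.
sudoers_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$(sudoers_group_name "$1")"
}

# sudoers_filename GROUP: a file name sudo will read. sudo skips sudoers.d
# entries containing '.' or ending in '~', so map '.' and ' ' to '_' and drop '~'.
sudoers_filename() {
    printf '%s' "$1" | tr ' .' '__' | tr -d '~'
}

# install_group_rule GROUP DIR: write the rule into DIR (normally /etc/sudoers.d)
# with mode 0440 and let visudo check the syntax. Note that visudo -c also checks
# owner and mode, so run this as root on the real host. Returns non-zero if visudo
# rejects the file or the file could not be written.
install_group_rule() {
    group="$1"; dir="$2"
    target="$dir/$(sudoers_filename "$group")"
    sudoers_rule "$group" > "$target" || return 1
    chmod 0440 "$target"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$target" >/dev/null || { echo "visudo rejected $target"; return 1; }
    fi
    [ -s "$target" ]
}

# Demo on a temporary directory standing in for /etc/sudoers.d (constructed).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
if install_group_rule 'LNXARK Server Team Admin Accounts' "$DEMO_DIR"; then
    cat "$DEMO_DIR/LNXARK_Server_Team_Admin_Accounts"
else
    echo "rule was not accepted; see messages above"
fi
```

After installing the file for real, confirm the mapping end to end with sudo -l -U lnxuser, which lists the rules sssd-resolved group membership grants that user.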
2 Responses
It’s actually a great and helpful piece of information. I’m happy that you just shared this useful information with us. Please keep us up to date like this. Thank you for sharing.
This is the right blog for everyone who wants to find out about this topic. You understand so much it’s almost hard to argue with you (not that I personally would want to…HaHa). You certainly put a new spin on a topic that’s been written about for decades. Wonderful stuff, just great!