My company has asked me to look into connecting our CentOS 7 instances to our Active Directory to make user management easier.
I have so far looked at:
- Kerberos, doing it via command line – How To Join CentOS Linux To An Active Directory Domain
- OpenLDAP – 24.7. Configuring a System to Authenticate Using OpenLDAP
Is there any other tool or resource I should look into to do my due diligence?
Answers:
Method 1
sssd and realmd were by far the easiest way to get this done. The steps below are what I did to get my CentOS machine on the domain and able to restrict access to only the specific users in the security groups in Active Directory (AD).
NOTE: All steps from the below two links:
- https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
- https://askubuntu.com/questions/545058/ssh-allow-windows-ad-groupswith-special-charactors
Install the packages
$ sudo yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
Edit the /etc/resolv.conf file & insert the following two lines:
$ sudo vi /etc/resolv.conf
search <domain>
nameserver <ip>
Joining to AD DOM
Join the Linux machine to the domain to be seen in Active Directory & to view that you are now on the domain:
$ sudo realm join --user=<user with permissions to add users to the domain> <domain>
$ sudo realm list
Edit /etc/sssd/sssd.conf:
From
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
To
use_fully_qualified_names = False
fallback_homedir = /home/%u
Then restart the sssd service:
$ sudo systemctl restart sssd
Setup sudo
Create the groups that will be used in AD in /etc/sudoers.d/<group Name> & edit the file and add the user access:
$ sudo touch /etc/sudoers.d/sudoers
$ sudo vi !$
Insert into sudoers file the permissions you want for this group:
%sudoers ALL=(ALL) ALL
NOTE: Have a system admin create the same groups in AD.
Edit which groups or users can access the system via SSH. Edit /etc/ssh/sshd_config and add the groups to the AllowGroups line. You may need to add AllowGroups to the config file; I had to:
AllowGroups sudoers node_access
I have two groups, sudoers and node_access. Edit /etc/security/access.conf and add the groups into this file to only allow ssh access for users in the sudoers and node_access group.
Add the groups in ()’s to the below section of the access.conf file:
# Same, but make sure that really the group wheel and not the user
# wheel is used (use nodefgroup argument, too):
# The rule must be uncommented to take effect, and the origin must be ALL
# (not LOCAL) so that it also applies to SSH logins from remote hosts.
-:ALL EXCEPT (wheel) shutdown sync (sudoers) (node_access):ALL
Restart the sssd service and test.
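The post-join edits in Method 1 (sssd.conf, the sudoers drop-in, AllowGroups in sshd_config, the access.conf rule) are easy to get subtly wrong by hand, and a syntax error in sudoers or sshd_config can lock you out. The script below is an added example, not code from the answer above or from the two linked pages; it wraps each edit in a function that takes the target file as its first argument, so the whole sequence can be rehearsed on copies in a scratch directory before it is pointed at /etc. The group names sudoers and node_access are taken from the answer; every other path and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not part of the original answer): idempotent helpers for the
# CentOS 7 / sssd post-join configuration. Each function takes the file or
# directory it edits as its first argument so it can be tried on copies first.
set -eu

# Set "KEY = VALUE" in sssd.conf: rewrite an existing KEY line, else append it.
# Running it twice leaves a single line, unlike blindly appending with >>.
set_ini_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Write the sudoers drop-in for one AD group as /etc/sudoers.d/<group> with the
# mode sudo expects. When visudo is present the file is syntax-checked, so a
# typo never reaches the live sudoers.d directory.
write_sudoers_dropin() {
  local dir=$1 group=$2
  local file="$dir/$group"
  printf '%%%s ALL=(ALL) ALL\n' "$group" > "$file"
  chmod 0440 "$file"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$file" >/dev/null
  fi
}

# Ensure every listed group is on the single AllowGroups line of sshd_config,
# adding the line if absent and never duplicating a group that is already there.
set_allow_groups() {
  local file=$1; shift
  local existing="" g
  existing=$(grep -E '^AllowGroups' "$file" | head -n1 | cut -d' ' -f2- || true)
  for g in "$@"; do
    case " $existing " in
      *" $g "*) ;;
      *) existing="${existing:+$existing }$g" ;;
    esac
  done
  if grep -Eq '^AllowGroups' "$file"; then
    sed -i -E "s|^AllowGroups.*|AllowGroups ${existing}|" "$file"
  else
    printf 'AllowGroups %s\n' "$existing" >> "$file"
  fi
}

# Build the pam_access rule for /etc/security/access.conf: deny everyone except
# the local accounts wheel/shutdown/sync and the given AD groups, for origin
# ALL so that SSH logins from remote hosts are covered as well as local ttys.
access_rule() {
  local groups="" g
  for g in "$@"; do groups="$groups ($g)"; done
  printf '%s\n' "-:ALL EXCEPT (wheel) shutdown sync${groups}:ALL"
}

# Usage against a scratch copy of the real files (assumed paths):
#   set_ini_option      sssd.conf.copy use_fully_qualified_names False
#   set_ini_option      sssd.conf.copy fallback_homedir /home/%u
#   write_sudoers_dropin ./sudoers.d.copy sudoers
#   set_allow_groups    sshd_config.copy sudoers node_access
#   access_rule         sudoers node_access >> access.conf.copy
```

Two checks belong between rehearsing and applying for real: run `sshd -t` after editing /etc/ssh/sshd_config and before restarting sshd, and remember that access.conf is only consulted when pam_access is enabled in the PAM stack (on CentOS 7, `authconfig --enablepamaccess --update`); without it the deny rule is silently ignored and the AllowGroups line is the only thing limiting SSH access.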
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.