Did you know you can centrally manage Linux systems and user accounts under an Active Directory domain?\u202f <\/p>\n\n\n\n
For many businesses, Active Directory (AD) is the preferred (if not only) directory service.\u202f <\/p>\n\n\n\n
If you and your team are in charge of a Linux and Windows hybrid environment, centralizing authentication for both systems makes sense.\u202f\u00a0<\/p>\n\n\n\n
In this article, I\u2019ll discuss how to include Linux devices in an Active Directory domain. <\/p>\n\n\n\n
For many years, Microsoft Active Directory<\/a>, also referred to as AD, has dominated the market for enterprise access control. It is used by organizations and people all over the world to centrally manage access to organizational resources. You can control who has access to what by managing users, passwords, and resources like computers. Some of you who are reading this article, especially those who work for large organizations, have already dealt with AD. Typically, the interaction involves logging in to all workstations inside the organization using a single set of login credentials.\u202f<\/p>\n\n\n\n Each user in Active Directory is uniquely created as an object with a single set of credentials in a central database. Additionally, every computer system is created as an object. With the same set of credentials, every user has automatic access to every workstation. Any necessary account updates are made once at the centralized database. The same set of credentials can be used by staff members to access the printers. To do that, AD can be connected with the printers\u2019 authentication system.\u202f<\/p>\n\n\n\n It is possible to customize and maintain access to different resources using groups and organizational units. This directory can be expanded to include more information in addition to the phone numbers and email addresses of the personnel.\u202f\u00a0<\/p>\n\n\n\n AD is a kind of distributed database, which is accessed using Lightweight Directory Access Protocol (LDAP).\u202f <\/p>\n\n\n\n What happens, though, if your organization leverages AD and you have a few Red Hat systems but do not want to keep track of a distinct set of login credentials for your Linux users? As it turns out \u2013 you can join the Red Hat systems to AD using sssd.\u202f\u00a0<\/p>\n\n\n\n The System Security Services Daemon (SSSD) is a system service facilitating access to remote directories and authentication mechanisms.\u202f <\/p>\n\n\n\n An SSSD client, on a local system, can be connected to an identity provider.\u202f <\/p>\n\n\n\n For instance:\u202f <\/p>\n\n\n\n In this example we will use the following: <\/p>\n\n\n\n The following packages need to be installed: <\/p>\n\n\n\n To ensure that the server can correctly communicate with Active Directory, use the following command: <\/p>\n\n\n\n Ensure that you can resolve the AD domain controllers using dig: <\/p>\n\n\n\n Note: the ad_server option defines the Domain Controller for the given domain. This option is useful to avoid DNS SRV record lookups and if the Linux server can only resolve DNS names from one of the forest domains. If this is your case \u2013 add the Domain Controllers\u2019 names to \/etc\/hosts as well.<\/p>\n\n\n\n Learn how to simplify the way your team manages both Linux and Windows systems, centrally manage your Linux systems and user accounts,\u202fcontact us<\/a>\u202fto learn more. <\/p>\n\n\n\n\n
Prerequisites<\/h2>\n\n\n\n
\n
\n
\n
\n
\n
Package Installation<\/h2>\n\n\n\n
# dnf install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation samba-common-tools <\/code><\/pre>\n\n\n\n# update-crypto-policies --set DEFAULT:AD-SUPPORT <\/code><\/pre>\n\n\n\n[root@utility ~]# dig srv _kerberos-master._udp.example01.net \n
\n
\n; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8_6.1 <<>> srv _kerberos-master._udp.example01.net \n
\n;; global options: +cmd \n
\n;; Got answer: \n
\n;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9762 \n
\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 \n
\n
\n;; OPT PSEUDOSECTION: \n
\n; EDNS: version: 0, flags:; udp: 4000 \n
\n;; QUESTION SECTION: \n
\n;_kerberos-master._udp.example01.net. IN\tSRV \n
\n
\n
\n;; AUTHORITY SECTION: \n
\nexample01.net.\t3600\tIN\tSOA\tlmigadc01.example01.net. hostmaster.example01.net. 7082 900 600 86400 3600 \n
\n
\n;; Query time: 1 msec \n
\n;; SERVER: 172.16.34.10#53(172.16.34.10) \n
\n;; WHEN: Wed Dec 14 13:49:17 AEDT 2022 \n
\n;; MSG SIZE rcvd: 150 \n
\n------------------------------------------ \n
\n[root@utility ~]# dig srv _kerberos-master._udp.example02.net \n
\n
\n; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8_6.1 <<>> srv _kerberos-master._udp.example02.net \n
\n;; global options: +cmd \n
\n;; Got answer: \n
\n;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9762 \n
\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 \n
\n
\n;; OPT PSEUDOSECTION: \n
\n; EDNS: version: 0, flags:; udp: 4000 \n
\n;; QUESTION SECTION: \n
\n;_kerberos-master._udp.example02.net. IN\tSRV \n
\n
\n;; AUTHORITY SECTION: \n
\nexample02.net.\t3600\tIN\tSOA\tlmigadc01.example02.net. hostmaster.example02.net. 7082 900 600 86400 3600 \n
\n
\n;; Query time: 1 msec \n
\n;; SERVER: 172.16.34.10#53(172.16.34.10) \n
\n;; WHEN: Wed Dec 14 13:49:17 AEDT 2022 \n
\n;; MSG SIZE rcvd: 150 \n
\n
\n
\n--------------- \n
\n
\n[root@utility ~]# dig srv _kerberos-master._udp.example03.net \n
\n
\n; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8_6.1 <<>> srv _kerberos-master._udp.example03.net \n
\n;; global options: +cmd \n
\n;; Got answer: \n
\n;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9762 \n
\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 \n
\n
\n
\n;; OPT PSEUDOSECTION: \n
\n; EDNS: version: 0, flags:; udp: 4000 \n
\n;; QUESTION SECTION: \n
\n;_kerberos-master._udp.example03.net. IN\tSRV \n
\n
\n;; AUTHORITY SECTION: \n
\nexample03.net.\t3600\tIN\tSOA\tlmigadc01.example03.net. hostmaster.example03.net. 7082 900 600 86400 3600 \n
\n
\n;; Query time: 1 msec \n
\n;; SERVER: 172.16.34.10#53(172.16.34.10) \n
\n;; WHEN: Wed Dec 14 13:49:17 AEDT 2022 \n
\n;; MSG SIZE rcvd: 150 <\/code><\/pre>\n\n\n\n\n
# realm join EXAMPLE01.NET <\/code><\/pre>\n\n\n\n\n
domain_realm] \n
\n .example01.net = EXAMPLE01.NET \n
\n example01.net = EXAMPLE01.NET \n
\n .example02.net = EXAMPLE02.NET \n
\n example02.net = EXAMPLE02.NET \n
\n .example03.net = EXAMPLE03.NET \n
\n example03.net = EXAMPLE03.NET <\/code><\/pre>\n\n\n\n\n
# adcli join -\u2013host-keytab=\/etc\/krb5.keytab.example02.net example02.net<\/code><\/pre>\n\n\n\n\n
[sssd] \n
\ndomains = example01.net,example02.net \n
\nconfig_file_version = 2 \n
\nservices = nss, pam, pac, ssh \n
\n
\n
\n[domain\/example01.net] \n
\nad_domain = example01.net \n
\nad_server = lmigadc01.example01.net \n
\nkrb5_realm = example01.net \n
\nrealmd_tags = manages-system joined-with-adcli \n
\ncache_credentials = True \n
\nid_provider = ad \n
\nkrb5_store_password_if_offline = True \n
\ndefault_shell = \/bin\/bash \n
\nldap_id_mapping = True \n
\nuse_fully_qualified_names = True \n
\nfallback_homedir = \/home\/%u@%d \n
\naccess_provider = ad \n
\ndyndns_update = true \n
\n
\n
\n[domain\/example02.net] \n
\nad_domain = example02.net \n
\nad_server = lcolad01.example02.net \n
\nkrb5_realm = example02.net \n
\nrealmd_tags = manages-system joined-with-adcli \n
\ncache_credentials = True \n
\nid_provider = ad \n
\nkrb5_store_password_if_offline = True \n
\ndefault_shell = \/bin\/bash \n
\nldap_id_mapping = True \n
\nuse_fully_qualified_names = True \n
\nfallback_homedir = \/home\/%u@%d \n
\naccess_provider = ad \n
\nkrb5_keytab = \/etc\/krb5.keytab.example02.net \n
\nldap_krb5_keytab = \/etc\/krb5.keytab.example02.net \n
\ndyndns_update = true <\/code><\/pre>\n\n\n\n\n
# systemctl restart sssd <\/code><\/pre>\n\n\n\n\n
# adcli join -\u2013host-keytab=\/etc\/krb5.keytab.example03.net example03.net<\/code><\/pre>\n\n\n\n\n
[sssd] \n
\ndomains = example01.net,example02.net,example03.net \n
\nconfig_file_version = 2 \n
\nservices = nss, pam, pac, ssh \n
\n
\n
\n[domain\/example01.net] \n
\nad_domain = example01.net \n
\nad_server = lmigadc01.example01.net \n
\nkrb5_realm = example01.net \n
\nrealmd_tags = manages-system joined-with-adcli \n
\ncache_credentials = True \n
\nid_provider = ad \n
\nkrb5_store_password_if_offline = True \n
\ndefault_shell = \/bin\/bash \n
\nldap_id_mapping = True \n
\nuse_fully_qualified_names = True \n
\nfallback_homedir = \/home\/%u@%d \n
\naccess_provider = ad \n
\ndyndns_update = true \n
\n
\n
\n[domain\/example02.net] \n
\nad_domain = example02.net \n
\nad_server = lcolad01.example02.net \n
\nkrb5_realm = example02.net \n
\nrealmd_tags = manages-system joined-with-adcli \n
\ncache_credentials = True \n
\nid_provider = ad \n
\nkrb5_store_password_if_offline = True \n
\ndefault_shell = \/bin\/bash \n
\nldap_id_mapping = True \n
\nuse_fully_qualified_names = True \n
\nfallback_homedir = \/home\/%u@%d \n
\naccess_provider = ad \n
\nkrb5_keytab = \/etc\/krb5.keytab.example02.net \n
\nldap_krb5_keytab = \/etc\/krb5.keytab.example02.net \n
\ndyndns_update = true \n
\n
\n
\n[domain\/example03.net] \n
\nad_domain = example03.net \n
\nad_server = lavailad02.example03.net \n
\nkrb5_realm = example03.net \n
\nrealmd_tags = manages-system joined-with-adcli \n
\ncache_credentials = True \n
\nid_provider = ad \n
\nkrb5_store_password_if_offline = True \n
\ndefault_shell = \/bin\/bash \n
\nldap_id_mapping = True \n
\nuse_fully_qualified_names = True \n
\nfallback_homedir = \/home\/%u@%d \n
\naccess_provider = ad \n
\nkrb5_keytab = \/etc\/krb5.keytab.example03.net \n
\nldap_krb5_keytab = \/etc\/krb5.keytab.example03.net \n
\ndyndns_update = true <\/code><\/pre>\n\n\n\n\n
# systemctl restart sssd <\/code><\/pre>\n\n\n\n172.16.32.10 lcolad01.example02.net lcolad01 \n
\n172.16.34.10 lmigadc01.example01.net lmigadc01 \n
\n172.16.36.10 lavailad02.example03.net lavailad02 <\/code><\/pre>\n\n\n\nTesting<\/h2>\n\n\n\n
\n
# id example_admin@example01.net \n
\n[root@utility ~]# id example_admin@example01.net \n
\nuid=794602228(example_admin@example01.net) gid=794400513(domain users@example01.net) groups=794600513(domain users@example01.net),794600512(domain admins@example01.net) \n
\n
\n
\n# id example_admin@example03.net \n
\n[root@utility ~]# id example_admin@example03.net \n
\nuid=44201110(example_admin@example03.net) gid=44201177(linux_admins@example03.net) groups=44201177(linux_admins@example03.net),44200513(domain users@example03.net),44201605(idm@example03.net) \n
\n
\n
\n# id example_admin@example02.net \n
\n[root@utility ~]# id example_admin@example02.net \n
\nuid=81601158(example_admin@example02.net) gid=81600513(domain users@example02.net) groups=81600513(domain users@example02.net),81600512(domain admins@example02.net) <\/code><\/pre>\n\n\n\n\n
root@test ~]# ssh example_admin@example03.net@utility \n
\nexample_admin@example03.net@utility's password: \n
\nLast login: Wed Dec 14 10:44:59 2022 from 10.221.8.5 \n
\n[example_admin@example03.net@utility ~]$ <\/code><\/pre>\n\n\n\n\n
[root@test ~]# ssh example_admin@example01.net@utility \n
\nexample_admin@example01.net@utility's password: \n
\nLast login: Wed Dec 14 10:44:23 2022 from 10.221.8.5 \n
\n[example_admin@example01.net@utility ~]$ kinit \n
\nPassword for example_admin@EXAMPLE01.NET: \n
\n[example_admin@example01.net@utility ~]$ klist \n
\nTicket cache: KCM:794602128:6396 \n
\nDefault principal: example_admin@EXAMPLE01.NET \n
\n
\n
\nValid starting Expires Service principal \n
\n14\/12\/22 14:19:24 15\/12\/22 00:19:24 krbtgt\/EXAMPLE01.NET@EXAMPLE01.NET <\/code><\/pre>\n\n\n\n