Join CentOS 7 into Active Directory using realm and sssd

Introduction to SSSD and Realmd 
Starting from Red Hat 7 and CentOS 7, SSSD (the 'System Security Services Daemon') and
realm have been introduced. SSSD's main function is to access a remote identity and authentication resource through a common framework that provides caching and offline support to the system. SSSD provides PAM and NSS integration and a database to store local users, as well as core and extended user data retrieved from a central server.

The main reason to transition from winbind to sssd is that sssd can be used for both direct and indirect integration and allows switching from one integration approach to the other without significant migration costs. The most convenient way to configure SSSD or winbind to directly integrate a Linux system with AD is to use the realm service, because it allows callers to configure network authentication and domain membership in a standard way. The realm service automatically discovers information about the accessible domain and realm and does not require advanced configuration to join a domain or realm.


1. Install required packages on your machine:

yum install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp krb5-workstation

2. Configure ntp to prevent time sync issues:
systemctl enable ntpd
ntpdate "your ntp server"
systemctl start ntpd
3. Discover your domain before joining:
realm discover "your domain"
4. Now that we've got that out of the way we can actually join the domain. This is done with the 'realm join' command as shown below; you will need to specify the username of a domain user that has privileges to join a server to the domain:
realm join --user="domainadminuser@domain" "domain"
5. Once you enter the password for that account, /etc/sssd/sssd.conf and /etc/krb5.conf are configured automatically.
We can confirm that we're in the realm (Linux terminology for the domain) by running the "realm list" command:
realm list
6. Edit the sssd configuration file, as we don't want to use fully qualified names:
vi /etc/sssd/sssd.conf
7. The following lines need to be changed from:
use_fully_qualified_names = True
fallback_homedir = /home/%u%d
8. To the lines below, which do not require the fully qualified domain name (FQDN) to be specified when logging in. This also stops the user's directory in /home from having the FQDN appended to the username:
use_fully_qualified_names = False
fallback_homedir = /home/%u
9. To apply these changes, restart sssd:
systemctl restart sssd
10. Permit only one Active Directory group to log on:
realm permit -g "activedirectorygroup@domain"
11. To give sudo permissions to an Active Directory group, open the sudoers file with visudo:
visudo
12. Add one of the following lines:
%"activedirectorygroup@domain" ALL=(ALL) ALL
Or
%"domain"\\"activedirectorygroup" ALL=(ALL) ALL
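The steps above, from discovery to the sudoers entry, collected into shell functions as an added example (this is not code from the original post). The domain, admin user, group name and config path are placeholders passed as arguments; the sssd.conf rewrite and the sudoers line builder are split out so they can be exercised on a copy of the file before anything under /etc is touched, and the join sequence is only run when join_domain_ad is called on a real CentOS 7 host.

```shell
#!/bin/sh
# Added example, not part of the original post. All names are placeholders.

# Steps 6-8: rewrite the two keys so short usernames work. Takes the config
# path as a parameter so it can be tested on a copy before editing
# /etc/sssd/sssd.conf. Writes to a temp file and moves it into place so a
# failed sed never leaves a half-written config behind.
unqualify_sssd_conf() {
    conf="$1"
    tmp="$conf.tmp"
    sed -e 's/^use_fully_qualified_names *=.*/use_fully_qualified_names = False/' \
        -e 's|^fallback_homedir *=.*|fallback_homedir = /home/%u|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 only when both keys carry the expected values, so the caller can
# refuse to restart sssd on a config that was not actually changed.
sssd_conf_is_unqualified() {
    grep -q '^use_fully_qualified_names = False$' "$1" \
        && grep -q '^fallback_homedir = /home/%u$' "$1"
}

# Step 12: build the sudoers line for an AD group. The quotes are what let
# the sudoers parser accept the '@' in the group name.
sudoers_line_for_group() {
    group="$1"
    domain="$2"
    printf '%%"%s@%s" ALL=(ALL) ALL\n' "$group" "$domain"
}

# Steps 3-11 in order. Nothing here runs when the file is merely sourced.
join_domain_ad() {
    domain="$1"
    admin="$2"
    group="$3"
    realm discover "$domain"
    realm join --user="$admin@$domain" "$domain"
    realm list
    unqualify_sssd_conf /etc/sssd/sssd.conf
    sssd_conf_is_unqualified /etc/sssd/sssd.conf || {
        echo "sssd.conf was not updated, not restarting sssd" >&2
        return 1
    }
    systemctl restart sssd
    realm permit -g "$group@$domain"
    # Use a sudoers.d drop-in instead of editing /etc/sudoers by hand, and
    # validate it with visudo -c before installing it with the 0440 mode
    # sudo requires.
    drop=$(mktemp)
    sudoers_line_for_group "$group" "$domain" > "$drop"
    visudo -cf "$drop" && install -m 0440 "$drop" "/etc/sudoers.d/ad-$group"
    rm -f "$drop"
}
```

Calling `join_domain_ad example.com domainadminuser linuxadmins` performs the whole sequence; the check after the sed is there because a config that realm wrote with a different layout would otherwise be restarted unchanged and logins would silently keep requiring the FQDN.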
