Add a Linux host to Active Directory with LDAP and Kerberos

In this post I describe how you can add a CentOS 7 host to a Windows Active Directory domain. Happy experimenting.

Precondition:
Windows 2012R2 with Windows Active Directory services in place.
A Linux server. In this case CentOS 7.

On Windows
Add the Linux server in DNS for the forward lookup zone including the associated pointer record.
Make sure you have a user with sufficient priviliges to add a server to a domain.

On Linux
Install the necessary additional packages.
Make sure the Linux server uses the DNS server of the Windows domain.

yum -y install sssd realmd krb5-workstation

Create an empty sssd.conf

cp /usr/share/doc/sssd-common-1.13.0/sssd-example.conf /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

The Linux server is not part of a domain.
Some checks:

realm discover
realm discover petersplanet.intranet

Now it is time to add the Linux server to the Windows domain:

realm join -U peter@petersplanet.intranet petersplanet.intranet
realm discover petersplanet.intranet

linux

Test the result:

getent passwd peter@petersplanet.intranet

getent

A disadvantage is that it looks like you always have to use the fully qualified domain name (FQDN) for a user.

putty

Now it is time to finetune the configuration. For instance limit the acces to the Linux host for a certain group of users.

The contents of /etc/sssd/sssd.conf which has been generated by the realm command can be seen below:

[sssd]
config_file_version = 2
services = nss, pam
domains = petersplanet.intranet

[nss]

[pam]

[domain/petersplanet.intranet]
ad_domain = petersplanet.intranet
krb5_realm = PETERSPLANET.INTRANET
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

References:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html

 

No Comments

Post a Comment