Use realm/adcli to join RHEL7/8/9 to AD
For RHEL 7
# yum install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation authconfig
# adcli info test.com
# adcli join test.com
Password for Administrator@TEST.COM: <---- Enter Admin password
The join operation creates the host keytab /etc/krb5.keytab, which the machine uses to authenticate to AD. You can run the command below to list its entries:
# klist -kte
Configure /etc/krb5.conf to use AD domain:
[libdefaults]
# Realm assumed when a principal is given without one; AD realms are upper-case.
default_realm = TEST.COM
# Map host names to realms via DNS TXT records (AD does not publish these by
# default, so the [domain_realm] section below does the real work).
dns_lookup_realm = true
# Find KDCs through the DNS SRV records AD publishes; no kdc = lines needed.
dns_lookup_kdc = true
# Requested lifetimes only; the KDC caps them according to its own policy.
ticket_lifetime = 24h
renew_lifetime = 7d
# Issued tickets are forwardable, i.e. can be delegated to a remote host
# (e.g. ssh GSSAPIDelegateCredentials). Set to false if delegation is unwanted.
forwardable = true
# 1 = always talk to the KDC over TCP; avoids UDP fragmentation of the large
# AD tickets (PAC).
udp_preference_limit = 1
[realms]
TEST.COM = {
# Left commented on purpose: KDCs are discovered via dns_lookup_kdc above.
# Uncomment to pin specific DCs when DNS SRV lookup is not available.
#kdc = ad1.test.com
#admin_server = ad1.test.com
}
[domain_realm]
# Map the DNS domain (and every host under it) to the Kerberos realm.
.test.com = TEST.COM
test.com = TEST.COM
Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth):
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
#cat /etc/sssd/sssd.conf
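; sssd.conf for the test.com AD domain. SSSD recognises ";" and "#" comments
; only at the start of a line, so never append a comment after a value:
; the comment text becomes part of the value.
[sssd]
; Domains served by this instance; must match the [domain/...] section below.
domains = test.com
config_file_version = 2
; Responders to start. "ssh" is required for sss_ssh_authorizedkeys, without
; which the ldap_user_ssh_public_key setting below is never used.
services = nss, pam, ssh

[domain/test.com]
; Host access control: only members of simple_allow_groups may log in.
access_provider = simple
ad_domain = test.com
; Only evaluated when access_provider = ad, so it is a no-op with the simple
; provider. "permissive" would log GPO denials without enforcing them.
ad_gpo_access_control = permissive
; Explicit DC list, tried in order. DNS SRV discovery is not used unless
; "_srv_" is added to the list.
ad_server = ad1.test.com, ad2.test.com
; Every AD user gets a private primary group whose GID equals the UID.
auto_private_groups = true
; Cache a hash of the password so users can still log in while the DCs are
; unreachable.
cache_credentials = true
default_shell = /bin/bash
; Used when AD supplies no unixHomeDirectory; %u is the login name, which
; matches the local-user home layout.
fallback_homedir = /home/%u
id_provider = ad
krb5_realm = TEST.COM
; While offline, keep the user's password in the kernel keyring so a TGT can be
; obtained when the DCs come back. Plaintext is held in memory; only worth it
; on roaming hosts (laptops).
krb5_store_password_if_offline = true
; Derive UID/GID from the object SID instead of the POSIX attributes in AD.
ldap_id_mapping = true
ldap_schema = ad
; AD attribute holding the user's SSH public key. Needs the ssh responder above
; and AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys in sshd_config.
ldap_user_ssh_public_key = sshPublicKey
; Written by realmd at join time; leave as is.
realmd_tags = manages-system, joined-with-samba
; AD group(s) allowed to log in; comma-separated, names may contain spaces.
simple_allow_groups = ssh users
; Users log in as "user", not "user@test.com".
use_fully_qualified_names = false

[nss]

[pam]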
# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
# id username
For RHEL 8/9
# yum install realmd sssd oddjob oddjob-mkhomedir krb5-workstation authselect-compat adcli [samba-common-tools]
#realm discover example.com
#realm list
#realm join example.com
Password for Administrator:
#authselect select sssd with-mkhomedir with-faillock without-nullok --force
#systemctl enable sssd.service --now
#systemctl enable oddjobd.service --now
A keytab is a file containing pairs of Kerberos principals and their encrypted keys.
[root@test1 ~]# more /etc/realmd.conf
[users]
# Home directory template for domain users; %U expands to the user name
# (realmd also offers %D for the domain name).
default-home = /home/%U
default-shell = /bin/bash
[service]
# Let realmd install the required packages (sssd, adcli, ...) during "realm join".
automatic-install = yes
[providers]
# NOTE(review): a [providers] section is not documented in realmd.conf(5) as
# far as I can tell — confirm realmd actually honours it.
sssd = yes
[active-directory]
# Client software realmd configures for AD realms: sssd (here) or winbind.
default-client = sssd
[test.com]
# Per-realm settings; the section name is the realm (domain) name.
# Users log in as "user" rather than "user@test.com".
fully-qualified-names = no
# Map SIDs to UID/GIDs locally instead of using POSIX attributes from AD.
automatic-id-mapping = yes
# other commands
#realm leave
#klist -k /etc/krb5.keytab
#authconfig --test