The Geek Diary

How to Integrate CentOS/RHEL system into an AD Domain with LDAP/Kerberos/SSSD

by admin

The post outlines steps to integrate CentOS/RHEL 6 (client) servers into an AD domain with LDAP/Kerberos/SSSD.

1. Install the required packages:

# yum install sssd samba-common krb5-workstation
Note: Make sure NTP is running and the clock is in sync (Kerberos rejects tickets when the clock skew is too large), and add your AD server to /etc/hosts.

2. Configure /etc/krb5.conf to resemble the following:

# vi /etc/krb5.conf
[logging]
kdc = SYSLOG:DEBUG
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
admin_server = adserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

3. Configure /etc/samba/smb.conf to resemble the following:

# vi /etc/samba/smb.conf
[global]
workgroup = ADGRP
realm = EXAMPLE.COM
security = ads
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client use spnego = yes
idmap config * : backend = tdb
password server = adserver.example.com

4. Obtain a Kerberos ticket as an AD administrator:

# kinit your-admin-user
Note: If an old keytab is already present, remove it first: rm /etc/krb5.keytab

5. Join the machine to Active Directory and generate a keytab (the UPN is the joining host's own principal, not the AD server's):

# net ads join createupn=host/$(hostname -f)@EXAMPLE.COM -k
# net ads keytab create -k

6. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

7. Create /etc/sssd/sssd.conf and set the correct permissions:

# echo > /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

8. Configure /etc/sssd/sssd.conf to resemble the following:

# vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
domains = example.com
services = nss, pam

[domain/example.com]
debug_level = 9
ad_server = adserver.example.com
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_schema = ad
cache_credentials = true
override_homedir = /home/%u
default_shell = /bin/bash
use_fully_qualified_names = true
ad_enable_gc = false

9. Restart the SSSD service for the changes to take effect.

# service sssd restart
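As an added check that is not part of the original post: a small Python linter for the two configuration files written above. It parses them with configparser and flags the mistakes that are easy to make here: provider/server options placed in [sssd] instead of the domain section (SSSD ignores them there), a misspelled use_fully_qualified_names, and allow_weak_crypto = true in krb5.conf, which re-enables single-DES enctypes. The sample configuration bodies are constructed for the example.

```python
import configparser
# Constructed sample inputs (not from the post): an sssd.conf with two easy
# mistakes, and a krb5.conf with the weak-crypto switch turned on.
SAMPLE_SSSD_CONF = """[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
ad_server = adserver.example.com
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
use_fuly_qualified_domain_name = true
"""
SAMPLE_KRB5_CONF = "[libdefaults]\ndefault_realm = EXAMPLE.COM\nallow_weak_crypto = true\n"

# Options SSSD only honours inside a [domain/...] section.
DOMAIN_ONLY = {"id_provider", "auth_provider", "access_provider",
               "chpass_provider", "ad_server", "cache_credentials"}
# Misspellings of the real option name use_fully_qualified_names.
FQN_TYPOS = {"use_fuly_qualified_domain_name", "use_fully_qualified_domain_name"}

def _load(text):
    # interpolation=None keeps '%u' in override_homedir literal;
    # strict=False tolerates duplicate keys (e.g. two 'kdc =' logging lines)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def lint_sssd(text):
    """Return findings for an sssd.conf body; an empty list means clean."""
    cp = _load(text)
    findings = []
    if cp.has_section("sssd"):
        for key in cp["sssd"]:
            if key in DOMAIN_ONLY:
                findings.append(f"[sssd] '{key}' is ignored here; move it to the [domain/...] section")
    for dom in (s for s in cp.sections() if s.startswith("domain/")):
        for req in ("id_provider", "auth_provider"):
            if req not in cp[dom]:
                findings.append(f"[{dom}] missing '{req}'")
        for key in cp[dom]:
            if key in FQN_TYPOS:
                findings.append(f"[{dom}] '{key}' is not an SSSD option; use use_fully_qualified_names")
    return findings

def lint_krb5(text):
    """Flag allow_weak_crypto = true, which re-enables single-DES enctypes."""
    cp = _load(text)
    if cp.getboolean("libdefaults", "allow_weak_crypto", fallback=False):
        return ["[libdefaults] allow_weak_crypto = true: drop it unless the domain still needs DES"]
    return []
```

Run lint_sssd and lint_krb5 over the real files before restarting SSSD; a non-empty list is a reason to fix the file first.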

Notes

SSSD's ID mapping uses the same algorithm as Winbind's autorid backend: it derives locally cached UIDs and GIDs from the LDAP object's SID attribute, so every machine that uses SSSD with ID mapping agrees on the same UID and GID values.

If your Active Directory environment already carries POSIX attributes (rather than only usernames and SIDs), you can disable ID mapping with the following additional setting in the [domain] section of /etc/sssd/sssd.conf:

ldap_id_mapping = false

You can also override the shell and home directory attributes by changing fallback_homedir and default_shell to override_homedir and override_shell. The 'fallback' and 'default' options are used only when AD does not return this information; the 'override' options replace whatever AD returns, regardless.

Also note that whenever you make significant changes like this to SSSD, or are unsure whether the local SSSD cache should be regenerated, run the following afterwards:

# service sssd stop
# rm -rf /var/log/sssd/*
# rm -rf /var/lib/sss/db/*
# service sssd start

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright