The Geek Diary
How to Integrate CentOS/RHEL system into an AD Domain with LDAP/Kerberos/SSSD

By admin

The post outlines steps to integrate CentOS/RHEL 6 (client) servers into an AD domain with LDAP/Kerberos/SSSD.

1. Install the required packages:

# yum install sssd samba-common krb5-workstation
Note: Make sure NTP is running and the clock is in sync with the domain controllers (Kerberos rejects tickets when clocks drift too far), and add your AD server to /etc/hosts.

2. Configure /etc/krb5.conf to resemble the following:

# vi /etc/krb5.conf
[logging]
kdc = SYSLOG:DEBUG
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
admin_server = adserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

3. Configure /etc/samba/smb.conf to resemble the following:

# vi /etc/samba/smb.conf
[global]
workgroup = ADGRP
realm = EXAMPLE.COM
security = ads
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client use spnego = yes
idmap config * : backend = tdb
password server = adserver.example.com

4. Obtain a Kerberos ticket as an AD administrator:

# kinit your-admin-user
Note: If an old keytab from a previous join is present, remove it first: “rm /etc/krb5.keytab”

5. Join the machine to Active Directory and generate a keytab:

# net ads join createupn=host/adserver.example.com@EXAMPLE.COM -k
# net ads keytab create -k

6. Run the following to enable SSSD within /etc/nsswitch.conf and PAM:

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

7. Create /etc/sssd/sssd.conf and set the correct permissions:

# echo > /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

8. Configure /etc/sssd/sssd.conf to resemble the following:

# vi /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = adserver.example.com
ldap_schema = ad
debug_level = 9
cache_credentials = true
override_homedir = /home/%u
default_shell = /bin/bash
use_fully_qualified_names = true
ad_enable_gc = false

9. Restart the SSSD service for the changes to take effect.

# service sssd restart
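Before restarting SSSD, a quick lint of the file saves a round of digging through debug_level = 9 logs. The script below is an added example, not code from the original post: it checks the file mode set in step 7 and the section layout used above (a [sssd] section plus a [domain/example.com] section carrying the AD providers), and flags the per-domain options and misspellings that SSSD silently ignores.

```shell
#!/bin/sh
# Added example (not from the original post): lint /etc/sssd/sssd.conf before
# restarting SSSD. It flags the errors that most often leave a freshly joined
# host unable to resolve AD users: wrong file mode, per-domain options placed
# in the [sssd] section, and a misspelled use_fully_qualified_names.

# conf_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 == sec); next }
        insec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1); sub(/^[[:space:]]*/, "", rest)
            if (substr(rest, 1, 1) != "=") next
            sub(/^=[[:space:]]*/, "", rest); print rest; exit
        }' "$1"
}

# check_sssd_conf FILE DOMAIN: exit 0 if no problems were found, 1 otherwise
check_sssd_conf() {
    f=$1; sec="domain/$2"; rc=0
    mode=$(stat -c %a "$f" 2>/dev/null || echo '?')
    [ "$mode" = 600 ] || { echo "FAIL: mode $mode on $f, expected 600"; rc=1; }
    case ",$(conf_get "$f" sssd domains)," in
        *",$2,"*|*", $2,"*) ;;
        *) echo "FAIL: [sssd] domains does not list $2"; rc=1 ;;
    esac
    for svc in nss pam; do
        case "$(conf_get "$f" sssd services)" in
            *"$svc"*) ;;
            *) echo "FAIL: [sssd] services is missing $svc"; rc=1 ;;
        esac
    done
    for key in id_provider auth_provider access_provider; do
        [ "$(conf_get "$f" "$sec" "$key")" = ad ] ||
            { echo "FAIL: [$sec] $key is not 'ad'"; rc=1; }
    done
    # Domain options are only read from the domain section; in [sssd] they do nothing.
    for key in ad_server id_provider access_provider cache_credentials; do
        [ -z "$(conf_get "$f" sssd "$key")" ] ||
            { echo "FAIL: $key is set in [sssd]; it belongs in [$sec]"; rc=1; }
    done
    # Only the spelling use_fully_qualified_names is recognised by SSSD.
    if grep -E '^[[:space:]]*use_f' "$f" |
       grep -Evq '^[[:space:]]*use_fully_qualified_names[[:space:]]*='; then
        echo "FAIL: misspelled use_fully_qualified_names in $f"; rc=1
    fi
    return $rc
}
```

Run it as `check_sssd_conf /etc/sssd/sssd.conf example.com` before step 9; a non-zero exit lists every problem found.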

Notes

SSSD’s ID mapping uses the same algorithm as Winbind’s autorid backend: it generates locally cached UIDs and GIDs from the SID attribute of the LDAP object, so every machine using SSSD with ID mapping arrives at the same UID and GID for a given user or group.

If your Active Directory environment stores POSIX attributes for users and groups, rather than only names and SIDs, add the following to the [domain] section of /etc/sssd/sssd.conf to disable ID mapping and use those attributes instead:

ldap_id_mapping = false

You can also control the shell and home directory by choosing between fallback_homedir / default_shell and override_homedir / override_shell. The ‘fallback’ and ‘default’ options are used only when AD does not return the attribute; the ‘override’ options replace whatever AD returns, regardless.

Also note that whenever you make significant changes like these to SSSD, or are unsure whether the local SSSD cache should be regenerated, run the following afterwards:

# service sssd stop
# rm -rf /var/log/sssd/*
# rm -rf /var/lib/sss/db/*
# service sssd start

© 2021 · The Geek Diary