How to make a Linux server (CentOS 7) a member of an Active Directory domain

1.  Install the Linux packages needed for this purpose:

[root@labnfs ~]# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y



2.  Point the server at the DNS server where Active Directory DNS (AD DNS) is running:


[root@labnfs ~]# vi /etc/resolv.conf

[root@labnfs ~]# cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.1.77  ==> AD DNS

nameserver 192.168.1.1   ==> default DNS from DHCP


note: if your default DNS server comes from DHCP and is not part of the AD DNS, editing the nameserver in /etc/resolv.conf by hand does not stick: NetworkManager always overwrites /etc/resolv.conf with the default DNS server.


[root@labnfs dhcp]# cat /etc/resolv.conf   ==> always overwritten by network manager 

# Generated by NetworkManager

nameserver 192.168.1.1. 


to prevent that from happening, add the preferred DNS server to /etc/dhcp/dhclient.conf (if the file doesn't exist, create it):


[root@labnfs dhcp]# cat dhclient.conf

prepend domain-name-servers 192.168.1.77;



restart the network and the AD DNS server is permanently added at the top:


[root@labnfs dhcp]# systemctl restart network

[root@labnfs dhcp]# cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.1.77

nameserver 192.168.1.1
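The resolver ordering above is the part of the join that most often breaks silently, because NetworkManager regenerates /etc/resolv.conf after every network restart. The following shell snippet is an added example, not part of the original post: it checks that the AD DNS server (192.168.1.77, as in the post) is the first nameserver in a resolv.conf and idempotently adds the dhclient.conf prepend line when it is not. It works on file paths passed as arguments, so it can be run against copies; the sample files it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the DNS step.
# Assumption: the AD DNS server address is 192.168.1.77, as in the post.

# first_nameserver FILE -> prints the first "nameserver" entry of a resolv.conf
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# ad_dns_is_first FILE IP -> exit 0 when IP is the first nameserver, 1 otherwise
ad_dns_is_first() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# ensure_prepend FILE IP -> adds the dhclient prepend line once (never twice)
# so NetworkManager keeps IP at the top of resolv.conf after a network restart;
# prints how many matching prepend lines the file now contains (expected: 1)
ensure_prepend() {
    if ! grep -q "^prepend domain-name-servers $2;" "$1" 2>/dev/null; then
        printf 'prepend domain-name-servers %s;\n' "$2" >> "$1"
    fi
    grep -c "^prepend domain-name-servers $2;" "$1"
}

# Constructed sample input: a resolv.conf exactly as NetworkManager regenerates
# it from DHCP before dhclient.conf has been fixed, plus an empty dhclient.conf.
DEMO_DIR=$(mktemp -d)
DEMO_RESOLV="$DEMO_DIR/resolv.conf"
DEMO_DHCLIENT="$DEMO_DIR/dhclient.conf"
printf '# Generated by NetworkManager\nnameserver 192.168.1.1\n' > "$DEMO_RESOLV"
: > "$DEMO_DHCLIENT"

if ad_dns_is_first "$DEMO_RESOLV" 192.168.1.77; then
    echo "AD DNS is the first nameserver"
else
    echo "AD DNS is not first: adding the prepend line to dhclient.conf"
    ensure_prepend "$DEMO_DHCLIENT" 192.168.1.77 > /dev/null
    # A second call must not duplicate the line.
    ensure_prepend "$DEMO_DHCLIENT" 192.168.1.77 > /dev/null
    cat "$DEMO_DHCLIENT"
fi
```

On a real host, call `ad_dns_is_first /etc/resolv.conf 192.168.1.77` after `systemctl restart network`; if it still fails, the dhclient.conf change has not been picked up. A first nameserver that is not a domain controller makes the Kerberos and LDAP service lookups that `realm join` depends on fail or go to the wrong server, so this check is worth running before the join rather than after.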


3.  Join the Windows domain:


[root@labnfs ~]# realm join  --user=Administrator batman.local

Password for Administrator: 



4.  Check on the Linux server whether it has joined the Windows domain:


[root@labnfs ~]# realm list

batman.local

  type: kerberos

  realm-name: BATMAN.LOCAL

  domain-name: batman.local

  configured: kerberos-member

  server-software: active-directory

  client-software: sssd

  required-package: oddjob

  required-package: oddjob-mkhomedir

  required-package: sssd

  required-package: adcli

  required-package: samba-common-tools

  login-formats: %U@batman.local

  login-policy: allow-realm-logins


or check it on the Active Directory server:



5. Optional: if you don't want to use the FQDN (Fully Qualified Domain Name) in user names, you can do this:


[root@labnfs ~]# id Administrator@batman.local

uid=215400500(administrator@batman.local) gid=215400513(domain users@batman.local) groups=215400513(domain users@batman.local),215400520(group policy creator owners@batman.local),215400512(domain admins@batman.local),215400572(denied rodc password replication group@batman.local),215400519(enterprise admins@batman.local),215400518(schema admins@batman.local)


[root@labnfs ~]# cat /etc/sssd/sssd.conf


[sssd]

domains = batman.local

config_file_version = 2

services = nss, pam


[domain/batman.local]

ad_domain = batman.local

krb5_realm = BATMAN.LOCAL

realmd_tags = manages-system joined-with-samba 

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = True  ==> changed to False

fallback_homedir = /home/%u@%d    ==> remove @%d

access_provider = ad


[root@labnfs ~]# vi /etc/sssd/sssd.conf

[root@labnfs ~]# cat /etc/sssd/sssd.conf


[sssd]

domains = batman.local

config_file_version = 2

services = nss, pam


[domain/batman.local]

ad_domain = batman.local

krb5_realm = BATMAN.LOCAL

realmd_tags = manages-system joined-with-samba 

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = False

fallback_homedir = /home/%u

access_provider = ad


to make the change active, restart sssd (System Security Services Daemon):


[root@labnfs ~]# systemctl restart sssd

[root@labnfs ~]# id Administrator

uid=215400500(administrator) gid=215400513(domain users) groups=215400513(domain users),215400520(group policy creator owners),215400512(domain admins),215400572(denied rodc password replication group),215400519(enterprise admins),215400518(schema admins)

[root@labnfs ~]# 
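Editing /etc/sssd/sssd.conf by hand is easy to get slightly wrong, and sssd refuses to start if the file is not mode 0600 and owned by root. The shell snippet below is an added example, not the post's own commands: it applies the two changes from step 5 (use_fully_qualified_names = False and the fallback_homedir without @%d) to a copy of the sssd.conf shown above, keeps the file mode at 0600, and reads the values back so the edit can be verified before restarting sssd. The sssd.conf content is constructed from the post; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the step 5
# changes to an sssd.conf copy. Keys and values match the post's sssd.conf.

# sssd_get KEY FILE -> prints the value of "KEY = value"
sssd_get() {
    awk -F' = ' -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# sssd_set KEY VALUE FILE -> rewrites "KEY = ..." in place; the content is
# copied back through the existing inode so the file's mode and owner survive
sssd_set() {
    awk -F' = ' -v k="$1" -v v="$2" '$1 == k { print k " = " v; next } { print }' "$3" > "$3.tmp" \
        && cat "$3.tmp" > "$3" && rm -f "$3.tmp"
}

# sssd_conf_mode_ok FILE -> exit 0 only when the mode is exactly 0600
# (sssd will not start otherwise; ownership by root is also required)
sssd_conf_mode_ok() {
    [ -n "$(find "$1" -perm 600)" ]
}

# Constructed sample input: the sssd.conf realmd wrote for the post's domain.
DEMO_SSSD="$(mktemp -d)/sssd.conf"
cat > "$DEMO_SSSD" <<'EOF'
[sssd]
domains = batman.local
config_file_version = 2
services = nss, pam

[domain/batman.local]
ad_domain = batman.local
krb5_realm = BATMAN.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
chmod 600 "$DEMO_SSSD"

# The two edits from step 5.
sssd_set use_fully_qualified_names False "$DEMO_SSSD"
sssd_set fallback_homedir '/home/%u' "$DEMO_SSSD"

# Read back what sssd will see after "systemctl restart sssd".
echo "use_fully_qualified_names = $(sssd_get use_fully_qualified_names "$DEMO_SSSD")"
echo "fallback_homedir = $(sssd_get fallback_homedir "$DEMO_SSSD")"
sssd_conf_mode_ok "$DEMO_SSSD" && echo "mode 0600: ok"
```

Two things to keep in mind once short names are enabled: a domain account whose name matches a local account in /etc/passwd is shadowed by the local one (nsswitch consults files before sss), so audit local accounts for collisions; and `access_provider = ad` is what makes AD account disablement and expiry take effect on this host, so it should stay in place even if you trim other options.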


6. Test logging in to your Linux server with an Active Directory user account (I made user account "bruce" already):


aghiel@aghiel-mbproi9 ~ % ssh bruce@labnfs

bruce@labnfs's password: 

Last login: Fri Jun 19 06:54:04 2020 from 192.168.1.121

[bruce@labnfs ~]$ id bruce

uid=215401106(bruce) gid=215400513(domain users) groups=215400513(domain users)

[bruce@labnfs ~]$ 


Active Directory user account:




7. It's done.
