packages
# dnf install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation samba-common-tools samba-common authselect-compact openldap-clients policycoreutils-python
# vi /etc/resolv.conf
search <ad.local>
$ nslookup -type=SRV _ldap._tcp.<ad.local>
Firewall
Service Port Protocol Notes
DNS 53 UDP and TCP
LDAP 389 UDP and TCP
LDAPS 636 TCP Optional
Samba 445 UDP and TCP For AD Group Policy and Objects (GPOs)
Kerberos 88 UDP and TCP
Kerberos 464 UDP and TCP Used by kadmin for setting and changing a password
LDAP Global Catalog 3268 TCP If the id_provider = ad option is being used
LDAPS Global Catalog 3269 TCP Optional
NTP 123 UDP Optional
NTP 323 UDP optional
To ensure that the server can correctly communicate with Active Directory
# update-crypto-policies --set DEFAULT:AD-SUPPORT
# realm list
# realm discover <ad.local>
# realm join <ad.local> -U Administrator # AD admin account
# getent passwd administrator@<ad.local>
Configure SSSD and Home Directory Creation
# authselect select sssd with-mkhomedir --force
cat /etc/sssd/sssd.conf
[sssd]
domains = <ad.local>
config_file_version = 2
services = nss, pam
default_domain_suffix = <ad.local>
[domain/<ad.local>]
ad_domain = <ad.local>
krb5_realm = <AD.LOCAL>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True/False
use_fully_qualified_names = True #false means users can log in with their username itself (without the @<ad.local> suffix)
fallback_homedir = /home/%u@%d
access_provider = ad
# systemctl restart sssd
# systemctl restart nscd
# systemctl enable --now oddjobd # for homedir creation
# id <ad.local>
Control Access
Limit to Specific users/Groups
# realm permit user1@example.com
# realm permit user2@example.com user3@example.com
Allow AD group
sudo realm permit -g <group_name>
sudo realm permit -g '<group_name_1>' '<group_name_2>'
Allow All
# realm permit --all
Deny all
# realm deny--all
Sudo Access for AD Groups
# visudo -f /etc/sudoers.d/domain_admins
user1@example.com ALL=(ALL) ALL # Single user
%sysadmins@example.com ALL=(ALL) ALL # AD group (prefix with %)
%domain\ admins@example.com ALL=(ALL) ALL # Group with spaces in the name (escape spaces with backslash)
# visudo -cf /etc/sudoers.d/domain_admins # verify sudo
Leave AD
# realm leave example.com
Noraml Troubleshtting
# systemctl stop sssd
# rm -rf /var/lib/sss/db/*
# systemctl start sssd
No comments:
Post a Comment