Wednesday, August 14, 2019

.::: Join Domain Active Directory on Centos 7 / Redhat 7, 8, 9 :::.

In most organizations, users and groups are created and managed in Windows Active Directory. RHEL 7 and CentOS 7 servers can be integrated with AD (Active Directory) for authentication; in other words, the CentOS 7 or RHEL 7 server is joined to the Windows domain so that system administrators can log in to the Linux servers with their AD credentials. Because group membership lives in AD, the level of access on the Linux side (who may log in, who gets sudo) is controlled centrally from AD by placing the UNIX users in a specific group.

1. Install the packages: realmd, sssd, samba and Kerberos client tools (on RHEL 8 and 9 use dnf, and the SELinux helper package is named policycoreutils-python-utils instead of policycoreutils-python)
[root@radius-teguht ~]# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

2. Add the domain controller's IP address and hostname to /etc/hosts, and point /etc/resolv.conf at the AD DNS server. The join depends on the domain's _ldap._tcp and _kerberos._tcp SRV records resolving, so the nameserver must be a DC (or a DNS server that forwards to one). Note that /etc/resolv.conf is generated by NetworkManager; set the DNS server on the connection (nmcli) rather than editing the file by hand, or the change will be overwritten.

[root@radius-teguht ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.102 radius-teguht
10.10.10.110  ad ad.teguht.com
[root@radius-teguht ~]#

[root@radius-teguht ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search teguht.com
nameserver 10.10.10.110
[root@radius-teguht ~]#

3. Restart realmd   

[root@radius-teguht ~]# systemctl restart realmd.service
[root@radius-teguht ~]#

4. Join the domain with realm join, giving the domain name and an AD account that is allowed to create computer objects; it prompts for that account's password. The example uses the domain administrator, but a delegated join account with only that right is preferable. Kerberos also requires the server's clock to be within five minutes of the DC, so make sure NTP is in sync before joining.
[root@radius-teguht ~]# realm join --user=administrator teguht.com
Password for administrator:
[root@radius-teguht ~]#

5. Check the domain join status

 [root@radius-teguht ~]# realm list
  teguht.com
  type: kerberos
  realm-name: TEGUHT.COM
  domain-name: teguht.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@teguht.com
  login-policy: allow-realm-logins
[root@radius-teguht ~]#

6. Edit /etc/sssd/sssd.conf: set use_fully_qualified_names = False so AD users can log in with their short name (administrator instead of administrator@teguht.com) and fallback_homedir = /home/%u so home directories are created under /home, then save. Two caveats: with short names an AD account that has the same name as a local account is ambiguous (the local /etc/passwd entry wins in the nsswitch order), and the file must stay owned by root with mode 0600 or sssd will refuse to start. As configured here (access_provider = ad) every enabled account in the domain may log in; use realm permit -g GROUP to restrict logins to one AD group.

[root@radius-teguht ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = teguht.com
config_file_version = 2
services = nss, pam

[domain/teguht.com]
ad_domain = teguht.com
krb5_realm = TEGUHT.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
[root@radius-teguht ~]#

7. Restart service sssd   

[root@radius-teguht ~]# systemctl restart sssd


8. Grant root access through sudo: open the sudoers file with visudo, which checks the syntax before saving
[root@radius-teguht ~]# visudo
[root@radius-teguht ~]#

9. In visudo, add the AD user to sudoers. With short names enabled the account is referenced simply as administrator. For more than one administrator, prefer a rule on an AD group (a %groupname line) so that sudo access is also managed from AD rather than per user.
## Allows people in group wheel to run all commands
%wheel    ALL=(ALL)    ALL
administrator ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel    ALL=(ALL)    NOPASSWD: ALL


10. In Active Directory Users and Computers, verify that the computer object for the Linux server now exists and that the user account you will test with is enabled

11. Test SSH login with an AD account. The fully qualified form shown below always works; with use_fully_qualified_names = False the short form (ssh administrator@localhost) works as well.

[root@radius-teguht ~]#
[root@radius-teguht ~]# ssh administrator@teguht.com@localhost
administrator@teguht.com@localhost's password:
Last login: Wed Aug 14 15:33:41 2019 from 10.10.10.10
[administrator@radius-teguht ~]$
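The whole procedure above (steps 1 to 11) as one script, added here as an example and not taken from the post. It keeps the post's domain and SSSD settings but assumes two names the post does not use: an AD group linux-admins, which becomes the only group allowed to log in and to use sudo, and a sudoers drop-in /etc/sudoers.d/ad-linux-admins. Run without arguments it is a dry run that prints the files it would write; run as root with --apply teguht.com administrator linux-admins it performs the join and verifies the result.

```shell
#!/bin/sh
# Added example (not from the post): the join procedure as one script with
# the checks a practitioner wants. Assumed names, not from the post: the AD
# group "linux-admins" allowed to log in and use sudo, and the sudoers
# drop-in /etc/sudoers.d/ad-linux-admins. Requires GNU coreutils (stat -c).
set -eu

# Render the SSSD config the post edits by hand (short names, /home/<user>),
# but with an allow-list: only members of $2 may log in instead of every
# enabled account in the forest. simple_allow_groups is exactly what
# 'realm permit -g GROUP' writes; it replaces access_provider = ad.
sssd_conf() {
    domain=$1; group=$2
    krb_realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[sssd]
domains = $domain
config_file_version = 2
services = nss, pam

[domain/$domain]
ad_domain = $domain
krb5_realm = $krb_realm
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = $group
EOF
}

# Sudo rule for an AD group rather than one account. With short names the
# group is referenced as-is; spaces in AD group names must be escaped.
sudoers_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# Extract one field ("configured", "login-policy", ...) from 'realm list'
# output read on stdin.
realm_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# sssd refuses to start unless sssd.conf is mode 0600 (and root-owned).
is_mode_0600() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Constructed sample: the 'realm list' output shown in the post, trimmed,
# used by the dry run to exercise realm_field offline.
SAMPLE_REALM_LIST='teguht.com
  type: kerberos
  configured: kerberos-member
  login-policy: allow-realm-logins'

# The join itself; run as root: ./ad-join.sh --apply teguht.com administrator linux-admins
apply() {
    domain=$1; admin=$2; group=$3
    # Fails when the AD SRV records do not resolve, i.e. DNS is not a DC.
    realm discover "$domain" >/dev/null
    realm join --client-software=sssd --user="$admin" "$domain"
    sssd_conf "$domain" "$group" > /etc/sssd/sssd.conf
    chown root:root /etc/sssd/sssd.conf
    chmod 0600 /etc/sssd/sssd.conf
    is_mode_0600 /etc/sssd/sssd.conf
    sudoers_rule "$group" > /etc/sudoers.d/ad-linux-admins
    chmod 0440 /etc/sudoers.d/ad-linux-admins
    visudo -cf /etc/sudoers.d/ad-linux-admins   # syntax check before it is live
    systemctl restart sssd
    [ "$(realm list | realm_field configured)" = "kerberos-member" ]
    getent group "$group" >/dev/null            # the allow-listed group resolves via SSSD
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply "$@"
else
    # Dry run: show what would be written and parse the sample.
    sssd_conf teguht.com linux-admins
    sudoers_rule linux-admins
    printf '%s\n' "$SAMPLE_REALM_LIST" | realm_field configured
fi
```

The allow-list trades the AD access provider's extra checks (GPO logon rights, account expiry) for a simple group test; if those checks matter, keep access_provider = ad and restrict logins with ad_access_filter instead. Either way, disabled accounts are still rejected by the KDC at authentication time.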


