How to enable AD authentication on a Linux server?

In this post we will see the high-level steps required to enable AD authentication on a Linux server with the help of the sssd component.

Once sssd is configured successfully we will be able to list an AD id with its groups on the server just by using the normal Linux command id <idname>. The sssd component queries the user-related details, and it can also authenticate the user with the id's password.

Here are the high-level steps.

Install all the required dependent components for sssd using yum, enable sssd in authconfig, and set the service to start at boot:

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
authconfig --enablesssd --enablesssdauth --update
chkconfig sssd on

Before doing the rest of the configuration, take a backup of the config files that will be modified by the sssd configuration:

cp -rp /etc/resolv.conf /etc/resolv.conf_bkp
cp -rp /etc/passwd /etc/passwd_bkp
cp -rp /etc/shadow /etc/shadow_bkp
cp -rp /etc/group /etc/group_bkp
cp -rp /etc/nsswitch.conf /etc/nsswitch.conf_bkp
cp -rp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_bkp

On the AD side the HOSTNAME should already be created, and the adjoin id that we use to join the server to AD should have the necessary permissions granted in AD:

realm join --user=adjoin ORG.COM

The server is registered successfully once the above command runs without error.

If we want to use SSL for the sssd component then we need the AD root and intermediate certificates. If we don't have them, use the openssl command below, which displays the certs. Then we can copy the certs displayed [from BEGIN CERTIFICATE to END CERTIFICATE] and form a PEM file that we can refer to in the sssd.conf file:

[root@HOSTNAME certs]# openssl s_client -connect ORG.COM:636 -showcerts </dev/null
CONNECTED(00000003)
++++++here it will display all the server cert ++++++
DONE
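The copy-and-paste step above can be scripted. The following is an added example, not from the original post: it takes the saved output of the openssl command and pulls the PEM blocks out with awk, dropping the first block (the domain controller's own certificate) so that only the issuing CA certificates land in the bundle. The s_client output embedded in the script is constructed sample text with placeholder certificate bodies, not a real AD chain, and the file names are assumptions.

```shell
# Added example (not from the original post): build the ldap_tls_cacert bundle
# from "openssl s_client -showcerts" output. Sample output is CONSTRUCTED.

# write_sample_sclient <file>: constructed stand-in for
#   openssl s_client -connect ORG.COM:636 -showcerts </dev/null > <file>
# The certificate bodies are placeholders, not real DER/base64.
write_sample_sclient() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=1 CN = ORG-ROOT-CA
verify return:1
---
Certificate chain
 0 s:CN = dc01.org.com
   i:CN = ORG-ROOT-CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER0000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = ORG-ROOT-CA
   i:CN = ORG-ROOT-CA
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER11111111111111111111111111111111111111111111111
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc01.org.com
issuer=CN = ORG-ROOT-CA
DONE
EOF
}

# extract_pem_certs <in> <out> <skip>: copy every BEGIN/END CERTIFICATE block
# from <in> to <out>, dropping the first <skip> blocks. s_client prints the
# server's own (leaf) certificate first; only the issuing CAs belong in the
# bundle referenced by ldap_tls_cacert, so pass 1 to leave the leaf out.
extract_pem_certs() {
    awk -v skip="${3:-0}" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n > skip { print }
        /-----END CERTIFICATE-----/ { inblock = 0 }
    ' "$1" > "$2"
}

# count_certs <pem-file>: number of certificates in the bundle (0 if none)
count_certs() {
    awk '/-----END CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demo on the constructed sample; for a real host replace the
# sample writer with the openssl s_client command quoted in the post.
demo_dir=$(mktemp -d)
write_sample_sclient "$demo_dir/sclient.txt"
extract_pem_certs "$demo_dir/sclient.txt" "$demo_dir/ca-chain.pem" 1
echo "CA certificates in bundle: $(count_certs "$demo_dir/ca-chain.pem")"
rm -rf "$demo_dir"
```

Before pointing ldap_tls_cacert at the resulting file, look at each certificate with openssl x509 -noout -subject -issuer -in <file>: a chain scraped off the wire only tells you what the server presented at that moment, not that the root is the one your organisation operates, so where the PKI team can hand over the root and intermediate certs directly, prefer those.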

Modify the sssd.conf file manually. The final content looks like below:

[root@HOSTNAME sssd]# cat sssd.conf

[sssd]
domains = ORG.COM
config_file_version = 2
services = nss, pam

[domain/ORG.COM]
ad_domain = org.com
ad_server=org.com
krb5_realm = ORG.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
#ldap_id_use_start_tls = true
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/openldap/certs/orc.cert.pem
ldap_uri = ldaps://org.com
ldap_search_base = dc=org,dc=com
chpass_provider = ad
case_sensitive = False
enumerate = False
enum_cache_timeout = 120
account_cache_expiration = 15
subdomains_provider = none
ad_enable_gc = false
ldap_schema = ad
ldap_user_principal = nosuchattr
ldap_force_upper_case_realm = True
ldap_purge_cache_timeout = 0
ldap_access_order = filter,expire
ldap_account_expire_policy = ad
ldap_use_tokengroups = False
[root@HOSTNAME sssd]# 

The /etc/openldap/certs/orc.cert.pem file holds the AD root and intermediate certs used to verify the SSL handshake; it is the file referenced by the ldap_tls_cacert line, which is commented out in the sample above and needs to be uncommented for sssd to use it.
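As an added example (not part of the original post), the following shell check parses the key = value lines of an sssd.conf like the one above and flags the settings that decide whether the LDAP channel to AD is encrypted and verified: a plain ldap:// URI without STARTTLS, ldap_tls_reqcert set to allow or never, an ldap_tls_cacert file that cannot be read, and a file mode other than 0600, which sssd refuses to start with. The two configs it writes are constructed samples modelled on the post's file, and the paths are assumptions.

```shell
# Added example (not from the original post): sanity-check the LDAP channel
# settings of an sssd.conf before restarting sssd. Sample configs below are
# CONSTRUCTED, modelled on the post's file.

# conf_get <file> <key>: value of the last uncommented "key = value" line for
# <key>. Sections are not distinguished, which is fine for a one-domain file.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # skip commented-out lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = index(line, "=")
            if (n == 0) next               # section headers, blank lines
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_sssd_conf <file>: prints FAIL/WARN findings; returns 1 on any FAIL.
check_sssd_conf() {
    conf="$1"; rc=0
    uri=$(conf_get "$conf" ldap_uri)
    cacert=$(conf_get "$conf" ldap_tls_cacert)
    reqcert=$(conf_get "$conf" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    starttls=$(conf_get "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")

    # sssd refuses to start unless sssd.conf is root-owned with mode 0600
    if [ "$mode" != "600" ]; then
        echo "FAIL: $conf has mode $mode; sssd requires 0600"; rc=1
    fi
    # without ldaps:// or STARTTLS, directory lookups cross the wire in clear text
    case "$uri" in
        ldaps://*) ;;
        *) if [ "$starttls" != "true" ]; then
               echo "FAIL: ldap_uri '$uri' is plain LDAP and ldap_id_use_start_tls is not true"; rc=1
           fi ;;
    esac
    # allow and never both let the connection proceed without a valid server cert
    case "$reqcert" in
        allow|never) echo "FAIL: ldap_tls_reqcert = $reqcert disables certificate checking"; rc=1 ;;
    esac
    # with no ldap_tls_cacert, libldap falls back to the system CA store
    if [ -z "$cacert" ]; then
        echo "WARN: ldap_tls_cacert is unset; the AD root/intermediate certs must be in the system CA store"
    elif [ ! -r "$cacert" ]; then
        echo "FAIL: ldap_tls_cacert points to unreadable file $cacert"; rc=1
    fi
    return $rc
}

# write_sample_conf <file> <ldap_uri> <extra-line>: constructed config in the
# shape of the post's sssd.conf (the ldap_tls_* lines commented out, as there).
write_sample_conf() {
    cat > "$1" <<EOF
[sssd]
domains = ORG.COM
config_file_version = 2
services = nss, pam

[domain/ORG.COM]
id_provider = ad
access_provider = ad
ad_domain = org.com
krb5_realm = ORG.COM
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/openldap/certs/orc.cert.pem
ldap_uri = $2
$3
EOF
}

# Stand-alone demo on a constructed config; on a real host run
# check_sssd_conf /etc/sssd/sssd.conf instead.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/sssd.conf" "ldaps://org.com" ""
chmod 600 "$demo_dir/sssd.conf"
if check_sssd_conf "$demo_dir/sssd.conf"; then echo "no blocking findings"; else echo "fix the FAIL lines first"; fi
rm -rf "$demo_dir"
```

Against the post's sample config the check only warns, because the ldap_tls_cacert line is commented out: the ldaps connection is then verified against the system's default CA store, so either uncomment that line and point it at the PEM bundle, or install the AD CA certs into the system store, and run the check again before systemctl restart sssd.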

Now restart the sssd component: systemctl restart sssd

Verify the sssd status: systemctl status sssd

Finally check id <someadid>. It should display the id details along with the group details from Active Directory.
