It is very useful to join a Linux server to a Windows domain so that, for example, you can log in over ssh with a domain account.
First of all, update the system:
Install the dependencies:
yum install realmd oddjob oddjob-mkhomedir sssd samba-common-tools adcli ntp ntpdate krb5-workstation openldap-clients policycoreutils-python
NTP server configuration:
If you have not already done so, configure the time server (the AD domain controllers are often used for this). First, stop the ntpd daemon:
systemctl stop ntpd
Edit the configuration file:
Next, replace the hostnames that follow the server keyword with your time servers:
ex: server mondomain.local
Then restart the ntpd service:
systemctl start ntpd
Domain integration:
realm join -U "administrateur" --computer-ou="OU=linux,OU=Serveurs,DC=mondomaine,DC=local" mondomaine.local
This command must be run with the domain administrator account (I tested with an account that is a member of the domain administrators group, without success). The --computer-ou= parameter is not mandatory, but it lets you indicate the OU in which the computer object is placed.
Login format modification:
To log in with a username of the form admin_name (without having to append the domain name @domain.local), edit the file /etc/sssd/sssd.conf and set the parameter as below:
use_fully_qualified_names = False
Then restart the service:
systemctl restart sssd.service
Allow the AD group Grp_admins_Users to connect via ssh:
Next, edit the sudoers configuration with the visudo command and add the line:
%Grp_admins_Users ALL=(ALL) NOPASSWD: ALL
Explanation: members of the AD group Grp_admins_Users are allowed to run any command, from any host, without authenticating (this is only an example; avoid such permissions on a critical server!).
The server is now joined to Active Directory, but its DNS record is not created automatically. You have to add this entry manually on your DNS server.
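As an added check that is not part of the original post: a small Python audit of the two edits above, run against constructed copies of sssd.conf and the sudoers fragment. It confirms that use_fully_qualified_names is off for the domain and lists every principal whose rule grants NOPASSWD on ALL commands, which is exactly what the example rule does. The file contents and the domain section name are constructed samples.

```python
import configparser
import re

# Constructed sssd.conf as "realm join" writes it and the post then edits it.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = mondomaine.local
config_file_version = 2

[domain/mondomaine.local]
ad_domain = mondomaine.local
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
"""

# Constructed sudoers fragment containing the post's example rule.
SAMPLE_SUDOERS = """\
root ALL=(ALL) ALL
%Grp_admins_Users ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
"""

# Matches:  who  hosts=(runas)  [TAG: ...]  commands
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def sssd_settings(text, domain):
    """Return (use_fully_qualified_names, access_provider) for one domain section.
    sssd defaults use_fully_qualified_names to True, so a missing key still
    forces the user@domain login form."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%u@%d' literal
    cp.read_string(text)
    sect = f"domain/{domain}"
    return (cp.getboolean(sect, "use_fully_qualified_names", fallback=True),
            cp.get(sect, "access_provider", fallback=None))

def risky_sudo_rules(text):
    """Return principals (users or %groups) whose rule grants NOPASSWD on ALL."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDO_RULE.match(line)
        if m and "NOPASSWD" in m["tags"] and m["cmds"].strip() == "ALL":
            found.append(m["who"])
    return found
```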
- sss_cache -E: if you run into login problems, it may help to flush the sssd cache.
- realm list: display the join parameters (including which AD groups are allowed to log in).
- realm leave domain.local: leave the domain domain.local.
- systemctl restart sssd.service: restart the sssd service after each modification.