CentOS Active Directory - stanislawbartkowski/wikis GitHub Wiki
Inspiration
CentOS - Active Directory integration is quite easy and straightforward although not everything is obvious from the beginning. A very good description can be found here https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/. During my test, I was using CentOS 7.6, RHEL 7.6, RHEL 8.2 hosts and Windows 2016 Active Directory Domain Controller. The purpose is to have Linux users and groups managed by Active Directory. The user can be created, authenticated and assigned to the group through Active Directory Domain.
Prerequisites
CentOS hosts and Windows Active Directory is up and running. Lessons learned.
- Active Directory Domain name should match Windows 2016 host name. In my test environment Active Directory Domain name is verse1.fyre.net but Windows 2016 hostname is different. So I added verse1.fyre.net entry to /etc/hosts file to map verse1.fyre.net to a proper IP address.
- Avoid mixing small and capital letters in the hostname. There could be a problem with implementing passwordless logging into a Linux host. Use small letters only.
- Make sure that AD hostname is the first name in the corresponding entry in /etc/hosts
For instance, assuming AD hostname: verse1.fyre.net Line in /etc/hosts
.....
9.30.54.109 verse1.fyre.net verse1.fyre.ibm.com verse1
.....
Install client software
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients -y
ansible all -m yum -a "name=sssd,realmd,oddjob,oddjob-mkhomedir,adcli,samba-common,samba-common-tools,krb5-workstation,openldap-clients"
Check that AD Domain is visible
realm discover verse1.fyre.net
fyre.net
type: kerberos
realm-name: FYRE.NET
domain-name: fyre.net
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Join AD Domain
It is the only moment when AD Administrator credentials are necessary.
realm join verse1.fyre.net
(Administrator password should be at hand) This command will configure /etc/krb5.conf and /etc/sssd/sssd.conf. Also, a proper entry in AD Directory container is created and AD authentication is ready.
realm list
fyre.net
type: kerberos
realm-name: FYRE.NET
domain-name: fyre.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %[email protected]
login-policy: allow-realm-logins
uid=1603200500([email protected]) gid=1603200513(domain [email protected]) grupy=1603200513(domain [email protected]),1603200520(group policy creator [email protected]),1603200519(enterprise [email protected]),1603200572(denied rodc password replication [email protected]),1603200518(schema [email protected]),1603200512(domain [email protected])
Drop domain name from user name
It does not make sense to qualify user name with a domain name if we are not going to authenticate in several AD domains.
vi /etc/sssd/sssd.conf
use_fully_qualified_names = False
fallback_homedir = /home/%u
Restart sssd after applying changes. The domain name is not required any longer and also user home directory is not qualified with domain name whatsoever.
systemctl restart sssd
id Administrator
uid=1603200500(administrator) gid=1603200513(domain users) grupy=1603200513(domain users),1603200520(group policy creator owners),1603200519(enterprise admins),1603200572(denied rodc password replication group),1603200518(schema admins),1603200512(domain admins)
Create users in Active Directory
There is no general rule on how to position Linux user in Active Directory domain. But assume that we do not want to mix regular Windows user and Linux users. So the approach is to create a separate container for Linux users and restrict CentOS only to this set of users and groups. It does not make any sense to allow AD Administrator to log in as Linux user. So I created a separate container CN=centos,DC=fyre,DC=net in AD and two users user1 and user2 belonging to centosuser group.
[root@C11 ~]# id user1
uid=1603201215(user1) gid=1603200513(domain users) grupy=1603200513(domain users),1603201214(centosgroup)
[root@C11 ~]# id user2
uid=1603201216(user2) gid=1603200513(domain users) grupy=1603200513(domain users),1603201214(centosgroup)
[root@C11 ~]#
Logon from remote host as new Linux user
ssh user1@c11
user1@c11's password:
Creating home directory for user1.
[user1@C11 ~]$ pwd
/home/user1
[user1@C11 ~]$
User home directory should be created without domain name.
Passwordless connection using Kerbers authentication
Configure remote Kerberos client
vi /etc/krb5.conf
.............
[realms]
FYRE.NET = {
kdc = verse1.fyre.net
admin_server = verse1.fyre.net
}
kinit [email protected]
Password for [email protected]:
klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: [email protected]
Valid starting Expires Service principal
03.02.2019 00:22:24 03.02.2019 10:22:24 krbtgt/[email protected]
renew until 10.02.2019 00:22:21
Log into CentOS again, the password should not be requested again.
Troubleshooting
Run ssh command with -v parameter
ssh user1@c11 -vv
Enable more talkative logging for sssd daemon.
vi /etc/sssd/sssd
[sssd]
.........
debug_level=9
[domain/fyre.net]
.............
debug_level=9
Run sshd daemon in debug mode
systemctl stop sshd /usr/sbin/sshd -d -d -d
AD keytabs
The recommended method to authenticate in Kerberos environment is passwordless connection with the use of keytabs. More details : https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.iseries.doc/ae/tsec_kerb_create_spn.html Example, generate keytab for user1 user.
ktpass /princ [email protected] /pass secret /ptype KRB5_NT_PRINCIPAL /out user1.keytab
Do not pay attention to the confusing message:
NOTE: creating a keytab but not mapping principal to any user.
For the account to work within a Windows domain, the
principal must be mapped to an account, either at the
domain level (with /mapuser) or locally (using ksetup)
If you intend to map [email protected] to an account through other means
or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to user1.keytab:
Keytab version: 0x502
keysize 48 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xa11851e19f53c60d42efe70d90d95d54)
Copy user1.keytab to protected space in client machine and obtain Kerbetos ticket.
kinit -kt user1.keytab [email protected] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
13.02.2019 12:08:18 13.02.2019 22:08:18 krbtgt/[email protected]
renew until 20.02.2019 12:08:18