{"id":1071,"date":"2017-02-21T13:19:56","date_gmt":"2017-02-21T19:19:56","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=1071"},"modified":"2017-02-21T13:19:56","modified_gmt":"2017-02-21T19:19:56","slug":"linux-kerberos-auhtentication","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/linux-kerberos-auhtentication\/","title":{"rendered":"Linux Kerberos Authentication"},"content":{"rendered":"
I am jotting down my recipe for Red Hat 7.3 Linux providing user logins from Microsoft's Active Directory. This was tested with two AWS instances and Microsoft AD 2016. There are many articles around the Interwebs, but in short, things became a lot easier with SSSD in most major distributions.<\/p>\n
Out of scope:
\n- Add AD role to Windows 2016 server
\n- Add DNS entry and reverse entry for client
\n- Make sure DNS and reverse DNS work!<\/p>\n
\r\n# more \/etc\/redhat-release \r\nRed Hat Enterprise Linux Server release 7.3 (Maipo)\r\n\r\n# domainname\r\n(none)\r\n\r\n# hostname\r\nip-172-31-22-140.ec2.internal\r\n\r\n# cat \/etc\/hosts\r\n127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4\r\n::1 localhost localhost.localdomain localhost6 localhost6.localdomain6\r\n172.31.22.140 ip-172-31-22-140.ec2.internal \r\n172.31.16.163 ec2amaz-82floju.iqonda.com ec2amaz-82floju\r\n<\/pre>\nInstall packages.<\/p>\n
\r\n# yum install realmd sssd adcli\r\n<\/pre>\nEnsure you are pointing to the AD\/DNS server for name resolution. I made sure resolv.conf can't be updated on boot since this is a dynamic EC2 instance.<\/p>\n
\r\n# cat \/etc\/resolv.conf \r\nsearch iqonda.com\r\nnameserver 172.31.16.163\r\n\r\n# chattr +i \/etc\/resolv.conf\r\n\r\n# ping 172.31.16.163\r\nPING 172.31.16.163 (172.31.16.163) 56(84) bytes of data.\r\n64 bytes from 172.31.16.163: icmp_seq=37 ttl=128 time=0.653 ms\r\n64 bytes from 172.31.16.163: icmp_seq=38 ttl=128 time=0.522 ms\r\n^C\r\n--- 172.31.16.163 ping statistics ---\r\n38 packets transmitted, 2 received, 94% packet loss, time 36999ms\r\nrtt min\/avg\/max\/mdev = 0.522\/0.587\/0.653\/0.069 ms\r\n\r\n# nslookup 172.31.16.163\r\nServer:\t\t172.31.16.163\r\nAddress:\t172.31.16.163#53\r\n\r\nNon-authoritative answer:\r\n163.16.31.172.in-addr.arpa\tname = ip-172-31-16-163.ec2.internal.\r\n\r\nAuthoritative answers can be found from:\r\n\r\n# hostname\r\nip-172-31-22-140.ec2.internal\r\n\r\n# nslookup ip-172-31-22-140.ec2.internal\r\nServer:\t\t172.31.16.163\r\nAddress:\t172.31.16.163#53\r\n\r\nNon-authoritative answer:\r\nName:\tip-172-31-22-140.ec2.internal\r\nAddress: 172.31.22.140\r\n\r\n# nslookup 172.31.22.140\r\nServer:\t\t172.31.16.163\r\nAddress:\t172.31.16.163#53\r\n\r\n140.22.31.172.in-addr.arpa\tname = ip-172-31-22-140.ec2.internal.iqonda.com.\r\n\r\n# nslookup iqonda.com\r\nServer:\t\t172.31.16.163\r\nAddress:\t172.31.16.163#53\r\n\r\nName:\tiqonda.com\r\nAddress: 172.31.16.163\r\n\r\n# dig -t SRV _ldap._tcp.ad.iqonda.com @172.31.16.163\r\n\r\n; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t SRV _ldap._tcp.ad.iqonda.com @172.31.16.163\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51524\r\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\r\n\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags:; udp: 4000\r\n;; QUESTION SECTION:\r\n;_ldap._tcp.ad.iqonda.com.\tIN\tSRV\r\n\r\n;; AUTHORITY SECTION:\r\niqonda.com.\t\t3600\tIN\tSOA\tec2amaz-82floju.iqonda.com. hostmaster.iqonda.com. 
95 900 600 86400 3600\r\n\r\n;; Query time: 0 msec\r\n;; SERVER: 172.31.16.163#53(172.31.16.163)\r\n;; WHEN: Tue Feb 21 13:02:58 EST 2017\r\n;; MSG SIZE rcvd: 126\r\n<\/pre>\nNow let's check if we can join the AD domain.<\/p>\n
\r\n# realm discover\r\nrealm: No default realm discovered\r\n\r\n# realm discover ec2amaz-82floju\r\niqonda.com\r\n type: kerberos\r\n realm-name: IQONDA.COM\r\n domain-name: iqonda.com\r\n configured: no\r\n server-software: active-directory\r\n client-software: sssd\r\n required-package: oddjob\r\n required-package: oddjob-mkhomedir\r\n required-package: sssd\r\n required-package: adcli\r\n required-package: samba-common-tools\r\n\r\n# realm join ec2amaz-82floju\r\nPassword for Administrator: \r\n\r\n# realm list\r\niqonda.com\r\n type: kerberos\r\n realm-name: IQONDA.COM\r\n domain-name: iqonda.com\r\n configured: kerberos-member\r\n server-software: active-directory\r\n client-software: sssd\r\n required-package: oddjob\r\n required-package: oddjob-mkhomedir\r\n required-package: sssd\r\n required-package: adcli\r\n required-package: samba-common-tools\r\n login-formats: %U@iqonda.com\r\n login-policy: allow-realm-logins\r\n<\/pre>\nAdd login permission to a specific AD group.<\/p>\n
\r\n# realm permit -g webadmins@iqonda.com\r\n<\/pre>\nTest a client login.<\/p>\n
\r\n$ ssh -l user1@iqonda.com ec2-107-21-198-224.compute-1.amazonaws.com\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic).\r\n<\/pre>\nAllow SSHD passwords.<\/p>\n
\r\n# grep PasswordA \/etc\/ssh\/sshd_config \r\nPasswordAuthentication yes\r\n# systemctl restart sshd\r\n<\/pre>\nTry client login again. And test sudo as well.<\/p>\n
\r\n$ ssh -l user1@iqonda.com ec2-107-21-198-224.compute-1.amazonaws.com\r\nuser1@iqonda.com@ec2-107-21-198-224.compute-1.amazonaws.com's password: \r\nCreating home directory for user1@iqonda.com.\r\n\r\n$ id\r\nuid=234601107(user1@iqonda.com) gid=234600513(domain users@iqonda.com) groups=234600513(domain users@iqonda.com),234601104(webadmins@iqonda.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\n$ pwd\r\n\/home\/user1@iqonda.com\r\n\r\n$ sudo systemctl status sshd\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\n[sudo] password for user1@iqonda.com: \r\nuser1@iqonda.com is not in the sudoers file. This incident will be reported.\r\n<\/pre>\nAllow AD group sudo perms.<\/p>\n
\r\n# tail -2 \/\/etc\/sudoers\r\n%webadmins@iqonda.com ALL=(ALL) ALL\r\n#%Domain\\ Admins@example.com ALL=(ALL:ALL) ALL \r\n\r\n$ sudo systemctl status sshd\r\n[sudo] password for user1@iqonda.com: \r\n\u25cf sshd.service - OpenSSH server daemon\r\n Loaded: loaded (\/usr\/lib\/systemd\/system\/sshd.service; enabled; vendor preset: enabled)\r\n[..]\r\n# systemctl status sssd\r\n\u25cf sssd.service - System Security Services Daemon\r\n Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: disabled)\r\n Drop-In: \/etc\/systemd\/system\/sssd.service.d\r\n \u2514\u2500journal.conf\r\n Active: active (running) since Tue 2017-02-21 13:05:42 EST; 3min 46s ago\r\n Process: 2276 ExecStart=\/usr\/sbin\/sssd -D -f (code=exited, status=0\/SUCCESS)\r\n Main PID: 2277 (sssd)\r\n CGroup: \/system.slice\/sssd.service\r\n \u251c\u25002277 \/usr\/sbin\/sssd -D -f\r\n \u251c\u25002278 \/usr\/libexec\/sssd\/sssd_be --domain iqonda.com --uid 0 --gid 0 --debug-to-files\r\n \u251c\u25002279 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --debug-to-files\r\n \u2514\u25002280 \/usr\/libexec\/sssd\/sssd_pam --uid 0 --gid 0 --debug-to-files\r\n\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd[nss][2279]: Starting up\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal systemd[1]: Started System Security Services Daemon.\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:05:42 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 2\r\nFeb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:07:58 ip-172-31-22-140.ec2.internal sssd_be[2278]: GSSAPI client step 1\r\nFeb 21 13:07:58 ip-172-31-22-140.ec2.internal 
sssd_be[2278]: GSSAPI client step 2\r\n<\/pre>\nFor reference, the sssd config created automatically by realm join.<\/p>\n\r\n# cat \/etc\/sssd\/sssd.conf \r\n\r\n[sssd]\r\ndomains = iqonda.com\r\nconfig_file_version = 2\r\nservices = nss, pam\r\n\r\n[domain\/iqonda.com]\r\nad_server = ec2amaz-82floju\r\nad_domain = iqonda.com\r\nkrb5_realm = IQONDA.COM\r\nrealmd_tags = manages-system joined-with-adcli \r\ncache_credentials = True\r\nid_provider = ad\r\nkrb5_store_password_if_offline = True\r\ndefault_shell = \/bin\/bash\r\nldap_sasl_authid = IP-172-31-22-14$\r\nldap_id_mapping = True\r\nuse_fully_qualified_names = True\r\nfallback_homedir = \/home\/%u@%d\r\naccess_provider = simple\r\nsimple_allow_groups = webadmins@iqonda.com\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"I am jotting down my recipe for RedHat 7.3 Linux and providing user logins from Microsoft’s Active Directory. This was<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,78],"tags":[],"class_list":["post-1071","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-sssd"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1071"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1071\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.
ls-al.com\/wp-json\/wp\/v2\/categories?post=1071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}