Step-by-step guide to configure a Linux machine in an Active Directory domain:
Preparations and package installation
Start by refreshing the package index and applying pending updates on the machine, then install only what is actually needed.
Update the packages using the command:
Debian
sudo apt update
RHEL
sudo yum update
And proceed with the installation of the packages:
Debian
sudo apt install -y realmd libnss-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
RHEL
sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools -y
Configuring the realm
In short, realmd (driven by the realm command) discovers domains on the network and manages this machine's membership in them.
To start, discover the domain we want to join:
realm discover DOMAIN-NAME
The output describes the discovered domain: its type, whether this machine is already configured for it, the client software (sssd) that will be used, and the packages required to join it.
Now that the domain is discovered, join it with an AD account that is allowed to create computer objects in the domain (a delegated join account is preferable to a Domain Admin). You will be prompted for that account's password:
sudo realm join -U USER DOMAIN
If no errors have occurred so far, verify that the machine can resolve domain users by asking for a user's UID, GID and group memberships. At this point realm join has left use_fully_qualified_names = True, so the @DOMAIN suffix is required:
id USER@DOMAIN
Another check is the following command, which lists the domains the machine is joined to together with the login format and the current login policy:
realm list
This way, we can confirm that we are joined to the desired domain.
Pam-configs (ubuntu)
The pam-configs step was only needed on Ubuntu, to make sure the user's home directory is created at first login (on RHEL the oddjob-mkhomedir package installed above provides the same service).
You just need to execute the command:
sudo pam-auth-update --enable mkhomedir
Configuring SSSD
We need to edit the file /etc/sssd/sssd.conf. The options below live in the [domain/...] section that realm join created. The file must stay owned by root with mode 0600, otherwise sssd refuses to start, and the service must be restarted after the edit with sudo systemctl restart sssd.
use_fully_qualified_names: realm join sets this option to True, which means users are written as user@domain. Change it to False so that users log in (and appear in id, ls -l and so on) as just user.
We change it to False because we have a single AD domain. Only do this if you are certain that no other domain will be added to the AD forest: short names are ambiguous across domains, and a user in one domain could collide with a user of the same name in another.
fallback_homedir = /home/%u@%d: change it to fallback_homedir = /home/%u. Without the @%d part the user's home directory is created as /home/username, matching the short login name chosen above.
access_provider = ad: change it to access_provider = simple. The ad access provider evaluates AD-side restrictions such as account expiry and GPO logon rights; the simple provider replaces that with a local allow-list of users and groups, so AD-side logon policy is no longer enforced on this machine and the allow-list below is what decides who may log in.
Now add an option that is not yet present in the file, simple_allow_groups. It lists the AD groups whose members are granted access to the Linux machine.
In our case we have two groups, linuxuser and linuxadmin, so we add simple_allow_groups = linuxuser, linuxadmin
to the file.
As a result, the domain section of the file contains those four options.
Note: wherever the file says 'Domain.local', use the domain you are integrating with. If the file also contains a line such as 'simple_allow_users = groups, linuxuser, linuxadmin', it was written by running realm permit without the -g flag: realm then treats every argument as a user name, so that line grants nothing to the groups and should be removed.
To conclude the SSSD configuration, allow access for the members of the groups listed in simple_allow_groups. realm permit can write this into sssd.conf for us; the -g flag is required, because without it the argument is treated as a user name rather than a group:
sudo realm permit -g [group]
Example:
sudo realm permit -g linuxuser
sudo realm permit -g linuxadmin
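The edits above, as an added example that is not part of the original post: a script that applies the four sssd.conf changes to the file in place, idempotently, and reads them back. It assumes the file was written by realm join (so the options belong in its [domain/...] section); the helper names are my own, and the sample configuration in the usage notes is constructed, not taken from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): apply the sssd.conf changes from
# the SSSD section to a file in place and read them back.
# Assumptions (mine): the file comes from `realm join`, so the options belong
# in its [domain/...] section; helper names are made up for this example.
set -euo pipefail

# set_domain_option FILE KEY VALUE
# Rewrite KEY in the [domain/...] section, or append it there if it is missing.
# Other sections ([sssd], [nss], ...) are left untouched.
set_domain_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        function append_pending() {   # add the key before leaving the domain section
            if (in_domain && !written) { print key " = " value; written = 1 }
        }
        /^\[/ { append_pending(); in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " value; written = 1; next
        }
        { print }
        END { append_pending() }
    ' "$file" > "$tmp"
    # sssd refuses to start if sssd.conf is readable by group or others
    install -m 0600 "$tmp" "$file"
    rm -f "$tmp"
}

# domain_option FILE KEY -> value of KEY in the [domain/...] section (empty if unset)
domain_option() {
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
        }
    ' "$1"
}

# apply_post_join_settings FILE GROUP... : the four edits described in the text.
apply_post_join_settings() {
    local file="$1"; shift
    local groups
    groups="$(IFS=,; printf '%s' "$*")"                       # "linuxuser,linuxadmin"
    set_domain_option "$file" use_fully_qualified_names False  # log in as "user", not "user@domain"
    set_domain_option "$file" fallback_homedir '/home/%u'      # home directory without @domain
    set_domain_option "$file" access_provider simple           # local allow-list decides access
    set_domain_option "$file" simple_allow_groups "$groups"
}

# Usage (as root): ./post-join.sh /etc/sssd/sssd.conf linuxuser linuxadmin
if [ "$#" -ge 2 ]; then
    apply_post_join_settings "$@"
    # sssctl ships with sssd-tools; validate the file before restarting the service
    if command -v sssctl >/dev/null 2>&1; then sssctl config-check; fi
    systemctl restart sssd
fi
```

Running it twice leaves the file unchanged, because existing keys are rewritten rather than appended, and the [sssd] section is never touched. Note that the script sets access_provider = simple itself, so it must be followed (or preceded) by the realm permit -g commands only if you want realm to keep track of the allowed groups as well.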
SUDOERS
With the steps above, AD users in the allowed groups can log in to the machine, but none of them can use sudo. To solve this, the groups need a sudo rule. Put it in a drop-in file under /etc/sudoers.d, created with visudo -f so the syntax is checked before it takes effect (a malformed line in sudoers breaks sudo for everyone). In sudoers a group entry starts with %, so the rule names the group as %linuxuser.
We added the %linuxuser group, which gives every member of linuxuser both access to the machine and root via sudo. If linuxadmin is meant to be the privileged group, grant the sudo rule to %linuxadmin only and leave linuxuser with plain login access, so that the two groups keep distinct meanings.
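The sudoers step, as an added example that is not part of the original post: a script that writes the group rule as a drop-in under /etc/sudoers.d, sanitizes the file name (sudo silently skips drop-ins whose name contains a dot or ends in a tilde, which matters for names like linuxadmin@domain.local), validates it with visudo before installing it, and sets the 0440 mode sudo expects. It assumes only linuxadmin should get root; the helper names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): grant sudo to an AD group through
# a drop-in in /etc/sudoers.d instead of editing /etc/sudoers by hand.
# Assumptions (mine): linuxadmin is the only group that should get root;
# linuxuser keeps plain login access via simple_allow_groups. Helper names are
# made up for this example.
set -euo pipefail

# sudoers_rule GROUP -> the rule line. Group entries start with '%'; spaces in
# AD group names (e.g. "domain admins") must be backslash-escaped in sudoers.
sudoers_rule() {
    local escaped
    escaped="$(printf '%s' "$1" | sed 's/ /\\ /g')"
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$escaped"
}

# dropin_name GROUP -> file name for sudoers.d. sudo ignores files whose name
# contains '.' or ends in '~', so "linuxadmin@domain.local" must be sanitized.
dropin_name() {
    printf 'ad-%s\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')"
}

# write_sudoers_dropin DIR GROUP -> path of the file written.
# A syntax error in any sudoers.d file breaks sudo for everyone, so the
# candidate is checked with visudo -cf before it is installed.
write_sudoers_dropin() {
    local dir="$1" group="$2" tmp file
    file="$dir/$(dropin_name "$group")"
    tmp="$(mktemp)"
    sudoers_rule "$group" > "$tmp"
    chmod 0440 "$tmp"
    # visudo's ownership check only makes sense when running as root
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null
    fi
    install -m 0440 "$tmp" "$file"   # sudoers.d files must be mode 0440
    rm -f "$tmp"
    printf '%s\n' "$file"
}

# Usage (as root): ./ad-sudoers.sh linuxadmin
if [ "$#" -ge 1 ]; then
    for g in "$@"; do write_sudoers_dropin /etc/sudoers.d "$g"; done
fi
```

If use_fully_qualified_names is left at True, the group in the rule must carry the domain suffix as well (%linuxadmin@domain.local), which is exactly the case where the file-name sanitizing prevents the drop-in from being silently ignored.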
Conclusion
By following these steps, Active Directory users in the permitted groups will be able to authenticate on the Linux machine with the privileges assigned to them. Keep the allow-list and the sudo rule as narrow as the use case allows, and restart sssd after every change to sssd.conf.