To configure CentOS 7 to use Active Directory as an authentication source, `sssd` will be used. The `sssd` setup is greatly simplified by using `realmd`; only basic manual configuration has to be added on top of it.
Install Packages
Install the required packages with yum:

```sh
yum install sssd oddjob oddjob-mkhomedir adcli krb5-workstation samba-common-tools sssd-ad sudo realmd sssd-tools sssd-ldap sssd-krb5 sssd-krb5-common
```
Join to Domain
Join the host to the domain with the `realm` command. When adding the host I recommend setting both the `--computer-name` and the `--user-principal` manually. For this example I am adding a server with the hostname vmhost1.syd.my.domain to the Active Directory domain internal.my.domain. As you can see, the hostname of the server I am adding is too long for the computer name (which must be 15 characters or less), so to ensure that it is unique I manually set the computer name to VMHOST1.SYD. The user-principal name must include the server's full hostname.

```sh
realm join -v --user=my-domain-account --computer-name=VMHOST1.SYD --user-principal=host/vmhost1.syd.my.domain@internal.my.domain internal.my.domain
```

You will be prompted for the password of the account you are using to join the server to the domain. Once this is complete, verify that you can look up a user from your domain:

```sh
id my-domain-account@internal.my.domain
```
Tweak SSSD Settings
I recommend tweaking the default SSSD settings before continuing. The SSSD settings are stored in `/etc/sssd/sssd.conf`. The headings below correspond to the sections of the configuration file that each setting belongs in.
[sssd]
- Set the default domain for logins. If you do not set this, users will need to log in using the format `username@internal.my.domain`; with this setting they can log in with just `username`:

```ini
default_domain_suffix = internal.my.domain
```
[nss]
- Disable SSSD lookups for the local users and groups that should never be authenticated remotely. This section does not exist by default, so add it:

```ini
[nss]
filter_users = root,nobody,bin,daemon,adm,sync,shutdown,halt,mail,operator,polkitd,abrt,rpc,rpcuser,nfsnobody,postfix,ntp,chrony,sshd,sssd
filter_groups = root,nobody,bin,daemon,adm,sync,shutdown,halt,mail,operator,polkitd,abrt,rpc,rpcuser,nfsnobody,postfix,ntp,chrony,sshd,sssd
```
[domain/internal.my.domain]
These settings all go under your domain section, whose name must match the domain you joined above (substitute your own domain for the example values). Some of them may already be defined by the join; if they are not, add them, or update the existing values to match:

```ini
ad_domain = internal.mydomain.com
dns_discovery_domain = internal.mydomain.com
fallback_homedir = /home/INTERNAL/%u
access_provider = simple
default_shell = /bin/bash
create_homedir = true
```
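Because these three sections are edited by hand, it is worth checking the result before restarting sssd. The script below is an added example and is not part of the original post: it reads an sssd.conf with a small awk section parser and verifies the settings changed above (the `[sssd]` default domain, the `[nss]` filter lists, the domain's `access_provider` and whether `realm permit` has populated an allow list) together with the 0600 file mode that sssd requires. The two configuration files it runs against are constructed for the demonstration; on a real host point `sssd_check` at `/etc/sssd/sssd.conf`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit an sssd.conf for the tweaks
# made above. Assumes a Linux host with awk and GNU (or BSD) stat. The sample
# files written below are constructed demonstration data, not a real host's config.

# sssd_get SECTION KEY FILE: print the value of KEY inside [SECTION], or nothing.
sssd_get() {
    local section="$1" key="$2" file="$3"
    awk -v want="[$section]" -v key="$key" '
        /^[ \t]*\[/ { line = $0; gsub(/[ \t]/, "", line); in_sec = (line == want); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
}

# list_has LIST ITEM: true if the comma-separated LIST (spaces ignored) contains ITEM.
list_has() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# sssd_check FILE DOMAIN: print one line per finding; return 0 only if everything passes.
sssd_check() {
    local file="$1" domain="$2" rc=0
    local suffix provider allow mode key

    suffix=$(sssd_get sssd default_domain_suffix "$file")
    if [ "$suffix" = "$domain" ]; then
        echo "ok   [sssd] default_domain_suffix = $suffix"
    else
        echo "FAIL [sssd] default_domain_suffix is '${suffix:-unset}', expected $domain"; rc=1
    fi

    # Local system accounts must never be resolved through the domain; root above all.
    for key in filter_users filter_groups; do
        if list_has "$(sssd_get nss "$key" "$file")" root; then
            echo "ok   [nss] $key includes root"
        else
            echo "FAIL [nss] $key does not include root"; rc=1
        fi
    done

    provider=$(sssd_get "domain/$domain" access_provider "$file")
    if [ "$provider" = "simple" ]; then
        echo "ok   [domain/$domain] access_provider = simple"
        # realm permit writes simple_allow_users / simple_allow_groups into this section.
        allow="$(sssd_get "domain/$domain" simple_allow_users "$file")$(sssd_get "domain/$domain" simple_allow_groups "$file")"
        if [ -n "$allow" ]; then
            echo "ok   allow list present"
        else
            echo "WARN no simple_allow_users/simple_allow_groups yet, run realm permit"
        fi
    else
        echo "FAIL [domain/$domain] access_provider is '${provider:-unset}', expected simple"; rc=1
    fi

    # sssd refuses to start unless sssd.conf is mode 0600 (and owned by root).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" = "600" ]; then
        echo "ok   mode 0600"
    else
        echo "FAIL mode is $mode, sssd requires 0600"; rc=1
    fi
    return $rc
}

# Constructed sample reflecting the settings above (demonstration data).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = internal.my.domain
config_file_version = 2
services = nss, pam
default_domain_suffix = internal.my.domain

[nss]
filter_users = root,nobody,bin,daemon,sshd,sssd
filter_groups = root,nobody,bin,daemon,sshd,sssd

[domain/internal.my.domain]
ad_domain = internal.my.domain
krb5_realm = INTERNAL.MY.DOMAIN
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/INTERNAL/%u
default_shell = /bin/bash
access_provider = simple
simple_allow_users = my-domain-account@internal.my.domain
EOF
chmod 0600 "$SAMPLE_CONF"

# A second constructed file with none of the tweaks applied, to show the failures.
LOOSE_CONF=$(mktemp)
cat > "$LOOSE_CONF" <<'EOF'
[sssd]
domains = internal.my.domain
services = nss, pam

[domain/internal.my.domain]
id_provider = ad
access_provider = ad
EOF
chmod 0600 "$LOOSE_CONF"

sssd_check "$SAMPLE_CONF" internal.my.domain
sssd_check "$LOOSE_CONF" internal.my.domain || echo "loose config needs work"
```

The audit deliberately does not look at `create_homedir`: home directory creation on CentOS 7 is done by the `oddjob-mkhomedir` package installed earlier, through PAM, rather than by an sssd.conf option, and `sssctl config-check` (from `sssd-tools`, also installed above) will report any option it does not recognise in the live file, so run it as well after editing.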
Tweak Kerberos settings
Replace the content of `/etc/krb5.conf` with the following template, substituting your own realm and domain controllers. With `dns_lookup_kdc = false` the KDCs are taken only from this file, so list every domain controller the host should use:

```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 admin_server = FILE:/var/log/kadmind.log
 kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
 default_realm = INTERNAL.MYDOMAIN.COM
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 INTERNAL.MYDOMAIN.COM = {
  kdc = domain-controller-1.internal.mydomain.com
  kdc = domain-controller-2.internal.mydomain.com
  kdc = domain-controller-3.internal.mydomain.com
  kdc = domain-controller-4.internal.mydomain.com
  admin_server = domain-controller-1.internal.mydomain.com
  admin_server = domain-controller-2.internal.mydomain.com
  admin_server = domain-controller-3.internal.mydomain.com
  admin_server = domain-controller-4.internal.mydomain.com
 }

[domain_realm]
 .internal.mydomain.com = INTERNAL.MYDOMAIN.COM
```
Set allowed users/groups
By default no users will be able to log in; access has to be granted explicitly with `realm permit`.

- To permit the usernames `my-domain-account` and `your-domain-account`:

```sh
realm permit my-domain-account@internal.my.domain
realm permit your-domain-account@internal.my.domain
```

- To permit the group `good-users`:

```sh
realm permit -g good-users@internal.my.domain
```
Sudo permissions
To allow an Active Directory authenticated user to use `sudo`, add a new sudoers file. As an example I will be giving `my-domain-account` full sudo permissions without having to enter a password.

- Create `/etc/sudoers.d/my-domain-account`
- Add the following content:

```
my-domain-account@internal.my.domain ALL=(ALL) NOPASSWD: ALL
```

- Save the file and test it.

To allow an Active Directory group to use `sudo`, follow the same steps as above. The group name needs to be prefixed with a `%`:

```
%good-users@internal.my.domain ALL=(ALL) NOPASSWD: ALL
```
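A broken or mis-named drop-in is the usual way this step goes wrong, so here is an added example (not from the original post) of creating the user and group rules above in a form that is checked before it is installed. It builds the rule in a temporary file, runs `visudo -c` against it when visudo is present, then installs it read-only with the 0440 mode sudo expects; it also derives a file name without a `.` in it, because sudo silently ignores files in `sudoers.d` whose names contain a dot or end in `~`. The `SUDOERS_DIR` variable is an assumption of this script (defaulting to `/etc/sudoers.d`) so the demonstration can write into a scratch directory; the rules themselves are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: create a sudoers drop-in for an
# AD user or group without exposing a half-written or syntactically broken file.
# Assumes a Linux host with GNU coreutils (install, stat), run as root on a real
# system; SUDOERS_DIR (default /etc/sudoers.d) can be redirected for testing.

# sudoers_line KIND NAME DOMAIN: the rule for NAME (KIND is user or group) in
# DOMAIN, using the fully qualified name and the % prefix sudo expects for groups.
sudoers_line() {
    local kind="$1" name="$2" domain="$3"
    case "$kind" in
        user)  printf '%s@%s ALL=(ALL) NOPASSWD: ALL\n' "$name" "$domain" ;;
        group) printf '%%%s@%s ALL=(ALL) NOPASSWD: ALL\n' "$name" "$domain" ;;
        *)     echo "sudoers_line: kind must be user or group" >&2; return 2 ;;
    esac
}

# sudoers_filename KIND NAME: a file name sudo will actually read. sudo skips
# files in sudoers.d whose names contain "." or end in "~", so a name such as
# svc.backup would be ignored; everything outside [A-Za-z0-9_-] becomes "_".
sudoers_filename() {
    printf '%s' "$1-$2" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# install_ad_sudoers KIND NAME DOMAIN: write, check and install the drop-in.
# Returns 0 on success, 1 if visudo rejects the rule, 2 on a bad KIND.
install_ad_sudoers() {
    local kind="$1" name="$2" domain="$3"
    local dir="${SUDOERS_DIR:-/etc/sudoers.d}" tmp target
    target="$dir/$(sudoers_filename "$kind" "$name")"
    tmp=$(mktemp) || return 1
    if ! sudoers_line "$kind" "$name" "$domain" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    chmod 0440 "$tmp"
    # visudo -c checks syntax only; -f points it at the temp file instead of /etc/sudoers.
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
        echo "visudo rejected the rule, leaving $target untouched" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0440 "$tmp" "$target" && rm -f "$tmp" && echo "installed $target"
}

# Demonstration against a scratch directory; omit SUDOERS_DIR to write to /etc/sudoers.d as root.
DEMO_DIR=$(mktemp -d)
SUDOERS_DIR="$DEMO_DIR" install_ad_sudoers user  my-domain-account internal.my.domain
SUDOERS_DIR="$DEMO_DIR" install_ad_sudoers group good-users        internal.my.domain
cat "$DEMO_DIR"/*
```

Running `sudo -l -U my-domain-account@internal.my.domain` afterwards lists the rules sudo has actually loaded for the account, which is the quickest way to confirm the drop-in was picked up.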