In a mixed Windows and Linux environment that already runs Active Directory, it is beneficial to maintain user accounts for both platforms in Active Directory. Adding Windows machines to Active Directory is a straightforward process, but Linux is more of a challenge. For this reason, many organizations maintain separate authentication for Linux and Windows users.
Though not straightforward, joining Linux machines, in this case CentOS 7, to an Active Directory domain is not overly complicated.
To join a CentOS 7 machine to a domain the following packages must first be installed using the following command.
yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp
If your systems are virtualized and share a common time source the following step is not necessary. Otherwise, configure ntpd with the following commands.
systemctl enable ntpd.service
ntpdate ntp.domain
systemctl start ntpd.service
Prior to joining your domain, you should adjust your DNS to use the AD Servers or the DNS Servers they use.
DNS can be configured in /etc/sysconfig/network-scripts/ifcfg-eno*
You will want to discover information about the Active Directory Domain you wish to join with the following command.
$ realm discover domain.local
domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@domain.local
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: LinuxAdmins@domain.local, LinuxUsers@domain.local
domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: no
If any required-package displays as not installed, install it now.
To join the machine to the domain, use the following command, replacing admin with a domain account that is allowed to join computers to the domain.
realm join --user=admin@domain.local domain.local
Once joined, add the default domain suffix to the /etc/sssd/sssd.conf file.
default_domain_suffix = domain.local
Restart the sssd service.
systemctl restart sssd
Permitting Select Active Directory Groups to Logon
You will probably want to limit the domain users capable of logging into your Linux machine. This can be done by first creating a group in Active Directory such as LinuxUsers and populating it with the users you wish to be able to access the Linux system. Then from the Linux system use the following command.
realm permit -g LinuxUsers@domain.local
You can add additional groups as needed using the same command.
Giving sudo Access to Active Directory Groups
Typically, users on a Linux system are put into the wheel group and then allowed sudo access by uncommenting the appropriate line in the sudoers file. In this instance, we will create a new group that has sudo access, using visudo to edit the sudoers file.
Assuming you have a LinuxAdmins Active Directory group, add the following line to the sudoers file.
%LinuxAdmins@domain.local ALL=(ALL) ALL
How to debug SSSD and realmd
The logfile which contains information about successful or failed login attempts is /var/log/secure. It contains information related to authentication and authorization. For example, sshd logs all of its messages there, including unsuccessful logins.
Be sure to check that logfile if you experience problems logging in with an Active Directory user.
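As an added example (not part of the original post), the following shell function summarises what /var/log/secure records per Active Directory user: sshd accepts and failures, plus the pam_sss account-phase "Access denied" message that sssd emits when a user is not in a permitted group. The log lines it runs on are constructed for the example.

```shell
#!/bin/sh
# Summarise AD login outcomes from /var/log/secure-style lines.
# Output: one line per user, "USER accepted=N failed=N denied=N", sorted by user.
# "denied" counts pam_sss(sshd:account) rejections, i.e. a valid password but
# the user is outside the groups allowed by realm permit / simple_allow_groups.
ad_login_report() {
    awk '
        # Return the first token after the given marker regex (space/colon ends it).
        function name_after(s, marker,   re, a) {
            re = ".*" marker
            sub(re, "", s)
            split(s, a, /[ :]/)
            return a[1]
        }
        /sshd\[[0-9]+\]: Accepted / {
            u = name_after($0, " for "); acc[u]++; seen[u] = 1
        }
        /sshd\[[0-9]+\]: Failed password for / {
            u = name_after($0, " for (invalid user )?"); fail[u]++; seen[u] = 1
        }
        /pam_sss\(sshd:account\): Access denied for user / {
            u = name_after($0, " for user "); deny[u]++; seen[u] = 1
        }
        END {
            for (u in seen)
                printf "%s accepted=%d failed=%d denied=%d\n",
                       u, acc[u] + 0, fail[u] + 0, deny[u] + 0
        }
    ' "$1" | sort
}

# Constructed sample lines (not real log data) so the function runs offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 centos7 sshd[2101]: Accepted password for jdoe@domain.local from 192.0.2.10 port 50122 ssh2
Mar  3 09:13:44 centos7 sshd[2107]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=asmith@domain.local
Mar  3 09:13:46 centos7 sshd[2107]: Failed password for asmith@domain.local from 192.0.2.11 port 50130 ssh2
Mar  3 09:15:02 centos7 sshd[2113]: pam_sss(sshd:account): Access denied for user bwong@domain.local: 6 (Permission denied)
Mar  3 09:16:30 centos7 sshd[2120]: Failed password for invalid user root from 198.51.100.7 port 41000 ssh2
Mar  3 09:16:35 centos7 sshd[2120]: Failed password for invalid user root from 198.51.100.7 port 41000 ssh2
EOF

ad_login_report "$SAMPLE_LOG"
```

Run it against the real file with `ad_login_report /var/log/secure`; a user showing only denied counts is usually missing from the realm-permitted groups rather than typing a wrong password.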
How to clear the SSSD cache
sudo systemctl stop sssd
sudo rm -f /var/lib/sss/db/*
sudo systemctl start sssd
Sometimes it is also useful to update the authconfig cache with the following command.
Sample Config Files
[sssd]
domains = Domain.local
config_file_version = 2
services = nss, pam
default_domain_suffix = Domain.local

[domain/Domain.local]
ad_domain = Domain.local
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = P2VM-QA-CENTOS-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = LinuxAdmins@domain.local, LinuxUsers@domain.local
Sudoers File Section
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
%LinuxAdmins@domain.local ALL=(ALL) ALL