===== RHEL 7 Active Directory LDAP with SSSD =====

Configure DNS to point at the Active Directory server's IP address, then set the search domain and hostname, install the packages and join the domain:

<code>
nmcli con mod eth0 ipv4.dns-search dominio.local
hostnamectl set-hostname ldap.dominio.local
yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation sssd-ad
realm join dominio.local
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
</code>

==== RHEL 6 ====

NTP and DNS must already be configured. /etc/hosts must be configured correctly, for example:

<code>
192.168.75.166 servidor servidor.2008r2.example.com
</code>

Install packages:

<code>
yum install ntp sssd samba-common krb5-workstation
</code>

Edit /etc/krb5.conf:

<code>
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = 2008R2.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
2008R2.EXAMPLE.COM = {
}

[domain_realm]
.2008r2.example.com = 2008R2.EXAMPLE.COM
2008r2.example.com = 2008R2.EXAMPLE.COM
</code>

Edit /etc/samba/smb.conf:

<code>
[global]
workgroup = 2008R2
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = 2008R2.EXAMPLE.COM
security = ads
</code>

Create a Kerberos ticket, join the domain and enable SSSD in the authentication stack:

<code>
kinit Administrator
net ads join -k
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
</code>

Create /etc/sssd/sssd.conf (sssd requires it to be mode 600 and owned by root):

<code>
echo >/etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
</code>

With this content:

<code>
[domain/2008r2.example.com]
id_provider = ad
access_provider = ad
default_shell=/bin/bash
fallback_homedir=/home/%u
debug_level = 0

[sssd]
services = nss, pam
config_file_version = 2
domains = 2008r2.example.com

[nss]

[pam]
</code>

Restart sssd:

<code>
service sssd restart
</code>

==== AD user access filter ====

Edit /etc/sssd/sssd.conf and, in the [domain/...] section, replace the existing access_provider line along these lines (only the listed users will be allowed to log in):

<code>
access_provider = simple
simple_allow_users = user1,user2
</code>

Restart sssd:

<code>
systemctl restart sssd
</code>

==== AD groups access filter ====

Edit /etc/sssd/sssd.conf and, in the [domain/...] section, replace the existing access_provider line along these lines (only members of the listed AD groups will be allowed to log in):

<code>
access_provider = simple
simple_allow_groups = linuxusers@administrativos.ice.com,linuxusers@sucursales.ice.com
</code>

Restart sssd:

<code>
systemctl restart sssd
</code>

==== Configure AD groups with sudo ====

Use visudo to add this line:

<code>
%linuxusers@administrativos.ice.com ALL=(ALL) ALL
</code>

==== Configure home dir ====

Change the fallback_homedir line to:

<code>
fallback_homedir=/home/%u@%d
</code>

==== References ====

  * https://access.redhat.com/solutions/2710131
  * https://access.redhat.com/articles/3023951
  * https://access.redhat.com/solutions/715173
  * http://www.thinkplexx.com/learn/howto/linux/system/allow-user-sudo-but-exlude-some-privileges-run-shells-etc
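==== Example: checking the simple access filter ====

The user and group access filters above both rely on the SSSD simple access provider. The following POSIX shell script is an added example, not part of the original page or of SSSD itself: it parses a constructed sssd.conf fragment and models the allow-list decision (allow if the user is in simple_allow_users or any of their groups is in simple_allow_groups; allow everyone when neither list is set; deny lists are not modelled), so you can sanity-check a filter before restarting sssd.

```shell
#!/bin/sh
# Constructed sssd.conf fragment (assumed sample, combining both filters above).
SAMPLE_SSSD_CONF='[domain/2008r2.example.com]
id_provider = ad
access_provider = simple
simple_allow_users = user1,user2
simple_allow_groups = linuxusers@administrativos.ice.com,linuxusers@sucursales.ice.com
[sssd]
services = nss, pam'

# conf_value KEY CONF: print the value of KEY (first match), empty if unset.
conf_value() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# in_csv ITEM LIST: succeed if ITEM appears in the comma-separated LIST.
in_csv() {
  printf '%s\n' "$2" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$1"
}

# simple_access_check USER "GROUP1 GROUP2 ..." CONF
# Prints allow/deny and returns 0/1; returns 2 if access_provider is not simple.
simple_access_check() {
  user=$1; groups=$2; conf=$3
  provider=$(conf_value access_provider "$conf")
  [ "$provider" = simple ] || { echo "not-simple"; return 2; }
  allow_users=$(conf_value simple_allow_users "$conf")
  allow_groups=$(conf_value simple_allow_groups "$conf")
  # No allow list at all: the simple provider lets everyone in.
  if [ -z "$allow_users" ] && [ -z "$allow_groups" ]; then echo allow; return 0; fi
  if in_csv "$user" "$allow_users"; then echo allow; return 0; fi
  for g in $groups; do
    if in_csv "$g" "$allow_groups"; then echo allow; return 0; fi
  done
  echo deny; return 1
}

# Usage: user3 is not listed but belongs to an allowed group.
simple_access_check user3 'linuxusers@sucursales.ice.com' "$SAMPLE_SSSD_CONF"
```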