RHEL 7 Active Directory LDAP with SSSD
Configure DNS with Active Directory IP address.
nmcli con mod eth0 ipv4.dns-search dominio.local hostnamectl set-hostname ldap.dominio.local yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation sssd-ad realm join dominio.local authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
RHEL 6
You must have configured NTP and DNS.
File /etc/hosts correctly configure for example:
192.168.75.166 servidor servidor.2008r2.example.com
Install packages:
yum install ntp sssd samba-common krb5-workstation
Edit /etc/krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = 2008R2.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] 2008R2.EXAMPLE.COM = { } [domain_realm] .2008r2.example.com = 2008R2.EXAMPLE.COM 2008r2.example.com = 2008R2.EXAMPLE.COM
Edit /etc/samba/smb.conf:
[global] workgroup = 2008R2 client signing = yes client use spnego = yes kerberos method = secrets and keytab log file = /var/log/samba/%m.log realm = 2008R2.EXAMPLE.COM security = ads
Create kerberos ticket:
kinit Administrator net ads join -k authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
Create /etc/sssd/sssd.conf:
echo >/etc/sssd/sssd.conf chmod 600 /etc/sssd/sssd.conf
With this content:
[domain/2008r2.example.com] id_provider = ad access_provider = ad default_shell=/bin/bash fallback_homedir=/home/%u debug_level = 0 [sssd] services = nss, pam config_file_version = 2 domains = 2008r2.example.com [nss] [pam]
Restart sssd:
service sssd restart
AD user access filter
Edit /etc/sssd/sssd.conf and configure in a similar way:
access_provider = simple simple_allow_users = user1,user2
Restart sssd:
systemctl restart sssd
AD groups access filter
Edit /etc/sssd/sssd.conf and configure in a similar way:
access_provider = simple simple_allow_groups = [email protected],[email protected]
Restart sssd:
systemctl restart sssd
Configure AD groups with sudo
Use visudo to add this lines:
%[email protected] ALL=(ALL) ALL
Configure home dir
Change line:
fallback_homedir=/home/%u@%d