Adding your CentOS / Fedora to Active Directory

Today's blog will explain how to add a Linux machine (CentOS/RedHat/Fedora) to a Windows Server 2012 Active Directory domain.

NOTE: If you are using Fedora, replace yum with dnf throughout this article.

Before you install anything on your Linux machine, you need to know the following things.

REQUIREMENTS:
  • NetBIOS name of your domain (eg. MyCorpDomain)
  • Fully Qualified Domain Name (FQDN) (eg. MyCorpDomain.Com)
  • Name or IP of your Domain Controller (the Linux machine's DNS resolver must be able to find the domain, so point /etc/resolv.conf at a DNS server that serves it, normally a Domain Controller)
  • An account that is allowed to join computers to the domain. A Domain Admin account works, but an ordinary account that has been delegated the right to create computer objects in the target OU is enough, and is the safer (least-privilege) choice.
BEFORE YOU START:
Make sure your Linux machine is fully updated first.

# yum update

INSTALLATION:
Log in as root or use sudo to install the following packages.
Depending on how your system is set up, this may pull in a lot of dependencies. adcli is listed as well, since realm will report it as a required package once the machine is joined.

# yum install sssd realmd adcli ntp ntpdate samba samba-common oddjob oddjob-mkhomedir

NTP CONFIGURATION:
Before you start, make sure the Network Time Protocol (NTP) is set up. Kerberos, which both the domain join and every later login rely on, rejects tickets when the client clock differs from the Domain Controller's by more than five minutes (the default maximum clock skew), so an unsynchronised clock is the most common reason a join fails.
At a minimum, verify /etc/ntp.conf and that the service is up and running.
You can use your Domain Controller as time server, or a dedicated NTP server as I do in this case.

# cat /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.mycorpdom.com iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor


Verify that the NTP service is running. If it is inactive, as in the output below, start it; restart it if you have changed the configuration.

# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: inactive (dead)
# systemctl restart ntpd
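As an added example (it is not part of the original post), here is a small pre-join check script that covers the two things that most often make realm join fail: the domain controllers not being discoverable through DNS, and the local clock being outside the Kerberos skew tolerance. It also probes the ports the join needs on each DC. It assumes dig, ntpdate, timeout and bash are installed; the domain and NTP server names in the usage comment are the placeholders used in this post.

```shell
#!/bin/sh
# prejoin-check.sh DOMAIN [NTP_SERVER]
# Run before `realm join`: checks DC discovery via DNS SRV records, the ports
# the join needs, and the clock offset against an NTP server.
# Added example, not from the original post; host names are placeholders.

MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# parse_srv_targets: read `dig +short SRV` lines ("prio weight port target.")
# on stdin and print the target host names without the trailing dot.
parse_srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# parse_ntp_offset: read `ntpdate -q` output on stdin and print the first
# reported offset in seconds, e.g. "-0.004231".
parse_ntp_offset() {
  sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# skew_ok OFFSET: succeed (exit 0) when |OFFSET| is below MAX_SKEW seconds.
skew_ok() {
  awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit ((o < m) ? 0 : 1) }'
}

# port_open HOST PORT: TCP connect test using bash's /dev/tcp (no nc needed).
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

main() {
  domain=$1
  ntp_server=${2:-$domain}   # the domain name itself resolves to DCs, which also serve time
  rc=0

  echo "== Domain controllers for $domain (DNS SRV) =="
  dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | parse_srv_targets)
  if [ -z "$dcs" ]; then
    echo "FAIL: no SRV records; /etc/resolv.conf must point at a DNS server that knows the domain"
    return 1
  fi
  echo "$dcs"

  echo "== Ports needed for the join, per DC =="
  for dc in $dcs; do
    for port in 88 389 445 464; do   # Kerberos, LDAP, SMB, kpasswd
      if port_open "$dc" "$port"; then echo "ok   $dc:$port"; else echo "FAIL $dc:$port"; rc=1; fi
    done
  done

  echo "== Clock skew against $ntp_server (must be below ${MAX_SKEW}s) =="
  offset=$(ntpdate -q "$ntp_server" 2>/dev/null | parse_ntp_offset)
  if [ -z "$offset" ]; then
    echo "FAIL: could not query $ntp_server"; rc=1
  elif skew_ok "$offset"; then
    echo "ok   offset ${offset}s"
  else
    echo "FAIL offset ${offset}s: fix NTP before joining, Kerberos will reject the machine"; rc=1
  fi
  return $rc
}

# The live checks only run when a domain is given, e.g.:
#   sh prejoin-check.sh mycorpdomain.com ntp1.mycorpdom.com
if [ $# -ge 1 ]; then main "$@"; fi
```

The script exits non-zero on any failure, so it can be used as a gate in a provisioning playbook. The SRV name `_ldap._tcp.dc._msdcs.<domain>` is the record realmd and adcli themselves use to find domain controllers, so if this lookup is empty the join will fail for the same reason.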


JOIN YOUR DOMAIN:
Now we can join the Windows Active Directory domain. realmd discovers the Domain Controllers through DNS, and the command prompts for the password of the join account.

# realm join --user=adminaccount@mycorpdomain.com mycorpdomain.com

Now you can verify that the machine has joined the domain, both from Windows (a computer object for it now exists in Active Directory Users and Computers) and from Linux:

# realm list
mycorpdomain.com

type: Kerberos
realm-name: MYCORPDOMAIN.COM
domain-name: mycorpdomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@mycorpdomain.com
login-policy: allow-realm-logins



USE DEFAULT DOMAIN FOR LOGIN:
When I set up a Linux server in our domain, I want to make sure it is easy to log in with just a username.
I normally remove the need to use the FQDN in the login name. By modifying sssd.conf you can make sure you only need your username, and not Username@MyCorpDomain.com, when you log in.
In the sssd.conf file, find the use_fully_qualified_names line and make sure it says False; if not, change it to False and save the file. Note that sssd refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600, so keep those permissions when you edit it.

# cat /etc/sssd/sssd.conf
[sssd]
domains = mycorpdomain.com
config_file_version = 2
services = nss, pam
[domain/mycorpdomain.com]
ad_domain = mycorpdomain.com
krb5_realm = MYCORPDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad


Now try to log in as one of your domain users. If the user is not found, as in the first attempt below, restart the sssd service so that it reloads the new configuration.


# su my.user.account
su: user my.user.account does not exist
# systemctl restart sssd
# su - my.user.account
[my.user.account@rss1 ~]$ exit
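As an added example (not from the original post), here is a way to make the sssd.conf edit above scriptable: a small awk-based helper that sets a key inside a given [section] of an INI-style file, replacing the existing line or appending one at the end of that section, and writes the result back through the existing file so the 0600 root ownership that sssd insists on survives the edit. A second helper checks that mode and owner. The file path, section name and option are the ones used in this post; the helper names are my own.

```shell
#!/bin/sh
# sssd-conf-helpers.sh: idempotent edits to /etc/sssd/sssd.conf.
# Added example, not from the original post.

# set_ini_option FILE SECTION KEY VALUE
# Set "KEY = VALUE" inside [SECTION]: replace the existing line if there is one,
# otherwise append it at the end of that section. Other sections are untouched.
# The new content is written back through the existing file (cat > file) rather
# than by renaming a temp file into place, so mode and owner are preserved.
set_ini_option() {
  file=$1 section=$2 key=$3 value=$4
  tmp=$(mktemp) || return 1
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    # emit: append the line if we are leaving the target section without having set it
    function emit() { if (insec && !done) { print key " = " val; done = 1 } }
    /^\[/ { emit(); insec = ($0 == sec) }
    insec && $0 ~ ("^" key "[ \t]*=") { if (!done) { print key " = " val; done = 1 }; next }
    { print }
    END { emit() }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# get_ini_option FILE SECTION KEY: print the value of KEY in [SECTION] (empty if unset).
get_ini_option() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec) }
    insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# sssd_conf_perms_ok FILE [OWNER]: succeed when FILE is mode 0600 and owned by OWNER
# (default root). sssd will not start with anything more permissive.
sssd_conf_perms_ok() {
  [ -n "$(find "$1" -maxdepth 0 -perm 600 -user "${2:-root}" 2>/dev/null)" ]
}

# Example use on a real system (run as root; nothing below runs when the file is only sourced):
#   set_ini_option /etc/sssd/sssd.conf domain/mycorpdomain.com use_fully_qualified_names False
#   sssd_conf_perms_ok /etc/sssd/sssd.conf || { chmod 600 /etc/sssd/sssd.conf; chown root:root /etc/sssd/sssd.conf; }
#   systemctl restart sssd
```

Section matching is exact, so a header with a stray space such as "[domain/ mycorpdomain.com]" will not be recognised; that is deliberate, because sssd would not recognise it either.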


ADD SUDO ACCESS:
You can grant sudo access either per user or to a Windows Active Directory user group.
To see the full names of all the groups the user belongs to in Active Directory, and how they are presented on Linux, use the id command.

# id my.user.account
uid=288001152(my.user.account) gid=288001132(corp linux adm) groups=288001132(corp linux adm),288001133(corp users),288002361(domain users)

In my case I want to add the group "Corp Linux Adm", so that everyone who belongs to that group can run any sudo command.

Open /etc/sudoers with visudo (it syntax-checks the file before saving; a broken sudoers file locks everyone out of sudo) and add the following line. Because the group name contains spaces, it has to be quoted:

"%corp linux adm" ALL=(ALL) ALL

I have read many examples out there where you need to type DOMAIN\MY^GROUP or DOMAIN\\MY^GROUP, and multiple other versions.

But because you are using the default domain for logins (use_fully_qualified_names = False above), Linux will automatically look the group up in your domain, so you don't need to specify any domain in sudoers.


I hope this helps.
