Realmd provides a simple way to discover and join identity domains. It configures Linux system services such as sssd or winbind to do the actual network authentication and user account lookups. With the release of CentOS/RHEL 7, realmd is fully supported and can be used to join IdM, AD, or Kerberos realms. The main advantage of using realmd is the ability to provide a simple one-line command to enroll into a domain as well as configure network authentication. For example, realmd can easily configure:

  • PAM Stack
  • NSS Layer
  • Kerberos
  • SSSD
  • Winbind

 

Configure CentOS/RHEL 7 as an Active Directory client using realmd

Follow the steps outlined below to configure Linux client using Realmd to connect to an Active Directory (AD) domain.

 

1. Install the required packages to configure the AD client.

# yum install realmd oddjob oddjob-mkhomedir sssd adcli openldap-clients policycoreutils-python samba-common samba-common-tools krb5-workstation

 

We can use the list subcommand to ensure that we are not currently part of a domain:

# realm list

 

The output should be blank. Now, we are ready to proceed with the next step- discovering and joining the domain.

 

2. Discover the active directory domain and join with the below commands.

# realm discover ad.example.com
ad.example.com
type: kerberos
realm-name: AD.EXAMPLE.COM
domain-name: ad.example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
# realm join ad.example.com
Password for Administrator:
realm: Joined ad.example.com domain

 

3. Verify the kerberos configuration file /etc/krb5.conf to include:

# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default = DOMAIN.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc=true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  AD.EXAMPLE.COM = {
   kdc = [hostname_of_server].domain.example.com:88
   admin_server = domain.example.com
}

[domain_realm]
 .domain.example.com = DOMAIN.EXAMPLE.COM
 domain.example.com = DOMAIN.EXAMPLE.COM

 

4. Verify /etc/sssd/sssd.conf to have below entries.

# cat /etc/sssd/sssd.conf
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_server = domain.example.com
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumeration = True

 

5. Assign appropriate permission to sssd.conf.

# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# systemctl start sssd

 

Verify

 

Verify connection with following command:

# id user@domain.example.com
# ssh user@domain.example.com

 

Example of these command are shown below.

# id user@ad.example.com
uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com)

 

# ssh user@ad.example.com@127.0.0.1
user@ad.example.com@127.0.0.1's password:
Creating home directory for user@ad.example.com.

$ pwd
/home/ad.example.com/user

 

Hasznosnak találta ezt a választ? 0 A felhasználók hasznosnak találták ezt (0 Szavazat)