Linux with Windows AD

Integrate Linux with Windows Active Directory using SSSD:

Install required packages:

#yum install sssd realmd oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Make sure the server can resolve the domain: add the AD domain controller to /etc/hosts if needed and point DNS at it in /etc/resolv.conf, since realmd discovers the domain through DNS SRV records:

#vim /etc/hosts

#vim /etc/resolv.conf

Join the Windows domain (you will be prompted for the password of the account given with --user):

#realm join --user=tech windowsad.osttoday.com

Whenever we run the "realm join" command it automatically configures the /etc/sssd/sssd.conf file.

To verify whether the server joined AD or not:

#realm list

Check and verify AD users on Linux:

#id vijay@osttoday.com

To get results without the domain name, edit /etc/sssd/sssd.conf and change:

#vim /etc/sssd/sssd.conf

use_fully_qualified_names = True

fallback_homedir = /home/%u@%d

to

use_fully_qualified_names = False

fallback_homedir = /home/%u

Restart sssd service:

#systemctl restart sssd

#systemctl daemon-reload

#id vijay

Log in to the Linux server with AD credentials:

#ssh vijay@192.168.0.2

#id

#pwd

Give sudo rights to AD users on Linux:

Create a group on AD with the name sudoers, add the Linux/UNIX users to that group, and on the Linux server create a file named sudoers under the folder /etc/sudoers.d (mode 0440; sudo ignores files in that directory whose names contain a "." or end in "~", so keep the name plain):

#vim /etc/sudoers.d/sudoers

%sudoers            ALL=(ALL)            ALL

Relogin to the server with AD credentials to see whether the user is part of the sudoers group:

#ssh vijay@192.168.0.2

#sudo su

To restrict user login to a CentOS 7 / RHEL 7 server that is on the Windows domain, use the following steps:

Create a security group on AD (for example "linuxadmin").
Add the domain users who should be allowed to log in to this security group.
#realm permit -g linuxadmin@osttoday.com

Restart sssd service:

#systemctl restart sssd

#systemctl daemon-reload

Once that command has been run it adds the following line to sssd.conf (and sets access_provider = simple in the same section, which is what makes the list take effect):
simple_allow_groups = linuxadmin@osttoday.com

If you want to control rights as well, you can place the AD security group in the sudoers file; an example is shown below:

%linuxadmin@osttoday.com      ALL=(ALL)            ALL
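The two pieces above, the sudoers drop-in for an AD group and the "realm permit" login restriction, as one added shell example that is not part of the original page. It writes the drop-in with the mode sudo requires, refuses file names sudo would ignore, and checks in sssd.conf that the allow list is actually enforced (simple_allow_groups does nothing unless access_provider is simple). SUDOERS_DIR, the sssd.conf fragment and the function names are constructed for this example; on a real host the paths are /etc/sudoers.d and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not code from the original page: create the sudoers drop-in
# from the steps above with the mode sudo requires, and confirm that the
# "realm permit" restriction is really in force in sssd.conf. SUDOERS_DIR and
# the sssd.conf fragment are constructed; on a real host they are
# /etc/sudoers.d and /etc/sssd/sssd.conf.

set -eu

SUDOERS_DIR="${SUDOERS_DIR:-$(mktemp -d)}"
AD_GROUP="linuxadmin@osttoday.com"

# Write "%GROUP ALL=(ALL) ALL" to DIR/NAME. Returns 1 for names sudo would
# ignore: #includedir skips files whose names contain '.' or end in '~'
# (editor backups, package leftovers), which would silently drop the rule.
write_sudoers_dropin() {
    dir="$1"; group="$2"; name="$3"
    case "$name" in
        *.*|*~) echo "sudo would ignore drop-in name: $name" >&2; return 1 ;;
    esac
    printf '%%%s\tALL=(ALL)\tALL\n' "$group" > "$dir/$name"
    chmod 0440 "$dir/$name"   # sudo refuses group/world-writable rule files
}

# Syntax-check a drop-in. "visudo -c" also checks owner and mode, so the
# check only runs where that can pass (as root); elsewhere it prints the
# command to run. Returns visudo's status, or 0 when the check was skipped.
validate_sudoers_dropin() {
    f="$1"
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        visudo -cf "$f"
    else
        echo "run as root: visudo -cf $f"
    fi
}

# Check that the login restriction added by "realm permit -g" is in force:
# simple_allow_groups is only honoured when access_provider = simple.
# Returns 0 when GROUP is in the allow list, 1 otherwise.
check_access_restriction() {
    conf="$1"; group="$2"
    provider=$(sed -n 's|^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*||p' "$conf" | head -n 1)
    allowed=$(sed -n 's|^[[:space:]]*simple_allow_groups[[:space:]]*=[[:space:]]*||p' "$conf" | head -n 1)
    [ "$provider" = "simple" ] \
        || { echo "access_provider is '$provider', not simple" >&2; return 1; }
    case ",$(printf '%s' "$allowed" | tr -d ' ')," in
        *",$group,"*) return 0 ;;
        *) echo "$group is not in simple_allow_groups" >&2; return 1 ;;
    esac
}

# Constructed fragment of the [domain/...] section after "realm permit -g".
SSSD_CONF="${SSSD_CONF:-$(mktemp)}"
cat > "$SSSD_CONF" <<'EOF'
[domain/osttoday.com]
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = linuxadmin@osttoday.com
EOF

write_sudoers_dropin "$SUDOERS_DIR" "$AD_GROUP" linuxadmin
validate_sudoers_dropin "$SUDOERS_DIR/linuxadmin" \
    || echo "fix $SUDOERS_DIR/linuxadmin before relying on it" >&2
check_access_restriction "$SSSD_CONF" "$AD_GROUP" && echo "$AD_GROUP may log in"
```

The allow-list check is the part worth keeping around: if someone later switches access_provider back to ad (for example to use GPO-based logon rights), the simple_allow_groups line stays in the file but no longer restricts anything, and this check reports that.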