Join CentOS 7/8 to a Windows domain using adcli

In this tutorial, you will use adcli to join a Linux client (RHEL/CentOS 7/8) to a Windows Active Directory domain. adcli works together with the System Security Services Daemon (SSSD) to connect CentOS/RHEL 7/8 systems to the Microsoft Active Directory domain; these are the two components required to connect CentOS/RHEL 7/8 systems to Active Directory (AD).

SSSD talks to the central identity and authentication source, adcli discovers the available domains and joins them, and the underlying RHEL system service (SSSD in this case) must then be configured manually to connect to the domain.

Overview of integrating Linux with Windows domains using SSSD

The System Security Services Daemon (sssd) provides a set of daemons that manage access to, and authentication against, remote directories; in this example the directory is Active Directory. The sssd service provides the system with NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces, a modular back end that can connect to several different account sources, and D-Bus interfaces.

SSSD looks up accounts in the remote Active Directory through LDAP and authenticates against the AD domain through Kerberos. LDAP account lookups are reached through the /usr/lib64/libnss_sss.so.2 NSS module, as referenced in /etc/nsswitch.conf, and authentication goes through the /lib64/security/pam_sss.so PAM module.

We use SSSD to access the user directory for authentication and authorization through a common framework with a user cache to allow offline login. SSSD is the recommended component for connecting RHEL systems to one of the following types of identity servers:

  • Active Directory
  • Identity Management in RHEL (IdM)
  • Any generic LDAP or Kerberos server

Overview of laboratory environment

To demonstrate joining CentOS 8 to a Windows domain controller (Active Directory), this article uses a Linux server with CentOS 8 installed.

The lab has a Microsoft Server 2012 R2 Active Directory domain controller with the IP address 192.168.0.107 and a CentOS 8 host with the IP address 192.168.0.117. This article therefore assumes a pre-configured Windows Active Directory.

Prerequisites for adding Linux to a Windows AD domain

Important:

Before joining Linux to a Windows domain, make sure that the time service and the DNS service have been set up.

Update /etc/resolv.conf

Ensure that the RHEL/CentOS client machine can resolve the Active Directory servers. To do this, update /etc/resolv.conf:

# cat /etc/resolv.conf
search golinuxcloud.com
nameserver 192.168.0.107

Verify domain name resolution

Verify that the client can resolve the domain name:

# nslookup golinuxcloud.com
Server:         192.168.0.107
Address:        192.168.0.107#53

Name:   golinuxcloud.com
Address: 192.168.0.107

Verify the configuration of name resolution. In particular, verify DNS SRV records.

# host -t SRV _kerberos._udp.golinuxcloud.com.
_kerberos._udp.golinuxcloud.com has SRV record 0 100 88 win-71humtros3m.golinuxcloud.com.

# host -t SRV _ldap._tcp.golinuxcloud.com.
_ldap._tcp.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.

# host -t SRV _ldap._tcp.dc._msdcs.golinuxcloud.com
_ldap._tcp.dc._msdcs.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.

Ensure support for common encryption types in AD and RHEL

By default, SSSD supports RC4, AES-128, and AES-256 Kerberos encryption types.

RC4 encryption has been deprecated and disabled by default in CentOS/RHEL 8 because it is considered less secure than the newer AES-128 and AES-256 encryption types. If you are using RHEL/CentOS 7, you can ignore this step.

If your domain controller still requires RC4, see the separate article on fixing "KDC has no support for encryption type", which explains how to enable RC4 encryption on the client.

For more information, see access.redhat.com: Ensuring support for common encryption types in AD and RHEL.

Install package (RHEL/CentOS 8)

The following packages need to be installed on the CentOS/RHEL 8 client node:

# dnf -y install adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

Installation package (RHEL/CentOS 7)

The following packages need to be installed on the CentOS/RHEL 7 client node:

# yum -y install adcli sssd authconfig oddjob oddjob-mkhomedir samba-common-tools krb5-workstation

A brief overview of these packages:

  • samba-common-tools: shared tools used by both the Samba server and client
  • oddjob: a D-Bus service that runs privileged helper jobs on behalf of clients
  • oddjob-mkhomedir: used together with the oddjob service to create a home directory for an AD account on first login, if necessary
  • sssd: the System Security Services Daemon, which handles client authentication against the remote identity source
  • adcli: tools for joining and managing AD domains
  • krb5-workstation: provides the Kerberos klist command for verifying Kerberos-related configuration.

Using adcli to join Linux to a Windows domain

Discover AD domains

You can use the adcli info command, which displays discovered information about Active Directory domains or Active Directory domain controllers.

# adcli info golinuxcloud.com
[domain]
domain-name = GOLINUXCLOUD.COM
domain-short = GOLINUXCLOUD
domain-forest = GOLINUXCLOUD.COM
domain-controller = WIN-71HUMTROS3M.GOLINUXCLOUD.COM
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = WIN-71HUMTROS3M.GOLINUXCLOUD.COM
[computer]
computer-site = Default-First-Site-Name

Join RHEL/CentOS 7/8 system to Windows AD domain

adcli join creates a computer account in the domain for the local machine and writes a keytab for it. It does not configure authentication services (such as sssd).

# adcli join golinuxcloud.com
Password for Administrator@GOLINUXCLOUD.COM:
adcli: couldn't connect to golinuxcloud.com domain: Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type

What we get here is the error "KDC has no support for encryption type": the domain controller still uses RC4 encryption, which has to be enabled on the client as noted in the prerequisites section. The error is shown deliberately to illustrate what happens when AES encryption is not used on the domain controller.

Therefore, update the encryption policy on the client and retry the adcli join command. By default it prompts for the Administrator password, but you can specify another user with the -U <user> (--login-user) option:

# adcli join golinuxcloud.com
Password for Administrator@GOLINUXCLOUD.COM:

You can use klist -kte to list the keytab, which should show several entries containing the client hostname in some form, together with the encryption type of each key:

# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 host/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 RestrictedKrbHost/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
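As an added check that is not part of the original article, the following script parses klist -kte output and flags keys that still use the deprecated RC4 (arcfour) enctype, so you can see at a glance whether a join produced AES-only keys. The function names are my own and the embedded sample is constructed from three lines of the listing above.

```shell
#!/bin/sh
# Added example (not from the original article): audit the encryption types that
# "klist -kte" reports for the machine keytab and flag deprecated RC4 (arcfour) keys.
# Functions read klist output on stdin, so a saved report can be checked offline.

# Emit "principal enctype" pairs, one per entry line, e.g.
#    2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
        enc = $NF; gsub(/[()]/, "", enc); print $4, enc
    }'
}

# Count keys whose enctype is RC4/arcfour or that klist itself marks DEPRECATED.
count_deprecated_keys() {
    keytab_entries | awk '$2 ~ /DEPRECATED|arcfour|rc4/ { n++ } END { print n + 0 }'
}

# List the distinct principals and return 1 if any deprecated key is present.
audit_keytab_enctypes() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    echo "Principals in keytab:"
    keytab_entries < "$tmp" | awk '{ print "  " $1 }' | sort -u
    bad=$(count_deprecated_keys < "$tmp")
    rm -f "$tmp"
    if [ "$bad" -gt 0 ]; then
        echo "WARNING: $bad key(s) use a deprecated enctype; drop RC4 once the DC allows AES-only"
        return 1
    fi
    echo "OK: only AES keys present"
}

# Constructed sample mirroring three lines of the article's "klist -kte" output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/centos8.golinuxcloud.com@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)'

# Demo on the sample; on a joined host run:  klist -kte | audit_keytab_enctypes
if printf '%s\n' "$SAMPLE_KLIST" | audit_keytab_enctypes; then
    echo "keytab audit passed"
else
    echo "keytab audit flagged deprecated keys"
fi
```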

Configure Kerberos (/etc/krb5.conf)

Unlike realmd, adcli does not automatically configure SSSD and Kerberos, so you must configure these services manually to work with the AD domain. After editing the file and removing the commented-out fields, only your realm and KDC settings should remain.

Tips:

Do not copy the entire output and paste it into your krb5.conf file; simply replace EXAMPLE.COM with your own domain to update the REALM.
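The following helper is an added example, not the article's own file or screenshot: it writes a minimal krb5.conf for the lab realm from the realm and domain-controller values that adcli info reported, so nothing has to be pasted from a template. The function names write_krb5_conf and verify_krb5_conf are my own, and the demo writes to a temporary file rather than /etc/krb5.conf.

```shell
#!/bin/sh
# Added example (not from the original article): write a minimal /etc/krb5.conf for
# the realm and domain controller that "adcli info" reported, instead of pasting a
# template. Usage: write_krb5_conf REALM DC_FQDN OUTFILE

write_krb5_conf() {
    realm=$1; dc=$2; out=$3
    # The [domain_realm] mapping uses the lower-case DNS domain; the realm stays upper-case.
    dom=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # rdns = false keeps libkrb5 from rewriting host names via reverse DNS
    # when it builds service principal names for the AD KDC.
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$dom = $realm
    $dom = $realm
EOF
}

# Sanity check that the file names the realm and maps the DNS domain to it.
verify_krb5_conf() {
    f=$1; realm=$2
    dom=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    grep -q "^[[:space:]]*default_realm = $realm\$" "$f" || return 1
    grep -q "^[[:space:]]*\.$dom = $realm\$" "$f" || return 1
}

# Demo with the lab values from the article; on a real client write to /etc/krb5.conf.
out=${TMPDIR:-/tmp}/krb5.conf.example
write_krb5_conf GOLINUXCLOUD.COM win-71humtros3m.golinuxcloud.com "$out"
verify_krb5_conf "$out" GOLINUXCLOUD.COM && echo "wrote $out"
```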

Configuring NSS and PAM

The Name Service Switch (NSS) configuration file /etc/nsswitch.conf is used by the various NSS libraries, one of which is /usr/lib64/libnss_sss.so.2. For a series of categories, the file determines the sources from which name service information is obtained and the order in which they are consulted. Each category is identified by a database name; for example, hosts for name resolution and passwd for locating user accounts.

The relevant PAM modules are configured through PAM service files in the /etc/pam.d directory. A service can be configured in a single file, such as /etc/pam.d/login, or through a common file referenced by many services (for example, /etc/pam.d/system-auth-ac).

On RHEL/CentOS 7

Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stack (/etc/pam.d/password-auth and /etc/pam.d/system-auth):

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

The above command modifies /etc/nsswitch.conf, /etc/pam.d/password-auth and /etc/pam.d/system-auth, adding the necessary entries. Next, enable and start (or restart) the oddjobd service:

# systemctl enable --now oddjobd.service

On RHEL/CentOS 8

authconfig is replaced by authselect in RHEL/CentOS 8. So we will use authselect to configure the respective PAM and NSS files we discussed in the previous section.

# authselect select sssd with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2021-03-02-12-08-32.O2GvBy
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Next, enable and start (or restart) the oddjobd service:

# systemctl enable --now oddjobd.service

Check for sss in /etc/nsswitch.conf to see all databases that are served by the SSSD library. The grep command isolates these entries:

# grep sss /etc/nsswitch.conf
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files

The database name is explained here:

  • passwd: this specifies the user account
  • shadow: this represents password information
  • group: this specifies the group account
  • services: this indicates service name resolution
  • netgroup: this specifies host groups that can be used in access control rules
  • automount: this indicates that autofs can automatically mount directories

Use grep again to display how sssd is wired into PAM, by filtering for sss in /etc/pam.d/password-auth and /etc/pam.d/system-auth:

# grep sss /etc/pam.d/*
/etc/pam.d/password-auth:auth        sufficient                                   pam_sss.so forward_pass
/etc/pam.d/password-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth:password    sufficient                                   pam_sss.so use_authtok
/etc/pam.d/password-auth:session     optional                                     pam_sss.so
/etc/pam.d/system-auth:auth        sufficient                                   pam_sss.so forward_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth:password    sufficient                                   pam_sss.so use_authtok
/etc/pam.d/system-auth:session     optional                                     pam_sss.so

You can see that pam_sss.so is used in all four PAM management groups:

  • auth: used during authentication
  • account: used for account restrictions
  • password: used for password change events
  • session: used during the login session

Configure SSSD

Using realmd would automatically create and populate the SSSD configuration file /etc/sssd/sssd.conf, but with adcli you must create and update this file manually. Edit /etc/sssd/sssd.conf and define a domain (if the file does not exist, create it):

# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = GOLINUXCLOUD.COM

[domain/GOLINUXCLOUD.COM]
id_provider = ad
override_homedir = /home/%d/%u
debug_level = 0
ldap_sasl_authid = SHORT_HOSTNAME$

[nss]
override_shell=/bin/bash

[pam]

Ensure that /etc/sssd/sssd.conf is owned by root:root with permissions of 600:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

# ls -l /etc/sssd/sssd.conf
-rw-------. 1 root root 208 Mar  2 17:39 /etc/sssd/sssd.conf

Enable and start (or restart) the SSSD service:

# systemctl enable sssd
# systemctl restart sssd

Check the sssd service status:

Log in as an Active Directory user on a Linux client

Try logging in to the Linux client using a Windows AD user and verify that the home directory is automatically created. But first, check whether the Linux client can obtain the user details of AD users:

# id GOLINUXCLOUD\\Administrator
uid=111800500(administrator) gid=111800513(domain users) groups=111800513(domain users),111800520(group policy creator owners),111800512(domain admins),111800572(denied rodc password replication group),111800518(schema admins),111800519(enterprise admins)

The AD administrator user is resolved by the Linux client, so try switching to that user:

# su - GOLINUXCLOUD\\Administrator
Creating home directory for administrator.
Last login: Tue Mar  2 17:41:26 IST 2021 on pts/0
$ exit
logout
#

Create / delete Active Directory Users

adcli create-user is of limited use: it can create users, but it cannot enable the account or set a password for the new user, so it is less useful than some other tools that build on adcli.

Here, we create an AD user "Amit Kumar" with the user name amit:

# adcli create-user amit --domain=GOLINUXCLOUD.COM --display-name="Amit Kumar"
Password for Administrator@GOLINUXCLOUD.COM:

If you now look at this user in Microsoft AD, the account is disabled.

So you must first assign a password to this user: right-click the user, click Reset Password, provide the password and click OK.

To enable the account, right-click the user and select Enable Account.

You can now try logging in with this new user on the Linux client:

# id GOLINUXCLOUD\\amit
uid=111801121(amit) gid=111800513(domain users) groups=111800513(domain users)

# su - GOLINUXCLOUD\\amit
Creating home directory for amit.
$ logout

To delete the account you just created, use the following command:

# adcli delete-user --domain=golinuxcloud.com amit

There are many more commands that can be used with adcli. For more information, check the adcli man page.

Summary

In this article, we studied how to use Active Directory as the identity store to utilize users and groups on Linux. The simplicity of this setup makes it a very useful and much needed solution for enterprises around the world.

Some groundwork is needed first: setting up time synchronisation and DNS. Once that is done, you can use the adcli command to join the domain and configure sssd to use Active Directory as the identity source.

With the RHEL system in the AD domain, adcli can be used to manage the domain to some extent, and AD users can access the Linux command line through the console or SSH.

Posted by HiddenS3crets on Sat, 04 Jun 2022 00:19:58 +0530