CentOS login Authentication with Microsoft Active Directory

With several Operating Systems (OSs) in the data center, system administrators must maintain a separate authentication database for each. To simplify this, Linux/Unix servers can be joined to a Windows Active Directory (AD) domain, which ties the whole infrastructure into one authentication database. Once a Linux/Unix server is integrated with AD, domain users can log on to it with their AD credentials.

Testing Environment:

  • Domain Controller:           Windows Server 2012 R2
  • Domain Name:                  lab3.seedsofgenius.local
  • Linux host/server:            CentOS7

Procedures:

  • Login to the Linux host/server as root.
  • Install required packages
# yum install realmd sssd adcli

Some information about these packages:

          – realmd: a D-Bus system service that discovers and enrolls the host in Kerberos realms and domains such as Microsoft AD or FreeIPA (Identity, Policy, Audit; the equivalent domain controller for Linux/UNIX environments).

          – sssd (System Security Services Daemon): "provides a set of daemons to manage access to remote directories and authentication mechanisms."

          – adcli: "a library and tool for joining an AD domain using standard LDAP and Kerberos calls."

  • Join the Linux host/server to the Active Directory domain (the command prompts for the password of the AD Administrator account; pass -U [account] to join with another account that is allowed to create computer objects)
# realm join lab3.seedsofgenius.local
  • You can verify that the host has joined the domain by running realm list, which returns output similar to the following:
# realm list
lab3.seedsofgenius.local
  type: kerberos
  realm-name: LAB3.SEEDSOFGENIUS.LOCAL
  domain-name: lab3.seedsofgenius.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-realm-logins

Notes: Once the Linux server has joined the domain, you can log on to it with AD credentials. By default, however, every domain object (users, groups, computers, etc.) must be referred to by its fully qualified name, i.e. user@domain. For example, to log on to the Linux server remotely over ssh, use the following syntax:

 ssh [user]@[Domain_name]@[Linux_host_name]

Another example is resetting the password of a domain user:

# passwd [user] will not find the user, while

# passwd [user]@[Domain_name] will.

You can avoid having to specify the domain name for every domain object by changing the sssd configuration as follows:

  • Open /etc/sssd/sssd.conf with a text editor such as vi (the file must stay owned by root with mode 0600, or sssd will refuse to start)
# vi /etc/sssd/sssd.conf
  • In the [domain/lab3.seedsofgenius.local] section, change use_fully_qualified_names from True to False

use_fully_qualified_names = False

Notes: With this set to False, domain objects no longer need the domain suffix. For instance, you can log on remotely with:

 ssh [user]@[Linux_host_name]

Be aware that short names are then resolved in the order given in /etc/nsswitch.conf (local files before sss), so a local account with the same name as a domain account takes precedence over it; keep fully qualified names if that ambiguity matters in your environment.
  • Restart the sssd service so the change to /etc/sssd/sssd.conf takes effect
# systemctl restart sssd
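The sssd-side procedure above (check the join with realm list, flip use_fully_qualified_names, keep the permissions sssd requires, restart the service) as an added shell example. This script is not part of the original article and is not realmd's or sssd's own code; it works on a constructed sssd.conf that mirrors what realm join writes for the lab domain, and the script name sssd-fqn.sh and its apply argument are assumptions. Run it with apply as root on a joined host; without arguments it only defines the functions, so it can be exercised offline against the sample file:

```shell
#!/bin/bash
# Added example for this article (not realmd/sssd code): apply the
# use_fully_qualified_names change without hand-editing sssd.conf, keep the
# file permissions sssd requires, and check `realm list` output for a join.
set -eu

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"   # assumed default path

# Write a constructed sssd.conf, shaped like the one realm join produces for
# the lab domain, to the path given so the functions can be tested offline.
make_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = lab3.seedsofgenius.local
config_file_version = 2
services = nss, pam

[domain/lab3.seedsofgenius.local]
ad_domain = lab3.seedsofgenius.local
krb5_realm = LAB3.SEEDSOFGENIUS.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

# Print the value of use_fully_qualified_names from the [domain/...] section.
get_fqn() {
  awk -F= '
    /^\[/ { indom = ($0 ~ /^\[domain\//) }
    indom && $1 ~ /^[[:space:]]*use_fully_qualified_names[[:space:]]*$/ {
      gsub(/[[:space:]]/, "", $2); print $2
    }' "$1"
}

# Set use_fully_qualified_names = <value> in every [domain/...] section,
# adding the key if it is missing, and leave every other key untouched.
# sssd refuses to start unless sssd.conf is root-owned with mode 0600, so
# the permissions are restored after the rewrite.
set_fqn() {
  local conf="$1" value="$2" tmp
  tmp="$(mktemp)"
  awk -v val="$value" '
    /^\[/ {
      if (indom && !done) print "use_fully_qualified_names = " val
      indom = ($0 ~ /^\[domain\//); done = 0
    }
    indom && /^[[:space:]]*use_fully_qualified_names[[:space:]]*=/ {
      print "use_fully_qualified_names = " val; done = 1; next
    }
    { print }
    END { if (indom && !done) print "use_fully_qualified_names = " val }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"   # rewrite in place, keeping owner and inode
  rm -f "$tmp"
  chmod 0600 "$conf"
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$conf"; fi
}

# Return 0 if `realm list` output (passed as $1) shows an sssd-based
# kerberos-member join, i.e. the state the article's sample output shows.
joined_as_member() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*configured: kerberos-member$' &&
    printf '%s\n' "$1" | grep -q '^[[:space:]]*client-software: sssd$'
}

# Usage on a joined host (as root):  ./sssd-fqn.sh apply
if [ "${1:-}" = "apply" ]; then
  joined_as_member "$(realm list)" || { echo "host is not joined to a domain" >&2; exit 1; }
  set_fqn "$SSSD_CONF" False
  systemctl restart sssd
  echo "use_fully_qualified_names is now $(get_fqn "$SSSD_CONF")"
fi
```

The awk rewrite touches only the key inside [domain/...] sections, so an accidental edit of the [sssd] section or of other domain keys is avoided, and the in-place copy keeps the file's owner and inode, which matters because sssd checks both the owner and the 0600 mode before it starts.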


Additional Note(s):

  • The default join policy is allow-realm-logins (see the login-policy line in the realm list output above), so every domain user can log on to the server. Use realm permit to restrict logins to particular users or groups (and realm deny --all to start from a deny-all policy), then confirm the change in the login-policy line of realm list.
  • To leave the domain, use the following command (add --remove to also delete the computer account from AD, which prompts for AD credentials)
# realm leave lab3.seedsofgenius.local

    ABOUT US
    Seeds of Genius, Inc. offers a full range of IT solutions including hardware and software products in addition to consulting, installation and support services. For more information, please visit our main web site at http://www.seedsofgenius.com or contact our Technical Sales department at (410) 312-9806.