I) Create a user linuxsso in AD and add it to the Administrators group (or to a group that has the privilege to join machines to the domain).
II) Install the prerequisite RPMs:
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
Note: for this configuration the essential package is realmd. Realmd provides a simplified way to discover and interact with Active Directory domains. It employs sssd to do the actual lookups required for remote authentication and the other heavy work of interacting with the domain.
III) Add the domain controller as the DNS server in /etc/resolv.conf:
[root@linux ~]# cat /etc/resolv.conf
search demo.example.com
nameserver 10.0.2.18
IV) Create the DNS record for the Linux machine on the DNS server.
V) Ensure that the Linux node and the AD domain controller are both resolvable through nslookup:
[root@linux ~]# nslookup WIN-FRIG2LT3VIU.demo.example.com
Server: 10.0.2.18
Address: 10.0.2.18#53

Name: WIN-FRIG2LT3VIU.demo.example.com
Address: 10.0.2.18

[root@linux ~]# nslookup linux.demo.example.com
Server: 10.0.2.18
Address: 10.0.2.18#53

Name: linux.demo.example.com
Address: 10.0.2.22

VI) Realmd (interacting with the domain)
Now that all packages have been installed, the first thing to do is to join the CentOS system to the Active Directory domain. We use the realm application for that. The realm client is installed at the same time as realmd. It is used to join, remove, control access, and accomplish many other tasks. Here is the expected syntax for a simple domain join:
Ex: realm join --user=[domain user account] [domain name]
realm join --user=linuxsso demo.example.com
Output:
VII) Check the realm list output:
[root@linux network-scripts]# realm list
demo.example.com
  type: kerberos
  realm-name: DEMO.EXAMPLE.COM
  domain-name: demo.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@demo.example.com
  login-policy: allow-realm-logins
[root@linux network-scripts]#
Also check that the Linux machine is visible as a computer object on the domain controller.
VIII) Update /etc/sssd/sssd.conf with additional parameters
default_domain_suffix: set this to the domain name if you do not want to type the fully qualified user name when logging in. Instead of always typing linuxsso@demo.example.com, you can type just linuxsso and the password. This helps a lot when the domain name is long.
fallback_homedir = /home/%u: change this from the default value, which would be /home/%u@%d. We are changing it because the default setting would create the home directory as /home/linuxsso@demo.example.com, which is not user friendly; /home/%u creates /home/linuxsso as the home directory instead.
Latest sssd.conf:
[root@linux home]# cat /etc/sssd/sssd.conf

[sssd]
domains = demo.example.com
config_file_version = 2
services = nss, pam
ldap_referrals = false
default_domain_suffix = demo.example.com


[domain/demo.example.com]
ad_domain = demo.example.com
krb5_realm = DEMO.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
[root@linux home]#

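The two checks in sections VII and VIII (the realm list state and the sssd.conf settings) are easy to script so they can be re-run after every rebuild. The script below is an added example, not part of the original post or of realmd/sssd. It assumes saved `realm list` output and an sssd.conf in the format shown above; the two sample files it creates are constructed copies of the post's own output, so it runs offline, and on a real host you would point it at `realm list > file` and the live /etc/sssd/sssd.conf instead. The one setting it treats as mandatory for security reasons is access_provider = ad: without it sssd does not apply AD's account controls (disabled or expired accounts, logon hours), so any user sssd can resolve is allowed to log in.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a realmd/sssd
# Active Directory member. The sample inputs are CONSTRUCTED copies of the
# `realm list` output and /etc/sssd/sssd.conf shown in the post.

# check_realm_output FILE DOMAIN
# Returns 0 when FILE (saved `realm list` output) shows DOMAIN joined as a
# kerberos member backed by sssd with realm logins allowed; prints each miss.
check_realm_output() {
    file=$1; domain=$2; rc=0
    grep -qxF "$domain" "$file" || { echo "realm: $domain is not listed"; rc=1; }
    for want in "configured: kerberos-member" "client-software: sssd" \
                "server-software: active-directory" "login-policy: allow-realm-logins"; do
        grep -qx "[[:space:]]*$want" "$file" || { echo "realm: missing '$want'"; rc=1; }
    done
    return $rc
}

# sssd_get FILE SECTION KEY  -> prints the value of KEY inside [SECTION]
sssd_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { in_sect = ($0 == sect); next }
        in_sect && $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# check_sssd_conf FILE DOMAIN
# Verifies the settings the post relies on; access_provider = ad is the one
# that makes sssd honour AD account controls, so it is checked like the rest.
check_sssd_conf() {
    conf=$1; domain=$2; sect="domain/$domain"; bad=0
    case ",$(sssd_get "$conf" sssd domains | tr -d ' ')," in
        *",$domain,"*) ;;
        *) echo "sssd: $domain is not in [sssd] domains"; bad=1 ;;
    esac
    while read -r s k v; do
        got=$(sssd_get "$conf" "$s" "$k")
        [ "$got" = "$v" ] || { echo "sssd: [$s] $k = '$got', expected '$v'"; bad=1; }
    done <<EOF
sssd default_domain_suffix $domain
$sect id_provider ad
$sect access_provider ad
$sect fallback_homedir /home/%u
$sect use_fully_qualified_names True
EOF
    return $bad
}

# --- constructed sample inputs (copied from the post's output) ---------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
SAMPLE_REALM=$tmp/realm-list.txt
cat > "$SAMPLE_REALM" <<'EOF'
demo.example.com
  type: kerberos
  realm-name: DEMO.EXAMPLE.COM
  domain-name: demo.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: sssd
  login-formats: %U@demo.example.com
  login-policy: allow-realm-logins
EOF
SAMPLE_CONF=$tmp/sssd.conf
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = demo.example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = demo.example.com

[domain/demo.example.com]
ad_domain = demo.example.com
krb5_realm = DEMO.EXAMPLE.COM
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
EOF
# Weakened copy (constructed) with access_provider removed: must be rejected.
SAMPLE_CONF_WEAK=$tmp/sssd-weak.conf
grep -v '^access_provider' "$SAMPLE_CONF" > "$SAMPLE_CONF_WEAK"

check_realm_output "$SAMPLE_REALM" demo.example.com && echo "realm list: OK"
check_sssd_conf "$SAMPLE_CONF" demo.example.com && echo "sssd.conf: OK"
check_sssd_conf "$SAMPLE_CONF_WEAK" demo.example.com || echo "weak sssd.conf rejected"
```

On a joined host, `realm list > /tmp/realm.txt; check_realm_output /tmp/realm.txt demo.example.com; check_sssd_conf /etc/sssd/sssd.conf demo.example.com` gives a non-zero exit on the first deviation, which is what you want from a check wired into configuration management.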
IX) Make sure you test AD username resolution by running the id command:
[root@linux home]# id linuxsso
uid=1242601103(linuxsso@demo.example.com) gid=1242600513(domain users@demo.example.com) groups=1242600513(domain users@demo.example.com)
[root@linux home]#
X) Verify that authentication for an Active Directory user is successful.
Note: type the realm name in upper-case letters.
If everything was configured correctly, a ticket will be created:
[root@linux home]# kinit linuxsso@DEMO.EXAMPLE.COM
Password for linuxsso@DEMO.EXAMPLE.COM:
[root@linux home]# echo $?
0
[root@linux home]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: linuxsso@DEMO.EXAMPLE.COM

Valid starting       Expires              Service principal
06/05/2022 17:23:56  06/06/2022 03:23:56  krbtgt/DEMO.EXAMPLE.COM@DEMO.EXAMPLE.COM
        renew until 06/12/2022 17:23:53
