This is a tutorial on logging in to a Linux server with an Active Directory user.
For this tutorial we have the following devices:
- Active Directory Server: IP 10.0.0.4
- Linux Server: IP 10.0.0.5
Installation of Active Directory
- We need a Windows server and add the Active Directory Domain Services role to it.
- Configure the domain.
In this case the domain name is: lab.local
Then Next > Install. Afterwards, the server will reboot.
Check Connectivity
- Ensure the Linux server (in this case CentOS 7) responds to the domain, i.e. it resolves the domain name and can reach the Active Directory server.
Install requirements in Linux
- Install the following packages to ensure a proper integration:
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
## Join the server to the Active Directory
- With an Active Directory account, execute this command:
realm join --user=[userAD] [domain name]
- Check that the server was joined by typing these commands:
realm list
id [userAD]@[domain name]
- Check that the server's computer object appears in AD.
- Modify the sssd configuration.
Modify the file /etc/sssd/sssd.conf from this:
to this:
This is done to allow authentication without the domain name.
- Restart the sssd service.
- Check that you can request user information without writing
user@domain
with this command: id [userAD]
Auth with an AD user in the Linux Server
We can do this over SSH. However, for this example I used only the su
command.
Security Consideration
At this point all users from the Active Directory domain can log in to the Linux server. However, they do not have sudo privileges. From a security point of view, we need to ensure that only allowed users can access the server, not everyone. To achieve that, we need to do the following steps:
- Deny access for all users with this command:
realm deny --all
- Permit specific users or groups from Active Directory with these commands:
realm permit [user]@domain_name
realm permit -g [groupname]@domain_name
- Restart the sssd service.
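Both the change to /etc/sssd/sssd.conf made in the join section (use_fully_qualified_names, so that id [userAD] works without the domain suffix) and the realm deny/permit steps above end up in the [domain/...] section of that same file: with sssd, realm permit writes access_provider = simple together with the simple_allow_users and simple_allow_groups lists. The script below is an added example, not part of the original tutorial, that audits such a file for those two settings. The two configuration texts are constructed samples laid out the way realmd writes them (the key names are sssd's own; their order is an assumption), and the helper names sssd_get, sssd_short_names, sssd_access_restricted and report are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the [domain/...]
# section of an sssd.conf for the two settings the tutorial changes,
# use_fully_qualified_names and the realm permit/deny allow lists.

# Constructed sample: the file as realmd leaves it right after "realm join".
SSSD_AFTER_JOIN='[sssd]
domains = lab.local
config_file_version = 2
services = nss, pam

[domain/lab.local]
ad_domain = lab.local
krb5_realm = LAB.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
'

# Constructed sample: after setting use_fully_qualified_names = False and
# running "realm deny --all", "realm permit alice@lab.local" and
# "realm permit -g linux-admins@lab.local" (alice and linux-admins are
# made-up names).
SSSD_RESTRICTED='[sssd]
domains = lab.local
config_file_version = 2
services = nss, pam

[domain/lab.local]
ad_domain = lab.local
krb5_realm = LAB.LOCAL
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_users = alice@lab.local
simple_allow_groups = linux-admins@lab.local
'

# sssd_get CONFIG KEY: print KEY's value from the first [domain/...] section
# (surrounding blanks trimmed), or nothing if the key is absent there.
sssd_get() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '
    /^[ \t]*\[/ { section = $0; next }
    { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
    index(section, "[domain/") == 1 && key == k {
      val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      print val; exit
    }'
}

# sssd_short_names CONFIG: succeed when users can log in as "alice"
# instead of "alice@lab.local".
sssd_short_names() {
  [ "$(sssd_get "$1" use_fully_qualified_names)" = "False" ]
}

# sssd_access_restricted CONFIG: succeed only when logins are limited to an
# explicit allow list (access_provider = simple with a non-empty
# simple_allow_users or simple_allow_groups). Anything else, including the
# default "ad" provider, is reported as open so that a human reviews it.
sssd_access_restricted() {
  [ "$(sssd_get "$1" access_provider)" = "simple" ] || return 1
  [ -n "$(sssd_get "$1" simple_allow_users)" ] ||
    [ -n "$(sssd_get "$1" simple_allow_groups)" ]
}

# report CONFIG LABEL: one-line summary of both checks.
report() {
  if sssd_short_names "$1"; then
    fq="short names allowed"
  else
    fq="domain suffix required"
  fi
  if sssd_access_restricted "$1"; then
    ac="restricted to allow list"
  else
    ac="OPEN: every domain user may log in"
  fi
  printf '%s: %s; %s\n' "$2" "$fq" "$ac"
}

report "$SSSD_AFTER_JOIN" after-join
report "$SSSD_RESTRICTED" restricted
```

To check a real server, replace the two sample calls with report "$(cat /etc/sssd/sssd.conf)" live. The check is deliberately strict: only access_provider = simple with a non-empty allow list counts as restricted, so a server that keeps the ad provider is flagged as open and needs a manual look, which matches the situation described above where every domain user could log in right after the join.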