October 8, 2020

Join CentOS Linux to AD, give AD group sudo access

A short guide on how to join CentOS Linux to AD and give an AD group sudo access

Install the following:
sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

Make sure /etc/resolv.conf points at a domain controller, so the domain name resolves.

Join the domain with this command:
sudo realm join --user=administrator domain.local

The /etc/sssd/sssd.conf and /etc/krb5.conf files will be configured automatically.

Move the CentOS Computer Object to the correct OU.

Switch PasswordAuthentication from no to yes in /etc/ssh/sshd_config by commenting out the existing line with #.

Modify /etc/sssd/sssd.conf with the following:
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_access_filter = (memberOf=cn=<groupname>,ou=<groups OU>,ou=<parent OU>,dc=domain,dc=local)

Respectively, the last two lines drop the domain suffix from the user's home directory path, and restrict logins to a single AD group for security.

Add the following to /etc/sudoers to allow sudo access to the group:
%domain.local\\<groupname> ALL=(ALL)       ALL

Restart both sssd and sshd:
systemctl restart sssd
systemctl restart sshd

Try logging in with a user from the AD group specified above. If you attempt a login with a user outside the group, the server should immediately close the connection.
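The following is an added example, not part of the original post: a read-only sanity check of the hand-edited settings from the steps above. It parses an sssd.conf-style file for the three lines the guide adds, confirms that access_provider is ad (otherwise ad_access_filter is not enforced), and confirms that the group named in the access filter is the same group given sudo in the sudoers rule. It runs against constructed sample files so it works offline; the group, OU and domain names (linux-admins, Groups, Corp, domain.local) are placeholders, not values from the post.

```sh
#!/bin/sh
# Added example, not part of the original post: a read-only check of the
# settings the guide asks you to hand-edit after "realm join". Everything runs
# against constructed sample files so it works offline; on a joined host, call
# the check functions with /etc/sssd/sssd.conf and /etc/sudoers instead.
# Group, OU and domain names below are placeholders, not values from the post.

SAMPLE_SSSD_CONF=$(mktemp)
SAMPLE_SUDOERS=$(mktemp)
SAMPLE_SSSD_OPEN=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD_CONF" "$SAMPLE_SUDOERS" "$SAMPLE_SSSD_OPEN"' EXIT

# Constructed sssd.conf shaped like the [domain/...] section realm join writes,
# plus the three lines from the guide.
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
cache_credentials = True
id_provider = ad
ldap_id_mapping = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ad_access_filter = (memberOf=cn=linux-admins,ou=Groups,ou=Corp,dc=domain,dc=local)
EOF

# Same file with the access filter left out: every AD user could log in.
grep -v '^ad_access_filter' "$SAMPLE_SSSD_CONF" > "$SAMPLE_SSSD_OPEN"

# Constructed sudoers fragment with the guide's rule (backslash doubled, as sudoers needs).
cat > "$SAMPLE_SUDOERS" <<'EOF'
root    ALL=(ALL)       ALL
%domain.local\\linux-admins ALL=(ALL)       ALL
EOF

# sssd_value FILE KEY: print the value of KEY (last occurrence wins), empty if absent.
sssd_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# filter_group FILE: the cn= of the group named in ad_access_filter, empty if none.
filter_group() {
  sssd_value "$1" ad_access_filter | sed -n 's/^(memberOf=cn=\([^,]*\),.*$/\1/p'
}

# check_sssd_conf FILE: 0 if the guide's three settings are present and will take effect.
check_sssd_conf() {
  f="$1"; rc=0
  [ "$(sssd_value "$f" use_fully_qualified_names)" = "False" ] ||
    { echo "use_fully_qualified_names is not False"; rc=1; }
  [ "$(sssd_value "$f" fallback_homedir)" = "/home/%u" ] ||
    { echo "fallback_homedir is not /home/%u"; rc=1; }
  [ -n "$(filter_group "$f")" ] ||
    { echo "ad_access_filter missing or not a (memberOf=cn=...) filter: any AD user can log in"; rc=1; }
  # The filter is only honoured by the AD access provider (realm join sets this).
  [ "$(sssd_value "$f" access_provider)" = "ad" ] ||
    { echo "access_provider is not ad, so ad_access_filter would be ignored"; rc=1; }
  return $rc
}

# check_sudoers_rule FILE GROUP DOMAIN: 0 if a "%DOMAIN\\GROUP ALL=(ALL) ALL" line exists.
check_sudoers_rule() {
  want="%$3\\\\$2"   # the shell turns \\\\ into the two literal backslashes sudoers expects
  while read -r who host cmd rest; do
    [ "$who" = "$want" ] && [ "$host" = "ALL=(ALL)" ] && [ "$cmd" = "ALL" ] && return 0
  done < "$1"
  return 1
}

# check_join SSSD_FILE SUDOERS_FILE DOMAIN: the group allowed to log in must be the
# group that gets sudo, otherwise the two files disagree about who the admins are.
check_join() {
  check_sssd_conf "$1" || return 1
  check_sudoers_rule "$2" "$(filter_group "$1")" "$3" ||
    { echo "no sudoers rule for group $(filter_group "$1") in $3"; return 1; }
}

if check_join "$SAMPLE_SSSD_CONF" "$SAMPLE_SUDOERS" domain.local; then
  echo "sample config OK"
fi
check_join "$SAMPLE_SSSD_OPEN" "$SAMPLE_SUDOERS" domain.local || echo "open sample rejected, as expected"
```

The sudoers check only recognises the exact one-line form used in the guide; on a real host, still run visudo -c after editing /etc/sudoers, since a syntax error there locks everyone out of sudo.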
