A short guide on how to join CentOS Linux to AD and give an AD group sudo access
Install the following:
sudo yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y
Make sure /etc/resolv.conf points at a domain controller so the domain name resolves.
Join the domain with this command:
sudo realm join --user=administrator domain.local
The /etc/sssd/sssd.conf and /etc/krb5.conf files will be configured automatically.
Move the CentOS Computer Object to the correct OU.
Enable password logins over SSH: in /etc/ssh/sshd_config, comment out the "PasswordAuthentication no" line with #, so that sshd falls back to its default of yes.
Modify /etc/sssd/sssd.conf with the following:
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_access_filter = (memberOf=cn=<groupname>,ou=<groups OU>,ou=<parent OU>,dc=domain,dc=local)
Respectively, the last two lines remove the domain suffix from the user's home directory path and restrict logins to members of one AD group, which is the security-relevant part: without ad_access_filter, every domain user can log in.
Add the following to /etc/sudoers to allow sudo access to the group:
%domain.local\\<groupname> ALL=(ALL) ALL
Restart both sssd and sshd:
systemctl restart sssd
systemctl restart sshd
Try logging in with a user from the AD group specified above. If you attempt a login with a user outside the group, the server should immediately close the connection.
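The following audit script is an added example and not part of the original guide. It re-reads the three files the steps above edit and reports whether the settings described are in place; the file paths and the group spec are parameters (the defaults below are assumptions), so it can be pointed at copies of the real files.

```bash
#!/usr/bin/env bash
# Added audit helper (not from the guide): checks sssd.conf, sshd_config and
# sudoers for the settings the steps above describe. Paths are parameters.

# Print the value of KEY from the [domain/...] section of an sssd.conf-style file.
# Splits on the first '=' only, because ad_access_filter values contain '='.
sssd_get() {  # usage: sssd_get FILE KEY
  awk -v key="$2" '
    /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[domain\//); next }
    insec {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, i + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Effective PasswordAuthentication: sshd takes the first uncommented directive
# and defaults to "yes" when the line is commented out (what the guide does).
sshd_password_auth() {  # usage: sshd_password_auth FILE
  local v
  v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
  echo "${v:-yes}"
}

# Succeed if an uncommented sudoers line grants ALL=(ALL) to %GROUPSPEC.
sudoers_has_group() {  # usage: sudoers_has_group FILE GROUPSPEC
  grep -F -- "%$2" "$1" | grep -Ev '^[[:space:]]*#' | grep -q 'ALL=(ALL)'
}

# Run every check; FAIL lines set a non-zero return, WARN lines do not.
audit_ad_join() {  # usage: audit_ad_join SSSD_CONF SSHD_CONFIG SUDOERS GROUPSPEC
  local rc=0 fqn filter
  fqn=$(sssd_get "$1" use_fully_qualified_names)
  filter=$(sssd_get "$1" ad_access_filter)
  [ -n "$filter" ] || { echo "FAIL ad_access_filter unset: every domain user could log in"; rc=1; }
  [ "$(sshd_password_auth "$2")" = yes ] || { echo "FAIL PasswordAuthentication is not yes"; rc=1; }
  sudoers_has_group "$3" "$4" || { echo "FAIL no sudoers rule granting ALL=(ALL) to %$4"; rc=1; }
  [ "$fqn" = False ] || echo "WARN use_fully_qualified_names is '${fqn:-unset}', guide sets False"
  # With short names, 'id <user>' shows the bare group name and that is what sudo
  # matches; a domain-qualified %DOMAIN\group or %group@DOMAIN entry will not apply.
  case "$fqn:$4" in
    False:*\\*|False:*@*) echo "WARN sudoers group '$4' is domain-qualified but short names are in use" ;;
  esac
  return $rc
}
```

Run it as `audit_ad_join /etc/sssd/sssd.conf /etc/ssh/sshd_config /etc/sudoers '<groupspec>'` with the group spec exactly as it appears after the `%` in sudoers, and compare the result with what `id <user>` and `sudo -l -U <user>` report for a group member.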