
How to configure single sign-on using Windows 2012 Active Directory

References


## prepare the AD server

hostname w2k12ad.myexample.com
ip 192.168.0.253


## prepare the linux server
ensure the only DNS nameserver configured on the linux server is 192.168.0.253 (the AD server)

test that the LDAP service of that AD is discoverable via its DNS SRV record

[root@rhel7]# dig -t SRV _ldap._tcp.myexample.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> -t SRV _ldap._tcp.myexample.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.myexample.com.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.myexample.com. 600   IN      SRV     0 100 389 w2k12ad.myexample.com.

;; ADDITIONAL SECTION:
w2k12ad.myexample.com.  3600    IN      A       192.168.0.253
w2k12ad.myexample.com.  3600    IN      A       192.168.1.253
w2k12ad.myexample.com.  3600    IN      A       172.24.11.253

;; Query time: 0 msec
;; SERVER: 192.168.0.253#53(192.168.0.253)
;; WHEN: Sat Nov 13 17:10:03 +08 2021
;; MSG SIZE  rcvd: 142


## install required packages

yum install -y krb5-workstation samba-common-tools sssd-ad oddjob oddjob-mkhomedir sssd adcli


## note: the command is realm; the package that provides it is realmd

## test connectivity from the linux server to the AD server on the ports the join and sssd need

curl -v telnet://192.168.0.253:53     # dns
curl -v telnet://192.168.0.253:389    # ldap
curl -v telnet://192.168.0.253:88     # kerberos
curl -v telnet://192.168.0.253:464    # kpasswd
curl -v telnet://192.168.0.253:3268   # global catalog
nc -z -v -u 192.168.0.253 123         # ntp, udp
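The SRV lookup and the port probes above are the two pre-join checks that catch most failed joins (wrong resolver, firewall between the subnets, clock drift). The script below is an added example, not part of the original article: it parses full-format `dig` SRV answers into "host port" pairs ordered by priority and weight, then probes each target on the ports listed above. The domain name, the sample `dig` line (constructed from the article's output) and the 3-second timeout are assumptions; `dig` and `nc` are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: pre-join checks for the AD server.
# Assumptions: bash 4+, dig (bind-utils) and nc (nmap-ncat) installed; domain from the article.
DOMAIN="${DOMAIN:-myexample.com}"

# One SRV answer line, constructed from the article's dig output, so the parser
# can be exercised offline (the live run feeds `dig +noall +answer` into it).
SAMPLE_DIG_OUTPUT='_ldap._tcp.myexample.com. 600   IN      SRV     0 100 389 w2k12ad.myexample.com.'

# srv_targets: read full-format dig SRV answer lines on stdin and print "host port",
# one per line, best candidate first: lowest priority, then highest weight (RFC 2782).
# Columns of a full-format answer: name ttl class type priority weight port target.
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, -$6, $8, $7 }' \
      | sort -n -k1,1 -k2,2 \
      | awk '{ print $3, $4 }'
}

# tcp_open HOST PORT: 0 if a TCP connect completes within 3 s (bash /dev/tcp, no extra tools).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# required_ports_ok HOST: probe the ports realm join and sssd need. Prints one line per
# port and returns 1 if any TCP port is closed. The UDP/NTP probe is best-effort: nc
# only reports failure when an ICMP port-unreachable comes back.
required_ports_ok() {
    local host=$1 rc=0 p
    for p in "53 dns" "88 kerberos" "389 ldap" "464 kpasswd" "3268 global-catalog"; do
        set -- $p
        if tcp_open "$host" "$1"; then echo "tcp/$1 ($2) open"; else echo "tcp/$1 ($2) CLOSED"; rc=1; fi
    done
    if nc -z -u -w 3 "$host" 123 2>/dev/null; then echo "udp/123 (ntp) reachable"
    else echo "udp/123 (ntp) unreachable: Kerberos rejects clock skew above 5 minutes"; rc=1; fi
    return $rc
}

# Live run: bash adcheck.sh --live   (resolves the SRV record, then probes each target)
if [ "${1:-}" = "--live" ]; then
    dig -t SRV "_ldap._tcp.$DOMAIN" +noall +answer | srv_targets | while read -r host port; do
        echo "SRV target: $host:$port"
        required_ports_ok "$host"
    done
fi
```

Run it with `--live` on the RHEL host before `realm join`; every "CLOSED" line is a firewall rule or routing problem to fix first, and an unreachable NTP port is worth chasing even though the UDP probe is weak, because a Kerberos ticket request fails silently-looking with a clock-skew error.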

## join the AD domain
## when prompted, enter the password of a domain account with permission to join computers to the domain, e.g. a domain admin

realm join myexample.com

## NOTE: to disable automatic mapping of uid/gid from the Windows AD SID, join as follows instead.
## In this case, for each user we have to create the following POSIX attributes in AD:
## uidNumber, gidNumber, unixHomeDirectory and loginShell

realm join --automatic-id-mapping=no myexample.com

## To redo the join, leave the domain first

realm leave -v --remove myexample.com


## test login locally



or




## when connecting remotely from an ssh client like PuTTY, use a single \


 

or



## to check that AD accounts resolve on the linux server
## e.g. check the domain user administrator of domain myexample.com


[root@rhel7 sysconfig]# getent passwd administrator@myexample.com
administrator@myexample.com:*:1368800500:1368800513:Administrator:/home/administrator@myexample.com:/bin/bash


## TESTING

## On the linux server, create the group that will carry the user's primary gid

groupadd -g 1050 sysadmin


## On AD, create the group sysadmin and the user arba

Active Directory Users and Computers => Users => New => Group
   Group name: sysadmin

Active Directory Users and Computers => Users => New => User
   First name: Abc Def
   Last name: Ghi
   Full name: Abc Def Ghi
   User logon name : arba
   => Next
   Password: **************
   Confirm password: ***************
   [] User must change password at next logon
   [/] Password never expires
   => Next
   => Finish

Active Directory Users and Computers => Users => [new user] => Properties => Member Of => Add
   object name: sysadmin
   => OK
   select group "sysadmin"
   => Click "Set Primary Group"
   => OK





## Create the POSIX attributes for the user to avoid automatic mapping of the SID to uid/gid, which is cumbersome.
## First enable Advanced Features in the View menu of the Active Directory Users and Computers console (otherwise the Attribute Editor tab is hidden)

Active Directory Users and Computers => View => Advanced Features






Active Directory Users and Computers => Users => [new user] => Properties => Attribute Editor



   => set the values for the following attributes
      uidNumber: 1062
      gidNumber: 1050
      unixHomeDirectory: /home/arba   # optional: if not set in sssd.conf, set it here in AD
      loginShell: /bin/bash           # optional: if not set in sssd.conf, set it here in AD
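The `--automatic-id-mapping=no` join above and the two "optional" attributes both end up as settings in /etc/sssd/sssd.conf, which realmd writes for you. The file below is an added example, not the article's own file: it shows the shape of the configuration that join produces, with the sssd fallbacks that apply when unixHomeDirectory or loginShell are left unset in AD. The realm name, the home-directory template and the `access_provider` choice are assumptions.

```ini
# Added example, not the article's own file: /etc/sssd/sssd.conf as written by
# `realm join --automatic-id-mapping=no myexample.com`, plus the two fallbacks for the
# optional AD attributes. Assumed values: realm name, home template, access provider.
[sssd]
domains = myexample.com
config_file_version = 2
services = nss, pam

[domain/myexample.com]
ad_domain = myexample.com
krb5_realm = MYEXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
# POSIX ids come from uidNumber/gidNumber in AD; a user without them will not resolve at all.
ldap_id_mapping = False
# Logins are of the form arba@myexample.com; home and shell below are used only when
# unixHomeDirectory / loginShell are not set on the AD object.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
# Let AD decide who may log in (account disabled, expired, or logon restrictions are honoured).
access_provider = ad
```

sssd refuses to start unless this file is owned by root with mode 0600, so keep it that way when editing; after any change run `systemctl restart sssd` and clear stale lookups with `sss_cache -E` before re-testing with `getent`.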


## Verify before logging in for the first time

[root@rhel8 home]# getent passwd arba@myexample.com
arba@myexample.com:*:1062:1050:Abc Def Ghi:/home/arba@myexample.com:/bin/bash

## Test Login

[root@rhel8 home]# ssh myexample.com\arba@localhost
myexample.com\arba@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Nov  6 20:55:08 2021 from 127.0.0.1
[arba@myexample.com@rhel8 ~]$ pwd
/home/arba@myexample.com
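The `getent` check before the first login is the one place where a wrong uid (a SID-mapped id like the administrator's 1368800500 instead of the 1062 we set), a primary gid with no group behind it, or a non-login shell shows up before it turns into a confusing ssh failure. The script below is an added example, not from the original article: it parses `getent passwd` lines and checks them against the expected POSIX attributes. The two sample lines are constructed from the article's own output; the 200000 threshold is sssd's default start of the SID-to-id mapping range and is an assumption about the default configuration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: verify an AD user's POSIX identity
# as sssd presents it, before the first interactive login. Assumes sssd is joined and
# running; the two sample lines are constructed from the article's getent output so
# the checks can be exercised offline.
SAMPLE_ARBA='arba@myexample.com:*:1062:1050:Abc Def Ghi:/home/arba@myexample.com:/bin/bash'
SAMPLE_ADMIN='administrator@myexample.com:*:1368800500:1368800513:Administrator:/home/administrator@myexample.com:/bin/bash'

# looks_id_mapped UID: 0 when the uid falls in sssd's default SID-to-id mapping range
# (ldap_idmap_range_min defaults to 200000), i.e. it did not come from uidNumber in AD.
looks_id_mapped() {
    [ "$1" -ge 200000 ]
}

# check_passwd_line LINE EXPECTED_UID EXPECTED_GID: split a passwd(5) line and compare
# the uid/gid fields. Returns 0 on match, 1 otherwise, printing the reason.
check_passwd_line() {
    local line=$1 want_uid=$2 want_gid=$3
    local name pw uid gid gecos home shell
    IFS=: read -r name pw uid gid gecos home shell <<< "$line"
    [ -n "$name" ] || { echo "empty lookup result: user unknown to sssd"; return 1; }
    if [ "$uid" != "$want_uid" ]; then
        echo -n "$name: uid $uid, expected $want_uid"
        looks_id_mapped "$uid" && echo -n " (SID-mapped id: uidNumber missing or id mapping still on)"
        echo; return 1
    fi
    [ "$gid" = "$want_gid" ] || { echo "$name: gid $gid, expected $want_gid (gidNumber or primary group mismatch)"; return 1; }
    [ -n "$shell" ] && [ "$shell" != /sbin/nologin ] || { echo "$name: shell '$shell' does not allow login"; return 1; }
    echo "$name: uid=$uid gid=$gid home=$home shell=$shell"
}

# verify_ad_user USER@DOMAIN EXPECTED_UID EXPECTED_GID: live check through NSS/sssd,
# including that the primary gid resolves to a group (local groupadd or gidNumber in AD).
verify_ad_user() {
    local entry
    entry=$(getent passwd "$1") || { echo "$1: not found via getent (sssd down? stale cache: sss_cache -E)"; return 1; }
    check_passwd_line "$entry" "$2" "$3" || return 1
    getent group "$3" >/dev/null || { echo "gid $3 has no group entry: groupadd -g $3 <name> locally or set gidNumber on the AD group"; return 1; }
}

# Live usage on the joined host:  verify_ad_user arba@myexample.com 1062 1050
```

Running `verify_ad_user` for each new account right after setting the attributes in AD turns the "why can't this user log in" hunt into a one-line answer, and the gid check is what catches the step the article handles with `groupadd -g 1050 sysadmin`: sssd will happily return a primary gid that no group on the box resolves.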

[ © 2008-2021 myfaqbase.com - A property of WPDC Consulting ]