# How to configure single sign-on using Windows 2012 Active Directory

References


## prepare the AD server

hostname w2k12ad.myexample.com
ip 192.168.0.253


## prepare the Linux server
Ensure the DNS resolver of the Linux server points only at 192.168.0.253 (the AD server above).

Test that the LDAP SRV record of the domain is visible from that AD server:

[root@rhel7]# dig -t SRV _ldap._tcp.myexample.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> -t SRV _ldap._tcp.myexample.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.myexample.com.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.myexample.com. 600   IN      SRV     0 100 389 w2k12ad.myexample.com.

;; ADDITIONAL SECTION:
w2k12ad.myexample.com.  3600    IN      A       192.168.0.253
w2k12ad.myexample.com.  3600    IN      A       192.168.1.253
w2k12ad.myexample.com.  3600    IN      A       172.24.11.253

;; Query time: 0 msec
;; SERVER: 192.168.0.253#53(192.168.0.253)
;; WHEN: Sat Nov 13 17:10:03 +08 2021
;; MSG SIZE  rcvd: 142


## install required packages

yum install -y krb5-workstation samba-common-tools sssd-ad oddjob oddjob-mkhomedir sssd adcli


## note: the command is `realm`, but the package that provides it is `realmd`

## test connectivity to the AD server on the ports the join needs (DNS, LDAP, Kerberos, kpasswd, global catalog, NTP)

curl -v telnet://192.168.0.253:53
curl -v telnet://192.168.0.253:389
curl -v telnet://192.168.0.253:88
curl -v telnet://192.168.0.253:464
curl -v telnet://192.168.0.253:3268
nc -z -v -u 192.168.0.253 123   # udp

## join the AD domain
## when prompted, log in with a domain account that has permission to join machines to the domain, e.g. a domain admin

realm join myexample.com

## NOTE: to disable the automatic mapping of uid/gid from the Windows AD SID, join as follows instead.
## In this case, for each user we have to create the following POSIX attributes in AD:
## uidNumber, gidNumber, unixHomeDirectory and loginShell

realm join --automatic-id-mapping=no myexample.com

## To redo the join, first leave the domain with:

realm leave -v --remove myexample.com


## test login locally



or




## when connecting remotely from an SSH client such as PuTTY, use a single backslash (\) between the domain and the user name


 

or



## to check that accounts on AD are resolved by the Linux server
## e.g. check the domain user administrator of domain myexample.com


[root@rhel7 sysconfig]# getent passwd administrator@myexample.com
administrator@myexample.com:*:1368800500:1368800513:Administrator:/home/administrator@myexample.com:/bin/bash


## TESTING

## On the Linux server, create the local group that will be the user's primary group; its gid must match the gidNumber set in AD below

groupadd -g 1050 sysadmin


## On AD, create the group sysadmin and the user arba

Active Directory Users and Computers => Users => New => Group
   Group name: sysadmin

Active Directory Users and Computers => Users => New => User
   First name: Abc Def
   Last name: Ghi
   Full name: Abc Def Ghi
   User logon name : arba
   => Next
   Password: **************
   Confirm password: ***************
   [] User must change password at next logon
   [/] Password never expires
   => Next
   => Finish

Active Directory Users and Computers => Users => [new user] => Properties => Member Of => Add
   object name: sysadmin
   => OK
   select group "sysadmin"
   => Click "Set Primary Group"
   => OK





## Create the POSIX attributes for the user, to avoid the automatic mapping of the SID to uid/gid, which is cumbersome.
## Enable Advanced Features in the View menu of the Active Directory Users and Computers console

Active Directory Users and Computers => View => Advanced Features






Active Directory Users and Computers => Users => [new user] => Properties => Attribute Editor



   => set the values for the following attributes
      uidNumber: 1062
      gidNumber: 1050
      unixHomeDirectory: /home/arba  # optional: if not set in sssd.conf, then set it in AD
      loginShell: /bin/bash          # optional: if not set in sssd.conf, then set it in AD


## Verify the user resolves correctly before logging in for the first time

[root@rhel8 home]# getent passwd arba@myexample.com
arba@myexample.com:*:1062:1050:Abc Def Ghi:/home/arba@myexample.com:/bin/bash

## Test Login

[root@rhel8 home]# ssh myexample.com\arba@localhost
myexample.com\arba@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Nov  6 20:55:08 2021 from 127.0.0.1
[arba@myexample.com@rhel8 ~]$ pwd
/home/arba@myexample.com