GJaminon
1/27/2018 - 1:25 PM

Join Centos to Active Directory

From : https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
Set TimeZone https://www.cyberciti.biz/faq/centos-linux-6-7-changing-timezone-command-line/


Install the tools : 
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

Set the domain name and DC IP in /etc/resolv.conf :
[root@centos7 ~]# sudo vi /etc/resolv.conf
search example.com
nameserver 192.168.1.2


Join the domain : 
[root@centos7 ~]# sudo realm join --user=administrator example.com
Password for administrator:

Check : 
[root@centos7 ~]# realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.com
  login-policy: allow-realm-logins
  
[root@centos7 ~]# id administrator
id: administrator: no such user

[root@centos7 ~]# id administrator@example.com

Edit /etc/sssd/sssd.conf to remove the necessity of @example.com
use_fully_qualified_names = False
fallback_homedir = /home/%u

Restart sssd
[root@centos7 ~]# systemctl restart sssd

Create a file named after the AD group to give sudo access on the Linux box (use sudo -s) : 
[root@centos7 ~]# cat /etc/sudoers.d/LinuxAdmins
%LinuxAdmins    ALL=(ALL)       ALL

# Allow users from the linuxAdmins group to log on to the server

sudo realm permit -g linuxadmins


Login via ssh without password by using the kerberos token : 
In /etc/ssh/sshd_config on the server, find the GSSAPIAuthentication directive, uncomment it and set its value to yes, then restart the SSH daemon.

https://serverfault.com/questions/337967/ssh-from-windows-to-linux-with-ad-certificates
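Added example (not part of the original note): a small POSIX sh verifier for the steps above. Each function takes file or command content as a string, so it runs offline against the constructed sample below; on a real host feed it `realm list`, /etc/sssd/sssd.conf, /etc/sudoers.d/LinuxAdmins and /etc/ssh/sshd_config. Field and directive names are the ones shown in this note.

```shell
#!/bin/sh
# Constructed sample mirroring the `realm list` output in the note above.
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-realm-logins'

# realm_field FIELD: print the value of an indented "  FIELD: value" line read from stdin.
realm_field() {
    sed -n "s/^  $1: //p"
}

# join_ok REALM_LIST_TEXT: succeed only when the realm is a kerberos-member served by sssd.
join_ok() {
    cfg=$(printf '%s\n' "$1" | realm_field configured)
    sw=$(printf '%s\n' "$1" | realm_field client-software)
    [ "$cfg" = "kerberos-member" ] && [ "$sw" = "sssd" ]
}

# fqn_required SSSD_CONF_TEXT: succeed when logins still need user@domain, i.e.
# use_fully_qualified_names is not explicitly False (realm join writes True).
fqn_required() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)
    case "$v" in
        [Ff][Aa][Ll][Ss][Ee]) return 1 ;;
        *) return 0 ;;
    esac
}

# sudoers_group SUDOERS_TEXT: print the AD group granted full sudo by a "%group ALL=(ALL) ALL" line.
sudoers_group() {
    printf '%s\n' "$1" | sed -n 's/^%\([^[:space:]]*\)[[:space:]].*ALL=(ALL)[[:space:]]*ALL.*/\1/p'
}

# gssapi_enabled SSHD_CONFIG_TEXT: succeed only on an uncommented "GSSAPIAuthentication yes".
gssapi_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes'
}
```

Note that sudoers matches the group as written in the file, so keep the case in /etc/sudoers.d consistent with the name used for `realm permit -g`.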