Joining CentOS/RHEL 7 to AD with Kerberos
Prerequisites:
Linux: CentOS 7.6 (192.168.0.10)
Windows: Active Directory 2016 (192.168.0.100)
The AD is also the DNS and DHCP server
cat /etc/resolv.conf
search meinad.lan
nameserver 192.168.0.100
Install bind-utils if it is not already installed (minimal install)
yum install bind-utils
Check name resolution with nslookup
nslookup meinad.lan
Install the required packages via yum
yum install adcli sssd authconfig realmd krb5-workstation
Check whether we already belong to a domain
realm list
Check whether all required packages are present
realm discover meinad.lan
This creates /etc/krb5.keytab and /etc/krb5.conf.
Join the domain, placing the computer in the OU Linux-Computers
realm join --computer-ou="OU=Linux-Computers" --user=Administrator meinad.lan
or alternatively in the "default" OU
realm join --user=Administrator meinad.lan
Check the domain join with
realm list
Check the Kerberos keytab that was created by a successful join
klist -kt
Set up NSS and PAM
authconfig --enablesssd --enablesssdauth --update
This adjusts the files /etc/nsswitch.conf, /etc/pam.d/password-auth and /etc/pam.d/system-auth accordingly.
Check the SSSD daemon; restart it if necessary and enable it so that it starts automatically at boot.
systemctl status sssd
systemctl restart sssd
systemctl enable sssd
Query an AD user
id Administrator@meinad.lan
------------------------------------------- root USER -------------------------------------------
hostname
cat /etc/resolv.conf
nslookup ads.lan
yum install -y adcli sssd authconfig realmd krb5-workstation oddjob oddjob-mkhomedir samba-common-tools
realm list
realm discover ads.lan
#TEST : OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
#Prod : OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
klist -kte
vi /etc/krb5.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_kdc = true
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = ADS.LAN

[realms]
 ADS.LAN = {
  kdc = ads.lan
  admin_server = ads.lan
 }

[domain_realm]
 ads.lan = ADS.LAN
 .ads.lan = ADS.LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vi /etc/sssd/sssd.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[sssd]
domains = ads.lan
config_file_version = 2
services = nss, pam, ssh, autofs

[domain/ads.lan]
ad_domain = ads.lan
krb5_realm = ADS.LAN
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
use_fully_qualified_names = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
fallback_homedir = /home/%u
default_shell = /bin/bash
access_provider = ad
ad_access_filter = (&(memberOf=CN=RO_ADMIN_RZIK_UNIX,OU=grp,OU=haorg,OU=DEU,DC=ads,DC=lan))
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
authconfig --enablesssd --enablesssdauth --update
systemctl status sssd
systemctl restart sssd
systemctl enable sssd
systemctl status sssd
------------------------------------------- oracle USER -------------------------------------------
mkdir -p /apps/oracle/diag/krb/cc/
cd /apps/oracle/12.2.0.1/rdbms/network/admin/
ls -ltrha
ln -s /apps/oracle/12.2.0.1/grid/network/admin/vmlli-xendbp01.keytab vmlli-xendbp01.keytab
ls -ltrha
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
vi /apps/oracle/12.2.0.1/rdbms/network/admin/sqlnet.ora
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT)
NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN=WORLD
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS,KERBEROS5PRE,KERBEROS5)
#SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_KEYTAB=/apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
SQLNET.KERBEROS5_CC_NAME=/apps/oracle/diag/krb/cc/krb5cc_99
SQLNET.FALLBACK_AUTHENTICATION = TRUE
#TRACE_LEVEL_SERVER=32
#TRACE_LEVEL_CLIENT=6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
. oraenv   <== +ASM
lsnrctl stop
lsnrctl start
/*
CREATE USER "A0009210@ADS.LAN" IDENTIFIED EXTERNALLY AS 'A0009210@ADS.LAN'
  DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP PROFILE DEFAULT ACCOUNT UNLOCK;
-- 3 Roles for "A0009210@ADS.LAN"
GRANT CONNECT TO "A0009210@ADS.LAN";
GRANT DBA TO "A0009210@ADS.LAN";
GRANT RESOURCE TO "A0009210@ADS.LAN";
ALTER USER "A0009210@ADS.LAN" DEFAULT ROLE ALL;
-- 1 System Privilege for "A0009210@ADS.LAN"
GRANT UNLIMITED TABLESPACE TO "A0009210@ADS.LAN";

CREATE USER "A0008900@ADS.LAN" IDENTIFIED EXTERNALLY AS 'A0008900@ADS.LAN'
  DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP PROFILE DEFAULT ACCOUNT UNLOCK;
-- 3 Roles for "A0008900@ADS.LAN"
GRANT CONNECT TO "A0008900@ADS.LAN";
GRANT DBA TO "A0008900@ADS.LAN";
GRANT RESOURCE TO "A0008900@ADS.LAN";
ALTER USER "A0008900@ADS.LAN" DEFAULT ROLE ALL;
-- 1 System Privilege for "A0008900@ADS.LAN"
GRANT UNLIMITED TABLESPACE TO "A0008900@ADS.LAN";
*/
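The sssd.conf above only lets members of one AD group log in because it sets access_provider = ad together with an ad_access_filter; if either is missing, every AD account gets a shell. The following script is an added example (not part of these notes) that audits an sssd.conf for exactly those two settings and for the 0600 file mode sssd requires; it writes two constructed sample files with a placeholder group DN so it runs without a domain.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an sssd.conf for the
# login restriction the notes rely on (access_provider = ad plus an
# ad_access_filter) and for the 0600 mode sssd insists on. Two constructed
# samples go to a temp dir so it runs offline; their group DN is a placeholder.

# Print the value of key "$2" inside section "[$1]" of INI-style file "$3".
ini_get() {
    awk -v sect="[$1]" -v key="$2" '
        $0 == sect { insec = 1; next }
        /^\[/      { insec = 0 }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ ("^" key "[ \t]*=")) { sub(/^[^=]*=[ \t]*/, "", line); print line; exit }
        }' "$3"
}

# Return 0 when the configured domain restricts logins and the file mode is
# 0600; otherwise print what is wrong and return 1.
check_sssd_conf() {
    conf=$1; rc=0
    dom=$(ini_get sssd domains "$conf")
    [ -n "$dom" ] || { echo "FAIL $conf: no domains in [sssd]"; return 1; }
    ap=$(ini_get "domain/$dom" access_provider "$conf")
    filt=$(ini_get "domain/$dom" ad_access_filter "$conf")
    [ "$ap" = "ad" ] || { echo "FAIL $conf: access_provider='${ap:-unset}', expected ad"; rc=1; }
    [ -n "$filt" ]   || { echo "FAIL $conf: no ad_access_filter, every AD user may log in"; rc=1; }
    [ "$(ls -l "$conf" | cut -c5-10)" = "------" ] || { echo "FAIL $conf: mode must be 0600"; rc=1; }
    [ $rc -eq 0 ] && echo "OK   $conf"
    return $rc
}

SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
GOOD_CONF=$SAMPLES/sssd-good.conf
BAD_CONF=$SAMPLES/sssd-bad.conf
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = ads.lan
[domain/ads.lan]
id_provider = ad
access_provider = ad
ad_access_filter = (memberOf=CN=PLACEHOLDER_GROUP,OU=grp,DC=ads,DC=lan)
EOF
# Same domain, but with the access restriction left out (permissive default).
sed -e '/^access_provider/d' -e '/^ad_access_filter/d' "$GOOD_CONF" > "$BAD_CONF"
chmod 600 "$GOOD_CONF" "$BAD_CONF"
check_sssd_conf "$GOOD_CONF"
check_sssd_conf "$BAD_CONF" || echo "(permissive sample rejected as expected)"
```

Point check_sssd_conf at /etc/sssd/sssd.conf after the join to confirm the restriction survived realmd's rewrite of the file.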
Source: https://www.golinuxcloud.com/add-linux-to-windows-ad-domain-adcli-centos-7
Restricting AD access to Linux: https://docs.pagure.org/SSSD.sssd/design_pages/active_directory_access_control.html