CentOS/RHEL 7 mit Kerberos an AD anbinden

Voraussetzungen:

Linux: CentOS 7.6 (192.168.0.10)

Windows: Active Directory 2016 (192.168.0.100)

Der AD ist auch DNS- und DHCP-Server.

cat /etc/resolv.conf
search meinad.lan
nameserver 192.168.0.100

bind-utils installieren, falls nicht installiert (Minimal-Installation)
yum install bind-utils

Mit nslookup die Namensauflösung prüfen

nslookup meinad.lan

Benötigte Pakete via yum installieren

yum install adcli sssd authconfig realmd krb5-workstation

Prüfen, ob wir bereits zu einer Domain gehören

realm list

Prüfen, ob alle benötigten Pakete vorhanden sind

realm discover meinad.lan

Somit wird die /etc/krb5.keytab und /etc/krb5.conf erstellt.

Join in die Domain, in die OU Linux-Computers

# Interactive join: realm asks for the Administrator password on the terminal.
# A Domain Admin is not required — an account with delegated "create computer
# objects" rights on OU=Linux-Computers is enough and limits what a compromised
# host or a leaked join password can do.
realm join --computer-ou="OU=Linux-Computers" --user=Administrator meinad.lan

oder alternativ in die “default” OU

realm join --user=Administrator meinad.lan

Domain-Join prüfen mit

realm list

Kerberos-Keytab, die durch einen erfolgreichen Join erstellt wurde, prüfen

# Lists the principals in /etc/krb5.keytab with timestamps; after a successful
# join this typically shows host/ and RestrictedKrbHost/ entries for this
# machine. The keytab is the machine account's long-term secret and must stay
# readable by root only.
klist -kt

NSS und PAM einrichten

# Rewrites /etc/nsswitch.conf and the PAM stacks (password-auth, system-auth)
# to consult sssd. realm join usually applies this already, so re-running it
# here is a safe, idempotent step.
authconfig --enablesssd --enablesssdauth --update

Dadurch werden die Dateien /etc/nsswitch.conf, /etc/pam.d/password-auth und /etc/pam.d/system-auth entsprechend angepasst.

SSSD-Daemon prüfen, ggf. neu starten bzw. aktivieren, damit er beim Boot automatisch gestartet wird.
# sssd must be running for AD lookups and logins; restart so the join-generated
# config is read, and enable it so the join survives a reboot.
systemctl status sssd
systemctl restart sssd
systemctl enable sssd

AD User abfragen

# Resolves an AD user through NSS -> sssd and prints uid/gid/groups if DNS,
# the join and sssd all work. This checks lookup only, not authentication —
# verify an actual login (ssh or su) as well.
id Administrator@meinad.lan

 

 

-------------------------------------------
root USER
-------------------------------------------
# Pre-flight as root: confirm the host's own name and that the resolver points
# at the AD domain controller before the join tooling is installed.
hostname
cat /etc/resolv.conf
nslookup ads.lan
# -y skips yum's confirmation. oddjob/oddjob-mkhomedir provide the PAM helper
# that creates home directories on first AD login; samba-common-tools is
# presumably what realmd uses for the samba-based join recorded later in
# sssd.conf (realmd_tags = joined-with-samba).
yum install -y adcli sssd authconfig realmd krb5-workstation oddjob oddjob-mkhomedir samba-common-tools
# Expect no existing membership here.
realm list
# Reports realm type, missing packages and the login policy realmd will apply.
realm discover ads.lan

#TEST : OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
# realm reads the join account's password from the terminal; keep it out of
# scripts and shell history. The account only needs delegated rights to create
# computer objects in the target OU, not domain-wide admin rights.
# --computer-ou is a full DN; it holds no shell metacharacters here, so the
# unquoted form works, but quoting the value is the safer habit.
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan

#Prod : OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
# Production variant: same command, target OU sits directly under
# Team-Unix-Prod (no Team-Unix-Test component).
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan

# -k lists the host keytab (/etc/krb5.keytab) written by the join, -t adds
# timestamps, -e the encryption type of each key. The keytab is the machine
# account's long-term key: keep it root-only (mode 0600) and expect only AES
# entries; if weaker types (RC4/DES) are listed, review the computer account's
# supported encryption types in AD.
klist -kte

vi /etc/krb5.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

# Snippets written by sssd (KDC discovery, localauth); do not edit by hand.
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# KDC and realm are located via DNS (SRV/TXT records); the static [realms]
# entry below is the fallback.
 dns_lookup_kdc = true
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
# Forwardable tickets can be delegated to services the user connects to.
# Reasonable for an interactive host, but it should be a conscious choice.
 forwardable = true
# Do not canonicalise hostnames via reverse DNS when building service
# principals; a spoofed PTR record cannot redirect which service key is used.
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Tickets live in the kernel keyring per uid instead of files in /tmp.
# NOTE(review): the Oracle sqlnet.ora further down uses a FILE cache path
# instead — confirm both settings are intended.
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = ADS.LAN
[realms]
 ADS.LAN = {
  kdc = ads.lan
  admin_server = ads.lan
 }

[domain_realm]
 ads.lan = ADS.LAN
 .ads.lan = ADS.LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

vi /etc/sssd/sssd.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# NOTE(review): sssd refuses to start unless this file is owned by root and
# not readable by group/others (mode 0600) — check after editing.
[sssd]
domains = ads.lan
config_file_version = 2
services = nss, pam, ssh, autofs

[domain/ads.lan]
ad_domain = ads.lan
krb5_realm = ADS.LAN
# Keeps the user's password (in the kernel keyring) while the DC is
# unreachable so a TGT can be fetched once it is back; this widens local
# exposure of the credential on a compromised host.
krb5_store_password_if_offline = True
# Written by realmd; records that the join was performed through samba.
realmd_tags = manages-system joined-with-samba
# Stores hashed credentials locally so cached users can log in offline.
cache_credentials = True

id_provider = ad
# Users log in as "user" rather than "user@ads.lan"; short names can collide
# with local accounts in /etc/passwd, depending on nsswitch.conf order.
use_fully_qualified_names = False

# UIDs/GIDs are derived deterministically from the AD SID, not read from
# uidNumber/gidNumber in AD; hosts sharing files must use the same mapping.
ldap_id_mapping = True
ldap_force_upper_case_realm = True
fallback_homedir = /home/%u
default_shell = /bin/bash

# Only members of RO_ADMIN_RZIK_UNIX may log in; other AD users still resolve
# via NSS but are denied at PAM. The ad access provider also enforces
# disabled/expired account state in addition to this filter.
access_provider = ad
ad_access_filter = (&(memberOf=CN=RO_ADMIN_RZIK_UNIX,OU=grp,OU=haorg,OU=DEU,DC=ads,DC=lan))
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# Switches NSS and PAM to sssd (rewrites /etc/nsswitch.conf and the
# password-auth/system-auth stacks). realm join with the manages-system tag
# normally does this already; re-running it is idempotent.
authconfig --enablesssd --enablesssdauth --update

systemctl status sssd
# Restart so the edited /etc/sssd/sssd.conf is read; a wrong file mode or
# owner shows up here as a start failure.
systemctl restart sssd
# Start at boot, otherwise AD logins stop working after a reboot.
systemctl enable sssd
systemctl status sssd

-------------------------------------------
oracle USER
-------------------------------------------

# Credential-cache directory referenced by SQLNET.KERBEROS5_CC_NAME in sqlnet.ora.
mkdir -p /apps/oracle/diag/krb/cc/
cd /apps/oracle/12.2.0.1/rdbms/network/admin/
ls -ltrha
# The RDBMS home reuses the keytab already held by the grid home via a symlink.
# The keytab is the database service's long-term key (equivalent to its
# password): the link target must stay readable only by the oracle user; the
# symlink itself adds no protection.
ln -s /apps/oracle/12.2.0.1/grid/network/admin/vmlli-xendbp01.keytab vmlli-xendbp01.keytab
ls -ltrha
# Oracle's klist equivalent: confirms the principal(s) and key timestamps in the keytab.
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab

vi /apps/oracle/12.2.0.1/rdbms/network/admin/sqlnet.ora
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT)
NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN=WORLD

# NTS is Windows native authentication and has no effect on a Linux server;
# the commented variant below is the Linux-only list. KERBEROS5PRE is the
# compatibility variant for older clients.
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS,KERBEROS5PRE,KERBEROS5)
#SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
# Reuse the system krb5.conf in MIT format rather than a separate Oracle copy.
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=true
# Service principal prefix: clients request oracle/<host>@ADS.LAN, which must
# match the principal stored in the keytab below.
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_KEYTAB=/apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
# File-based credential cache in the directory created earlier; differs from
# the KEYRING default in /etc/krb5.conf. Keep it owned by oracle, mode 0600.
SQLNET.KERBEROS5_CC_NAME=/apps/oracle/diag/krb/cc/krb5cc_99
# NOTE(review): with fallback enabled, a failed Kerberos handshake falls back
# to password authentication, so Kerberos is not actually enforced. Set to
# FALSE once all clients authenticate via Kerberos.
SQLNET.FALLBACK_AUTHENTICATION = TRUE

#TRACE_LEVEL_SERVER=32
#TRACE_LEVEL_CLIENT=6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# Re-check the keytab after editing sqlnet.ora.
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab

# Source the Oracle environment; the next line is presumably the SID typed at
# the oraenv prompt (the ASM instance), not a shell command.
. oraenv
<== +ASM
# Restart the listener so it reads the new sqlnet.ora (brief outage for new connections).
lsnrctl stop
lsnrctl start

/*
-- Externally identified accounts: no database password exists; the quoted user
-- name must match the Kerberos principal the client presents (assumes
-- OS_AUTHENT_PREFIX is empty — confirm), so access is governed by AD alone.
CREATE USER "A0009210@ADS.LAN"
  IDENTIFIED EXTERNALLY AS 'A0009210@ADS.LAN'
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;

-- 3 Roles for "A0009210@ADS.LAN" 
-- NOTE(review): DBA is full administrative control of the database and
-- effectively covers CONNECT, RESOURCE and UNLIMITED TABLESPACE. Grant it only
-- to AD accounts that are actual administrators; regular users should get a
-- narrower role set.
GRANT CONNECT TO "A0009210@ADS.LAN";
GRANT DBA TO "A0009210@ADS.LAN";
GRANT RESOURCE TO "A0009210@ADS.LAN";
ALTER USER "A0009210@ADS.LAN" DEFAULT ROLE ALL;

-- 1 System Privilege for "A0009210@ADS.LAN" 
GRANT UNLIMITED TABLESPACE TO "A0009210@ADS.LAN";

-- Second account with the identical privilege set; the DBA note above applies.
CREATE USER "A0008900@ADS.LAN"
  IDENTIFIED EXTERNALLY AS 'A0008900@ADS.LAN'
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;

-- 3 Roles for "A0008900@ADS.LAN" 
GRANT CONNECT TO "A0008900@ADS.LAN";
GRANT DBA TO "A0008900@ADS.LAN";
GRANT RESOURCE TO "A0008900@ADS.LAN";
ALTER USER "A0008900@ADS.LAN" DEFAULT ROLE ALL;

-- 1 System Privilege for "A0008900@ADS.LAN" 
GRANT UNLIMITED TABLESPACE TO "A0008900@ADS.LAN";
*/

 

 

 

 

 

 

Quelle: https://www.golinuxcloud.com/add-linux-to-windows-ad-domain-adcli-centos-7

AD Zugriff auf Linux festlegen: https://docs.pagure.org/SSSD.sssd/design_pages/active_directory_access_control.html