21.08.2019
CentOS/RHEL 7 mit Kerberos an AD anbinden
Voraussetzungen:
Linux: CentOS 7.6 (192.168.0.10)
Windows: Active Directory 2016 (192.168.0.100)
Der AD ist auch DNS, DHCP Server
cat /etc/resolv.conf search meinad.lan nameserver 192.168.0.100
bind-utils installieren falls nicht installiert (Minimal)
yum install bind-utils
mit nslookup die Namensauflösung prüfen
nslookup meinad.lan
Benötigte Paket via yum installieren
yum install adcli sssd authconfig realmd krb5-workstation
Prüfen ob wir bereits zu einer Domain gehören
realm list
Prüfen ob alle benötigten Paket vorhanden sind
realm discover meinad.lan
Somit wird die /etc/krb5.keytab und /etc/krb5.conf erstellt.
Join in der Domain in die OU Linux-Computers
realm join --computer-ou="OU=Linux-Computers" --user=Administrator meinad.lan
oder alternativ in die “default” OU
realm join --user=Administrator meinad.lan
Domain join prüfen mit
realm list
Kerberos keytab die durch einen erfolgreichen join erstellt wurde prüfen
klist -kt
NSS und PAM einrichten
authconfig --enablesssd --enablesssdauth --update
Dadurch werden die Dateien /etc/nsswitch.conf, /etc/pam.d/password-auth und /etc/pam.d/system-auth entsprechend angepasst.
SSSD Deamon prüfen, ggfl. neustarten bzw. aktivieren damit er beim boot automatisch gestartet wird.
systemctl status sssd systemctl restart sssd systemctl enable sssd
AD User abfragen
id Administrator@meinad.lan
-------------------------------------------
root USER
-------------------------------------------
hostname
cat /etc/resolv.conf
nslookup ads.lan
yum install -y adcli sssd authconfig realmd krb5-workstation oddjob oddjob-mkhomedir samba-common-tools
realm list
realm discover ads.lan
#TEST : OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Test,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
#Prod : OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
realm join ads.lan --user=A0009210 --computer-ou=OU=Linux-Systems,OU=Team-Unix-Prod,OU=server,OU=ADS,DC=ads,DC=lan
klist -kte
vi /etc/krb5.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = ADS.LAN
[realms]
ADS.LAN = {
kdc = ads.lan
admin_server = ads.lan
}
[domain_realm]
ads.lan = ADS.LAN
.ads.lan = ADS.LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vi /etc/sssd/sssd.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[sssd]
domains = ads.lan
config_file_version = 2
services = nss, pam, ssh, autofs
[domain/ads.lan]
ad_domain = ads.lan
krb5_realm = ADS.LAN
krb5_store_password_if_offline = True
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
use_fully_qualified_names = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
fallback_homedir = /home/%u
default_shell = /bin/bash
access_provider = ad
ad_access_filter = (&(memberOf=CN=RO_ADMIN_RZIK_UNIX,OU=grp,OU=haorg,OU=DEU,DC=ads,DC=lan))
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
authconfig --enablesssd --enablesssdauth --update
systemctl status sssd
systemctl restart sssd
systemctl enable sssd
systemctl status sssd
-------------------------------------------
oracle USER
-------------------------------------------
mkdir -p /apps/oracle/diag/krb/cc/
cd /apps/oracle/12.2.0.1/rdbms/network/admin/
ls -ltrha
ln -s /apps/oracle/12.2.0.1/grid/network/admin/vmlli-xendbp01.keytab vmlli-xendbp01.keytab
ls -ltrha
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
vi /apps/oracle/12.2.0.1/rdbms/network/admin/sqlnet.ora
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT)
NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN=WORLD
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,NTS,KERBEROS5PRE,KERBEROS5)
#SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_KEYTAB=/apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
SQLNET.KERBEROS5_CC_NAME=/apps/oracle/diag/krb/cc/krb5cc_99
SQLNET.FALLBACK_AUTHENTICATION = TRUE
#TRACE_LEVEL_SERVER=32
#TRACE_LEVEL_CLIENT=6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
oklist -k -t /apps/oracle/12.2.0.1/rdbms/network/admin/vmlli-xendbp01.keytab
. oraenv
<== +ASM
lsnrctl stop
lsnrctl start
/*
CREATE USER "A0009210@ADS.LAN"
IDENTIFIED EXTERNALLY AS 'A0009210@ADS.LAN'
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 3 Roles for "A0009210@ADS.LAN"
GRANT CONNECT TO "A0009210@ADS.LAN";
GRANT DBA TO "A0009210@ADS.LAN";
GRANT RESOURCE TO "A0009210@ADS.LAN";
ALTER USER "A0009210@ADS.LAN" DEFAULT ROLE ALL;
-- 1 System Privilege for "A0009210@ADS.LAN"
GRANT UNLIMITED TABLESPACE TO "A0009210@ADS.LAN";
CREATE USER "A0008900@ADS.LAN"
IDENTIFIED EXTERNALLY AS 'A0008900@ADS.LAN'
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 3 Roles for "A0008900@ADS.LAN"
GRANT CONNECT TO "A0008900@ADS.LAN";
GRANT DBA TO "A0008900@ADS.LAN";
GRANT RESOURCE TO "A0008900@ADS.LAN";
ALTER USER "A0008900@ADS.LAN" DEFAULT ROLE ALL;
-- 1 System Privilege for "A0008900@ADS.LAN"
GRANT UNLIMITED TABLESPACE TO "A0008900@ADS.LAN";
*/
Quelle: https://www.golinuxcloud.com/add-linux-to-windows-ad-domain-adcli-centos-7
AD Zugriff auf Linux festlegen: https://docs.pagure.org/SSSD.sssd/design_pages/active_directory_access_control.html
About Author
