| 1 | +--- |
| 2 | +author: Hayden Young |
| 3 | +contributors: Steven Spencer |
| 4 | +--- |
| 5 | + |
| 6 | +# Active Directory Authentication |
| 7 | + |
| 8 | +## Prerequisites |
| 9 | + |
| 10 | +- Some understanding of Active Directory |
| 11 | +- Some understanding of LDAP |
| 12 | + |
| 13 | +## Introduction |
| 14 | + |
| 15 | +Microsoft's Active Directory (AD) is, in most enterprises, the de facto |
| 16 | +authentication system for Windows systems and for external, LDAP-connected |
| 17 | +services. It allows you to configure users and groups, access control, |
| 18 | +permissions, auto-mounting, and more. |
| 19 | + |
| 20 | +Now, while connecting Linux to an AD cluster cannot support _all_ of the |
| 21 | +features mentioned, it can handle users, groups, and access control. It is even |
| 22 | +possible (through some configuration tweaks on the Linux side and some advanced |
| 23 | +options on the AD side) to distribute SSH keys using AD. |
| 24 | + |
| 25 | +This guide, however, will just cover configuring authentication against Active |
| 26 | +Directory, and will not include any extra configuration on the Windows side. |
| 27 | + |
| 28 | +## Discovering and joining AD using SSSD |
| 29 | + |
| 30 | +!!! Note |
| 31 | + Throughout this guide, the domain name `ad.company.local` will be used to represent the Active Directory domain. To follow this guide, replace it with the actual domain name your AD domain uses. |
| 32 | + |
| 33 | +The first step along the way to join a Linux system into AD is to discover your |
| 34 | +AD cluster, to ensure that the network configuration is correct on both sides. |
| 35 | + |
| 36 | +### Preparation |
| 37 | + |
| 38 | +- Ensure the following ports are open to your Linux host on your domain |
| 39 | + controller: |
| 40 | + |
| 41 | + | Service | Port(s) | Notes | |
| 42 | + |----------|-------------------|-------------------------------------------------------------| |
| 43 | + | DNS | 53 (TCP+UDP) | | |
| 44 | + | Kerberos | 88, 464 (TCP+UDP) | Used by `kadmin` for setting & updating passwords | |
| 45 | + | LDAP | 389 (TCP+UDP) | | |
| 46 | + | LDAP-GC | 3268 (TCP) | LDAP Global Catalog - allows you to source user IDs from AD | |
| 47 | + |
| 48 | +- Ensure you have configured your AD domain controller as a DNS server on your |
| 49 | + Rocky Linux host: |
| 50 | + |
| 51 | + **With NetworkManager:** |
| 52 | + ```sh |
| 53 | + # where your primary NetworkManager connection is 'System eth0' and your AD |
| 54 | + # server is accessible on the IP address 10.0.0.2. |
| 55 | + [root@host ~]$ nmcli con mod 'System eth0' ipv4.dns 10.0.0.2 |
| 56 | + ``` |
| 57 | + |
| 58 | + **Manually editing the /etc/resolv.conf:** |
| 59 | + ```sh |
| 60 | + # Edit the resolv.conf file |
| 61 | + [user@host ~]$ sudo vi /etc/resolv.conf |
| 62 | + search lan |
| 63 | + nameserver 10.0.0.2 |
| 64 | + nameserver 1.1.1.1 # replace this with your preferred public DNS (as a backup) |
| 65 | + |
| 66 | + # Make the resolv.conf file unwritable, preventing NetworkManager from |
| 67 | + # overwriting it. |
| 68 | + [user@host ~]$ sudo chattr +i /etc/resolv.conf |
| 69 | + ``` |
| 70 | + |
| 71 | +- Ensure that the time on both sides (AD host and Linux system) is synchronized |
| 72 | + |
| 73 | + **To check the time on Rocky Linux:** |
| 74 | + ```sh |
| 75 | + [user@host ~]$ date |
| 76 | + Wed 22 Sep 17:11:35 BST 2021 |
| 77 | + ``` |
| 78 | + |
| 79 | +- Install the required packages for AD connection on the Linux side: |
| 80 | + |
| 81 | + ```sh |
| 82 | + [user@host ~]$ sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation |
| 83 | + ``` |
| 84 | + |
| 85 | +### Discovery |
| 86 | + |
| 87 | +Now, you should be able to successfully discover your AD server(s) from your |
| 88 | +Linux host. |
| 89 | + |
| 90 | +```sh |
| 91 | +[user@host ~]$ realm discover ad.company.local |
| 92 | +ad.company.local |
| 93 | + type: kerberos |
| 94 | + realm-name: AD.COMPANY.LOCAL |
| 95 | + domain-name: ad.company.local |
| 96 | + configured: no |
| 97 | + server-software: active-directory |
| 98 | + client-software: sssd |
| 99 | + required-package: oddjob |
| 100 | + required-package: oddjob-mkhomedir |
| 101 | + required-package: sssd |
| 102 | + required-package: adcli |
| 103 | + required-package: samba-common |
| 104 | +``` |
| 105 | + |
| 106 | +This will be discovered using the relevant SRV records stored in your Active |
| 107 | +Directory DNS service. |
| 108 | + |
| 109 | +### Joining |
| 110 | + |
| 111 | +Once you have successfully discovered your Active Directory installation from |
| 112 | +the Linux host, you should be able to use `realmd` to join the domain, which |
| 113 | +will orchestrate the configuration of `sssd` using `adcli` and some other such |
| 114 | +tools. |
| 115 | + |
| 116 | +```sh |
| 117 | +[user@host ~]$ sudo realm join ad.company.local |
| 118 | +``` |
| 119 | + |
| 120 | +If this process succeeds, you should now be able to pull `passwd` information |
| 121 | +for an Active Directory user. |
| 122 | + |
| 123 | +```sh |
| 124 | +[user@host ~]$ sudo getent passwd [email protected] |
| 125 | +[email protected]: *:1450400500:1450400513:Administrator:/home/ [email protected]:/bin/bash |
| 126 | +``` |
| 127 | + |
| 128 | +### Attempting to Authenticate |
| 129 | + |
| 130 | +Now your users should be able to authenticate to your Linux host against Active |
| 131 | +Directory. |
| 132 | + |
| 133 | +**On Windows 10:** (which provides its own copy of OpenSSH) |
| 134 | + |
| 135 | +``` |
| 136 | +C:\Users\John.Doe> ssh -l [email protected] linux.host |
| 137 | + |
| 138 | +
|
| 139 | +Activate the web console with: systemctl enable --now cockpit.socket |
| 140 | +
|
| 141 | +Last login: Wed Sep 15 17:37:03 2021 from 10.0.10.241 |
| 142 | + |
| 143 | +``` |
| 144 | + |
| 145 | +If this succeeds, you have successfully configured Linux to use Active |
| 146 | +Directory as an authentication source. |
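Review bot: the Introduction promises access control, but the Joining section stops at `sudo realm join ad.company.local`, which by default lets every domain account log in to the host; add a follow-up step such as `realm deny --all` then `realm permit -g 'linux-admins@ad.company.local'` (group name is a placeholder) so readers restrict logins to an explicit group, and mention `realm list` to show the resulting policy. Smaller points in the same hunk: the Kerberos row of the port table attributes 464 to `kadmin`, but 464 is the kpasswd password-change service (kadmin listens on 749 and is not needed to join AD); `nmcli con mod 'System eth0' ipv4.dns 10.0.0.2` only edits the stored profile, so follow it with `nmcli con up 'System eth0'` for the change to take effect; the manual `/etc/resolv.conf` example uses `search lan` while the Note above says `ad.company.local` is used throughout, and `chattr +i` is a blunt way to stop NetworkManager from rewriting the file when `dns=none` under `[main]` in a `/etc/NetworkManager/conf.d/` drop-in is the supported method; the time-sync step only shows `date` on the Linux side, so state the default 5-minute Kerberos clock-skew limit and point at `chronyc tracking` or at the domain controller as the chrony source; the example account names render as `[email protected]` and should be spelled out as a concrete principal in the `user@ad.company.local` form the getent and ssh examples need; and the `[root@host ~]$` prompt should end in `#`, matching the `[user@host ~]$` convention used for unprivileged prompts elsewhere in the file.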