Introduction

Integrating Linux instances with Microsoft Active Directory (AD) can streamline user management. This guide walks through the steps needed to integrate a Linux instance with an AD domain, allowing centralized authentication and authorization with AD credentials.

Why we use AD integration

To improve security and ensure consistent access controls across a hybrid environment.

Prerequisites

Before starting the integration process, ensure you have the following:

  • Active Directory Domain: An existing AD domain that you want to integrate with.
  • Linux Instance: A Linux instance with network connectivity to the AD domain controller.
  • Administrator Access: Sudo or root access to the Linux instance.
  • Domain Admin Credentials: Access to an AD account with permissions to join devices to the domain.

Install Required Packages

Install the necessary packages on the Linux instance to enable communication with AD.

  • For RHEL/CentOS:

sudo yum install realmd sssd sssd-tools samba-common oddjob oddjob-mkhomedir adcli ntp -y

  • For Ubuntu/Debian:

sudo apt-get update

sudo apt-get install realmd sssd sssd-tools samba-common packagekit oddjob oddjob-mkhomedir adcli ntp -y

Note: These packages include the tool for joining the domain (`realmd`), the service that handles domain authentication (`sssd`), and the dependencies needed for AD communication.

Discover the Active Directory Domain

Discover the AD domain to ensure your Linux instance can see and communicate with it.

  • Run the following command to discover the domain:

sudo realm discover your_domain.com

Note: Replace `your_domain.com` with the actual domain name. This command should return information about the domain, including its fully qualified domain name (FQDN) and configured services.

Join the Linux Instance to the AD Domain

After discovering the domain, proceed to join the Linux instance to the AD domain.

  • Use the following command to join the domain:

sudo realm join --user=your_admin_user your_domain.com

Note: Replace `your_admin_user` with your AD admin username and `your_domain.com` with your actual domain name. You will be prompted for the password of the AD admin account.

  • After joining the domain, verify the join status:

realm list

Note: This command should show that the Linux instance is now part of the domain.

Configure SSSD for Authentication

The System Security Services Daemon (SSSD) handles authentication to the AD domain. After joining the domain, ensure SSSD is properly configured.

  • Edit the `/etc/sssd/sssd.conf` file (it may be auto-configured during the join process):

sudo vi /etc/sssd/sssd.conf

Ensure the following settings are configured:

[sssd]
domains = your_domain.com
config_file_version = 2
services = nss, pam

[domain/your_domain.com]
ad_domain = your_domain.com
krb5_realm = YOUR_DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = true
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = XXXXX
access_provider = simple

  • Set appropriate permissions on the `sssd.conf` file:

sudo chmod 600 /etc/sssd/sssd.conf

  • Restart SSSD to apply the changes:

sudo systemctl restart sssd

Update PAM Configuration

PAM (Pluggable Authentication Modules) needs to be updated to use SSSD for authentication.

  • Enable automatic home directory creation for AD users:

sudo authconfig --enablemkhomedir --update

Test the Integration

To ensure that the integration is successful, test logging in with an AD user account.

  • Try switching to an AD user:

su - ad_user

Note: Replace `ad_user` with an actual AD user account. If the integration is successful, you should be logged in as that user, and a home directory should be created automatically.

(Optional) Restrict Login Access

If you want to restrict which AD users can log in to the Linux instance, you can configure access controls in `/etc/sssd/sssd.conf`.

  • For example, to allow only certain AD groups:

access_provider = simple
simple_allow_groups = ad_group1, ad_group2

Note: Replace `ad_group1` and `ad_group2` with the actual AD group names.
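As an added example that is not part of the original guide, the following bash script audits an sssd.conf against the settings used above: the 600 file mode, a `domains` entry, and an `access_provider` that actually restricts logins (the `simple` provider admits every AD user until `simple_allow_groups` or `simple_allow_users` is set). The function names are assumptions, and the sample config it checks is constructed.

```shell
# Audit an sssd.conf for the settings this guide depends on. The helper
# names (sssd_get_key, check_sssd_conf, demo_sssd_check) are assumptions.
# sssd_get_key FILE KEY: print the value of the first "KEY = value" line.
sssd_get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}
# check_sssd_conf FILE: print one WARN line per finding; the return code is
# the number of findings, so 0 means the file matches the guide's settings.
check_sssd_conf() {
    local conf="$1" findings=0 mode ap
    # The file can hold cached credentials, so the guide sets it to 600.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ "$mode" != "600" ]; then
        echo "WARN: $conf has mode $mode, expected 600"; findings=$((findings + 1))
    fi
    # [sssd] must name the joined domain or no AD lookups happen.
    if [ -z "$(sssd_get_key "$conf" domains)" ]; then
        echo "WARN: no 'domains =' entry in [sssd]"; findings=$((findings + 1))
    fi
    # access_provider = simple only restricts logins when an allow list is set;
    # 'permit' or an unset provider lets every AD user log in.
    ap=$(sssd_get_key "$conf" access_provider)
    case "$ap" in
        simple)
            if [ -z "$(sssd_get_key "$conf" simple_allow_groups)" ] &&
               [ -z "$(sssd_get_key "$conf" simple_allow_users)" ]; then
                echo "WARN: access_provider=simple without simple_allow_groups/users"
                findings=$((findings + 1))
            fi ;;
        ad) ;;  # access decided by AD (e.g. GPO), not audited here
        *)
            echo "WARN: access_provider is '${ap:-unset}'; every AD user may log in"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
# demo_sssd_check: run the audit against a constructed sample config that
# mirrors the guide's template (simple provider, but no allow list yet).
demo_sssd_check() {
    local tmp rc=0; tmp=$(mktemp)
    printf '%s\n' '[sssd]' 'domains = your_domain.com' 'services = nss, pam' \
        '[domain/your_domain.com]' 'id_provider = ad' 'access_provider = simple' > "$tmp"
    chmod 600 "$tmp"
    check_sssd_conf "$tmp" || rc=$?   # expected: one finding (no allow list)
    rm -f "$tmp"
    return "$rc"
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` after the join and again after adding the group restriction; a non-zero exit code lists what still differs from the template.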

Conclusion

Integrating a Linux instance with Active Directory can significantly simplify user management and enhance security by centralizing authentication and authorization. By following this guide, you can ensure a smooth integration, allowing AD users to log in to your Linux instance with their domain credentials.
