Step-by-step guide to configure a Linux machine in an Active Directory domain:
Preparations and package installation
Start by updating the packages already present on the machine, and then proceed to install only what we actually need.
Update the package lists with the command for your distribution (apt on Debian/Ubuntu, yum or dnf on RHEL-based systems):
sudo apt update
sudo yum update
And proceed with the installation of the packages:
sudo apt install -y realmd libnss-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools -y
Configuring the realm
In short, realm (the command-line client of realmd) lets us discover and join domains and manage the machine's membership in them.
To start, we first need to discover the domain we are looking for.
Use the following command:
realm discover DOMAIN-NAME
We will have a response similar to this.
Now that we have discovered the domain, we need to join it with a domain user who is allowed to create computer accounts. Use the following command, replacing USUARIO with that user and DOMINIO with the domain name:
sudo realm join -U USUARIO DOMINIO
If no errors have occurred so far, we can verify that we are indeed joined by checking an AD user's identity and groups with the following command.
Another way to verify that everything is working is the following:
This way, we can confirm that we are already joined to the desired domain.
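As an added check that is not part of the original guide, the shell functions below turn the output of realm list into a scriptable test (for example, from a configuration audit) instead of something to eyeball: they confirm the domain is configured as kerberos-member, read a field such as login-policy, and check that a group is in permitted-groups. The realm-list text, domain names and group names are a constructed sample used for the offline test; on a real host pipe realm list into the functions.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the AD join from the
# output of `realm list`. On a real host:
#   realm list | check_realm_joined domain.local && echo joined
# SAMPLE_REALM_LIST is a constructed sample (assumed domain, realm and group
# names) so the functions can be exercised offline.
SAMPLE_REALM_LIST='domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@domain.local
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: linuxuser, linuxadmin
other.local
  type: kerberos
  realm-name: OTHER.LOCAL
  domain-name: other.local
  configured: no'

# check_realm_joined DOMAIN   (reads `realm list` output on stdin)
# Succeeds only when DOMAIN is listed and configured as kerberos-member,
# i.e. a computer account exists and sssd is configured for that realm.
check_realm_joined() {
  awk -v want="$1" '
    /^[^ \t]/ { current = $1; next }        # unindented line starts a realm block
    current == want && /^[ \t]*configured:[ \t]*kerberos-member[ \t]*$/ { ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# realm_field DOMAIN FIELD   (reads `realm list` output on stdin)
# Prints the value of FIELD (login-policy, permitted-groups, ...) for DOMAIN.
realm_field() {
  awk -v want="$1" -v field="$2" '
    /^[^ \t]/ { current = $1; next }
    current == want && $0 ~ ("^[ \t]*" field ":") {
      sub("^[ \t]*" field ":[ \t]*", ""); print; exit }'
}

# realm_permits_group DOMAIN GROUP   (reads `realm list` output on stdin)
# Succeeds when GROUP is one of the comma-separated permitted-groups entries.
realm_permits_group() {
  realm_field "$1" permitted-groups \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qx "$2"
}
```

The functions read from standard input so the same code works with the live realm list output and with a saved copy of it; a domain that is discovered but not joined (configured: no) fails the first check.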
On Ubuntu, one additional PAM configuration step is needed so that the user's home directory is created at first login.
Just run the command:
sudo pam-auth-update --enable mkhomedir
We now need to open the file /etc/sssd/sssd.conf to make the modifications. In this file we will change the use_fully_qualified_names option, which realm join sets to True. With this option enabled, users are named in the format user@domain instead of just user.
In our case we will set it to False, since we have only one AD. However, note that this change should only be made if you are certain that no other domain will be added to the AD forest: without qualified names, a user that exists with the same name in two domains becomes ambiguous.
use_fully_qualified_names = False
The option fallback_homedir = /home/%u@%d we will change to
fallback_homedir = /home/%u. By removing the "@%d" part, the user's folder will be created with only the username.
The option access_provider = ad we will change to
access_provider = simple.
Now let's add an option that is not yet present in our file, simple_allow_groups. In this option we list the AD groups whose members are allowed to access the Linux machine; AD users outside these groups are denied.
In our case we have two groups, linuxuser and linuxadmin. To add them, we include
simple_allow_groups = linuxuser, linuxadmin in the file.
As a result, the file will look like this:
Note: where the file says 'Domain.local', use the domain you are integrating with the system. The extra simple_allow_* line shown in the file is added automatically by the realm permit commands in the next step.
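The edits above are easy to get wrong by hand (a key set in the wrong section is silently ignored by sssd, and a duplicate key shadows the first). As an added example that is not from the original guide, the script below applies the same four changes with a section-aware editor, restricts the file to root, and exposes a reader so the result can be verified. The sample configuration, domain name and group names are assumptions for the offline test; on a real host the target is /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the sssd.conf changes from
# the guide inside [domain/DOMAIN] only, then verify them. On a real host (as root):
#   apply_guide_changes /etc/sssd/sssd.conf domain.local 'linuxuser, linuxadmin'
#   systemctl restart sssd

# set_sssd_key FILE SECTION KEY VALUE
# Replaces "KEY = ..." inside [SECTION], or appends it to that section; a key
# with the same name in another section is left untouched.
set_sssd_key() {
  file="$1" section="$2" key="$3" value="$4"
  tmp="$(mktemp)"
  awk -v sec="$section" -v key="$key" -v val="$value" '
    function flush() { if (in_sec && !done) { print key " = " val; done = 1 } }
    /^\[.*\]$/ { flush(); in_sec = ($0 == "[" sec "]") }        # section header
    in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {          # existing key
      print key " = " val; done = 1; next }
    { print }
    END { if (!in_sec && !done) print "[" sec "]"; in_sec = 1; flush() }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of FILE
  rm -f "$tmp"
}

# sssd_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
sssd_get() {
  awk -v sec="$2" -v key="$3" '
    /^\[.*\]$/ { in_sec = ($0 == "[" sec "]"); next }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# apply_guide_changes FILE DOMAIN GROUPS
# The four changes described in the guide, plus the permissions sssd insists on.
apply_guide_changes() {
  file="$1" domain="$2" groups="$3"
  sec="domain/$domain"
  set_sssd_key "$file" "$sec" use_fully_qualified_names False
  set_sssd_key "$file" "$sec" fallback_homedir '/home/%u'
  set_sssd_key "$file" "$sec" access_provider simple
  set_sssd_key "$file" "$sec" simple_allow_groups "$groups"
  chmod 600 "$file"                               # sssd refuses a group/world-readable file
  chown root:root "$file" 2>/dev/null || true     # only possible when running as root
}

# write_sample_conf FILE: a constructed file in the shape realm join leaves
# behind (assumed content), used so the example can be exercised offline.
write_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = domain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
}
```

Running apply_guide_changes twice leaves the file unchanged, which is what you want from a script that may be re-run by configuration management. With access_provider = simple, sssd no longer evaluates AD logon rights (the ad provider's GPO-based checks); the simple_allow_groups list becomes the only access control, so keep it short and audit it.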
Finally, to conclude the SSSD configuration, we allow access for users in the groups we added to simple_allow_groups. The -g flag tells realm to treat the names as groups; without it, realm permit treats each name as a user and adds it to simple_allow_users instead. Use the following commands:
realm permit -g [group]
realm permit -g linuxuser
realm permit -g linuxadmin
With the steps above, we can log in to the machine with an AD user. However, that user will not have root access. To solve this, we add the groups to the /etc/sudoers file (always edit it with visudo, which checks the syntax before saving). The result will be as follows:
We added the %linuxuser group so that all users in the linuxuser group can access the machine and obtain root access through sudo.
By following these steps, Active Directory users will be able to authenticate on the Linux machine with the appropriate privileges. Always follow security best practices when performing these configurations.
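The guide adds the group rule to /etc/sudoers itself. As an added example that is not from the original guide, the functions below write the same kind of rule as a drop-in under /etc/sudoers.d and validate it before it can take effect, which is the form that survives package upgrades and is easy to remove. The group name is a parameter: the guide grants %linuxuser, but granting only the admin group (linuxadmin) is the least-privilege choice. The directory argument and the group names are assumptions so the offline test can use a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original guide: grant sudo to an AD group via a
# validated drop-in file. On a real host (as root):
#   f=$(write_sudo_rule /etc/sudoers.d linuxadmin) && check_sudo_rule "$f"

# write_sudo_rule DIR GROUP -> prints the path of the drop-in it wrote
# The rule gives members of GROUP full sudo, the same effect as the guide's
# %linuxuser line. Group names with spaces or other unusual characters
# (common in AD) need quoting in sudoers and are rejected here on purpose.
write_sudo_rule() {
  dir="$1" group="$2"
  case "$group" in
    ""|*[!A-Za-z0-9_.-]*) echo "unsupported group name: $group" >&2; return 1 ;;
  esac
  file="$dir/ad-$group"
  ( umask 077; printf '%%%s ALL=(ALL:ALL) ALL\n' "$group" > "$file" )   # never world-readable
  chmod 0440 "$file"                        # the mode sudo expects for sudoers files
  printf '%s\n' "$file"
}

# check_sudo_rule FILE
# Uses visudo when it is available and we are root (it also checks owner and
# mode); otherwise falls back to a strict pattern check of the one-line rule.
check_sudo_rule() {
  if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    visudo -cqf "$1"
  else
    grep -Eqx '%[A-Za-z0-9_.-]+ ALL=\(ALL:ALL\) ALL' "$1"
  fi
}
```

A syntax error in any sudoers file disables sudo for everyone, so the validation step is not optional; visudo -cf is the same check visudo performs before it saves an interactive edit.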