Wednesday, June 25, 2014

Adding RHEL6/CentOS6 to Active Directory

Using Linux as a client against AD for user identification has improved a lot lately.
From RHEL 6.5, Ubuntu 14.04 and Debian 8 it is very easy to set up without talking to LDAP directly.

This has been tested on CentOS 6.5 and Windows 2012 R2

Windows 2012 R2 setup:

On the AD controller, install Identity Management for UNIX from Server Manager.
You can find the documentation from Microsoft here.
Then you can set the uid, gid and login shell of each user from the UNIX Attributes tab in Active Directory Users and Computers.

RHEL6 setup:

Enable EPEL first, and install the adcli package. It pulls in everything else it needs (the Kerberos client libraries included).
Then run adcli join your.ad.domain (by default it prompts for the Administrator password; use -U to join with another account allowed to add computers).
If you get an error about reverse DNS, set rdns = false in the [libdefaults] section of /etc/krb5.conf.
While in there, also set default_realm to your Kerberos realm, which is the AD domain name in upper case (YOUR.AD.DOMAIN).
Now the RHEL machine should be a member of your domain, and its computer account should show up in Active Directory Users and Computers.

Next, install SSSD with yum and create /etc/sssd/sssd.conf with your favorite editor (read: vim).
Note that logging (debug_level) is set pretty high, so you should lower it once things are working. Short names are also enabled, so you can log in as username instead of username@your.ad.domain.


[sssd]
config_file_version = 2
domains = your.ad.domain
services = nss, pam
debug_level = 7

[domain/your.ad.domain]
# Uncomment if you need offline logins (password hashes are then cached locally)
# cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad
debug_level = 7
ad_domain = your.ad.domain

# Uncomment if service discovery via DNS SRV records is not working
#ad_server = server.your.ad.domain

# False: use the POSIX UIDs and GIDs set on the AD side (this is the point of
# installing Identity Management for UNIX). True would let sssd generate ids from the SID instead.
ldap_id_mapping = False

# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# (the realm part is upper case)
# ldap_sasl_authid = host/server.your.ad.domain@YOUR.AD.DOMAIN

# Uncomment if you prefer fully qualified names (username@your.ad.domain) over short names
#use_fully_qualified_names = True


Due to an old bug in the sssd config parser (it chokes on a file without a trailing newline), append an empty line to the end of the file. sssd also refuses to start unless the file is owned by root with mode 0600, which is what you want anyway since the file may hold credentials. Then enable it with authconfig:
chown root:root /etc/sssd/sssd.conf
echo >> /etc/sssd/sssd.conf 
chmod 0600 /etc/sssd/sssd.conf
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

And finally start sssd:
service sssd start

You should now be able to test it with:
getent passwd username@your.ad.domain
id username

If it works, you should be able to log in with your AD username, with the uid/gid and shell all taken from AD.
If not, there are plenty of logs in /var/log/sssd/*.
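The whole RHEL6 side of the procedure above, scripted, as an added example that is not part of the original post. It writes the krb5.conf and sssd.conf the post describes, enforces the 0600 permission and trailing newline sssd needs, and only runs the live join (adcli, authconfig, service start) when invoked as "./adjoin.sh join your.ad.domain someuser". The domain name, the test user, the temporary file paths and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original post: script the CentOS 6 side of the AD join.
set -eu

# Kerberos realm names are upper case by convention; derive it from the DNS domain.
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Minimal krb5.conf with default_realm set and rdns switched off (the two edits
# the post suggests when the join fails on reverse DNS). Replaces the stock file;
# merge by hand if you already have other realms configured.
write_krb5_conf() {
    domain="$1"; outfile="$2"
    cat > "$outfile" <<EOF
[libdefaults]
default_realm = $(realm_of "$domain")
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
EOF
}

# sssd.conf taking POSIX ids from AD (ldap_id_mapping = False). Written under a
# restrictive umask so the file never exists world-readable, then forced to 0600
# because sssd refuses to start otherwise. The blank last line works around the
# old "no newline at end of file" parser bug the post mentions.
write_sssd_conf() {
    domain="$1"; outfile="$2"
    (
        umask 077
        cat > "$outfile" <<EOF
[sssd]
config_file_version = 2
domains = $domain
services = nss, pam
debug_level = 7

[domain/$domain]
id_provider = ad
auth_provider = ad
access_provider = ad
debug_level = 7
ad_domain = $domain
ldap_id_mapping = False
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

EOF
    )
    chmod 0600 "$outfile"
}

# Sanity checks before starting sssd: mode 0600, newline-terminated, the expected
# domain section present and id mapping disabled. Non-zero return on any failure.
check_sssd_conf() {
    file="$1"; domain="$2"
    perms=$(ls -l "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$file: mode is $perms, want -rw-------" >&2; return 1; }
    [ "$(tail -c1 "$file" | wc -l)" -eq 1 ] || { echo "$file: missing trailing newline" >&2; return 1; }
    grep -q "^\[domain/$domain\]$" "$file" || { echo "$file: no [domain/$domain] section" >&2; return 1; }
    grep -q "^ldap_id_mapping = False$" "$file" || { echo "$file: POSIX id mapping not disabled" >&2; return 1; }
    return 0
}

# The live procedure: needs root, network access to a DC and an account allowed
# to join computers. Only executed when the script is called with "join".
join_domain() {
    domain="$1"; testuser="$2"
    write_krb5_conf "$domain" /etc/krb5.conf
    adcli join "$domain"
    write_sssd_conf "$domain" /etc/sssd/sssd.conf
    chown root:root /etc/sssd/sssd.conf
    check_sssd_conf /etc/sssd/sssd.conf "$domain"
    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
    chkconfig sssd on          # also start sssd at boot (EL6 still uses SysV init)
    service sssd start
    # Smoke test: the lookup must return the uid/gid and shell set in AD.
    getent passwd "$testuser@$domain"
    id "$testuser"
}

if [ "${1:-}" = "join" ]; then
    join_domain "$2" "$3"
fi
```

The config-writing and checking functions run offline, so you can generate the files into a scratch directory and inspect them before touching /etc on a real host; check_sssd_conf deliberately does not check the owner, since chown to root only makes sense on the target machine.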
