Integrating Centos 7 with Windows Active Directory
When a user logs in to a Linux system, the username and password combination must be verified, or authenticated, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system. In the below example we will configure Linux to use a Windows Active Directory Domain as the user database to which the local system defers authentication to.
Steps to configure Active Directory authentication
Step 1: Install the required prerequisite packages.
[root@localhost ~]# yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp
Step 2: Configure the resolve.conf with the applicable search domains and nameservers.
[root@localhost ~]# vi /etc/resolv.conf search domain.local nameserver 10.1.0.11 nameserver 10.1.0.12
Step 3: Perform a realm join with a domain user account.
[root@localhost ~]# realm join --user=domainuser domain.local Password for domainuser:
Step 4: List the realm configured to ensure integration with Active Directory was successful.
[root@localhost ~]# realm list domain.local type: kerberos realm-name: DOMAIN.LOCAL domain-name: domain.local configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U@domain.local login-policy: allow-realm-logins
Step 5: Using visudo configure user permissions per the below. This will allow the Domain Admins group access to the Linux machine and run any commands.
[root@localhost ~]# visudo ## Allow root to run any commands anywhere root ALL=(ALL) ALL %DOMAIN.LOCAL\\Domain\ Admins ALL=(ALL) ALL
NOTE: Any user group with a space in the name must be separated in the configuration with "\ ". E.g. Domain\ Admins.
Verify the configuration
Now that the configuration is finished lets verify authentication works. Using a SSH client, such as Putty, we can login to the remote Linux system or locally. If successful you will be able to successfully login as I was able to do below.
login as: domain\user1 domain\email@example.com's password: Last login: Wed Aug 23 10:34:27 2015 from user-pc.domain.local [firstname.lastname@example.org@localhost ~]$