Optional:
Leave the old domain and sync the clock with the DC. Kerberos rejects tickets when the clock skew is more than a few minutes, so do this before the kinit test below.
ntpdate -u dc01.domain.com
net ads leave domain.com -U username
Optional:
There was an issue with the previous version installed; I had to remove it before installing anything else.
yum remove libipa_hbac -y
Step 1: Install SSSD, Authconfig, SSSD Tools, ADCLI, and KRB5 Workstation
yum install sssd authconfig sssd-tools adcli krb5-workstation -y
Step 2: Configure Kerberos, Samba, and SSSD ****** CASE MATTERS !!!!!!!! ******
The Kerberos realm is always written in upper case (DOMAIN.COM); the DNS domain is written in lower case (domain.com). Mixing them up is the most common reason kinit and the join fail.

Back up and write /etc/krb5.conf:
echo y | cp /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = DC01.DOMAIN.COM
  admin_server = DC01.DOMAIN.COM
  kdc = X.X.X.X
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
EOF

Back up and write /etc/samba/smb.conf. workgroup is the short (NetBIOS) name of the domain; security = ADS and client signing = yes make Samba authenticate with Kerberos and refuse unsigned SMB sessions:
echo y | cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf <<'EOF'
[global]
 workgroup = DOMAIN
 client signing = yes
 #client use spnego = yes
 kerberos method = secrets and keytab
 log file = /var/log/samba/%m.log
 password server = DC01.DOMAIN.COM
 realm = DOMAIN.COM
 security = ADS
EOF

Back up and write /etc/sssd/sssd.conf:
echo y | cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
cat > /etc/sssd/sssd.conf <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, autofs, ssh
domains = DOMAIN.COM
#default_domain_suffix = DOMAIN.COM

[nss]
filter_users = root,ldap,named

[domain/DOMAIN.COM]
id_provider = ad
ad_server = dc01.domain.com
ad_backup_server = dc02.domain.com
ad_domain = domain.com
krb5_realm = DOMAIN.COM
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[autofs]
EOF
chmod 600 /etc/sssd/sssd.conf

Notes on the SSSD settings: sssd refuses to start unless sssd.conf is mode 0600 and owned by root, hence the chmod. access_provider = ad makes SSSD honor the account state in AD (disabled, locked, expired), so disabling an account there also blocks logins here. cache_credentials = True lets users who have already logged in authenticate against the local cache while no DC is reachable, and krb5_store_password_if_offline keeps the password in memory so a ticket can be fetched once a DC is back. ldap_id_mapping = True derives UIDs and GIDs from the users' SIDs instead of reading POSIX attributes from AD, so IDs are stable across machines with the same config but will not match any uidNumber you may have set in AD. enumerate = true is what lets getent passwd and getent group list the whole domain; the cache is filled in the background after sssd starts, and on a large domain this is slow.
Step 3: Restart the services and test that the config files work
service smb restart; service winbind restart; service sssd restart;
(smb and winbind are only present if Samba was already installed on the box; the join and the logins below need only sssd, so an error from those two can be ignored.)
kinit username
Type in your password. If the command returns with no output, it worked. You can check this by typing
klist
which should show a krbtgt/DOMAIN.COM@DOMAIN.COM ticket. If you get an error, something is wrong in the config (realm case, DC name, clock skew) or your password is wrong.
Step 4: Configure PAM Modules, Join Domain
authconfig --update --enablesssd --enablesssdauth
service smb restart; service winbind restart; service sssd restart;
adcli join domain.com -U user -v
Add --enablemkhomedir to the authconfig line if home directories should be created on first login; fallback_homedir in sssd.conf only tells SSSD which path to report, it does not create it. adcli join prompts for the password of an account that is allowed to join computers to the domain, creates the computer object and writes the host keytab to /etc/krb5.keytab; restart sssd afterwards so it picks the keytab up.
Verify that the nsswitch file got updated. passwd, shadow and group should contain sss.
cat /etc/nsswitch.conf
Should look like this (winbind only appears on the passwd, shadow and group lines if winbind was enabled as well; sss is what matters for SSSD):
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
Step 5: Restart services, Print out AD Users, Print out AD Groups, Check ID for test User
service smb restart; service winbind restart; service sssd restart;
getent passwd
getent group
id username
Step 6: Test login
ssh username@127.0.0.1
****IF getent doesn't show anything but id works, restart the services again and check again*****
(With enumerate = true the full user and group list is fetched in the background after sssd starts, so getent can be empty for a while even though single lookups with id already work.)
service smb restart; service winbind restart; service sssd restart;
If you want to limit login based on groups, use pam_access and /etc/security/access.conf. Rules are evaluated top to bottom and the first match wins, so the deny-everything rule must be the last line, and root must stay on the allow line or console logins are blocked too:
cat >> /etc/security/access.conf <<'EOF'
+ : group1 group2 jsmith root : ALL
- : ALL : ALL
EOF
The user/group field is space-separated, so an AD group whose name contains a space cannot be written there as-is. access.conf is only consulted if pam_access is in the PAM stack (authconfig --enablepamaccess); without it the file is ignored silently.
Sudo based on groups
Do not append to /etc/sudoers with echo: a typo there breaks sudo for everyone on the box. Put the rule in a drop-in file (RHEL's /etc/sudoers includes /etc/sudoers.d by default) and let visudo check the syntax:
cat > /etc/sudoers.d/admin <<'EOF'
%admin ALL=(ALL) NOPASSWD: ALL
EOF
chmod 0440 /etc/sudoers.d/admin
visudo -cf /etc/sudoers.d/admin
%admin is resolved through getent group, so it matches the AD group named admin. NOPASSWD gives every member of that group root without re-entering a password; drop it if you want the prompt.