How to easily setup Linux AD Authentication with Realmd and SSSD
This demonstration is for a CentOS or RHEL 7 or 8 based system, but I imagine this is similar for any other Linux system that can obtain the realmd and sssd packages.
First, install the necessary packages. The following pulls in the required dependencies (adcli is what realm join uses to create the computer object; sssd-tools provides sssctl, which you will want later to validate the config):
yum install -y realmd sssd sssd-tools adcli oddjob oddjob-mkhomedir samba-common-tools
Next, join the computer to the domain. You must use either a delegated service account (see this article) or an account that has rights to create computer objects in the target OU, like your admin account 🙂 Prefer the delegated account: the credentials are only used for the join and are not stored on the host, but an admin password typed on a shared box is still an admin password. Check the OU path carefully; if it does not exist the join fails, and if you omit it the computer object lands in the default Computers container.
realm join --computer-ou="OU=someLinuxSvrOU,DC=yourdomain,DC=com" -U <some_joinacct> yourdomain.com
# enter the join account's password when prompted
Once you have joined your computer to the domain, make some adjustments to your “/etc/sssd/sssd.conf” file to apply some common standards to your setup. A few things to keep in mind:
– Substitute “yourdomain.com” with your own FQDN domain name. krb5_realm is the same name in upper case.
– Add the groups or users that you want to be able to log in to your server under simple_allow_groups and simple_allow_users. Because use_fully_qualified_names is True, write them fully qualified (linux-admins@yourdomain.com, not linux-admins); an unqualified entry never matches and the user is silently denied.
– Leave the realmd_tags line exactly as realm join wrote it (joined-with-adcli unless you joined with --membership-software=samba); realmd uses it to recognise the config it manages, including for realm leave.
– default_domain_suffix is an [sssd] option; setting it under [pam] does nothing and is flagged by sssctl config-check, so it only appears once below.
– cache_credentials lets users who have logged in before authenticate while AD is unreachable. That also means a user disabled in AD can still log in offline until the cached entry expires (offline_credentials_expiration), so decide whether your servers need offline logins at all.
– The file must be owned by root with mode 0600; sssd refuses to start on a config that other users can read.
[sssd]
default_domain_suffix = yourdomain.com
domains = yourdomain.com
config_file_version = 2
services = nss, pam

[domain/yourdomain.com]
ad_domain = yourdomain.com
krb5_realm = YOURDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = <comma-separated AD groups, e.g. linux-admins@yourdomain.com>
simple_allow_users = <comma-separated AD users, e.g. someuser@yourdomain.com>

[nss]
homedir_substring = /home

[pam]
Validate the file with sssctl config-check (it catches unknown options, options in the wrong section and bad file permissions), then restart sssd and you are done! Confirm the result with id someuser@yourdomain.com: if the lookup fails, the join or the ID mapping is broken and no PAM setting will help.
systemctl restart sssd
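The following is an added example and not code from the original post: it renders the sssd.conf above from a domain name and allow lists, qualifying any bare group or user name, and then lints the result for the mistakes that actually bite (file mode, a domains= entry with no matching section, unqualified allow-list entries, default_domain_suffix under [pam]). The same qualification rule applies to names you add later with realm permit. The domain yourdomain.com, the group and user names, and the output path are illustrative assumptions; verify_on_host is the sequence to run as root on the joined machine and is not executed by the script itself.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate and lint the sssd.conf
# from the walkthrough. Domain, names and paths below are assumptions.
set -euo pipefail

# qualify_list "a, b@x.com" DOMAIN -> "a@DOMAIN, b@x.com"
# With use_fully_qualified_names = True the simple access provider compares
# fully qualified names, so an unqualified entry would silently never match.
qualify_list() {
  local list="$1" domain="$2" out="" item
  local IFS=','
  for item in $list; do
    item=$(printf '%s' "$item" | sed 's/^ *//;s/ *$//')
    [ -n "$item" ] || continue
    case "$item" in *@*) ;; *) item="$item@$domain" ;; esac
    out="${out:+$out, }$item"
  done
  printf '%s' "$out"
}

# render_sssd_conf DOMAIN OUTFILE [GROUPS] [USERS]   (GROUPS/USERS comma-separated)
render_sssd_conf() {
  local domain="$1" out="$2" groups users realm
  groups=$(qualify_list "${3:-}" "$domain")
  users=$(qualify_list "${4:-}" "$domain")
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')  # Kerberos realm is upper case
  ( umask 077; : > "$out" ); chmod 0600 "$out"   # sssd refuses a config other users can read
  cat >> "$out" <<EOF
[sssd]
default_domain_suffix = $domain
domains = $domain
config_file_version = 2
services = nss, pam

[domain/$domain]
ad_domain = $domain
krb5_realm = $realm
# keep the realmd_tags line realm join wrote (joined-with-samba if you used --membership-software=samba)
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = $groups
simple_allow_users = $users

[nss]
homedir_substring = /home

[pam]
EOF
}

# lint_sssd_conf FILE: print one line per problem; return 1 if any were found.
lint_sssd_conf() {
  local f="$1" problems=0 mode domain key unq
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  mode=$(stat -c '%a' "$f")                                  # GNU stat (Linux)
  if [ "$mode" != "600" ]; then
    echo "mode $mode on $f; sssd requires 0600 owned by root"; problems=$((problems + 1))
  fi
  domain=$(awk -F' *= *' '$1 == "domains" { print $2; exit }' "$f")
  if [ -z "$domain" ]; then
    echo "no domains= line in [sssd]"; problems=$((problems + 1))
  elif ! grep -q "^\[domain/$domain\]" "$f"; then
    echo "domains = $domain but no [domain/$domain] section"; problems=$((problems + 1))
  fi
  if grep -q '^use_fully_qualified_names *= *[Tt]rue' "$f"; then
    for key in simple_allow_groups simple_allow_users; do
      # entries that lack an @domain suffix can never match a qualified user
      unq=$(awk -v k="$key" -F' *= *' '$1 == k { print $2 }' "$f" \
            | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -v -e '^$' -e '@' || true)
      if [ -n "$unq" ]; then
        echo "$key has entries without @$domain that can never match: $unq"; problems=$((problems + 1))
      fi
    done
  fi
  if awk '/^\[/ { sec = $0 } /^default_domain_suffix/ && sec == "[pam]" { found = 1 } END { exit !found }' "$f"; then
    echo "default_domain_suffix is under [pam]; it belongs in [sssd]"; problems=$((problems + 1))
  fi
  return $(( problems > 0 ))
}

# On the joined host, as root (not run by this script): prove the config is
# valid and that AD lookups and the access check work for a real user.
verify_on_host() {
  local user="$1"                     # e.g. someuser@yourdomain.com
  sssctl config-check                 # sssd-tools: unknown options, wrong section, bad permissions
  systemctl restart sssd
  id "$user"                          # NSS lookup through SSSD; fails if join or ID mapping is broken
  sssctl user-checks -s sshd "$user"  # simulate the PAM account check sshd would perform
}
```

Run render_sssd_conf yourdomain.com /etc/sssd/sssd.conf "linux-admins" "someuser" as root, then lint_sssd_conf /etc/sssd/sssd.conf before verify_on_host someuser@yourdomain.com; the lint deliberately fails on exactly the config shape shown earlier in this post when default_domain_suffix is duplicated under [pam].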
Instead of editing sssd.conf by hand, you can manage the allow list with realm permit and realm deny, which rewrite the simple_allow_users and simple_allow_groups lines for you (check the man page for realm for the full option list). The names you pass must be the fully qualified form when use_fully_qualified_names is True.
Syntax from the man page:
realm permit [-ax] [-R realm] {user@domain...}
realm deny -a [-R realm]
# EXAMPLES of common permit commands
realm permit -g "ad_group_name@yourdomain.com"
realm permit user@your_ad_domain_fqdn.com
realm permit -a # permits every domain user; realm deny -a reverts to denying everyone
Ben Tuma