linux:centos_ad [2018/06/13 02:17] bmiddha |
linux:centos_ad [2021/05/02 21:36] |
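--- a/linux:centos_ad
+++ b/linux:centos_ad
@@ -1,140 +0,0 @@
-====== CentOS 7 AD Client ======
-
-
-====== Install nslcd and kerberos ======
-
-<code>
-yum install -y pam_krb5 krb5-workstation
-yum install -y nscd nss-pam-ldapd wget
-</code>
-
-====== Enalble nslcd service ======
-
-<code>
-systemctl enable nslcd
-</code>
-
-====== Configure nslcd ======
-
-<code>
-authconfig-tui
-</code>
-
-select "Use LDAP" and "Use LDAP Authentication"
-select "Use TLS"
-<code>
-Server: ldaps://ad1.acm.cs
-Base DN: dc=acm,dc=cs
-</code>
-
-====== Update nslcd config ======
-
-<file|/etc/nslcd.conf>
-uri ldaps://ad1.acm.cs
-uri ldaps://ad2.acm.cs
-uri ldaps://ad3.acm.cs
-
-ldap_version 3
-
-base dc=acm,dc=cs
-
-binddn apacheacm@acm.cs
-bindpw (ask sysadmin)
-
-base group ou=ACMGroups,dc=acm,dc=cs
-base passwd ou=ACMUsers,dc=acm,dc=cs
-base shadow ou=ACMUsers,dc=acm,dc=cs
-
-bind_timelimit 3
-
-timelimit 30
-
-ssl on
-#ssl start_tls
-tls_reqcert never
-
-# Mappings for Active Directory
-pagesize 1000
-referrals off
-idle_timelimit 800
-filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
-map passwd uid sAMAccountName
-map passwd homeDirectory unixHomeDirectory
-map passwd gecos displayName
-filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
-map shadow uid sAMAccountName
-map shadow shadowLastChange pwdLastSet
-filter group (objectClass=group)
-</file>
-nslcd.conf should not be world readable if bindpw is set
-
-<code>
-chmod 600 /etc/nslcd.conf
-</code>
-
-====== More LDAP Config ======
-make sure that passwd, group and shadow have files and then ldap
-<file|/etc/nsswitch.conf>
-passwd: files ldap
-group: files ldap
-shadow: files ldap
-</file>
-
-====== Start nslcd Service ======
-<code>
-systemctl start nslcd
-</code>
-====== Testing the configuration ======
-<code>
-getent passwd
-</code>
-you should see the users form AD
-
-<code>
-su - usernameInAd
-</code>
-this should work
-<code>
-[root@centosimg acmadmin]# su - bmiddha
-su: warning: cannot change directory to /home/bmiddha: No such file or directory
--bash-4.2$
-</code>
-
-
-====== Password auth with kerberos ======
-
-<file|/etc/krb5.conf>
-[libdefaults]
-default_realm = ACM.CS
-dns_lookup_realm = false
-dns_lookup_kdc = true
-
-[realms]
-
-[domain_realm]
-acm.cs = ACM.CS
-.acm.cs = ACM.CS
-
-[logging]
-# kdc = CONSOLE
-</file>
-
-Now you should be able to ssh with password
-
-====== Sudo access to LAN Admins ======
-Create this file
-
-<file|/etc/sudoers.d/AcmLanAdmins>
-%AcmLanAdmins ALL=(ALL) ALL
-</file>
-
-====== Auto create home directories ======
-Append File
-<file|/etc/pam.d/sshd>
-.
-.
-# Create home directories
-session required pam_mkhomedir.so skel=/etc/skel/
-</file>
-
-====== All Done! ======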