Buscar

Este contenido no está disponible en el idioma seleccionado.

Chapter 36. Integrating RHEL systems into AD directly by using the RHEL system role

download PDF

With the ad_integration system role, you can automate a direct integration of a RHEL system with Active Directory (AD) by using Red Hat Ansible Automation Platform.

Important

The ad_integration system role is not included in the ansible-freeipa package. It is part of the rhel-system-roles package. You can install rhel-system-roles on systems with a Red Hat Enterprise Linux Server subscription attached.

36.1. The ad_integration RHEL system role

Using the ad_integration system role, you can directly connect a RHEL system to Active Directory (AD).

The role uses the following components:

  • SSSD to interact with the central identity and authentication source
  • realmd to detect available AD domains and configure the underlying RHEL system services, in this case SSSD, to connect to the selected AD domain
Note

The ad_integration role is for deployments using direct AD integration without an Identity Management (IdM) environment. For IdM environments, use the ansible-freeipa roles.

Additional resources

36.2. Connecting a RHEL system directly to AD by using the ad_integration RHEL system role

You can use the ad_integration system role to configure a direct integration between a RHEL system and an AD domain by running an Ansible playbook.

Note

Starting with RHEL8, RHEL no longer supports RC4 encryption by default. If it is not possible to enable AES in the AD domain, you must enable the AD-SUPPORT crypto policy and allow RC4 encryption in the playbook.

Important

Time between the RHEL server and AD must be synchronized. You can ensure this by using the timesync system role in the playbook.

In this example, the RHEL system joins the domain.example.com AD domain, by using the AD Administrator user and the password for this user stored in the Ansible vault. The playbook also sets the AD-SUPPORT crypto policy and allows RC4 encryption. To ensure time synchronization between the RHEL system and AD, the playbook sets the adserver.domain.example.com server as the timesync source.

Prerequisites

  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The following ports on the AD domain controllers are open and accessible from the RHEL server:

    Table 36.1. Ports Required for Direct Integration of Linux Systems into AD Using the ad_integration system role
    Source PortDestination PortProtocolService

    1024:65535

    53

    UDP and TCP

    DNS

    1024:65535

    389

    UDP and TCP

    LDAP

    1024:65535

    636

    TCP

    LDAPS

    1024:65535

    88

    UDP and TCP

    Kerberos

    1024:65535

    464

    UDP and TCP

    Kerberos change/set password (kadmin)

    1024:65535

    3268

    TCP

    LDAP Global Catalog

    1024:65535

    3269

    TCP

    LDAP Global Catalog SSL/TLS

    1024:65535

    123

    UDP

    NTP/Chrony (Optional)

    1024:65535

    323

    UDP

    NTP/Chrony (Optional)

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure a direct integration between a RHEL system and an AD domain
      hosts: managed-node-01.example.com
      roles:
        - rhel-system-roles.ad_integration
      vars:
        ad_integration_realm: "domain.example.com"
        ad_integration_password: !vault | vault encrypted password
        ad_integration_manage_crypto_policies: true
        ad_integration_allow_rc4_crypto: true
        ad_integration_timesync_source: "adserver.domain.example.com"
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  • Display an AD user details, such as the administrator user:

    $ getent passwd administrator@ad.example.com
    administrator@ad.example.com:*:1450400500:1450400513:Administrator:/home/administrator@ad.example.com:/bin/bash

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file
  • /usr/share/doc/rhel-system-roles/ad_integration/ directory
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.