30.4.2.3. Active Directory Domain Example
For SSSD to work with an Active Directory domain, both the Active Directory domain and the local system have to be configured specially to communicate with one another.
Note
The Microsoft Active Directory documentation has complete procedures for configuring the Active Directory domain.
- Using authconfig, set the Linux client to use Active Directory as its LDAP identity provider. For example:
[root@rhel-server ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://ad.example.com:389 --enablekrb5 --krb5realm AD-REALM.EXAMPLE.COM --krb5kdc ad-kdc.example.com:88 --krb5adminserver ad-kdc.example.com:749 --update
The authconfig command is described in Section 29.4, “Command Line Version”.
- Create the Active Directory Domain Services role.
- Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
- On the Active Directory server, create a new Computer object with the name of the Linux client.
  - In the Administrative Tools menu, select the Active Directory Users and Computers application.
  - Expand the Active Directory root object, such as ad.example.com.
  - Right-click Computers, and select the and the item.
  - Enter the name for the Linux client, such as rhel-server, and click .
  - Expand the Computers object.
  - Right-click the rhel-server object, and select .
  - In the UNIX Attributes, enter the name of the Linux NIS domain and the IP address of the Linux server. Click .
- From the command prompt on the Active Directory server, create a machine account, password, and UPN for the Linux host principal.
- Copy the keytab from the Active Directory server to the Linux client, and save it as /etc/krb5.keytab.
- On the Linux system, reset the permissions and owner for the keytab file.
[root@rhel-server ~]# chown root:root /etc/krb5.keytab
[root@rhel-server ~]# chmod 0600 /etc/krb5.keytab
- Restore the SELinux file permissions for the keytab.
[root@rhel-server ~]# restorecon /etc/krb5.keytab
- Verify that the host can connect to the Active Directory domain.
[root@rhel-server ~]# kinit -k -t /etc/krb5.keytab host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
- On the Active Directory server, create a group for the Linux users.
  - Create a new group named unixusers.
  - Open the unixusers group and open the Unix Attributes tab.
  - Configure the Unix settings:
    - The NIS domain
    - The UID
    - The login shell, to /bin/bash
    - The home directory, to /home/aduser
    - The primary group name, to unixusers
- Then, configure the SSSD domain on the Linux machine.
Example 30.2. An Active Directory 2008 Domain
These options are described in the man page for LDAP domain configuration, sssd-ldap(5).
- Restart SSSD.
[root@rhel-server ~]# service sssd restart
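The listing for Example 30.2 is not reproduced on this page, so the following /etc/sssd/sssd.conf is an added illustration, not the page's own example: it wires together the names used in this procedure (ad.example.com, AD-REALM.EXAMPLE.COM, ad-kdc.example.com, and the host/rhel-server.example.com principal from the keytab), while the two search-base DNs are assumed values.

```ini
# /etc/sssd/sssd.conf: added example for this procedure, not the
# page's Example 30.2. Host, realm and principal names are the ones
# used above; the two search-base DNs are assumed values.
[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam

[nss]

[pam]

[domain/ad.example.com]
# Identities come from AD's LDAP interface; passwords are verified
# against the AD KDC over Kerberos rather than by an LDAP simple bind.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
cache_credentials = true
enumerate = false

# Bind to LDAP with the host keytab (GSSAPI) instead of a stored
# bind password, so no directory credential lives in this file.
ldap_uri = ldap://ad.example.com:389
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel-server.example.com@AD-REALM.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = AD-REALM.EXAMPLE.COM
krb5_server = ad-kdc.example.com

# Attribute mapping for accounts populated through Identity
# Management for UNIX (the UNIX Attributes tab used above).
ldap_schema = rfc2307bis
# Assumed container names; adjust to the real directory layout.
ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_group_object_class = group

# Refuse logins for accounts that AD has expired or disabled.
ldap_access_order = expire
ldap_account_expire_policy = ad
```

SSSD refuses to start unless this file is owned by root and readable only by root (mode 0600), the same protection the procedure applies to /etc/krb5.keytab.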