
Chapter 7. Configuring a RHEL host to use AD as an authentication provider


As a system administrator, you can use Active Directory (AD) as the authentication provider for a Red Hat Enterprise Linux (RHEL) host without joining the host to AD.

Use this approach if:

  • You do not want AD administrators to have control over enabling and disabling the host.
  • The host, for example a corporate PC, is used by only one user in your company.
Important

Use this approach only if you have a specific reason to avoid joining your host to AD.

Consider fully joining the system to AD or Red Hat Identity Management (IdM) instead. Joining the RHEL host to a domain makes the setup easier to manage. If you are concerned about client access licenses related to joining clients into AD directly, consider using an IdM server that is in a trust agreement with AD. For more information about an IdM-AD trust, see Planning a cross-forest trust between IdM and AD and Installing a trust between IdM and AD.

Note also what the unjoined host cannot do: because rhel_host has no keytab for the realm, SSSD cannot verify the TGT it obtains during a password login against a host key (the krb5_validate option requires a keytab). Authentication therefore trusts that the KDC reached at ad.example.com is the genuine one, so protect the DNS and network path to the KDC accordingly.

After you complete this procedure, AD_user can log in to rhel_host with the password stored in the AD user database of the example.com domain. In this example, the EXAMPLE.COM Kerberos realm corresponds to the example.com domain.

Prerequisites

  • You have root access to rhel_host.
  • The AD_user user account exists in the example.com domain.
  • The Kerberos realm is EXAMPLE.COM.
  • rhel_host has not been joined to AD using the realm join command.
  • You have installed the sssd-proxy package.

    # dnf install sssd-proxy

Procedure

  1. Create the AD_user user account locally without assigning a password to it. The local account therefore has a locked password and pam_unix cannot authenticate it; the password check is performed by pam_sss against Kerberos, as configured in the following steps:

    # useradd AD_user
  2. Open the /etc/nsswitch.conf file for editing, and make sure that it contains the following lines:

    passwd:     sss files systemd
    group:      sss files systemd
    shadow:     files sss
  3. Open the /etc/krb5.conf file for editing, and make sure that it contains the following sections and items:

    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/
    
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     EXAMPLE.COM = {
         kdc = ad.example.com
         admin_server = ad.example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
  4. Create the /etc/sssd/sssd.conf file and insert the following sections and lines into it:

    [sssd]
        services = nss, pam
        domains = EXAMPLE.COM
    
    [domain/EXAMPLE.COM]
        id_provider = proxy
        proxy_lib_name = files
        auth_provider = krb5
        krb5_realm = EXAMPLE.COM
        krb5_server = ad.example.com
  5. Restrict the permissions on the /etc/sssd/sssd.conf file. SSSD refuses to start if the file is accessible to users other than root:

    # chmod 600 /etc/sssd/sssd.conf
  6. Start the Security System Services Daemon (SSSD):

    # systemctl start sssd
  7. Enable SSSD:

    # systemctl enable sssd
  8. Open the /etc/pam.d/system-auth file, and modify it so that it contains the following sections and lines. The header shows that the file is managed by authselect: if you later run authselect select or authselect apply-changes, authselect regenerates the file and discards these manual edits, so check the file again afterwards:

    # Generated by authselect on Wed May  8 08:55:04 2019
    # Do not modify this file manually.
    
    auth        required                                     pam_env.so
    auth        required                                     pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
    auth        sufficient                                   pam_unix.so nullok try_first_pass
    auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient                                   pam_sss.so forward_pass
    auth        required                                     pam_deny.so
    
    account     required                                     pam_unix.so
    account     sufficient                                   pam_localuser.so
    account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required                                     pam_permit.so
    
    password    requisite                                    pam_pwquality.so try_first_pass local_users_only
    password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient                                   pam_sss.so use_authtok
    password    required                                     pam_deny.so
    
    session     optional                                     pam_keyinit.so revoke
    session     required                                     pam_limits.so
    -session    optional                                     pam_systemd.so
    session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
    session     required                                     pam_unix.so
    session     optional                                     pam_sss.so
  9. Copy the contents of the /etc/pam.d/system-auth file into the /etc/pam.d/password-auth file. Enter yes to confirm the overwriting of the current contents of the file:

    # cp /etc/pam.d/system-auth /etc/pam.d/password-auth
    cp: overwrite '/etc/pam.d/password-auth'? yes
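Steps 3 to 5 above, as one scripted, added example that is not part of the Red Hat documentation. It writes the krb5.conf and sssd.conf from this chapter into a staging root so the result can be reviewed before it is copied onto a real host, and it audits the result: sssd.conf must be mode 0600 and must carry the proxy and krb5 provider settings, and krb5.conf must set the default realm and map the domain to it. The REALM, DOMAIN and KDC variables default to the chapter's example values (EXAMPLE.COM, example.com, ad.example.com); the staging-root parameter, the check functions and the use of GNU stat are assumptions of this example, not of the chapter.

```bash
#!/bin/bash
# Added example (not from the Red Hat documentation): stage and audit the
# krb5.conf and sssd.conf of this chapter. Assumes bash and GNU coreutils.
set -eu

REALM="${REALM:-EXAMPLE.COM}"      # Kerberos realm (chapter example value)
DOMAIN="${DOMAIN:-example.com}"    # DNS domain mapped to the realm
KDC="${KDC:-ad.example.com}"       # AD domain controller acting as KDC

# write_configs ROOT: write ROOT/etc/krb5.conf and ROOT/etc/sssd/sssd.conf.
# Use a scratch directory to preview, or / (as root) to install for real.
write_configs() {
    local root="$1"
    mkdir -p "$root/etc/sssd" "$root/etc/krb5.conf.d"

    cat > "$root/etc/krb5.conf" <<EOF
includedir /etc/krb5.conf.d/

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = $REALM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $REALM = {
     kdc = $KDC
     admin_server = $KDC
 }

[domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
EOF

    # Create sssd.conf under umask 077 so it is root-only from the first
    # write; the chmod afterwards matches step 5 of the chapter.
    (
        umask 077
        cat > "$root/etc/sssd/sssd.conf" <<EOF
[sssd]
    services = nss, pam
    domains = $REALM

[domain/$REALM]
    id_provider = proxy
    proxy_lib_name = files
    auth_provider = krb5
    krb5_realm = $REALM
    krb5_server = $KDC
EOF
    )
    chmod 600 "$root/etc/sssd/sssd.conf"
}

# check_sssd_conf FILE: return 0 only if FILE is mode 0600 and carries the
# provider settings this chapter relies on; report the first problem found.
check_sssd_conf() {
    local f="$1" mode kv key val
    mode=$(stat -c %a "$f")
    if [ "$mode" != "600" ]; then
        echo "$f: mode $mode, SSSD expects 0600" >&2
        return 1
    fi
    for kv in "id_provider=proxy" "auth_provider=krb5" \
              "krb5_realm=$REALM" "krb5_server=$KDC"; do
        key="${kv%%=*}"
        val="${kv#*=}"
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$f"; then
            echo "$f: missing '$key = $val'" >&2
            return 1
        fi
    done
}

# check_krb5_conf FILE: the default realm and the domain-to-realm mapping
# must both be present, otherwise kinit AD_user resolves the wrong realm.
check_krb5_conf() {
    local f="$1"
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$REALM[[:space:]]*$" "$f" &&
    grep -Eq "^[[:space:]]*\.$DOMAIN[[:space:]]*=[[:space:]]*$REALM[[:space:]]*$" "$f"
}
```

Run `write_configs /tmp/stage` as an unprivileged user, inspect the two files, and then either run `write_configs /` as root or copy the staged files into place. The checks cover only what the later systemctl start and kinit steps depend on; they do not replace running kinit against the KDC.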

Verification

  1. Request a Kerberos ticket-granting ticket (TGT) for AD_user. Enter the password of AD_user as requested:

    # kinit AD_user
    Password for AD_user@EXAMPLE.COM:
  2. Display the obtained TGT:

    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: AD_user@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    11/02/20 04:16:38  11/02/20 14:16:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    	renew until 18/02/20 04:16:34

AD_user obtained a TGT from the EXAMPLE.COM Kerberos realm, so rhel_host can authenticate AD_user against AD with the AD password. Because kinit does not go through PAM, also confirm the login path itself by logging in to rhel_host as AD_user, for example over SSH, with the AD password.
