5.2. Configuring a Managed Service Account for a RHEL host


This procedure creates a Managed Service Account (MSA) for a host from the lab.example.com Active Directory (AD) domain, and configures SSSD so you can access and authenticate to the production.example.com AD domain.

Note

If you need to access AD resources from a RHEL host, Red Hat recommends that you join the RHEL host to the AD domain with the realm command. See Connecting RHEL systems directly to AD using SSSD.

Only perform this procedure if one of the following conditions applies:

  • You cannot join the RHEL host to the AD domain, and you want to create an account for that host in AD.
  • You have joined the RHEL host to an AD domain, and you need to access another AD domain where the host credentials from the domain you have joined are not valid, such as with a one-way trust.

Prerequisites

  • Ensure that the RHEL host can reach the following ports on the AD domain controllers (the host initiates these connections; no inbound ports on the RHEL host are required for this procedure).

    Service            Port   Protocols
    DNS                53     TCP, UDP
    LDAP               389    TCP, UDP
    LDAPS (optional)   636    TCP, UDP
    Kerberos           88     TCP, UDP

  • You have the password for an AD Administrator that has rights to create MSAs in the production.example.com domain.
  • You have root permissions, which are required to run the adcli command and to modify the /etc/sssd/sssd.conf configuration file.
  • Optional: You have the krb5-workstation package installed, which includes the klist diagnostic utility.

Procedure

  1. Create an MSA for the host in the production.example.com AD domain.

    [root@client ~]# adcli create-msa --domain=production.example.com
  2. Display information about the MSA from the Kerberos keytab that was created. Make note of the MSA name:

    [root@client ~]# klist -k /etc/krb5.keytab.production.example.com
    Keytab name: FILE:/etc/krb5.keytab.production.example.com
    KVNO Principal
    ---- ------------------------------------------------------------
       2 CLIENT!S3A$@PRODUCTION.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       2 CLIENT!S3A$@PRODUCTION.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
  3. Open the /etc/sssd/sssd.conf file and choose the appropriate SSSD domain configuration to add:

    • If the MSA corresponds to an AD domain from a different forest, create a new domain section named [domain/<name_of_domain>], and enter information about the MSA and the keytab. The most important options are ldap_sasl_authid, ldap_krb5_keytab, and krb5_keytab:

      [domain/production.example.com]
      ldap_sasl_authid = CLIENT!S3A$@PRODUCTION.EXAMPLE.COM
      ldap_krb5_keytab = /etc/krb5.keytab.production.example.com
      krb5_keytab = /etc/krb5.keytab.production.example.com
      ad_domain = production.example.com
      krb5_realm = PRODUCTION.EXAMPLE.COM
      access_provider = ad
      ...
      Warning

      Even with an existing trust relationship, sssd-ad requires an MSA in the second forest.

    • If the MSA corresponds to an AD domain from the local forest, create a new sub-domain section in the format [domain/root.example.com/sub-domain.example.com], and enter information about the MSA and the keytab. The most important options are ldap_sasl_authid, ldap_krb5_keytab, and krb5_keytab:

      [domain/ad.example.com/production.example.com]
      ldap_sasl_authid = CLIENT!S3A$@PRODUCTION.EXAMPLE.COM
      ldap_krb5_keytab = /etc/krb5.keytab.production.example.com
      krb5_keytab = /etc/krb5.keytab.production.example.com
      ad_domain = production.example.com
      krb5_realm = PRODUCTION.EXAMPLE.COM
      access_provider = ad
      ...
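The following script is an added example for this procedure and is not part of the Red Hat documentation or of adcli/SSSD. It does the two things that steps 2 and 3 leave to the reader: it extracts the MSA principal from the output of `klist -k` and derives the matching SSSD domain stanza from it (both the different-forest form and the same-forest sub-domain form), so the `ldap_sasl_authid`, `ad_domain` and `krb5_realm` values cannot drift out of sync with the keytab. It also checks the keytab's file mode: the keytab holds the MSA's long-term key, so anyone who can read it can authenticate as that account, and it should be owned by root with no group or world access. The `klist -k` output below is constructed to mirror the format shown in step 2; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Red Hat documentation. Assumes POSIX sh,
# awk, tr and ls. The klist output is constructed to match step 2 of the
# procedure; principal names contain '!' and '$', so always quote them.

# Constructed sample of `klist -k /etc/krb5.keytab.production.example.com`.
sample_klist_output() {
    printf '%s\n' \
        'Keytab name: FILE:/etc/krb5.keytab.production.example.com' \
        'KVNO Principal' \
        '---- ------------------------------------------------------------' \
        '   2 CLIENT!S3A$@PRODUCTION.EXAMPLE.COM (aes256-cts-hmac-sha1-96)' \
        '   2 CLIENT!S3A$@PRODUCTION.EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
}

# msa_principal: read klist -k output on stdin and print the first principal.
# Entry lines start with a numeric KVNO followed by user@REALM; the header
# and separator lines do not, so they are skipped.
msa_principal() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2; exit }'
}

# sssd_domain_section PRINCIPAL KEYTAB [PARENT_DOMAIN]
# Emit the [domain/...] stanza from step 3. With a third argument the
# same-forest sub-domain form [domain/PARENT/CHILD] is produced; without it
# the different-forest form [domain/CHILD] is produced. The realm is taken
# from the principal and lower-cased to form the domain name.
sssd_domain_section() {
    principal=$1
    keytab=$2
    parent=$3
    realm=${principal#*@}
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if [ -n "$parent" ]; then
        printf '[domain/%s/%s]\n' "$parent" "$domain"
    else
        printf '[domain/%s]\n' "$domain"
    fi
    printf 'ldap_sasl_authid = %s\n' "$principal"
    printf 'ldap_krb5_keytab = %s\n' "$keytab"
    printf 'krb5_keytab = %s\n' "$keytab"
    printf 'ad_domain = %s\n' "$domain"
    printf 'krb5_realm = %s\n' "$realm"
    printf 'access_provider = ad\n'
}

# keytab_mode_ok FILE: succeed only if the keytab exists and has no group or
# world permission bits (columns 5-10 of `ls -l` are all '-').
keytab_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perm=$(ls -ld "$f" | cut -c5-10)
    [ "$perm" = '------' ]
}

# Stand-alone run: derive the stanza from the constructed klist output.
if [ "${0##*/}" != "sh" ] && [ -z "$SSSD_MSA_NO_MAIN" ]; then
    p=$(sample_klist_output | msa_principal)
    echo "MSA principal: $p"
    sssd_domain_section "$p" /etc/krb5.keytab.production.example.com
fi
```

Run it as a script to see the generated stanza; in practice, pipe the real `klist -k` output into `msa_principal` instead of the constructed sample, and run `keytab_mode_ok /etc/krb5.keytab.production.example.com` (and `chmod 600` plus `chown root:root` if it fails) before pointing SSSD at the file. The MSA's keytab is the host's only credential in the second domain, so it warrants the same handling as `/etc/krb5.keytab`.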

Verification

  • Verify that you can retrieve a Kerberos ticket-granting ticket (TGT) as the MSA (quote the principal, because its name contains ! and $):

    [root@client ~]# kinit -k -t /etc/krb5.keytab.production.example.com 'CLIENT!S3A$'
    [root@client ~]# klist
    Ticket cache: KCM:0:54655
    Default principal: CLIENT!S3A$@PRODUCTION.EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    11/22/2021 15:48:03  11/23/2021 15:48:03  krbtgt/PRODUCTION.EXAMPLE.COM@PRODUCTION.EXAMPLE.COM
  • In AD, verify that an MSA for the host exists in the Managed Service Accounts Organizational Unit (OU).