Linux direct integration with SSSD
1. Download the sudo schema file for Active Directory; it defines the sudoRole object class and its attributes:
https://github.com/sudo-project/sudo/blob/main/docs/schema.ActiveDirectory
2. Rename the file to kt.ldf, open it and find/replace the base DN placeholder:
Dc=x -> DC=ornek,DC=com
3. Import the file on the Active Directory server:
C:\Users\Administrator\Desktop\direct-entegration>ldifde -i -f kt.ldf
Connecting to "ad.ornek.com"
Logging in as current user using SSPI
Importing directory from file "kt.ldf"
Loading entries………….
12 entries modified successfully.
The command has completed successfully
C:\Users\Administrator\Desktop\direct-entegration>
4. Install SSSD and the realm tools on RHEL 8:
yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
5. Check that the realm is discoverable:
[root@rhel8 ~]# realm discover ad.ornek.com
ornek.com
type: kerberos
realm-name: ORNEK.COM
domain-name: ornek.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
6. Join the domain and verify that a domain user resolves:
realm join ad.ornek.com
[root@rhel8 ~]# getent passwd administrator@ornek.com
administrator@ornek.com:*:549800500:549800513:Administrator:/home/administrator@ornek.com:/bin/bash
### If you want to use the POSIX attributes stored in AD instead of SSSD's automatic ID mapping, join with:
realm join --automatic-id-mapping=no ornek.com
or, on an already joined host, edit /etc/sssd/sssd.conf (ldap_id_mapping = false),
delete the cache: rm -f /var/lib/sss/db/*
and finally restart the service: systemctl restart sssd
7. Manual ID mapping (set the POSIX attributes on the AD user)
You can take help from here: https://chat.openai.com/chat
Set-ADUser -Identity test -Add @{uidNumber="5000"; gidNumber="100"; loginShell="/bin/bash"; unixHomeDirectory="/home/test"}
Get-ADUser -Identity test -Properties * | Out-String -Stream | Select-String "uidNumber","gidNumber","loginShell","unixHomeDirectory"
Result: [screenshot]
Login: [screenshot]
8. Check that the DNS record was updated
C:\Users\Administrator>ping rhel8
Pinging rhel8.ornek.com [192.168.1.228] with 32 bytes of data:
Reply from 192.168.1.228: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.228:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Users\Administrator>ping rhel8.ornek.com
Pinging rhel8.ornek.com [192.168.1.228] with 32 bytes of data:
Reply from 192.168.1.228: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.228:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
9. SUDO rules from Microsoft AD
1. Add "sudo" to the services line of /etc/sssd/sssd.conf (services = nss, pam, sudo).
2. Add a line to /etc/nsswitch.conf:
echo "sudoers: files sss" >> /etc/nsswitch.conf
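A sudoRole object of the kind the sudo schema from step 1 makes possible, as an added example that is not part of the original post; the OU=sudoers container, the AD group linux-admins, the host name and the command list are assumptions. It keeps to least privilege by naming specific commands and a single host instead of ALL.

```ldif
# Constructed example (not from the original post). Import on the AD server with:
#   ldifde -i -f sudo-roles.ldf
# Assumes the sudo schema from step 1 is imported and that OU=sudoers and
# the AD group "linux-admins" already exist (both are assumptions).

# SSSD reads global sudoers defaults from the entry named "defaults".
dn: CN=defaults,OU=sudoers,DC=ornek,DC=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values applied to every rule
sudoOption: env_reset
sudoOption: timestamp_timeout=5

# One rule: members of linux-admins may restart SSSD and read its log,
# as root, on rhel8.ornek.com only.
dn: CN=rhel8-sssd-operators,OU=sudoers,DC=ornek,DC=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: rhel8-sssd-operators
description: Restart SSSD and inspect its log on rhel8
sudoUser: %linux-admins
sudoHost: rhel8.ornek.com
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl restart sssd
sudoCommand: /usr/bin/journalctl -u sssd
sudoOrder: 10
```

On the client, a member of the group can confirm the rule arrived with `sudo -l`; SSSD refreshes rules on a timer, so right after an import you may need `sss_cache -R` to invalidate the cached sudo rules first.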
10. Final Result:
Once SSSD direct integration is in place, "central identity management" for all of the organization's Linux servers is provided through the existing Microsoft AD, and even SUDO privileges can be managed easily from the AD interfaces by the "Identity and Authorization Department".
The SUDO privileges seen on the Linux server side were taken from AD and are managed there.
NOTE: the chronyd service might not work ("Could not step system clock") if open-vm-tools is installed; in that case you should enable VMware time sync:
/usr/bin/vmware-toolbox-cmd timesync status
/usr/bin/vmware-toolbox-cmd timesync enable