Difference between revisions of "AD integration - ssh/sudoers using AD accounts"
(Created page with "# install vmware tools yum -y install open-vm-tools apt-get install open-vm-tools service vmtoolsd start systemctl enable vmtoolsd # Add missing basic networking tools...") |
(6 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
− | + | [[Category:Linux]] | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | Use NTP for time synchronization | ||
+ | apt install chrony | ||
+ | # Use AD DCs as NTP source in /etc/chrony/chrony.conf | ||
+ | server dc01.domain.local iburst | ||
+ | server dc02.domain.local iburst | ||
− | + | systemctl enable chrony ; systemctl restart chrony | |
− | + | timedatectl set-timezone Pacific/Auckland | |
+ | timedatectl ; chronyc makestep | ||
+ | systemctl disable systemd-timesyncd ; systemctl stop system-timesyncd | ||
+ | Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins | ||
+ | %Domain\ Admins ALL=(ALL) ALL | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Enable AD authentication and DNS registration | |
− | + | yum -y install sssd adcli realmd samba-common-tools oddjob oddjob-mkhomedir | |
− | + | apt install sssd-ad sssd-tools realmd adcli | |
− | + | realm -v discover domain.local | |
+ | realm join domain.local --user administrator | ||
+ | Add those to /etc/sssd/sssd.conf | ||
+ | access_provider = simple | ||
+ | simple_allow_groups = Domain Admins@domain.local | ||
+ | use_fully_qualified_names = false | ||
+ | dyndns_update = true | ||
+ | dyndns_refresh_interval = 43200 | ||
+ | dyndns_update_ptr = true | ||
+ | dyndns_ttl = 3600 | ||
− | + | Now restart it | |
− | + | systemctl restart sssd.service | |
− | + | ||
+ | Enable homedir creation | ||
+ | pam-auth-update | ||
− | + | Restrict root login from ssh in /etc/ssh/sshd.conf | |
− | + | PermitRootLogin no | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | PermitRootLogin no | + |
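Review bot: The unit name in `systemctl stop system-timesyncd` (the NTP block on the new side) does not match the `systemd-timesyncd` unit that the same line disables, so the stop command fails and timesyncd keeps running alongside chrony until the next reboot; `systemctl disable --now systemd-timesyncd` does both in one step. The root-login hardening is written to `/etc/ssh/sshd.conf`, but OpenSSH reads `/etc/ssh/sshd_config` and the page never reloads the daemon, so `PermitRootLogin no` as written has no effect; after correcting the path, follow it with `sshd -t && systemctl restart sshd` (the unit is named `ssh` on Debian/Ubuntu). The sudoers drop-in should be validated with `visudo -cf /etc/sudoers.d/ad-admins` and given mode 0440, because a syntax error in any sudoers.d file makes sudo refuse to run for every user. `realm join domain.local --user administrator` works, but it ties the join to the Domain Administrator account; a delegated account with only computer-join rights is the least-privilege choice for a reusable procedure.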
Latest revision as of 16:52, 6 March 2025
Use NTP for time synchronization (AD/Kerberos authentication fails if the clock drifts from the domain controllers)
apt install chrony
# Use AD DCs as NTP source in /etc/chrony/chrony.conf
server dc01.domain.local iburst
server dc02.domain.local iburst
systemctl enable chrony ; systemctl restart chrony
timedatectl set-timezone Pacific/Auckland
timedatectl ; chronyc makestep
systemctl disable systemd-timesyncd ; systemctl stop systemd-timesyncd
Allow sudo for the required AD group by adding the following line to /etc/sudoers.d/ad-admins
%Domain\ Admins ALL=(ALL) ALL
Enable AD authentication and DNS registration
yum -y install sssd adcli realmd samba-common-tools oddjob oddjob-mkhomedir
apt install sssd-ad sssd-tools realmd adcli
realm -v discover domain.local
realm join domain.local --user administrator
Add the following settings to /etc/sssd/sssd.conf
access_provider = simple
simple_allow_groups = Domain Admins@domain.local
use_fully_qualified_names = false
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
Then restart sssd so the new settings take effect
systemctl restart sssd.service
Enable homedir creation
pam-auth-update
Disable root login over SSH in /etc/ssh/sshd_config
PermitRootLogin no