Difference between revisions of "AD integration - ssh/sudoers using AD accounts"
From Tech-Wiki
| Line 11: | Line 11: | ||
timedatectl ; chronyc makestep | timedatectl ; chronyc makestep | ||
systemctl disable systemd-timesyncd ; systemctl stop system-timesyncd | systemctl disable systemd-timesyncd ; systemctl stop system-timesyncd | ||
| − | |||
Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins | Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins | ||
| Line 22: | Line 21: | ||
realm -v discover domain.local | realm -v discover domain.local | ||
realm join domain.local --user administrator | realm join domain.local --user administrator | ||
| − | + | ||
Add those to /etc/sssd/sssd.conf | Add those to /etc/sssd/sssd.conf | ||
access_provider = simple | access_provider = simple | ||
| Line 31: | Line 30: | ||
dyndns_update_ptr = true | dyndns_update_ptr = true | ||
dyndns_ttl = 3600 | dyndns_ttl = 3600 | ||
| − | + | ||
Now restart it | Now restart it | ||
systemctl restart sssd.service | systemctl restart sssd.service | ||
| Line 37: | Line 36: | ||
Enable homedir creation | Enable homedir creation | ||
pam-auth-update | pam-auth-update | ||
| − | + | ||
Restrict root login from ssh in /etc/ssh/sshd.conf | Restrict root login from ssh in /etc/ssh/sshd.conf | ||
PermitRootLogin no | PermitRootLogin no | ||
Latest revision as of 16:52, 6 March 2025
Use NTP for time synchronization
apt install chrony # Use AD DCs as NTP source in /etc/chrony/chrony.conf server dc01.domain.local iburst server dc02.domain.local iburst
systemctl enable chrony ; systemctl restart chrony timedatectl set-timezone Pacific/Auckland timedatectl ; chronyc makestep systemctl disable systemd-timesyncd ; systemctl stop system-timesyncd
Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins
%Domain\ Admins ALL=(ALL) ALL
Enable AD authentication and DNS registration
yum -y install sssd adcli realmd samba-common-tools oddjob oddjob-mkhomedir apt install sssd-ad sssd-tools realmd adcli realm -v discover domain.local realm join domain.local --user administrator
Add those to /etc/sssd/sssd.conf
access_provider = simple simple_allow_groups = Domain Admins@domain.local use_fully_qualified_names = false dyndns_update = true dyndns_refresh_interval = 43200 dyndns_update_ptr = true dyndns_ttl = 3600
Now restart it
systemctl restart sssd.service
Enable homedir creation
pam-auth-update
Restrict root login from ssh in /etc/ssh/sshd.conf
PermitRootLogin no