Difference between revisions of "AD integration - ssh/sudoers using AD accounts"

From Tech-Wiki
Jump to: navigation, search
(Created page with "# install vmware tools yum -y install open-vm-tools apt-get install open-vm-tools service vmtoolsd start systemctl enable vmtoolsd # Add missing basic networking tools...")
 
Line 1: Line 1:
# install vmware tools
+
[[Category:Linux]]
yum -y install open-vm-tools
+
apt-get install open-vm-tools
+
service vmtoolsd start 
+
systemctl enable vmtoolsd
+
  
 
+
NTP  
# Add missing basic networking tools
+
apt install chrony  
apt-get install net-tools
+
# Use AD DCs as NTP source in /etc/chrony/chrony.conf  
 
+
server dc01.domain.local iburst  
 
+
server dc02.domain.local iburst  
# NTP  
+
apt install chrony  
+
# Use AD DCs as NTP source in /etc/chrony/chrony.conf  
+
server dring.internal.oriongroup.co.nz iburst  
+
server dyson.internal.oriongroup.co.nz iburst  
+
  
 
systemctl enable chrony ; systemctl restart chrony  
 
systemctl enable chrony ; systemctl restart chrony  
Line 22: Line 13:
  
  
# allow sudo from required AD group  
+
Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins
vi /etc/sudoers.d/ad-admins  
+
%Domain\ Admins ALL=(ALL) ALL  
%Domain\ Admins ALL=(ALL) ALL  
+
  
  
# enable AD auth and DNS registration  
+
Enable AD auth and DNS registration  
yum -y  install sssd  adcli realmd samba-common-tools oddjob oddjob-mkhomedir  
+
yum -y  install sssd  adcli realmd samba-common-tools oddjob oddjob-mkhomedir  
apt install sssd-ad  sssd-tools realmd adcli  
+
apt install sssd-ad  sssd-tools realmd adcli  
realm -v discover internal.oriongroup.co.nz
+
realm -v discover domain.local
realm join internal.oriongroup.co.nz --user limafadmin  
+
realm join domain.local --user administrator  
 
   
 
   
# Add those to /etc/sssd/sssd.conf  
+
Add those to /etc/sssd/sssd.conf  
access_provider = simple  
+
access_provider = simple  
simple_allow_groups = Domain Admins@internal.oriongroup.co.nz
+
simple_allow_groups = Domain Admins@domain.local
use_fully_qualified_names = false  
+
use_fully_qualified_names = false  
dyndns_update = true  
+
dyndns_update = true  
dyndns_refresh_interval = 43200  
+
dyndns_refresh_interval = 43200  
dyndns_update_ptr = true  
+
dyndns_update_ptr = true  
dyndns_ttl = 3600  
+
dyndns_ttl = 3600  
 
   
 
   
systemctl restart sssd.service  
+
systemctl restart sssd.service  
pam-auth-update (and enable homedir creation)
+
 
 +
Enable homedir creation
 +
pam-auth-update
 
   
 
   
# restrict root login from ssh  
+
Restrict root login from ssh in /etc/ssh/sshd.conf  
On /etc/ssh/sshd.conf  
+
PermitRootLogin no
PermitRootLogin no
+

Revision as of 16:49, 6 March 2025


NTP 

apt install chrony 
# Use AD DCs as NTP source in /etc/chrony/chrony.conf 
server dc01.domain.local iburst 
server dc02.domain.local iburst

systemctl enable chrony ; systemctl restart chrony timedatectl set-timezone Pacific/Auckland timedatectl ; chronyc makestep systemctl disable systemd-timesyncd ; systemctl stop system-timesyncd


Allow sudo from required AD group, add to /etc/sudoers.d/ad-admins 

%Domain\ Admins ALL=(ALL) ALL


Enable AD auth and DNS registration 

yum -y  install sssd  adcli realmd samba-common-tools oddjob oddjob-mkhomedir 
apt install sssd-ad  sssd-tools realmd adcli 
realm -v discover domain.local
realm join domain.local --user administrator

Add those to /etc/sssd/sssd.conf 

access_provider = simple 
simple_allow_groups = Domain Admins@domain.local 
use_fully_qualified_names = false 
dyndns_update = true 
dyndns_refresh_interval = 43200 
dyndns_update_ptr = true 
dyndns_ttl = 3600 

systemctl restart sssd.service

Enable homedir creation 

pam-auth-update

Restrict root login from ssh in /etc/ssh/sshd.conf 

PermitRootLogin no
Retrieved from ‘http://tech-wiki.net/index.php?title=AD_integration_-_ssh/sudoers_using_AD_accounts&oldid=3071