The Fedora 20 Active Directory Integration Guide : Joining A Domain
Joining the Domain
Joining an Active Directory domain couldn’t be simpler in Fedora 20. First, install the dependencies.
#yum install oddjob oddjob-mkhomedir sssd adcli samba-common
Once that is done, you can join the domain with the following command.
#realm join -U username.da corp.mydomain.com
Now reboot your machine or manually start all the services you just installed and you will be able to login to your Fedora machine using an Active Directory account. If you were to look one of your domain controllers in the Active Directory Users and Computers applet you would see a new machine account for your Fedora machine. This means that you don’t have to manually create service accounts and passwords for your Fedora machine to make LDAP queries and perform kerberos authentication.
You can see information about the domain now using
Now that you are joined to the domain, there are some security considerations and other configuration details you should probably take care of. First, decide what login format you want to use. Would you prefer to type in your full username in the format email@example.com? If so, there is nothing to be done. If you would rather just login with username, then edit the sssd configuration file and do not require fully qualified names. In our examples, we will not be allowing any local accounts on the Linux machine, so there is no worry about duplicate usernames.
Update the variable to
use_fully_qualified_names = True
Domain administrators do not automatically have any special privileges on the Fedora machine, so it is a good idea to allow them to sudo so they can perform system administration tasks. In the sudoers file the % sign indicates group and the \ character allows you to use spaces in the group names.
Add the following line
%Domain\ Admins@corp.mydomain.com ALL=(ALL) ALL
If regular users are not required to login to this server at all through ssh or any installed application, we can restrict logins to domain administrators at the sssd level.
#realm permit -g Domain\ Admins@corp.mydomain.com
If regular users will need to authenticate to an installed application (like apache) using their active directory accounts, but will not need ssh access, skip the above line and instead we can use PAM to restrict just SSH
Add the following line to the auth section. The square brackets allow us to use the space in the group name.
auth required pam_succeed_if.so user ingroup [Domain Admins]
Since the sshd can also allow GSSAPI authentication by default, which is not part of the PAM stack, we will want to turn it off or anyone who is logged into a windows machine using their domain account and putty could login to the server without a password.
Update the following line.
Since Active Directory logins rely on good timekeeping and Active Directory servers are already ntp servers, we might as well make sure our clock stays in synch.
#yum install chrony
Assuming, you have created a dns cname called ntp that points to dc1 or dc2 update the following lines
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst