The Fedora 20 Active Directory Integration Guide : Joining A Domain

Joining the Domain

Joining an Active Directory domain couldn’t be simpler in Fedora 20.  First, install the dependencies.

#yum install oddjob oddjob-mkhomedir sssd adcli samba-common

Once that is done, you can join the domain with the following command.

#realm join -U username.da corp.mydomain.com

Now reboot your machine or manually start all the services you just installed and you will be able to login to your Fedora machine using an Active Directory account.  If you were to look one of your domain controllers in the Active Directory Users and Computers applet you would see a new machine account for your Fedora machine.  This means that you don’t have to manually create service accounts and passwords for your Fedora machine to make LDAP queries and perform kerberos authentication.

You can see information about the domain now using

#realm list

Configuration

Now that you are joined to the domain, there are some security considerations and other configuration details you should probably take care of.  First, decide what login format you want to use.  Would you prefer to type in your full username in the format username@corp.mydomain.com?  If so, there is nothing to be done.  If you would rather just login with username, then edit the sssd configuration file and do not require fully qualified names.  In our examples, we will not be allowing any local accounts on the Linux machine, so there is no worry about duplicate usernames.

#vi /etc/sssd/sssd.conf

Update the variable to

use_fully_qualified_names = True

Domain administrators do not automatically have any special privileges on the Fedora machine, so it is a good idea to allow them to sudo so they can perform system administration tasks.  In the sudoers file the % sign indicates group and the \ character allows you to use spaces in the group names.

#visudo

Add the following line

%Domain\ Admins@corp.mydomain.com ALL=(ALL)       ALL

Security

If regular users are not required to login to this server at all through ssh or any installed application, we can restrict logins to domain administrators at the sssd level.

#realm permit -g Domain\ Admins@corp.mydomain.com

If regular users will need to authenticate to an installed application (like apache) using their active directory accounts, but will not need ssh access, skip the above line and instead we can use PAM to restrict just SSH

#vi /etc/pam.d/sshd

Add the following line to the auth section.  The square brackets allow us to use the space in the group name.

auth       required     pam_succeed_if.so user ingroup [Domain Admins]

Since the sshd can also allow GSSAPI authentication by default, which is not part of the PAM stack, we will want to turn it off or anyone who is logged into a windows machine using their domain account and putty could login to the server without a password.

#vi /etc/ssh/sshd_config

Update the following line.

GSSAPIAuthentication no

Timekeeping

Since Active Directory logins rely on good timekeeping and Active Directory servers are already ntp servers, we might as well make sure our clock stays in synch.

#yum install chrony
#vi /etc/chrony.conf

Assuming, you have created a dns cname called ntp that points to dc1 or dc2 update the following lines

# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst
server ntp