Integrating CentOS 7 with Active Directory

     

This guide builds largely on the Ubuntu Active Directory tutorial, so if something’s not clear, please make sure to check that one, too.

Here’s the script which you can run on your CentOS hosts. Make sure to replace all occurrences of ad.foobar.com and AD.FOOBAR.COM with your actual domain. Also, this script uses AD\Administrator; if that doesn’t suit your environment, please change that, too.

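#!/bin/bash
#
# Join a CentOS 7 host to an Active Directory domain: installs the client
# packages, writes krb5.conf / chrony.conf / smb.conf / sssd.conf, enables
# SSSD in PAM/NSS, obtains an admin ticket and performs the domain join.
#
# Usage: run as root with no arguments, e.g.  sudo ./ad-join.sh
#
# Environment (all optional; the defaults are the example domain and must be
# changed for a real deployment, either here or by exporting them):
#   AD_REALM      Kerberos realm / SSSD domain name, upper case  (AD.FOOBAR.COM)
#   AD_DOMAIN     DNS domain, lower case                          (ad.foobar.com)
#   AD_WORKGROUP  NetBIOS workgroup for smb.conf                  (AD)
#   AD_KDC1/2     domain controllers used as KDCs and NTP servers (DC1/DC2.<realm>)
#   AD_ADMIN      account used to obtain the join ticket          (Administrator)
#
# The password of AD_ADMIN is prompted for interactively by kinit, so it never
# appears on a command line, in this file or in the shell history.

set -euo pipefail

# Every step installs packages or writes under /etc, so require root once here
# rather than wrapping individual commands in sudo.
if (( EUID != 0 )); then
  printf 'This script must be run as root\n' >&2
  exit 1
fi

AD_REALM=${AD_REALM:-AD.FOOBAR.COM}
AD_DOMAIN=${AD_DOMAIN:-ad.foobar.com}
AD_WORKGROUP=${AD_WORKGROUP:-AD}
AD_KDC1=${AD_KDC1:-DC1.${AD_REALM}}
AD_KDC2=${AD_KDC2:-DC2.${AD_REALM}}
AD_ADMIN=${AD_ADMIN:-Administrator}
readonly AD_REALM AD_DOMAIN AD_WORKGROUP AD_KDC1 AD_KDC2 AD_ADMIN

# Parent of the per-user homes; must match override_homedir = /home/%d/%u in
# sssd.conf, where %d expands to the SSSD domain name (the realm).
HOME_ROOT="/home/${AD_REALM}"
readonly HOME_ROOT

echo 'Installing required packages'
yum -y install samba-client samba-common-tools sssd-ad krb5-workstation oddjob-mkhomedir

echo 'Preparing home dir'
# mkdir -p keeps the script re-runnable; the directory stays root-owned and
# 0755 so users can only write inside their own home created beneath it.
mkdir -p "${HOME_ROOT}"
chown root:root "${HOME_ROOT}"
chmod 0755 "${HOME_ROOT}"
restorecon -rv "${HOME_ROOT}"

echo 'Configuring NSS'
# Append the sudoers source only once so a re-run does not duplicate it. If a
# sudoers: line already exists it is left untouched; add 'sss' to it by hand.
if ! grep -q '^sudoers:' /etc/nsswitch.conf; then
  echo 'sudoers: files sss' >> /etc/nsswitch.conf
fi

echo 'Configuring Kerberos'
# Keep the package default, as is done for smb.conf below.
if [[ -f /etc/krb5.conf && ! -e /etc/krb5.conf.orig ]]; then
  cp -p /etc/krb5.conf /etc/krb5.conf.orig
fi
# The krb4 / Heimdal entries are carried over from the Ubuntu template; they
# presumably have no effect with MIT Kerberos on CentOS 7.
cat << EOF > /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = ${AD_REALM}

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    ${AD_REALM} = {
        kdc = ${AD_KDC1}
        kdc = ${AD_KDC2}
        admin_server = ${AD_KDC1}
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false
EOF

echo 'Configuring Chrony'
# Kerberos fails when the host clock drifts from the domain controllers', so
# sync against them instead of the distro pool. The original server lines are
# commented out in place and the untouched file is kept as chrony.conf.orig.
sed -i.orig 's/^server/#server/g' /etc/chrony.conf
# Guard the append so a re-run does not add the servers twice.
if ! grep -qF "server ${AD_KDC1}" /etc/chrony.conf; then
  cat << EOF >> /etc/chrony.conf
server ${AD_KDC1}
server ${AD_KDC2}
EOF
fi

echo 'Configuring Samba'
if [[ -f /etc/samba/smb.conf && ! -e /etc/samba/smb.conf.orig ]]; then
  cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
fi
# Only $, backtick and a backslash in front of those are special in this
# heredoc, so the '\s' and '\n' sequences of 'passwd chat' reach smb.conf
# unchanged. The remaining [global] settings are the Ubuntu template's.
cat << EOF > /etc/samba/smb.conf
[global]
   workgroup = ${AD_WORKGROUP}
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = ${AD_REALM}
   security = ads

   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
EOF

echo 'Configuring SSSD'
# Create the file root-owned and mode 0600 *before* writing it; tightening the
# permissions only afterwards leaves a window where the file is readable with
# the default umask.
install -m 0600 -o root -g root /dev/null /etc/sssd/sssd.conf
# cache_credentials lets domain users log in while no DC is reachable; SSSD
# then stores credential material locally, which is why the file and its
# cache must stay root-only.
cat << EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = ${AD_REALM}

[domain/${AD_REALM}]
id_provider = ad
access_provider = ad
cache_credentials = True
override_homedir = /home/%d/%u
default_shell = /bin/bash
EOF

echo 'Configuring PAM'
authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall

echo 'Restarting Chronyd'
# Restart before kinit so the new time sources are in use for the join.
systemctl restart chronyd.service

echo 'Obtaining Kerberos ticket'
# Interactive password prompt; the realm comes from default_realm above.
kinit "${AD_ADMIN}"
echo 'Getting info about the obtained ticket'
klist
echo 'Joining to the domain'
# -k authenticates the join with the ticket just obtained instead of a
# password passed on the command line.
net ads join -k
# The admin ticket is only needed for the join; do not leave it in root's
# credential cache afterwards.
kdestroy

echo 'Restarting SSSD'
systemctl restart sssd.service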

That’s pretty much it. You can then specify sudo rights in AD. For details, please refer to the sudo section of the Ubuntu guide.