This guide builds largely on the Ubuntu Active Directory tutorial, so if something’s not clear, please make sure to check that one, too.
Here’s the script which you can run on your CentOS hosts. Make sure to replace all occurrences of ad.foobar.com and AD.FOOBAR.COM with your actual domain. Also, this script uses AD\Administrator to join the domain; if that doesn’t suit your environment, please change that, too.
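#!/bin/bash
# Join a CentOS host to an Active Directory domain (Kerberos + Samba client + SSSD).
#
# Must run as root: it installs packages, rewrites files under /etc and joins
# the host to the domain. Edit the settings block below for your environment;
# the defaults are the AD.FOOBAR.COM placeholders used throughout the guide.
# The script is safe to re-run: config files are backed up once, and the
# nsswitch/chrony edits do not stack duplicates.
set -euo pipefail

# --- Site-specific settings (edit these) ------------------------------------
AD_REALM='AD.FOOBAR.COM'        # Kerberos realm, upper case
AD_DOMAIN='ad.foobar.com'       # DNS domain, lower case
AD_WORKGROUP='AD'               # NetBIOS (short) domain name
AD_DC1="dc1.${AD_DOMAIN}"       # domain controllers: KDC, admin server and NTP source
AD_DC2="dc2.${AD_DOMAIN}"
JOIN_USER='Administrator'       # account that performs the join; see note at kinit below
HOME_ROOT="/home/${AD_REALM}"   # parent of the per-user home dirs (matches override_homedir)
readonly AD_REALM AD_DOMAIN AD_WORKGROUP AD_DC1 AD_DC2 JOIN_USER HOME_ROOT

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Keep one pristine copy of a config file as FILE.orig. Later runs must not
# overwrite that copy with an already-modified version.
# Arguments: $1 - path of the file to back up
#######################################
backup_once() {
  local file=$1
  if [[ -e "$file" && ! -e "${file}.orig" ]]; then
    cp -p -- "$file" "${file}.orig"
  fi
}

# Every step below touches system files; fail early instead of half-configuring.
[[ "$(id -u)" -eq 0 ]] || die 'This script must be run as root.'

echo 'Installing required packages'
yum -y install samba-client samba-common-tools sssd-ad krb5-workstation oddjob-mkhomedir

echo 'Preparing home dir'
mkdir -p -- "$HOME_ROOT"        # -p: no failure under set -e when re-run
chown root:root -- "$HOME_ROOT"
chmod 0755 -- "$HOME_ROOT"
restorecon -Rv "$HOME_ROOT"     # apply the SELinux labels policy expects under /home

echo 'Configuring NSS'
# authconfig (below) wires passwd/group/shadow to sss, but not the sudoers map.
# Append only when no sudoers line exists so repeated runs do not add duplicates.
if grep -q '^sudoers:' /etc/nsswitch.conf; then
  printf '%s\n' 'nsswitch.conf already has a sudoers line; make sure it includes "sss"' >&2
else
  echo 'sudoers: files sss' >> /etc/nsswitch.conf
fi

echo 'Configuring Kerberos'
backup_once /etc/krb5.conf
# The krb4 / Heimdal v4 entries of the Ubuntu template are left out: they are
# not used by MIT Kerberos on CentOS. Realm and KDC names come from the settings.
cat <<EOF > /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ${AD_REALM}
 kdc_timesync = 1
 ccache_type = 4
# Forwardable/proxiable tickets can be delegated to other services; keep them
# only if you rely on GSSAPI credential delegation (e.g. ssh with ticket forwarding).
 forwardable = true
 proxiable = true
 fcc-mit-ticketflags = true

[realms]
 ${AD_REALM} = {
  kdc = ${AD_DC1}
  kdc = ${AD_DC2}
  admin_server = ${AD_DC1}
 }
EOF

echo 'Configuring Chrony'
backup_once /etc/chrony.conf
# Kerberos tolerates only a few minutes of clock skew, so sync against the DCs.
# First drop the block a previous run added, then comment out the distro time
# sources, then append our block again - this keeps the file idempotent.
sed -i -E \
  -e '/^# ad-join:/,/^# :ad-join/d' \
  -e 's/^(server|pool) /#&/' \
  /etc/chrony.conf
cat <<EOF >> /etc/chrony.conf
# ad-join: domain controllers as time source (managed by the AD join script)
server ${AD_DC1}
server ${AD_DC2}
# :ad-join
EOF

echo 'Configuring Samba'
backup_once /etc/samba/smb.conf
# Only the Samba *client* is installed, so this file mainly drives 'net ads join';
# the share/guest settings inherited from the Ubuntu template only matter if the
# samba server package is added later. The Debian-only 'panic action' helper and
# the explicit 'server role = standalone server' are dropped: the latter conflicts
# with 'security = ads', which already makes this host a domain member.
cat <<EOF > /etc/samba/smb.conf
[global]
   workgroup = ${AD_WORKGROUP}
   realm = ${AD_REALM}
   security = ads
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   # Guest mapping comes from the Ubuntu template; revisit before exposing shares.
   map to guest = bad user
   usershare allow guests = yes
EOF

echo 'Configuring SSSD'
backup_once /etc/sssd/sssd.conf
# sssd refuses to start unless sssd.conf is 0600 root:root. Creating the file
# with those permissions first avoids the window in which it would otherwise be
# world-readable between 'cat >' and a later 'chmod'.
install -m 0600 -o root -g root /dev/null /etc/sssd/sssd.conf
# %d expands to the sssd domain name (${AD_REALM}), so homes land under HOME_ROOT.
# cache_credentials lets users log in while the DCs are unreachable, at the cost
# of keeping password hashes in the sssd cache on this host.
cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = ${AD_REALM}

[domain/${AD_REALM}]
id_provider = ad
access_provider = ad
cache_credentials = True
override_homedir = /home/%d/%u
default_shell = /bin/bash
EOF

echo 'Configuring PAM'
authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall
# pam_oddjob_mkhomedir needs oddjobd running; enabling an already-enabled unit is a no-op.
systemctl enable oddjobd.service
systemctl start oddjobd.service

echo 'Restarting Chronyd'
systemctl restart chronyd.service

echo 'Obtaining Kerberos ticket'
# Interactive: prompts for the password of JOIN_USER. A dedicated join account
# that only holds the right to join computers to the domain is preferable to
# Administrator; the principal is given with its realm so it does not depend on
# default_realm being picked up.
kinit "${JOIN_USER}@${AD_REALM}"
echo 'Getting info about the obtained ticket'
klist
echo 'Joining to the domain'
net ads join -k
# The join is done; do not leave the privileged TGT in root's credential cache.
kdestroy

echo 'Restarting SSSD'
systemctl enable sssd.service
systemctl restart sssd.service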
That’s pretty much it. You can then specify sudo rights in AD. For details, please refer to the sudo section of the Ubuntu guide.