Active Directory for EL7 Authentication

Many organizations use MS Active Directory to authenticate and obtain credentials for system access. Enterprise Linux 7 (RHEL7 and CentOS7) provides a wide range of tools for this, and they are well documented in the Red Hat documentation. If you want to get started by simply adding Linux account authentication using AD accounts, here are the basic steps you'll need to implement 'sssd' (System Security Services Daemon) and manage the integration with Active Directory using 'realm'. Let's start by making sure all of the required packages are installed:
# yum install oddjob oddjob-mkhomedir adcli samba-common-tools realmd sssd sssd-tools
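Make sure your system is running with an accurate system clock (using ntp is the best option), because Kerberos authentication fails when the clock drifts too far from the domain controllers' time. Next, we enable the needed services using systemd: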
# systemctl enable realmd
# systemctl enable sssd
# systemctl start realmd
# systemctl start sssd
Now we can register the system to the Active Directory Domain. You will need to use an AD account and password with Administrator access. Let's assume the account is "harvey" and the domain is "mycompany.net". Respond with the correct password when prompted.
# realm join -U harvey mycompany.net
At this point, every user in your AD domain can log in and access a home directory on the EL7 system. You'll probably want to restrict this to only those accounts that really need access. Let's say the users 'harvey', 'betsy', 'morton' and 'sue' are the only ones who need access. We first deny access to everyone, then add access for the users we want:
# realm deny --all
# realm permit harvey@mycompany.net betsy@mycompany.net morton@mycompany.net sue@mycompany.net
# realm list
mycompany.net
  type: kerberos
  realm-name: MYCOMPANY.NET
  domain-name: mycompany.net
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@mycompany.net
  login-policy: allow-permitted-logins
  permitted-logins: harvey@mycompany.net betsy@mycompany.net morton@mycompany.net sue@mycompany.net
  permitted-groups:
These users can now log in using account names in the form 'username@mycompany.net' and their AD password. They will be assigned a consistent UID based on their Active Directory identity and their home directory will be /home/username@mycompany.net/. If the home directory does not exist, it will be automatically created during login. If a user needs 'sudo' access, simply edit the sudoers configuration with 'visudo' and enter the access in the form:
username@mycompany.net  ALL=(root) /bin/mount, /bin/umount
Many additional features are available to change the default form of the home directory, specify mapping to alternate UIDs and fully integrate users into a Samba server. For complete documentation on Windows Integration with EL7, refer to the complete Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/
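
One way to confirm that the deny/permit step above left exactly the intended accounts with access, as an added example that is not part of the original article: the function reads 'realm list' output and reports any drift from the allow-list. The function names, the report labels and the sample output (including the account 'mallory') are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `realm list` output with the intended allow-list.
# On a joined host: realm list | audit_realm_access harvey@mycompany.net ...
# Assumes a single joined realm; accepts comma- or space-separated logins.

audit_realm_access() {
    # stdin: `realm list` output; arguments: accounts that should be permitted
    awk -v expected="$*" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        /^[ \t]*login-policy:/ { policy = $2 }
        /^[ \t]*permitted-logins:/ {
            sub(/^[^:]*:/, ""); gsub(/,/, " ")
            m = split($0, l, " "); for (i = 1; i <= m; i++) have[l[i]] = 1
        }
        /^[ \t]*permitted-groups:/ {
            sub(/^[^:]*:/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); groups = $0
        }
        END {
            # With any other policy the permit list is not what decides access
            if (policy != "allow-permitted-logins") { print "POLICY " policy; bad = 1 }
            for (u in have) if (!(u in want)) { print "UNEXPECTED " u; bad = 1 }
            for (u in want) if (!(u in have)) { print "MISSING " u; bad = 1 }
            # The procedure above permits users only, so any group is extra access
            if (groups != "") { print "GROUPS " groups; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample (not captured from a real host): mallory was permitted
# by mistake and sue was never added.
sample_realm_list() {
    cat <<'EOF'
mycompany.net
  type: kerberos
  realm-name: MYCOMPANY.NET
  domain-name: mycompany.net
  configured: kerberos-member
  login-formats: %U@mycompany.net
  login-policy: allow-permitted-logins
  permitted-logins: harvey@mycompany.net, betsy@mycompany.net, morton@mycompany.net, mallory@mycompany.net
  permitted-groups:
EOF
}

sample_realm_list | audit_realm_access harvey@mycompany.net betsy@mycompany.net \
    morton@mycompany.net sue@mycompany.net || echo "access drift detected"
```

The function exits non-zero when anything is reported, so it can run from cron or a configuration-management check after each change to the permit list.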