Skip to Content

Integrate Windows AD on RHEL 8 using SSSD

How can I integrate Windows AD on RHEL 8 using SSSD

 

Ensure that the following ports on the RHEL host are open and accessible to the AD domain controllers. 

DNS =53, LDAP =389, Kerberos 88 & 464, LDAP Global Catalog 3268,LDAPS 636 and NTP 123 (UDP)

Verify that the system time on both systems is synchronized. This ensures that Kerberos is able to work correctly.

Refer article to  correct server time in Centos, RHEL, Ubuntu, SUSE

.  Login to Ezeelogin Web-GUI > open settings > Ldap
 

   Add the details of LDAP configurations. 

 

2. Go to   S ettings > general > Authentication > change Web panel Authentication to LDAP
 
 
3. Select the LDAP users and click on the button to  import users into Ezeelogin  
 
 

     You can confirm the imported LDAP users were listed in the Users tab in Ezeelogin GUI.  You will be able to log in to Ezeelogin GUI with windows user credentials.

 
4. Enable Security code LDAP option from Settings > General > Authentication, if the user does not want to login to Ezeelogin GUI to set up a security code.
 

Backend configuration to integrate windows with RHEL 8

 
 
1. Install the following packages:
 

yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation nscd

Ensure that you are using the AD domain controller server for DNS.

 
2. Add the  following to /etc/hosts file
 

[email protected] ~]# vi /etc/hosts

WindowsAD_server_ip  windowsAD_domainname.com windowsAD_domainname

3. Add in windows server IP /etc/resolv.conf  to resolve and disc over  AD  do main.

[email protected] ~]# vi /etc/resolv.conf

nameserver  windows_ip

4. To display information for a specific domain, run realm discover and add the name of the domain you want to discover.

[email protected] ~]# realm discover ezad.com
ezad.com
type: kerberos
realm-name: EZAD.COM
domain-name: ezad.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools

5.  Configure RHEL   with the Active Directory domain by the following command. Replace Administrator with Windows admin  account.
 

[email protected] ~]# realm join ezad.com -U  Administrator

Password for  Administrator :

6. You can verify by displaying AD user details, such as the administrator user:
 

[email protected] ~]#  getent passwd [email protected]
[email protected]:*:644600500:644600513:Administrator:/home/[email protected]:/bin/bash

7. After successful join, edit /etc/sssd/sssd.conf and change use_fully_qualified_names to False and append the following  override_shell = /usr/local/bin/ezsh

[email protected] ~]# vim /etc/sssd/sssd.conf

[sssd]
domains = ezad.com
config_file_version = 2
services = nss, pam

[domain/ezad.com]
ad_domain = ezad.com
krb5_realm = EZAD.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%[email protected]%d
access_provider = ad
override_shell = /usr/local/bin/ezsh

8 . Restart sssd and nscd using the below commands.
[email protected] ~]#  service sssd restart && service nscd restart

9. Run id username /getent passwd username and s ee  AD  user de tails.

[email protected] ~]# id john
uid=17016011 0 8 (john) gid=1701600513(domain users) groups=1701600513(domain users)
[email protected] ~]# getent passwd john
john:*:170160110 8 :1701600513:john user:/home/[email protected] ad .com:/ usr/local/bin/ezsh
 
Now you will be able to log in with Windows AD credentials
 

[email protected]:~$ ssh [email protected] 

Last login: Mon Jan 24 04:55:03 2022 from 123.43.233.223

[email protected] ~]#