Domain join your Linux system to Active Directory and take advantage of automatic account availability.

Install pre-requisite RPMs:

yum install realmd oddjob-mkhomedir sssd samba-common-tools

Join the computer to Active Directory:

realm join -v --computer-name=dhcp240 --computer-ou='OU=Computers,OU=Systems Engineering,OU=IST,DC=ad,DC=bu,DC=edu' --user=[you]-adm --os-name=CentOS --os-version=7 --automatic-id-mapping=no ad.bu.edu
  • --computer-name= – Optionally specify the computer-name.  Unix hosts can be any length but Windows systems have a 15 character LANMan limit.  Check in with your administrator team for appropriate computer names.
  • --computer-ou= – Place in a specific OU, otherwise would be in default group.  See https://www.bu.edu/tech/services/infrastructure/iam/directory/ad/intro/faqs/computer-administration/ for details.
  • --user= – Only departmental admin accounts can domain join a computer.
  • --automatic-id-mapping=no – Retrieve user IDs from AD/LDAP and do not automatically generate a mapping.  This is necessary for compatibility with existing Global UID numbers for file ownership on network shares.

Update /etc/sssd/sssd.conf with specifics for Boston University:

  • # Use UID and GID from Active Directory with BU specific ID fields
  • ldap_id_mapping = False
  • ldap_user_gecos = displayName
  • ldap_user_uid_number = bu-ph-index-id-numeric
  • ldap_user_gid_number = bu-ph-index-id-numeric
  • # Specify local home directory
  • fallback_homedir = /home/%u
  • # Make account name be just username, not “username@domain”
  • full_name_format = %1$s
  • # Helpful for figuring out what LDAP queries are being done
  • #debug_level = 7

Optionally update /etc/sssd/sssd.conf to restrict login access to specific accounts:

  • access_provider = simple
  • simple_allow_groups = BU_OIT_Everyone
  • -or-
  • access_provider = ad
  • # Pick one of:
  • ad_access_filter = (bu-ph-deptid=51*)
  • ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))
  • ad_access_filter = (|(manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)(manager=CN=jones,OU=People,DC=ad,DC=bu,DC=edu))

Restart sssd and clear any cached information

systemctl restart sssd ; sss_cache -E

Confirm accounts are visible

  • getent passwd moe
  • getent passwd larry


Restricting account login access:

Since all accounts are defined in Active Directory, by default all accounts will be able to log in to your system.  You can restrict this via two different ways using either the “simple” or “ad” access_provider.  These ways have various pros and cons which you should consider before choosing what is best for you.

simple access_provider:

Restricts/allows login access based on members of a specified group.

Example:


 	access_provider = simple
 	simple_allow_groups = groupname

Pros: Simple way to restrict access based on group membership.
Cons: Does not check if account is active and will still allow login even though the account may be in the “expired” state.

You can determine membership of the simple_allow_groups by doing:


 	klist -k
 	kinit -k 'DHCP240$'    (replace with your machine account)
 	ldapsearch -H ldap://ist-adc1.ad.bu.edu -b "dc=ad,dc=bu,dc=edu" "(&(objectCategory=group)(CN=[groupname]))"|grep member:

kinit -k to get an authentication token as the domain joined machine (stored in /etc/krb5.keytab and viewable by running /usr/bin/klist -k).  The ldapsearch then shows any members of the specified group.  Groups themselves can be determined by doing

  • ldapsearch -H ldap://ist-adc1.ad.bu.edu -b “dc=ad,dc=bu,dc=edu” “(&(objectCategory=group)(CN=*))”

ad access_provider:

Restricts/allows login access based on an LDAP filter that selects members based on directory queries / matches.

Examples:


 	access_provider = ad
 	ad_access_filter = (bu-ph-deptid=51*)
 	ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))
 	ad_access_filter = (manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)

Pros: Powerful way of specifying who can access, honors Active Directory account ‘expiration’ state.
Cons: Complex syntax can be hard to understand and tricky to implement.

The ad_access_filter can contain anything normally found in the user account entry which can be queried with:


klist -k
kinit -k 'DHCP240$'     (replace with your machine account)
ldapsearch -oldif-wrap=no -H ldap://ist-adc1.ad.bu.edu -b "dc=ad,dc=bu,dc=edu" "(samaccountname=[some-account])"

Note: The man page for sssd_ad shows examples of using memberOf in the filter.  At Boston University since we are covered by FERPA, memberOf data is not available.  But any other data as seen by the samaccountname= query above will be valid for use in the ad_access_filter

For examples of search filter syntax, see https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx