<h1>Joining Linux Device to AD</h1>
<p>Boston University IS&amp;T, <a href="https://www.bu.edu/tech/services/security/iam/directory/ad/linux/">https://www.bu.edu/tech/services/security/iam/directory/ad/linux/</a>. Published 2018-03-05, last modified 2019-01-23.</p>
<p>Domain join your Linux system to Active Directory and take advantage of automatic account availability: once joined, AD accounts resolve on the host through sssd without creating local users.</p>
<p><strong>Install pre-requisite RPMs:</strong></p>
<pre class="code-block"><code>yum install realmd oddjob-mkhomedir sssd samba-common-tools</code></pre>
<p><strong>Join the computer to Active Directory:</strong></p>
<pre class="code-block"><code>realm join -v --computer-name=dhcp240 --computer-ou='OU=Computers,OU=Systems Engineering,OU=IST,DC=ad,DC=bu,DC=edu' --user=[you]-adm --os-name=CentOS --os-version=7 --automatic-id-mapping=no ad.bu.edu</code></pre>
<ul>
<li><code><span class="command">--computer-name=</span></code> &#8211; Optionally specify the computer name. Unix host names can be any length, but the AD computer account name (NetBIOS name / sAMAccountName) is limited to 15 characters, so pick a name of 15 characters or fewer that is unique in the domain rather than relying on truncation of a long hostname. Check with your administrator team for appropriate computer names.</li>
<li><code><span class="command">--computer-ou=</span></code> &#8211; Place the computer object in a specific OU; otherwise it lands in the domain's default Computers container. See <a href="https://www.bu.edu/tech/services/infrastructure/iam/directory/ad/intro/faqs/computer-administration/">https://www.bu.edu/tech/services/infrastructure/iam/directory/ad/intro/faqs/computer-administration/</a> for details.</li>
<li><code><span class="command">--user=</span></code> &#8211; Only departmental admin accounts can domain join a computer. You are prompted for that account's password; it is used once to create the computer object and is not stored on the host, which keeps only its own machine key in <code>/etc/krb5.keytab</code>.</li>
<li><code><span class="command">--automatic-id-mapping=no</span></code> &#8211; Retrieve user and group IDs from AD/LDAP instead of letting sssd generate UIDs from the account SID. This is necessary for compatibility with existing Global UID numbers for file ownership on network shares: a locally generated UID would not match the UID used elsewhere, so files on shared storage would appear to belong to someone else.</li>
</ul>
<p><strong>Update /etc/sssd/sssd.conf with specifics for Boston University:</strong></p>
<p>These keys go in the <code>[domain/ad.bu.edu]</code> section that <code>realm join</code> created. Several of them override values realm already wrote there (for example <code>fallback_homedir</code> and <code>ldap_id_mapping</code>), so edit the existing line rather than adding a second copy of the key. The file must stay owned by root with mode 0600 or sssd will refuse to start.</p>
<pre class="code-block"><code># Use UID and GID from Active Directory with BU specific ID fields
ldap_id_mapping = False
ldap_user_gecos = displayName
ldap_user_uid_number = bu-ph-index-id-numeric
ldap_user_gid_number = bu-ph-index-id-numeric
# Specify local home directory
fallback_homedir = /home/%u
# Make account name be just username, not "username@domain"
full_name_format = %1$s
# Helpful for figuring out what LDAP queries are being done
#debug_level = 7</code></pre>
<p><code>realm join</code> writes <code>use_fully_qualified_names = True</code>; the <code>full_name_format = %1$s</code> line keeps that setting but formats the name as the bare username, so <code>getent</code>, <code>ls -l</code> and <code>who</code> show <code>moe</code> rather than <code>moe@ad.bu.edu</code>. With <code>ldap_user_gid_number</code> set to the same attribute as the UID, each user's primary group ID equals their UID.</p>
<p><strong>Optionally update /etc/sssd/sssd.conf to restrict login access to specific accounts:</strong></p>
<pre class="code-block"><code>access_provider = simple
simple_allow_groups = BU_OIT_Everyone</code></pre>
<p><strong>-or-</strong></p>
<pre class="code-block"><code>access_provider = ad
# Pick one of:
ad_access_filter = (bu-ph-deptid=51*)
ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))
ad_access_filter = (|(manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)(manager=CN=jones,OU=People,DC=ad,DC=bu,DC=edu))</code></pre>
<p><strong>Restart sssd and clear any cached information</strong></p>
<pre class="code-block"><code>systemctl restart sssd ; sss_cache -E</code></pre>
<p><strong>Confirm accounts are visible</strong></p>
<pre class="code-block"><code>getent passwd moe
getent passwd larry</code></pre>
<p>The UID field in the output should be the account's <code>bu-ph-index-id-numeric</code> value and the name should appear without an <code>@ad.bu.edu</code> suffix; if a user resolves but has an unexpected UID, <code>ldap_id_mapping</code> is still <code>True</code> in the domain section.</p>
<h3>Restricting account login access</h3>
<p>Since all accounts are defined in Active Directory, by default every AD account can log in to your system. You can restrict this in two ways, using either the &#8220;simple&#8221; or the &#8220;ad&#8221; <code>access_provider</code>. Each has pros and cons to weigh before choosing what is best for you. Whichever you pick, keep a root shell open while you change it: a filter or group that matches nobody denies every login after the restart.</p>
<p><strong>simple access_provider:</strong></p>
<p>Restricts/allows login access based on membership of a specified group.</p>
<p><em>Example:</em></p>
<pre class="code-block"><code>access_provider = simple
simple_allow_groups = groupname</code></pre>
<p><strong>Pros:</strong> Simple way to restrict access based on group membership.<br />
<strong>Cons:</strong> Does not check if the account is active and will still allow login even though the account may be in the &#8220;expired&#8221; state.</p>
<p>You can determine membership of the simple_allow_groups by doing:</p>
<pre class="code-block"><code>klist -k
kinit -k 'DHCP240$'    # replace with your machine account, as listed by klist -k
ldapsearch -H ldap://ist-adc1.ad.bu.edu -b "dc=ad,dc=bu,dc=edu" "(&amp;(objectCategory=group)(CN=[groupname]))" | grep member:</code></pre>
<p><code>kinit -k</code> obtains a Kerberos ticket as the domain-joined machine account, using the key stored in <code>/etc/krb5.keytab</code> (list its principals with <code>/usr/bin/klist -k</code>; the machine principal is the upper-cased computer name followed by <code>$</code>). <code>ldapsearch</code> then authenticates with that ticket over SASL/GSSAPI and shows the members of the specified group. The groups themselves can be listed with:</p>
<pre class="code-block"><code>ldapsearch -H ldap://ist-adc1.ad.bu.edu -b "dc=ad,dc=bu,dc=edu" "(&amp;(objectCategory=group)(CN=*))"</code></pre>
<p>Active Directory returns at most 1000 entries per search by default, so for a full listing either narrow the <code>CN=</code> pattern or request paged results with <code>-E pr=1000/noprompt</code>.</p>
<p><strong>ad access_provider:</strong></p>
<p>Restricts/allows login access based on an LDAP filter evaluated against the directory entry of the user who is logging in.</p>
<p><em>Examples:</em></p>
<pre class="code-block"><code>access_provider = ad
ad_access_filter = (bu-ph-deptid=51*)
ad_access_filter = (|(sAMAccountName=moe)(sAMAccountName=larry)(sAMAccountName=curly))
ad_access_filter = (manager=CN=smith,OU=People,DC=ad,DC=bu,DC=edu)</code></pre>
<p><strong>Pros:</strong> Powerful way of specifying who can access; honors the Active Directory account &#8216;expiration&#8217; state.<br />
<strong>Cons:</strong> Complex syntax can be hard to understand and tricky to implement.</p>
<p>sssd grants access only when a search for the user's own entry, ANDed with <code>ad_access_filter</code>, returns that entry, so the filter can test any attribute normally found in the user account entry. View the attributes with:</p>
<pre class="code-block"><code>klist -k
kinit -k 'DHCP240$'    # replace with your machine account, as listed by klist -k
ldapsearch -o ldif-wrap=no -H ldap://ist-adc1.ad.bu.edu -b "dc=ad,dc=bu,dc=edu" "(samaccountname=[some-account])"</code></pre>
<p><strong>Note:</strong> The man page for <strong>sssd_ad</strong> shows examples of using memberOf in the filter. At Boston University, since we are covered by FERPA, memberOf data is not available. Any other attribute returned by the <strong>samaccountname= query</strong> above is valid for use in the <strong>ad_access_filter</strong>. Values containing <code>*</code>, <code>(</code>, <code>)</code> or <code>\</code> must be escaped as <code>\2a</code>, <code>\28</code>, <code>\29</code> and <code>\5c</code> unless, as in the <code>51*</code> example, the wildcard is intended.</p>
<p>For examples of search filter syntax, see <a href="https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx</a></p>
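<p>The sssd.conf edits above are the step most often done wrong by hand: the keys must land in the <code>[domain/ad.bu.edu]</code> section, <code>realm join</code> has already written conflicting values for some of them, and the file must end up mode 0600. The script below is an added example written for this page, not BU-supplied tooling: it sets each key idempotently (replacing an existing line, appending otherwise, never duplicating), applies the optional <code>simple</code> access restriction, and reads values back so the result can be checked. The sample configuration it runs on when invoked without arguments is constructed to resemble what a default <code>realm join</code> writes; the domain, attribute names and group name are the ones on this page.</p>

```shell
#!/bin/sh
# Apply the BU sssd.conf settings from this page to the domain section that
# realm join created, without leaving duplicate keys behind.
# Added example for this page (not BU-supplied tooling).

# sssd_set CONF SECTION KEY VALUE: overwrite KEY inside [SECTION], or append it
# at the end of that section; create the section if it does not exist.
sssd_set() {
  awk -v sec="[$2]" -v key="$3" -v val="$4" '
    /^\[/ {                                   # a section header
      if (insec && !done) { print key " = " val; done = 1 }
      insec = ($0 == sec)
    }
    insec && !done && match($0, "^[ \t]*" key "[ \t]*=") {
      print key " = " val; done = 1; next      # replace the existing line
    }
    { print }
    END {
      if (insec && !done) { print key " = " val; done = 1 }
      if (!done) { print ""; print sec; print key " = " val }
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sssd_get CONF SECTION KEY: print the value of KEY inside [SECTION].
sssd_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && match($0, "^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# The BU-specific settings listed on the page, in the [domain/DOMAIN] section.
apply_bu_sssd_settings() {        # CONF DOMAIN
  local sec="domain/$2"
  sssd_set "$1" "$sec" ldap_id_mapping False
  sssd_set "$1" "$sec" ldap_user_gecos displayName
  sssd_set "$1" "$sec" ldap_user_uid_number bu-ph-index-id-numeric
  sssd_set "$1" "$sec" ldap_user_gid_number bu-ph-index-id-numeric
  sssd_set "$1" "$sec" fallback_homedir '/home/%u'
  sssd_set "$1" "$sec" full_name_format '%1$s'
  chmod 600 "$1"                   # sssd refuses to start if the file is group/world readable
}

# Optional restriction: the "simple" provider with a single allowed group.
restrict_to_group() {             # CONF DOMAIN GROUP
  sssd_set "$1" "domain/$2" access_provider simple
  sssd_set "$1" "domain/$2" simple_allow_groups "$3"
}

# Constructed sample of a freshly joined host's sssd.conf (not a real BU file);
# note the realm defaults that the page's settings must override.
make_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = ad.bu.edu
config_file_version = 2
services = nss, pam

[domain/ad.bu.edu]
ad_domain = ad.bu.edu
krb5_realm = AD.BU.EDU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

# Usage: sh bu_sssd.sh /etc/sssd/sssd.conf ad.bu.edu [allowed-group]
# With no arguments, run on a temporary copy of the sample and print the result.
if [ "$#" -ge 2 ]; then
  apply_bu_sssd_settings "$1" "$2"
  [ -n "${3-}" ] && restrict_to_group "$1" "$2" "$3"
else
  tmp=$(mktemp)
  make_sample_conf "$tmp"
  apply_bu_sssd_settings "$tmp" ad.bu.edu
  restrict_to_group "$tmp" ad.bu.edu BU_OIT_Everyone
  cat "$tmp"
  rm -f "$tmp"
fi
```

<p>After running it against the real file, <code>systemctl restart sssd ; sss_cache -E</code> and the <code>getent passwd</code> checks above still apply; <code>sssd_get /etc/sssd/sssd.conf domain/ad.bu.edu ldap_id_mapping</code> is a quick way to confirm that the realm default was overridden rather than duplicated.</p>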
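<p>Both <code>ad_access_filter</code> passages above end with a restart of sssd, and a filter that is malformed or matches nobody denies every login. The script below is an added example written for this page, not code from the page's authors: it builds the allow-list form of the filter from a list of account names with RFC 4515 escaping (so a name containing <code>)</code> or <code>*</code> cannot widen the filter), checks that the parentheses balance, and composes the per-user probe that reproduces sssd's decision, since sssd grants access only when the user's entry ANDed with the filter is returned. The DC host and base DN are the ones on this page; the probe <code>ldapsearch</code> is printed rather than executed because it needs the machine ticket from <code>kinit -k</code>.</p>

```shell
#!/bin/sh
# Build and sanity-check an sssd ad_access_filter before it goes into sssd.conf.
# Added example for this page (not BU-supplied code). Assumes OpenLDAP
# ldapsearch and a machine-account ticket obtained with kinit -k as shown above.

# Escape one attribute value per RFC 4515 so that input cannot alter the filter
# structure. Backslash is handled first so later substitutions are not re-escaped.
ldap_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_allow_filter USER...: (|(sAMAccountName=a)(sAMAccountName=b)...)
build_allow_filter() {
  local f="" u
  for u in "$@"; do
    f="$f(sAMAccountName=$(ldap_escape "$u"))"
  done
  printf '(|%s)\n' "$f"
}

# filter_balanced FILTER: succeed if parentheses balance and never close early.
# Escaped values contain \28/\29 rather than literal parentheses, so counting
# literal parentheses is exactly the structural check wanted here.
filter_balanced() {
  local depth=0 rest=$1 c
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}            # first character
    rest=${rest#?}
    case $c in
      '(') depth=$((depth + 1)) ;;
      ')') depth=$((depth - 1)); [ "$depth" -lt 0 ] && return 1 ;;
    esac
  done
  [ "$depth" -eq 0 ]
}

# probe_filter USER FILTER: the search sssd effectively runs for USER at login.
# One entry returned means the login would be allowed, none means denied.
probe_filter() {
  printf '(&(sAMAccountName=%s)%s)\n' "$(ldap_escape "$1")" "$2"
}

# probe_command USER FILTER: print the ldapsearch that runs the probe against
# the DC named on this page (run it after kinit -k '<MACHINE>$').
probe_command() {
  printf "ldapsearch -LLL -o ldif-wrap=no -H ldap://ist-adc1.ad.bu.edu -b 'dc=ad,dc=bu,dc=edu' '%s' sAMAccountName\n" \
    "$(probe_filter "$1" "$2")"
}

# Stand-alone demo: the page's three-account allow list and a probe for one of them.
if [ "$#" -eq 0 ]; then
  f=$(build_allow_filter moe larry curly)
  if filter_balanced "$f"; then
    echo "ad_access_filter = $f"
    probe_command moe "$f"
  else
    echo "unbalanced filter: $f" >&2
  fi
fi
```

<p>The probe is also the right way to test the department and manager filters on the page: <code>probe_command moe '(bu-ph-deptid=51*)'</code> prints a search that returns moe's entry only if the filter would admit him. Leave the wildcard in that filter unescaped; escaping is for values taken from user-supplied names, not for the filter syntax you write deliberately.</p>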