@alparslanozturk
Last active January 31, 2023 11:38
Download the sudo schema file below; it creates the sudo schema classes and their attributes in AD.

https://github.com/sudo-project/sudo/blob/main/docs/schema.ActiveDirectory

Rename the file to kt.ldf, open it and find/replace the string:

Dc=x   ->    DC=ornek,DC=com

Import the file on the Active Directory server:

C:\Users\Administrator\Desktop\direct-entegration>ldifde -i -f kt.ldf
Connecting to "ad.ornek.com"
Logging in as current user using SSPI
Importing directory from file "kt.ldf"
Loading entries.............
12 entries modified successfully.

The command has completed successfully

C:\Users\Administrator\Desktop\direct-entegration>

Install SSSD and the related packages on Linux (RHEL 8):

yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

Check that the AD domain is discoverable and which packages realmd expects:

[root@rhel8 ~]# realm discover ad.ornek.com
ornek.com
  type: kerberos
  realm-name: ORNEK.COM
  domain-name: ornek.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  

Join the domain and verify that an AD user resolves:

realm join ad.ornek.com

[root@rhel8 ~]# getent passwd administrator@ornek.com
administrator@ornek.com:*:549800500:549800513:Administrator:/home/administrator@ornek.com:/bin/bash

### If you want to use the POSIX attributes stored in AD (uidNumber, gidNumber, ...) instead of automatic ID mapping, use this command:
# realm join --automatic-id-mapping=no ornek.com
# or
# change the file /etc/sssd/sssd.conf   (  ldap_id_mapping = false  )
# and delete the cache with this command:        rm -f /var/lib/sss/db/*
# finally restart the service with this command: systemctl restart sssd

Manual ID mapping (set the POSIX attributes on an AD user from PowerShell)

You can get help from here: https://chat.openai.com/chat

Set-ADUser -identity test -Add @{uidNumber="5000"; gidNumber="100"; loginShell="/bin/bash"; unixHomeDirectory="/home/test"}
Get-ADUser -Identity test -Properties * | Out-String -Stream | Select-String "uidNumber","gidNumber","loginShell","unixHomeDirectory" 
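When uidNumber/gidNumber are assigned by hand as above (or when ldap_id_mapping = false is switched on for an existing domain), nothing stops two accounts from ending up with the same Linux UID, or an AD account from being given a UID in the local/system range; on the Linux side both collapse into the same identity for file ownership and sudo. The following shell check is an added example, not part of the gist: it reads passwd-format text as printed by `getent passwd` (the format shown after the realm join) and reports duplicate UIDs and AD users (names with an @realm suffix) below UID 1000. The 1000 boundary is an assumption matching the RHEL default UID_MIN; the sample getent lines are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): collision check for manually assigned
# POSIX IDs. Assumes UIDs below 1000 are reserved for local/system accounts
# (RHEL default UID_MIN) and that AD users carry an @realm suffix, as in the
# getent output of the join step.

check_posix_ids() {
    # $1: file of passwd-format lines. Prints one finding per line and
    # returns 1 if anything was found, 0 when the IDs are clean.
    awk -F: '
        NF < 7 { next }                       # skip blank or garbled lines
        {
            name = $1; uid = $3 + 0
            if (uid in seen) {
                print "DUPLICATE uid " uid ": " seen[uid] " and " name; bad = 1
            } else {
                seen[uid] = name
            }
            if (index(name, "@") > 0 && uid < 1000) {
                print "RESERVED uid " uid " assigned to AD user " name; bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample (not captured from a real host): local users plus AD
# users, two of which were mapped badly: bob collides with local alice and
# svc was given uid 500.
sample_getent_output() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
administrator@ornek.com:*:549800500:549800513:Administrator:/home/administrator@ornek.com:/bin/bash
test@ornek.com:*:5000:100:test:/home/test:/bin/bash
bob@ornek.com:*:1000:100:bob:/home/bob:/bin/bash
svc@ornek.com:*:500:100:svc:/home/svc:/bin/bash
EOF
}

# On a joined host:  getent passwd > /tmp/ids.txt && check_posix_ids /tmp/ids.txt
# On the sample:     sample_getent_output > /tmp/ids.txt && check_posix_ids /tmp/ids.txt
```

Run it after every batch of Set-ADUser changes and again after switching ldap_id_mapping, because the automatically mapped IDs (the 5498xxxxx range above) and the manually assigned ones come from different sources and are never checked against each other by AD.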


result here: [screenshots]

login here: [screenshot]

Check that the DNS record for the host was updated:

C:\Users\Administrator>ping rhel8

Pinging rhel8.ornek.com [192.168.1.228] with 32 bytes of data:
Reply from 192.168.1.228: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.228:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Users\Administrator>ping rhel8.ornek.com

Pinging rhel8.ornek.com [192.168.1.228] with 32 bytes of data:
Reply from 192.168.1.228: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.228:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C

SUDO from Microsoft AD

  1. add "sudo" to the services line of the [sssd] section in /etc/sssd/sssd.conf (the highlighted word in the screenshot, e.g. services = nss, pam, sudo)

[screenshot]

  2. add a line to this file: /etc/nsswitch.conf
echo "sudoers: files sss" >>  /etc/nsswitch.conf
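The two edits above are the whole of the sudo-from-AD switch on the client, so it is worth having them in a form that can be re-applied and verified rather than typed once: `>>` appends a second sudoers line every time it is run, and a file rewritten with `mv` loses the 0600 root-only mode that sssd requires on sssd.conf. The script below is an added example, not part of the gist: the functions take the file paths as parameters so they can be tried on copies, and the sample sssd.conf and nsswitch.conf they operate on are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: idempotent versions of the two
# "SUDO from Microsoft AD" edits plus a verifier. On a real host pass
# /etc/sssd/sssd.conf and /etc/nsswitch.conf as root.

# Rewrite $1 in place from stdin, keeping its inode, owner and mode. sssd
# refuses to start if sssd.conf is not root-owned with mode 0600, so a plain
# "mv tmp conf" (which would inherit the umask) is deliberately avoided.
_rewrite_in_place() {
    tmp="$1.tmp.$$"
    cat > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Step 1: make sure "sudo" is listed on the services line of [sssd].
enable_sssd_sudo() {
    awk '
        /^\[/ {
            # leaving [sssd] without having seen a services line: add one
            if (insssd && !done) { print "services = sudo"; done = 1 }
            insssd = ($0 == "[sssd]")
        }
        insssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/[[:space:]]+$/, "")
            if ($0 !~ /[=,][[:space:]]*sudo([[:space:]]*,|$)/) $0 = $0 ", sudo"
            done = 1
        }
        { print }
        END { if (insssd && !done) print "services = sudo" }
    ' "$1" | _rewrite_in_place "$1"
}

# Step 2: add "sss" to the sudoers line of nsswitch.conf, creating the line
# if the file has none; running it twice leaves one line.
enable_nsswitch_sudoers() {
    awk '
        /^[[:space:]]*sudoers:/ {
            found = 1
            if ($0 !~ /[[:space:]]sss([[:space:]]|$)/) $0 = $0 " sss"
        }
        { print }
        END { if (!found) print "sudoers: files sss" }
    ' "$1" | _rewrite_in_place "$1"
}

# Verifier: 0 when both edits are present, 1 otherwise. Worth re-running after
# package or authselect updates, which may rewrite either file.
sudo_from_ad_configured() {
    grep -Eq '^[[:space:]]*services[[:space:]]*=.*sudo' "$1" &&
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]sss([[:space:]]|$)' "$2"
}

# Constructed sample configs (not from a real host) for trying the functions.
write_sample_configs() {
    printf '[sssd]\ndomains = ornek.com\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/ornek.com]\nid_provider = ad\nldap_id_mapping = true\n' > "$1/sssd.conf"
    printf 'passwd: sss files systemd\ngroup: sss files systemd\nsudoers: files\n' > "$1/nsswitch.conf"
}

# Usage on copies:
#   d=$(mktemp -d); write_sample_configs "$d"
#   enable_sssd_sudo "$d/sssd.conf"; enable_nsswitch_sudoers "$d/nsswitch.conf"
#   sudo_from_ad_configured "$d/sssd.conf" "$d/nsswitch.conf" && echo configured
```

On RHEL 8 /etc/nsswitch.conf is managed by authselect, so a hand-appended line can be overwritten the next time a profile is selected; the verifier above is the quick way to notice that sudo rules silently stopped coming from AD.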

Final Result: [screenshot]

NOTE: the chronyd service may fail with "Could not step system clock" if open-vm-tools is installed; in that case you should enable VMware time sync:

/usr/bin/vmware-toolbox-cmd timesync status
/usr/bin/vmware-toolbox-cmd timesync enable