@ceagan
Last active May 28, 2022 05:25
Setup CentOS 7 for Password/Kerberos-based SSH Logins with Active Directory

Introduction

The intent of this document is to record one method of enabling Kerberos logins on a CentOS 7 system using Windows Active Directory. There are many ways to do this. For a very detailed document covering all of these options, see the Red Hat Enterprise Linux 7 Windows Integration Guide.

Note: At the time of this writing, a kickstart installation does not work correctly, possibly because it uses an older version of adcli. The /etc/krb5.keytab file ends up containing entries that look like HOST/hostname.domain.com@DOMAIN.COM, which is not what sshd expects. The sshd service expects entries that look like host/hostname.domain.com@DOMAIN.COM (Kerberos principal names are case-sensitive). This causes SSH Kerberos logins to fail, printing No key table entry found matching host/hostname.domain.com@ in the error log.
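To catch the keytab problem described in the note before users hit it, here is an added check (not part of the gist) that parses a klist -k listing and reports whether the principal sshd needs, host/<fqdn>, is present or only its uppercase HOST/ variant. The two listings below are constructed samples; the function names are my own. On a server, feed it the real keytab: klist -k /etc/krb5.keytab | keytab_has_sshd_principal "$(hostname -f)" (reading the keytab requires root).

```shell
#!/bin/sh
# Added example, not from the gist: detect HOST/ vs host/ keytab entries.
# Input is the output of `klist -k`, which looks like:
#   Keytab name: FILE:/etc/krb5.keytab
#   KVNO Principal
#   ---- ---------------------------------------------------------------
#      2 HOST/centos7.domain.com@DOMAIN.COM
# Both samples below are constructed for the demonstration.

SAMPLE_BAD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/centos7.domain.com@DOMAIN.COM
   2 CENTOS7$@DOMAIN.COM
   2 RestrictedKrbHost/centos7.domain.com@DOMAIN.COM'

SAMPLE_GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/centos7.domain.com@DOMAIN.COM
   2 CENTOS7$@DOMAIN.COM
   2 RestrictedKrbHost/centos7.domain.com@DOMAIN.COM'

# Print the principal names without the @REALM part, one per line.
# Reads a klist listing from stdin; the first three lines are the header.
keytab_principals() {
    awk 'NR > 3 { sub(/@.*$/, "", $2); print $2 }'
}

# keytab_has_sshd_principal FQDN  (listing on stdin)
# Return 0 if an entry spelled exactly "host/FQDN" exists, 1 otherwise.
# Explain the failure when only the uppercase spelling is present, which is
# the symptom the note above describes.
keytab_has_sshd_principal() {
    fqdn="$1"
    listing="$(cat)"
    if printf '%s\n' "$listing" | keytab_principals | grep -qx "host/$fqdn"; then
        return 0
    fi
    if printf '%s\n' "$listing" | keytab_principals | grep -qx "HOST/$fqdn"; then
        echo "keytab has HOST/$fqdn but sshd looks for host/$fqdn (case-sensitive)" >&2
    fi
    return 1
}
```

If the check fails on a joined host, the usual remedy is to have the keytab regenerated with a current adcli (for example by leaving and rejoining the realm) so that the lowercase host/ service principal is written.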

Setting up CentOS 7 for Active Directory Logins

Enter the following command to join DOMAIN.COM. The user given as username must have permission to add computers to DOMAIN.COM.

realm join -u username DOMAIN.COM

Login with Simple Username

At this point, it is possible to log in to the server as long as your login name is given as username@domain.com. This is not very convenient, and is only useful if you have multiple domains.

Fix this by editing /etc/sssd/sssd.conf. Add the following to the [sssd] section to automatically choose the primary domain.

[sssd]
 default_domain_suffix = domain.com

Restart System Security Services Daemon (SSSD).

systemctl restart sssd

Make System Username Simple

Usernames will still use the fully-qualified form to avoid conflicts with usernames from other domains. If you only have one domain, you can change this so that the short username is used instead.

To do this, edit /etc/sssd/sssd.conf. Change the use_fully_qualified_names property to False under the section specific to your domain.

[domain/domain.com]
 use_fully_qualified_names = False

Restart System Security Services Daemon (SSSD).

systemctl restart sssd
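The two sssd.conf edits above (default_domain_suffix in [sssd] and use_fully_qualified_names in [domain/domain.com]) are easy to get wrong by hand, for instance by adding a key to the wrong section or leaving two copies of it. The following is an added example, not the gist's own commands, that applies both changes with a small POSIX shell function. The sample config it rewrites is constructed to resemble what realm join produces; set_ini_option, get_ini_option and demo_sssd_conf are my own names.

```shell
#!/bin/sh
# Added example, not from the gist: set one option in one section of an
# ini-style file such as /etc/sssd/sssd.conf. An existing assignment of the
# key inside that section is replaced (duplicates dropped); otherwise the key
# is appended to the section, and the section is created if it is absent.

# set_ini_option FILE SECTION KEY VALUE
set_ini_option() {
    file="$1" section="$2" key="$3" value="$4"
    tmp="$file.tmp.$$"
    awk -v section="$section" -v key="$key" -v value="$value" '
        /^[ \t]*\[/ {                      # section header
            # leaving the target section without having seen the key: add it
            if (in_section && !done) { print key " = " value; done = 1 }
            name = substr($0, index($0, "[") + 1)
            name = substr(name, 1, index(name, "]") - 1)
            in_section = (name == section)
            if (in_section) seen = 1
            print; next
        }
        in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " value; done = 1 }
            next                           # drop any second copy of the key
        }
        { print }
        END {
            if (!seen) print "[" section "]"
            if (!done) print key " = " value
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # sssd refuses to start unless sssd.conf is mode 0600 and owned by root,
    # so copy the content back into the existing file instead of mv-ing a
    # fresh file (with the umask default mode) over it.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY  -> prints the value, or nothing if absent
get_ini_option() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ {
            name = substr($0, index($0, "[") + 1)
            name = substr(name, 1, index(name, "]") - 1)
            in_section = (name == section); next
        }
        in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit
        }
    ' "$1"
}

# Write a constructed sssd.conf into a temp file, apply both edits from the
# text above and print the path. Real use: set_ini_option /etc/sssd/sssd.conf ...
# followed by systemctl restart sssd.
demo_sssd_conf() {
    f="${TMPDIR:-/tmp}/sssd.conf.demo.$$"
    cat > "$f" <<'EOF'
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam

[domain/domain.com]
ad_domain = domain.com
krb5_realm = DOMAIN.COM
use_fully_qualified_names = True
access_provider = ad
EOF
    set_ini_option "$f" sssd default_domain_suffix domain.com
    set_ini_option "$f" domain/domain.com use_fully_qualified_names False
    printf '%s\n' "$f"
}
```

After editing the real file, get_ini_option /etc/sssd/sssd.conf domain/domain.com use_fully_qualified_names gives a quick confirmation that the value landed in the right section before restarting sssd.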

Limit Logins to a Domain Group

Some servers shouldn't let every user in the realm log in. To limit logins to a specific group, in this example Domain Admins, execute a command similar to the following. For more details, see the permit section of the realm man page.

realm permit --groups domain\ admins

Setting up SSH Client to use Kerberos Authentication

Note: This configuration is done entirely on the client, not the server.

Configure ~/.ssh/config to include the following lines:

Host *.domain.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Execute the following commands to connect to the server using a Kerberos ticket.

kinit username
ssh username@host.domain.com

Note: Be sure to specify the full domain name. SSH will only submit the Kerberos ticket if the GSSAPI options are enabled, and they are only enabled when the host name you give on the command line matches the Host pattern in your local config file.
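The note above is the most common reason a Kerberos SSH login silently falls back to a password: ssh host (short name) does not match Host *.domain.com, so the GSSAPI options never apply. This added example (not part of the gist) resolves the effective value of an ssh_config option for a given host name the way ssh does: Host patterns are shell-style globs and the first matching assignment wins. The config text is constructed, effective_option is my own name, and Match blocks and negated (!) patterns are not handled.

```shell
#!/bin/sh
# Added example, not from the gist: which value does ssh end up using for an
# option, given the host name typed on the command line?
# Constructed config: the gist's two lines plus a catch-all block.
SAMPLE_SSH_CONFIG='Host *.domain.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Host *
  GSSAPIAuthentication no'

# effective_option CONFIG_TEXT HOSTNAME OPTION [DEFAULT]
# Runs in a subshell so `set -f` (needed to keep "*" in Host lines literal
# during word splitting) does not leak into the caller.
effective_option() (
    set -f
    config="$1" host="$2" option="$3" default="${4:-no}"
    want="$(printf '%s' "$option" | tr 'A-Z' 'a-z')"   # keywords are case-insensitive
    result="" active=0
    while read -r line; do            # read strips leading/trailing blanks
        set -- $line
        [ $# -eq 0 ] && continue
        case "$1" in \#*) continue ;; esac
        key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; shift
        if [ "$key" = host ]; then
            # a Host line may list several patterns; any match activates the block
            active=0
            for pat in "$@"; do
                case "$host" in $pat) active=1 ;; esac
            done
        elif [ "$active" = 1 ] && [ -z "$result" ] && [ "$key" = "$want" ]; then
            result="$*"                # first obtained value wins, as in ssh
        fi
    done <<EOF
$config
EOF
    printf '%s\n' "${result:-$default}"
)
```

With the sample config, effective_option "$SAMPLE_SSH_CONFIG" host.domain.com GSSAPIAuthentication prints yes, while the same query for the bare name host prints no, which is exactly the failure the note warns about. On a real client, ssh -G host.domain.com | grep -i gssapi shows the values OpenSSH itself resolves from your config.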

@sanugu2508

Thank you, it helped me a lot.
