Linux Active Directory

From Dave-Wiki

How To Join Linux Host To AD and Login With AD User

Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#connecting-directly-to-ad_connecting-rhel-systems-directly-to-ad-using-sssd

You should create a user in AD first.

On AD server

Open Active Directory Users and Computers.

Enable Advanced Features: View > Advanced Features

Open User Properties > Attribute Editor

Add user's public SSH key(s) to altSecurityIdentities attribute. *(ed25519 is supported)*

Configure the user's attributes: uidNumber, gidNumber, unixHomeDirectory, and loginShell.

On Host

sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
realm discover lambnet.us
sudo realm join --automatic-id-mapping=no -v -U 'dave@LAMBNET.US' lambnet.us

Run realm list to verify that the host is joined.

Add to /etc/krb5.conf:

[realms]
LAMBNET.US = {
    kdc=dc1.lambnet.us
    kpasswd_server=dc1.lambnet.us
    admin_server=dc1.lambnet.us
    default_domain=lambnet.us
}
[domain_realm]
lambnet.us = LAMBNET.US

On AD Server

Unset msDS-SupportedEncryptionTypes on the newly-created host object in AD.

On Host

Append ssh to services parameter in /etc/sssd/sssd.conf:

services = nss, pam, ssh

Also, add to the [domain/example.com] section of /etc/sssd/sssd.conf:

ldap_user_extra_attrs = altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
auto_private_groups = True

Clear sssd cache and restart sssd:

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

Add the following lines to /etc/ssh/sshd_config (each directive on its own line; sshd refuses an AuthorizedKeysCommand without a matching AuthorizedKeysCommandUser):

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

Restart sshd:

systemctl restart sshd

Test:

Run id {user}@{domain} to verify that the correct uid/gid shows up for the AD user.

Run getent passwd dave@lambnet.us to verify that the POSIX attributes (unixHomeDirectory, etc.) can be read from AD.
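As an added example (not from this wiki or the Red Hat documentation), a POSIX sh script that checks the three things the steps above depend on: a complete POSIX entry from getent, the two sshd directives on separate lines, and the ssh responder plus key attribute in sssd.conf. The sample entries and config text are constructed; on a joined host, pass real output instead.

```shell
#!/bin/sh
# Offline post-join checks for the SSSD/AD setup described above.
# Each function takes the text to inspect as an argument; on a joined host,
# feed it real output, e.g. check_posix_entry "$(getent passwd dave@lambnet.us)".
# 1. getent must return a complete POSIX entry: numeric uidNumber/gidNumber,
#    a unixHomeDirectory and a loginShell. An empty field means the attribute
#    is unset in AD, or ID mapping is still on and the AD values are ignored.
check_posix_entry() {
    IFS=: read -r name _ uid gid _ home shell <<EOF
$1
EOF
    [ -n "$name" ] || return 1
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$home" ] && [ "$home" != "/" ] || return 1
    [ -n "$shell" ] || return 1
}
# 2. sshd needs AuthorizedKeysCommand and AuthorizedKeysCommandUser on separate
#    lines; joined on one line, sshd treats "AuthorizedKeysCommandUser root" as
#    arguments to the helper and the user setting is missing.
check_sshd_config() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys[[:space:]]*$' || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[A-Za-z_][A-Za-z0-9_-]*[[:space:]]*$' || return 1
}
# 3. sssd.conf must enable the ssh responder and map the key attribute.
check_sssd_conf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*services[[:space:]]*=.*[[:space:],=]ssh([[:space:],]|$)' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ldap_user_ssh_public_key[[:space:]]*=[[:space:]]*altSecurityIdentities[[:space:]]*$' || return 1
}
# Constructed samples (not captured from a real host).
GOOD_ENTRY='dave@lambnet.us:*:10001:10001:Dave:/home/dave:/bin/bash'
BAD_ENTRY='dave@lambnet.us:*:::Dave::'
GOOD_SSHD='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root'
BAD_SSHD='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser root'
GOOD_SSSD='[sssd]
services = nss, pam, ssh
[domain/lambnet.us]
ldap_user_ssh_public_key = altSecurityIdentities'
if check_posix_entry "$GOOD_ENTRY" && ! check_posix_entry "$BAD_ENTRY" \
   && check_sshd_config "$GOOD_SSHD" && ! check_sshd_config "$BAD_SSHD" \
   && check_sssd_conf "$GOOD_SSSD"; then
    echo "all checks behave as expected"
else
    echo "a check failed"
fi
```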