Redhat – How to log on the linux machine with the Active Directory credentials

active-directoryldappamredhatrhel7

I'm on a windows computer RDPing to a RHEL 7 Server. I now want to be able to log into that server using my windows domain credentials(over SSH, preferably RDP too but not necessary). Here's what I have so far :

realm list returns my domain information
kinit myuser@DOMAIN.LOCAL works fine
ldapsearch -H ldap://srv-ad.mycompancy.local/ -Y GSSAPI -N -b "dc=mycompany,dc=local" "(sAMAccountName=SRV-DEV008$)" returns all information about that account from the LDAP. srv-dev008 is my RHEL server.
I configured my PAM like this : Archlinux Wiki

However, I can not log in using my domain credentials. I do NOT have direct access to the AD, as I'm not an administrator in my company. I'm supposed to be able to do this task without their help (this is for an apprenticeship), all they did was add the SRV-DEV008 machine account to the AD. What am I missing? I appreciate any help.

Best Answer

You can use sssd with RHEL7

Take a look at this guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

(verify that you have it installed first: yum info sssd)

sssd.conf:

[sssd] domains = mycompany.local services = nss config_file_version = 2

[nss] filter_groups = root filter_users = root

[domain/mycompany.local] id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad ad_server = srv-ad.mycompancy.local ad_hostname = SRV-DEV008.mycompancy.local ad_domain = mycompancy.local

Related Solutions

Ldap – How to set up Redmine => Active Directory authentication

Okay, so here are the specific settings that I needed in order to make this work:

Host: ims.example.com
Port: 389
User: MYDOMAIN\accountName
Password: *******
Base DN: dc=mydomain,dc=example,dc=com

On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail

The trick was removing cn=Users from the Base DN, after which it all sort of came together.

The other notable thing was the inclusion of a user to read the directory.

Lastly, the user that logs in uses their user name without domain qualification, and their domain password as usual. Our domain does not require an email address, so there is an additional step where the email address has to be set during user creation, but that's pretty straightforward.

Ssh – LdapErr: DSID-0C0903AA, data 52e: authenticating against AD ’08 with pam_ldap

Tail between my legs I'll have to answer this one because I have the embarrassing inside information.

I did not realize that you had to create a regular Unix user on the system to be able to login. As soon as I created a user matching ivasta I was able to login with that users AD password.

Only thing I can't do is change the password, even with pam_password ad but that doesn't matter because this is only for username logging purposes.

Best Answer

Related Solutions

Ldap – How to set up Redmine => Active Directory authentication

Ssh – LdapErr: DSID-0C0903AA, data 52e: authenticating against AD ’08 with pam_ldap

Related Topic