5.7. Active Directory Trust for Legacy Linux Clients
Legacy clients use other utilities to communicate with the IdM server, such as nss-pam-ldapd or SSSD version 1.8 or earlier. Clients running the following versions of Red Hat Enterprise Linux do not use SSSD 1.9 and are therefore considered to be legacy clients:
- Red Hat Enterprise Linux 5.7 or later
- Red Hat Enterprise Linux 6.0 – 6.3
Legacy clients do not support the following features:
- Kerberos authentication
- host-based access control (HBAC)
- SELinux user mapping
Legacy clients use the IdM server only for:
- information look-up
- password authentication
5.7.1. Server-side Configuration for AD Trust for Legacy Clients
Before configuring the IdM server for legacy clients, make sure that:
- The ipa-server package for IdM and the ipa-server-trust-ad package for the IdM trust add-on have been installed.
- The ipa-server-install utility has been run to set up the IdM server.
- The ipa-adtrust-install --enable-compat command has been run, which ensures that the IdM server supports trusts with AD domains and that the compat LDAP tree is available. If you have already run the command without the --enable-compat option in the past, run it again, this time adding the option.
- The ipa trust-add ad.example.org command has been run to establish the AD trust.
If the allow_all rule is disabled, enable the system-auth service on the IdM server, which allows authentication of the AD users. You can check the status of allow_all directly from the command line using the ipa hbacrule-show command. If the rule is disabled, Enabled: FALSE is displayed in the output:
[user@server ~]$ kinit admin
[user@server ~]$ ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE
To enable system-auth on the IdM server, create an HBAC service named system-auth and add an HBAC rule using this service to grant access to IdM masters. Adding HBAC services and rules is described in the Linux Domain Identity, Authentication, and Policy Guide. Note that HBAC services are PAM service names; if you add a new PAM service, make sure to create an HBAC service with the same name and then grant access to this service through HBAC rules.
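As an added illustration (not code from the Red Hat guide), the following POSIX shell script performs the check described above: it parses the output of ipa hbacrule-show the way the text does and, when allow_all is disabled, prints the ipa commands that would create the system-auth HBAC service and a rule granting it on an IdM master. The rule name legacy_system_auth and the master name server.example.com are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `ipa hbacrule-show allow_all` output, taken from the
# session shown in the text above (the ipa client indents each field).
SAMPLE_ALLOW_ALL='  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE'

# hbac_rule_status: read `ipa hbacrule-show <rule>` output on stdin and print
# one word: enabled, disabled, or unknown (no "Enabled:" line, for example
# because the command printed an error instead of a rule).
hbac_rule_status() {
    value=$(sed -n 's/^[[:space:]]*Enabled:[[:space:]]*//p' | head -n 1 |
        tr '[:lower:]' '[:upper:]')
    case "$value" in
        TRUE)  echo enabled ;;
        FALSE) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# legacy_auth_plan STATUS MASTER: return 0 when AD users can already
# authenticate (allow_all enabled); otherwise print, never execute, the ipa
# commands that create the system-auth HBAC service and a rule granting it on
# the given master, and return 1. Rule name legacy_system_auth is assumed.
legacy_auth_plan() {
    status=$1; master=$2
    case "$status" in
        enabled) return 0 ;;
        disabled)
            cat <<EOF
kinit admin
ipa hbacsvc-add system-auth
ipa hbacrule-add legacy_system_auth --usercat=all
ipa hbacrule-add-service legacy_system_auth --hbacsvcs=system-auth
ipa hbacrule-add-host legacy_system_auth --hosts=$master
EOF
            return 1 ;;
        *)
            echo "cannot read allow_all status; run: ipa hbacrule-show allow_all" >&2
            return 2 ;;
    esac
}

# Stand-alone run over the constructed sample: allow_all is disabled, so the
# plan is printed and the non-zero status is swallowed for the demo.
legacy_auth_plan "$(printf '%s\n' "$SAMPLE_ALLOW_ALL" | hbac_rule_status)" server.example.com || true
```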
5.7.2. Client-side Configuration Using the ipa-advise Utility
The ipa-advise utility provides the configuration instructions to set up a legacy client for an AD trust.
To display the list of configuration instruction sets that ipa-advise can provide, run ipa-advise without any options. Running ipa-advise prints the names of all available sets of configuration instructions along with the descriptions of what each set does and when it is recommended to be used.
[root@server ~]# ipa-advise
config-redhat-nss-ldap : Instructions for configuring a system with nss-ldap as a IPA client. This set of instructions is targeted for platforms that include the authconfig utility, which are all Red Hat based platforms.
config-redhat-nss-pam-ldapd : Instructions for configuring a system (...)
To display a particular set of configuration instructions, run the ipa-advise utility with the instruction set as a parameter:
[root@server ~]# ipa-advise config-redhat-nss-ldap
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with nss-ldap as a IPA client.
# This set of instructions is targeted for platforms that include the
# authconfig utility, which are all Red Hat based platforms.
# ----------------------------------------------------------------------
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages via yum
yum install -y wget openssl nss_ldap authconfig
# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
wget http://idm.example.com/ipa/config/ca.crt -O /etc/openldap/cacerts/ca.crt
(...)
You can configure the client using the ipa-advise utility either by running the displayed instructions as a shell script or by executing the instructions manually.
To run the instructions as a script:
- Create the script file on the server.
[root@server ~]# ipa-advise config-redhat-nss-ldap > setup_script.sh
- Add execute permissions to the file using the chmod utility.
[root@server ~]# chmod +x setup_script.sh
- Copy the script to the client using the scp utility.
[root@server ~]# scp setup_script.sh root@client
- Run the script on the client.
[root@client ~]# ./setup_script.sh
Important: Always read and review the script file carefully before you run it on the client.
To configure the client manually instead, execute the instructions displayed by ipa-advise from the command line.