Chapter 3. Managing direct connections to AD

This section describes how to modify and manage your connection to Active Directory.

Prerequisites

  • You have connected your RHEL system to the Active Directory domain.

3.1. Modifying the default Kerberos host keytab renewal interval

SSSD automatically renews the Kerberos host keytab file in an AD environment if the adcli package is installed. The daemon checks daily if the machine account password is older than the configured value and renews it if necessary.

The default renewal interval is 30 days. To change the default, follow the steps in this procedure.

Procedure

  1. Add the following parameter to the AD provider in your /etc/sssd/sssd.conf file:

    ad_maximum_machine_account_password_age = value_in_days
  2. Restart SSSD:

    # systemctl restart sssd
  3. To disable the automatic Kerberos host keytab renewal, set ad_maximum_machine_account_password_age = 0.

Additional resources

  • The adcli(8) man page.
  • The sssd.conf(5) man page.

3.2. Removing a RHEL system from an AD domain

This procedure describes how to remove a RHEL system from an Active Directory (AD) domain.

Procedure

  1. Remove a system from an identity domain using the realm leave command. The command removes the domain configuration from SSSD and the local system.

    # realm leave ad.example.com
    Note

    When a client leaves a domain, the account is not deleted from AD; the local client configuration is only removed. If you want to delete the AD account, run the command with the --remove option. You are prompted for your user password and you must have the rights to remove an account from Active Directory.

  2. Use the -U option with the realm leave command to specify a different user to remove a system from an identity domain.

    By default, the realm leave command is executed as the default administrator. For AD, the administrator account is called Administrator. If a different user was used to join to the domain, it might be required to perform the removal as that user.

    # realm leave [ad.example.com] -U [AD.EXAMPLE.COM\user]'

The command first attempts to connect without credentials, but it prompts for a password if required.

Verification steps

  • Verify the domain is no longer configured:

    # realm discover [ad.example.com]
    ad.example.com
        type: kerberos
        realm-name: EXAMPLE.COM
        domain-name: example.com
        configured: no
        server-software: active-directory
        client-software: sssd
        required-package: oddjob
        required-package: oddjob-mkhomedir
        required-package: sssd
        required-package: adcli
        required-package: samba-common-tools

Additional resources

  • See the realm(8)` man page.

3.3. Managing login permissions for domain users

By default, domain-side access control is applied, which means that login policies for Active Directory (AD) users are defined in the AD domain itself. This default behavior can be overridden so that client-side access control is used. With client-side access control, login permission is defined by local policies only.

If a domain applies client-side access control, you can use the realmd to configure basic allow or deny access rules for users from that domain.

Note

Access rules either allow or deny access to all services on the system. More specific access rules must be set on a specific system resource or in the domain.

3.3.1. Enabling access to users within a domain

This section describes how to enable access to users within a domain.

Important

It is safer to only allow access to specific users or groups than to deny access to some, while enabling it to everyone else. Therefore, it is not recommended to allow access to all by default while only denying it to specific users with realm permit -x. Instead, Red Hat recommends maintaining a default no access policy for all users and only grant access to selected users using realm permit.

Prerequisites

  • Your RHEL system is a member of the Active Directory domain.

Procedure

  1. Grant access to all users:

    # realm permit --all
  2. Grant access to specific users:

    $ realm permit aduser01@example.com
    $ realm permit 'AD.EXAMPLE.COM\aduser01'

Currently, you can only allow access to users in primary domains and not to users in trusted domains. This is due to the fact that user login must contain the domain name and SSSD cannot currently provide realmd with information about available child domains.

Verification steps

  1. Use SSH to log in to the server as the aduser01@example.com user:

    $ ssh aduser01@example.com@server_name
    [aduser01@example.com@server_name ~]$
  2. Use the ssh command a second time to access the same server, this time as the aduser02@example.com user:

    $ ssh aduser02@example.com@server_name
    Authentication failed.

Notice how the aduser02@example.com is denied access to the system. You have granted the permission to log in to the system to the aduser01@example.com user only. All other users from that Active Directory domain are rejected because of the specified login policy.

Note

If you set use_fully_qualified_names to true in the sssd.conf file, all requests must use the fully qualified domain name. However, if you set use_fully_qualified_names to false, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.

Additional resources

  • See the realm(8)` man page.

3.3.2. Denying access to users within a domain

This section describes how to deny access to all users within a domain.

Important

It is safer to only allow access to specific users or groups than to deny access to some, while enabling it to everyone else. Therefore, it is not recommended to allow access to all by default while only denying it to specific users with realm permit -x. Instead, Red Hat recommends maintaining a default no access policy for all users and only grant access to selected users using realm permit.

Prerequisites

  • Your RHEL system is a member of the Active Directory domain.

Procedure

  1. Deny access to all users within the domain:

    # realm deny --all

    This command prevents realm accounts from logging into the local machine. Use realm permit to restrict login to specific accounts.

  2. Verify that the domain user’s login-policy is set to deny-any-login:

    [root@replica1 ~]# realm list
    example.net
      type: kerberos
      realm-name: EXAMPLE.NET
      domain-name: example.net
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U@example.net
      login-policy: deny-any-login
  3. Deny access to specific users by using the -x option:

    $ realm permit -x 'AD.EXAMPLE.COM\aduser02'

Verification steps

  • Use SSH to log in to the server as the aduser01@example.net user.

    $ ssh aduser01@example.net@server_name
    Authentication failed.
Note

If you set use_fully_qualified_names to true in the sssd.conf file, all requests must use the fully qualified domain name. However, if you set use_fully_qualified_names to false, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.

Additional resources

  • See the realm(8)` man page.