Chapter 4. Configuring RHEL to use AD as an authentication provider

4.1. A standalone RHEL host using AD as an authentication provider

As a system administrator, you can use Active Directory (AD) as the authentication provider for a Red Hat Enterprise Linux (RHEL) host without joining the host to AD if, for example:

  • You do not want to grant AD administrators the control over enabling and disabling the host.
  • The host, which can be a corporate PC, is only meant to be used by one user in your company.
Important

Implement this procedure only in the rare cases where this approach is preferred.

Consider fully joining the system to AD or Red Hat Identity Management (IdM) instead. Joining the RHEL host to a domain makes the setup easier to manage. If you are concerned about client access licences related to joining clients into AD directly, consider leveraging an IdM server that is in a trust agreement with AD. For more information on an IdM-AD trust, see Planning a cross-forest trust between IdM and AD and Installing a trust between IdM and AD.

4.2. Configuring a RHEL host to use AD as an authentication provider

Complete this procedure to enable the user named AD_user to log in to the rhel8_host system using the password set in the Active Directory AD user database in the example.com domain. In this example, the EXAMPLE.COM Kerberos realm corresponds to the example.com domain.

Prerequisites

  • You have root access to rhel8_host.
  • The AD_user user account exists in the example.com domain.
  • The Kerberos realm is EXAMPLE.COM.
  • rhel8_host has not been joined to AD using the realm join command.

Procedure

  1. Create the AD_user user account locally without assigning a password to it:

    # useradd AD_user
  2. Open the /etc/nsswitch.conf file for editing, and make sure that it contains the following lines:

    passwd:     sss files systemd
    group:      sss files systemd
    shadow:     files sss
  3. Open the /etc/krb5.conf file for editing, and make sure that it contains the following sections and items:

    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/
    
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     EXAMPLE.COM = {
         kdc = ad.example.com
         admin_server = ad.example.com
     }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
  4. Create the /etc/sssd/sssd.conf file and insert the following sections and lines into it:

    [sssd]
        services = nss, pam
        domains = EXAMPLE.COM
    
    [domain/EXAMPLE.COM]
        id_provider = files
        auth_provider = krb5
        krb5_realm = EXAMPLE.COM
        krb5_server = ad.example.com
  5. Change the permissions on the /etc/sssd/sssd.conf file:

    # chmod 600 /etc/sssd/sssd.conf
  6. Start the Security System Services Daemon (SSSD):

    # systemctl start sssd
  7. Enable SSSD:

    # systemctl enable sssd
  8. Open the /etc/pam.d/system-auth file, and modify it so that it contains the following sections and lines:

    # Generated by authselect on Wed May  8 08:55:04 2019
    # Do not modify this file manually.
    
    auth        required                                     pam_env.so
    auth        required                                     pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
    auth        sufficient                                   pam_unix.so nullok try_first_pass
    auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient                                   pam_sss.so forward_pass
    auth        required                                     pam_deny.so
    
    account     required                                     pam_unix.so
    account     sufficient                                   pam_localuser.so
    account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required                                     pam_permit.so
    
    password    requisite                                    pam_pwquality.so try_first_pass local_users_only
    password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient                                   pam_sss.so use_authtok
    password    required                                     pam_deny.so
    
    session     optional                                     pam_keyinit.so revoke
    session     required                                     pam_limits.so
    -session    optional                                     pam_systemd.so
    session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
    session     required                                     pam_unix.so
    session     optional                                     pam_sss.so
  9. Copy the contents of the /etc/pam.d/system-auth file into the /etc/pam.d/password-auth file. Enter yes to confirm the overwriting of the current contents of the file:

    # cp /etc/pam.d/system-auth /etc/pam.d/password-auth
    cp: overwrite '/etc/pam.d/password-auth'? yes

Verification steps

  1. Request a Kerberos ticket-granting ticket (TGT) for AD_user. Enter the password of AD_user as requested:

    # kinit AD_user
    Password for AD_user@EXAMPLE.COM:
  2. Display the obtained TGT:

    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: AD_user@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    11/02/20 04:16:38  11/02/20 14:16:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    	renew until 18/02/20 04:16:34

AD_user has successfully logged in to rhel8_host using the credentials from the EXAMPLE.COM Kerberos domain.