How can I log on my linux machine with my Active Directory credentials?


Solution 1

After my instructor himself tried to solve this, he noticed that it wasn't possible without the Administrator password, so we got one of the Administrators to enter it remotely. I was then able to add a domain account to my local machine; however, I couldn't log in using domain accounts that weren't already created on the machine. To solve this, I used the command realm permit --all, which allows all domain users (if they provide the correct credentials) to log onto the machine. Now all that's left to do is enable those users to use sudo.

Solution 2

You can use sssd with RHEL7

Take a look at this guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

(verify that you have it installed first: yum info sssd)

sssd.conf:

    [sssd]
    domains = mycompany.local
    services = nss
    config_file_version = 2

    [nss]
    filter_groups = root
    filter_users = root

    [domain/mycompany.local]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad
    ad_server = srv-ad.mycompancy.local
    ad_hostname = SRV-DEV008.mycompancy.local
    ad_domain = mycompancy.local
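An added check, not code from either answer: a small Python script that parses an sssd.conf of the shape shown above and flags settings that commonly break AD logins, such as a services list without the pam responder (pam_sss has nothing to talk to) or an ad_server name that does not sit inside ad_domain (usually a typo). The domain and host names in the embedded sample are constructed.

```python
import configparser

# Constructed sample shaped like the answer's snippet; the pam responder is missing.
SAMPLE_NSS_ONLY = """
[sssd]
domains = example.local
services = nss
config_file_version = 2

[domain/example.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc01.example.local
ad_domain = example.local
"""
SAMPLE_FIXED = SAMPLE_NSS_ONLY.replace("services = nss", "services = nss, pam")


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # sssd option names are case-sensitive
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    sssd, findings = cp["sssd"], []
    if sssd.get("config_file_version") != "2":
        findings.append("[sssd] config_file_version must be 2")
    services = split_list(sssd.get("services", ""))
    for svc, why in (("nss", "users cannot be resolved"), ("pam", "pam_sss cannot authenticate")):
        if svc not in services:
            findings.append(f"[sssd] services lacks {svc}: {why}")
    domains = split_list(sssd.get("domains", ""))
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"[sssd] domains names '{dom}' but [{sect}] is missing")
            continue
        d = cp[sect]
        # Heuristic: the DC normally sits inside the AD domain; a mismatch is usually a typo.
        ad_domain, server = d.get("ad_domain", dom).lower(), d.get("ad_server", "").lower()
        if d.get("id_provider") == "ad" and server and not server.endswith("." + ad_domain):
            findings.append(f"[{sect}] ad_server '{server}' is not under ad_domain '{ad_domain}'")
    return findings
```

Run it against /etc/sssd/sssd.conf (readable by root only) before restarting sssd; an empty result does not prove the join works, it only rules out these particular mistakes.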



Author: BIfrost

Updated on September 18, 2022

Comments

  • BIfrost
    BIfrost almost 2 years

    I'm on a Windows computer RDPing to a RHEL 7 server. I now want to be able to log into that server using my Windows domain credentials (over SSH, preferably RDP too, but not necessary). Here's what I have so far:

    • realm list returns my domain information
    • kinit [email protected] works fine
    • ldapsearch -H ldap://srv-ad.mycompancy.local/ -Y GSSAPI -N -b "dc=mycompany,dc=local" "(sAMAccountName=SRV-DEV008$)" returns all information about that account from the LDAP. srv-dev008 is my RHEL server.
    • I configured my PAM like this: Archlinux Wiki

    However, I can not log in using my domain credentials. I do NOT have direct access to the AD, as I'm not an administrator in my company. I'm supposed to be able to do this task without their help (this is for an apprenticeship), all they did was add the SRV-DEV008 machine account to the AD. What am I missing? I appreciate any help.

    • Janne Pikkarainen
      Janne Pikkarainen almost 10 years
      What kind of errors do you see in the logs?
    • BIfrost
      BIfrost almost 10 years
      /var/log/secure shows that the usernames I tried (they exist on the domain) are invalid. I have also tried DOMAIN\username and username@DOMAIN, no success.
    • Janne Pikkarainen
      Janne Pikkarainen almost 10 years
      Ok. Dear apprentice, we then also need some config files for us to see. You might also try ldapsearch with a more verbose debug level.
    • BIfrost
      BIfrost almost 10 years
      ldapsearch -v : pastebin.com/feFBJds6
    • Pablo Montepagano
      Pablo Montepagano almost 10 years
      Can you show us your sshd_config too? You need to enable PAM auth (if it's not already enabled).
    • BIfrost
      BIfrost almost 10 years
      I'm pasting the entries that I think are important. KerberosAuthentication yes, usePAM yes.
  • BIfrost
    BIfrost almost 10 years
    Thanks for your answer. I edited the sssd.conf according to your info, but I am still unable to log in. /var/log/secure still says the user is unknown. Do I have to edit anything else to make the login use sssd? Also, I'd like all domain users to be able to log in on the machine, not just members of a certain group. Edit: I tried starting the sssd service, but I'm getting an error. "<group/member="root"> ldap_results() failed: Operations error: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vldb1