How can I log on my linux machine with my Active Directory credentials?
Solution 1
After my instructor himself tried to solve this, he noticed that it wasn't possible without the Administrator password, so we got one of the Administrators to enter it remotely. I was then able to add a domain account to my local machine; however, I couldn't log in using domain accounts that weren't already created on the machine. To solve this, I used the command realm permit --all, which allows all domain users (if they provide the correct credentials) to log onto the machine. Now all that's left to do is enable those users to use sudo.
Solution 2
You can use sssd with RHEL 7.
Take a look at this guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf
(verify that you have it installed first: yum info sssd)
sssd.conf:

    [sssd]
    domains = mycompany.local
    # nss only resolves users and groups; pam is needed for sssd to handle logins
    services = nss, pam
    config_file_version = 2

    [nss]
    filter_groups = root
    filter_users = root

    [domain/mycompany.local]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad
    ad_server = srv-ad.mycompancy.local
    ad_hostname = SRV-DEV008.mycompancy.local
    ad_domain = mycompancy.local
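As an added example (not part of either answer), a small POSIX shell checker for an sssd.conf of the shape shown above: it reads the [sssd] services list and each domain section and reports what a PAM login through sssd would still be missing, including the nss-only pitfall behind "user is unknown" in /var/log/secure and a mismatch between a domain section name and its ad_domain. The sample config it runs against is constructed here; sssd_get and sssd_check_login are this example's own helpers.

```shell
#!/bin/sh
# Added example, not from the original answers: sanity-check an sssd.conf shaped like
# Solution 2's for what a PAM login needs. A common cause of "user unknown" in
# /var/log/secure is sssd running only the nss service, so PAM never consults it.

# sssd_get FILE SECTION KEY: prints the value, or nothing if the key is absent.
sssd_get() {
    awk -v s="$2" -v k="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sec = $0; gsub(/\[|\]|[[:space:]]/, "", sec); insec = (sec == s); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            if (key == k) { val = substr($0, index($0, "=") + 1)
                            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); print val; exit }
        }' "$1"
}

# sssd_check_login FILE: prints one line per finding and returns the finding count.
sssd_check_login() {
    conf=$1; n=0
    services=",$(sssd_get "$conf" sssd services | tr -d ' '),"
    for svc in nss pam; do
        case $services in *,"$svc",*) ;; *)
            echo "FAIL: [sssd] services lacks $svc (PAM login needs both nss and pam)"; n=$((n+1)) ;;
        esac
    done
    for d in $(sssd_get "$conf" sssd domains | tr ',' ' '); do
        for key in id_provider auth_provider access_provider; do
            [ -n "$(sssd_get "$conf" "domain/$d" "$key")" ] || { echo "FAIL: [domain/$d] has no $key"; n=$((n+1)); }
        done
        ad=$(sssd_get "$conf" "domain/$d" ad_domain)
        [ -z "$ad" ] || [ "$ad" = "$d" ] || { echo "WARN: [domain/$d] ad_domain=$ad differs from section name"; n=$((n+1)); }
    done
    return $n
}
# Constructed sample in the shape of Solution 2's config (nss only; ad_domain misspelt).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[sssd]
domains = mycompany.local
services = nss
[domain/mycompany.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = mycompancy.local
EOF
sssd_check_login "$SAMPLE" || echo "$? problem(s) found"
rm -f "$SAMPLE"
```

Run it against /etc/sssd/sssd.conf (as root, since the file is mode 0600) before restarting sssd; a clean run returns 0.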
BIfrost, updated on September 18, 2022
Comments
-
BIfrost almost 2 years
I'm on a Windows computer RDPing to a RHEL 7 server. I now want to be able to log into that server using my Windows domain credentials (over SSH, preferably RDP too, but not necessary). Here's what I have so far:
- realm list returns my domain information
- kinit [email protected] works fine
- ldapsearch -H ldap://srv-ad.mycompancy.local/ -Y GSSAPI -N -b "dc=mycompany,dc=local" "(sAMAccountName=SRV-DEV008$)" returns all information about that account from the LDAP. srv-dev008 is my RHEL server.
- I configured my PAM like this: Archlinux Wiki
However, I cannot log in using my domain credentials. I do NOT have direct access to the AD, as I'm not an administrator in my company. I'm supposed to be able to do this task without their help (this is for an apprenticeship); all they did was add the SRV-DEV008 machine account to the AD. What am I missing? I appreciate any help.
-
Janne Pikkarainen almost 10 years
What kind of errors do you see in the logs?
-
BIfrost almost 10 years
/var/log/secure shows that the usernames I tried (they exist on the domain) are invalid. I have also tried DOMAIN\username and username@DOMAIN, with no success.
-
Janne Pikkarainen almost 10 years
Ok. Dear apprentice, then we also need some config files to look at. You might also try ldapsearch with a more verbose debug level.
-
BIfrost almost 10 years
krb5.conf: pastebin.com/8zzB3ewN, smb.conf: pastebin.com/DBM7y8tP
-
BIfrost almost 10 years
ldapsearch -v: pastebin.com/feFBJds6
-
Pablo Montepagano almost 10 years
Can you show us sshd_config too? You need to enable PAM auth (if it's not already enabled).
-
BIfrost almost 10 years
I'm pasting the entries that I think are important: KerberosAuthentication yes, UsePAM yes.
-
BIfrost almost 10 years
Thanks for your answer. I edited the sssd.conf according to your info, but I am still unable to log in. /var/log/secure still says the user is unknown. Do I have to edit anything else to make the login use sssd? Also, I'd like all domain users to be able to log in on the machine, not just members of a certain group. Edit: I tried starting the sssd service, but I'm getting an error. "<group/member="root"> ldap_results() failed: Operations error: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vldb1