I've configured our RHEL7 instance to support Active Directory login integration by using the documentation HERE. This describes using the "realm" command to configure the "sssd" service, allowing for AD integration.
I've used the following commands to configure sssd via realmd:
realm join usw.example.com -U myusername
realm deny --all
realm permit --groups "usw.example.com\\Linux Admins"
I can then log in to the box with "uswuser@usw.example.com", assuming "uswuser" is in the "USW\Linux Admins" AD group. The RHEL7 box also (of course) shows up as a computer account in AD.
I would also like to grant users in our "use.example.com" (note USE instead of USW) domain access to this box:
[root@oel7template ~]# realm permit "useuser@use.example.com" --verbose
! Invalid login argument 'useuser@use.example.com' does not match the login format.
realm: Couldn't change permitted logins: Invalid login argument 'useuser@use.example.com' does not match the login format.
I've also tried other variations such as "use.example.com\\useuser". I assume this command fails because the RHEL7 server is not joined to the USE.EXAMPLE.COM domain in addition to the USW.EXAMPLE.COM domain. I can do a "realm join" for use.wlgore.com, but that creates two different computer accounts, which is undesirable.
Is it possible to configure Linux authentication to work in a similar way to a traditional Windows server? That is, the server has a single computer account in one sub-domain, but can authenticate against any of the other domains. For example, join this RHEL7 server to "usw.example.com" but also grant access to "use.example.com\useuser"?
Please let me know if you see any other issues with this architecture. There may be something fundamental that I've missed.
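As an added example (not part of the original post), the check below reads the access policy that "realm deny" and "realm permit" write into /etc/sssd/sssd.conf and applies a login-format test of the kind that produced the "does not match the login format" error above. The sssd.conf contents are constructed here for an offline run, and the "%U@<domain>" login format is an assumption based on realm's default; check "realm list" on the host for the real value.

```shell
#!/bin/sh
# Added example, not realmd/SSSD code: inspect the access policy realmd writes
# into sssd.conf and test a login against the domains actually configured.
# The config below is constructed for an offline run; set SSSD_CONF to the
# real file on a joined host.
SSSD_CONF="${SSSD_CONF:-$(mktemp)}"
cat > "$SSSD_CONF" <<'EOF'
[sssd]
domains = usw.example.com
services = nss, pam

[domain/usw.example.com]
ad_domain = usw.example.com
id_provider = ad
access_provider = simple
simple_allow_groups = usw.example.com\Linux Admins
EOF

# Print one tab-separated line per [domain/...] section:
# domain, access_provider, simple_allow_users, simple_allow_groups.
sssd_access_report() {
  awk '
    function emit() { if (dom != "") printf "%s\t%s\t%s\t%s\n", dom, prov, users, groups }
    /^\[domain\/.*\]$/ { emit(); dom = substr($0, 9, length($0) - 9)
                         prov = "unset"; users = "-"; groups = "-"; next }
    /^\[/              { emit(); dom = ""; next }
    dom == ""          { next }
    { key = $0; sub(/[ \t]*=.*/, "", key); val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
    key == "access_provider"     { prov = val }
    key == "simple_allow_users"  { users = val }
    key == "simple_allow_groups" { groups = val }
    END { emit() }
  ' "$1"
}

# Return 0 when LOGIN has the assumed %U@domain form and names a domain that
# sssd.conf configures; anything else is what realm refuses to permit.
login_matches_configured_domain() {
  login="$1"; conf="$2"
  user="${login%@*}"; dom="${login#*@}"
  [ -n "$user" ] && [ "$user" != "$login" ] || return 1
  sssd_access_report "$conf" |
    awk -F'\t' -v d="$dom" 'tolower($1) == tolower(d) { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Show which domains (and access lists) the file actually configures.
sssd_access_report "$SSSD_CONF"
```

On the host in the post, the report shows only usw.example.com, so a use.example.com login fails the check for the same reason realm rejects it.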