
I've configured our RHEL7 instance to support Active Directory login integration by using the documentation HERE. This describes using the "realm" command to configure the "sssd" service allowing for AD Integration.

I've used the following commands to configure sssd via realmd:

realm join usw.example.com -U myusername
realm deny --all
realm permit --groups "usw.example.com\\Linux Admins"

I can then login to the box with "uswuser@usw.example.com" assuming "uswuser" is in the "USW\Linux Admins" AD group. The RHEL7 box also (of course) shows up as a computer account in AD.

I would also like to grant users in our "use.example.com" (note USE instead of USW) domain access to this box:

[root@oel7template ~]# realm permit "useuser@use.example.com" --verbose
 ! Invalid login argument 'useuser@use.example.com' does not match the login format.
realm: Couldn't change permitted logins: Invalid login argument 'useuser@use.example.com' does not match the login format.

I've also tried other variations such as "use.example.com\\useuser". I assume this command fails because the RHEL7 server is not joined to the USE.EXAMPLE.COM domain in addition to the USW.EXAMPLE.COM domain. I can do a "realm join" for use.wlgore.com but that creates two different computer accounts, which is undesirable.

Is it possible to configure Linux authentication to work in a similar way that a traditional Windows server does? That is, the server has a single computer account in one sub-domain, but can authenticate against any of the other domains. For example, join this RHEL7 server to "usw.example.com" but also grant access to "use.example.com\useuser"?

Please let me know if you see any other issues with this architecture. There may be something fundamental that I've missed.

Caesar Kabalan
  • Possible cross-dupe: [Multiple domains/one Forest RHEL7 with SSSD and REALMD - cannot login to another domain](https://stackoverflow.com/q/56440559/11942268) – stackprotector Apr 13 '22 at 07:42

3 Answers


This was resolved by adding the following line to /etc/sssd/sssd.conf:

subdomain_enumerate = all

I suppose I should have fully read the man page (man sssd.conf).

Caesar Kabalan

I would be quite surprised if subdomain_enumerate did the trick. That option should only have an effect on "getent passwd" displaying the subdomain users.

What you can do is open the sssd.conf file and manually add the users to the simple_allow_users or simple_allow_groups lists. AFAIK the issue is just that realmd doesn't support the FQDN notation for allowing subdomain users.

jhrozek
  • You may be correct here. I removed the `subdomain_enumerate` option from the config file and restarted the sssd service, the login still works. I will do more experimentation and report back. – Caesar Kabalan Mar 24 '15 at 16:47
  • It appears that if a user from a different domain (in this case USE) is a member of a group in the `simple_allow_groups` list authentication works. There doesn't seem to be a valid combination of domain and username for `simple_allow_users` to work correctly cross domain. Is it possible `subdomain_enumerate` assists in `sssd` resolving the domain correctly even if it's not necessary for actual authentication? If I add "`use.example.com\useuser`" to `simple_allow_users` and do a realm-list I get `permitted-logins: use.example.com\useuser@usw.example.com`. SSH logins also fail. – Caesar Kabalan Mar 24 '15 at 17:00
  • realm is a bit limited in this regard and always appends the primary domain name to the username. Can you try the long FQDN format instead of the NetBIOS format? i.e. useuser@use.example.com. If that doesn't help, I'd suggest gathering the log files as per https://fedorahosted.org/sssd/wiki/Troubleshooting and continuing the conversation on sssd-users. This /is/ something that should work. – jhrozek Mar 25 '15 at 07:55
  • @CaesarKabalan did you ever end up figuring out how to SSH login in this scenario? I'm trying something similar to login to a user on a parent domain when the machine is on a child domain and I can't log on – projectdelphai Jul 21 '16 at 21:08
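As an added illustration (not a file from the question or either answer), this is the shape of an /etc/sssd/sssd.conf that does by hand what `realm permit` cannot express: keep the `simple` access provider realmd configured, and qualify the allowed groups with their own domain so a group from the trusted use.example.com domain is resolved correctly. The group name "Linux Admins@use.example.com" and the exact provider lines are assumptions; a real file written by `realm join` will carry more keys.

```ini
# /etc/sssd/sssd.conf (added example, not the thread's own file)
# The [domain/...] section is the one realmd creates for the joined domain;
# only simple_allow_groups is hand-edited.
[sssd]
config_file_version = 2
services = nss, pam
domains = usw.example.com

[domain/usw.example.com]
id_provider = ad
auth_provider = ad
# "realm permit --groups" switches the domain to the simple access provider
access_provider = simple
# Logins are fully qualified, e.g. uswuser@usw.example.com
use_fully_qualified_names = True
# Each group is qualified with the domain it lives in. The first entry is
# what "realm permit --groups" wrote; the second is the assumed group in the
# trusted use.example.com domain that realm refuses to add.
simple_allow_groups = Linux Admins@usw.example.com, Linux Admins@use.example.com
```

After saving, restart sssd (`systemctl restart sssd`) and check that `realm list` shows both groups under permitted-groups and that `id 'useuser@use.example.com'` lists the trusted-domain group before testing an SSH login.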

Instead of using realm permit to control logins on your domain-joined RHEL, I recommend using GPOs. There are very few GPOs that work on Linux, and they control the logins. Path to the GPs: Computer Configuration/Policies/Windows Settings/Security Settings/Local Settings/Security Options. There you have the settings:

  • Allow log on locally to control local logins
  • Allow log on through Remote Desktop Services to control remote logins (e.g. SSH)

Add domain-local groups to your default domain, e.g. rhel-login-local and rhel-login-ssh. Then add the users you want to authorize (you can also add users of the other domain) and everything can be centrally managed from AD.

stackprotector