Red Hat Enterprise Linux 7 Windows Integration Guide

Integrating Linux Systems with Active Directory Environments

Ella Deon Ballard

Legal Notice

Copyright © 2014 Red Hat.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. Identity Management provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing Identity Management domains, including both servers and clients. This guide is intended for IT and systems administrators.

Table of Contents

Preface
    1. Information for Managing Identity and Authentication Policies in Linux
    2. Audience and Purpose
    3. Giving Feedback
    4. Document Change History

Chapter 1. Ways to Integrate Active Directory and Linux Environments
    1.1. Defining Windows Integration
    1.2. Small Environments: Using Windows as an Identity Source
    1.3. Small Environments: Enrolling Individual Clients
    1.4. Big Environments: Synchronizing Users
    1.5. Big Environments: Trusted Realms

Part I. Adding a Single Linux System to an Active Directory Domain

Chapter 2. Using Active Directory as an Identity Provider for SSSD
    2.1. About SSSD
    2.2. Environments for SSSD
    2.3. How SSSD Integrates with an Active Directory Environment
    2.4. Configuring an Active Directory Domain with ID Mapping
    2.5. Configuring an Active Directory Domain with POSIX Attributes
    2.6. Configuring Active Directory as an LDAP Domain
    2.7. Additional Configuration Examples

Chapter 3. Using realmd to Connect to an Active Directory Domain
    3.1. About realmd
    3.2. realmd Commands
    3.3. Discovering and Joining Active Directory Domains
    3.4. Managing User Logins from Active Directory
    3.5. Adding Default User Configuration
    3.6. Additional Configuration for the Active Directory Domain Entry

Chapter 4. Using Samba, Kerberos, and Winbind
    4.1. About Samba and Active Directory Authentication
    4.2. Summary of Configuration Files, Options, and Packages
    4.3. Configuring a Domain Member Using authconfig

Part II. Integrating a Linux Domain with an Active Directory Domain

Chapter 5. Creating Cross-Realm Trusts with Active Directory and Identity Management
    5.1. The Meaning of "Trust"
    5.2. Environment and Machine Requirements to Set up Trusts
    5.3. Creating Trusts
    5.4. Creating IdM Groups for Active Directory Users
    5.5. Maintaining Trusts
    5.6. Verifying That IdM Machines Have Resolvable Names
    5.7. Setting PAC Types for Services
    5.8. Using SSH from Active Directory Machines for IdM Resources
    5.9. Using Trust with Kerberized Web Applications

Chapter 6. Setting up Kerberos Cross-Realm Authentication
    6.1. A Trust Relationship
    6.2. Setting up a Realm Trust

Chapter 7. Synchronizing Active Directory and Identity Management Users
    7.1. Supported Windows Platforms
    7.2. About Active Directory and Identity Management
    7.3. About Synchronized Attributes
    7.4. Setting up Active Directory for Synchronization
    7.5. Managing Synchronization Agreements
    7.6. Managing Password Synchronization

Index

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    125 Page
