I am currently in the middle of a project in which we are migrating to AD. We have been using OpenLDAP for auth for a few years and it's been fine. My favorite part is having sudoers in LDAP. But for this project we are just joining hosts to AD using realmd. It's really simple and works well. I created an Ansible role for adding machines to the domain. Part of the role is creating a group for each server. Then when users want access to a host they request that they be added to that group. Realmd has a simple_allow_group directive that is in sssd. The process added the group.
My only gripe is that now we are moving back to handling sudo locally per machine. It's not horrible; we actually manage it via Ansible as well. I have been using this role to manage sudo on hosts.
Since the functionality is there, I did not opt for having a separate IDM that syncs with AD.
Nice! That is what I am thinking as well, but I still need to gain more knowledge of Ansible. I like the way you are doing it as that is what I am envisioning as well. I don't want to overcomplicate this, and in a dominant Windows environment I am dealing with less than 150 Oracle Linux servers. Several are web servers where users just access the web dirs with Samba, so they don't SSH into them at all.
I'll check out your Ansible stuff, thanks for the share!
From what I understand, Centrify Authentication Service allows joining Linux and UNIX to Active Directory, whereas Linux IdM is AD for Linux, designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and Windows.
What is the reason to replace Centrify?
What about Red Hat SSSD?
For our use case, and in my opinion, we are paying way too much money for a product that we use 1/3 of the capability of. I am looking at SSSD and have a few test systems running with just that and it appears to be fine. My issue is the administration of the sudo files, which I am going to look more into, along with the suggestion the feeble provided. Just needing a way to allow only AD users to access a Linux server, I believe SSSD will fit the bill. One major issue when I migrate those Centrify machines over will be maintaining the UIDs and GIDs that are currently in place. I also didn't know about maintaining sudo within AD, so I am going to research that as an option as well.
Again, we disable authenticated users and have AD groups assigned to each server. When users get placed into these AD groups they get access to the OL Linux server. I don't think paying what we do for that is necessary. Would be nice to take those funds and put it towards something more useful. If that makes sense.
Thanks for the links!
One issue I am experiencing is how to prevent all authenticated users from gaining access. I thought 'realm permit -g activedirectorydomaingroup@domain' would deny everyone and only allow users in this group, but on my test server this doesn't appear to be the case. I have a user who tried to SSH into the server and was able to do so even though they weren't part of the AD group I permitted to have access.
Is there something else I need to do?
I'm no expert at configuring AD access under Linux, but the following URL seems to address your problem.
You can create a developer ID without paying for a subscription to browse the knowledge-base.
From what I understand, realm -g restricts AD access to a specific group, but you need to configure /etc/security/access.conf or /etc/sssd/sssd.conf to restrict local access. Apparently PAM offers more security options if you require more complexity.
Btw, I suggest creating a new thread for better topic alignment and avoiding single threads that address multiple topics.
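As an added example (not code from anyone in this thread, nor from the realmd or SSSD projects), the following script audits the `[domain/...]` section of an sssd.conf for the settings that decide whether the `realm permit -g` allow-list is actually in force: SSSD only honours `simple_allow_groups` when `access_provider = simple`, and the simple provider grants access to everyone when no allow-list is set. Both sample configs are constructed; the domain `example.com` and the group `linux-admins` are placeholders.

```python
"""Audit an sssd.conf for whether AD logins are restricted to an allow-list.

Added example for this thread, not code from any poster or from SSSD/realmd.
The sample configs are constructed; example.com / linux-admins are placeholders.
"""
import configparser

# Constructed sample: roughly what a plain `realm join` leaves behind
# (assumption: access_provider = ad, no group restriction in sssd.conf).
SSSD_CONF_PERMISSIVE = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = ad
use_fully_qualified_names = True
"""

# Constructed sample: what `realm permit -g linux-admins@example.com` is
# expected to write: access_provider switched to simple plus an allow-list.
SSSD_CONF_RESTRICTED = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins@example.com
use_fully_qualified_names = True
"""


def audit_sssd_access(conf_text):
    """Return {domain_section: [findings]}.

    An empty findings list means the domain carries an explicit allow-list
    (simple provider with simple_allow_groups and/or simple_allow_users).
    Findings are plain strings an operator can act on.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        findings = []
        # SSSD's default when access_provider is unset is "permit".
        provider = cp.get(section, "access_provider", fallback="permit").strip()
        groups = cp.get(section, "simple_allow_groups", fallback="").strip()
        users = cp.get(section, "simple_allow_users", fallback="").strip()
        if provider == "permit":
            findings.append(
                "access_provider is 'permit' (or unset): every AD user may log in")
        elif provider == "simple" and not (groups or users):
            findings.append(
                "access_provider is 'simple' but no simple_allow_groups/"
                "simple_allow_users set: the simple provider then allows everyone")
        elif provider != "simple":
            findings.append(
                f"access_provider is '{provider}': simple_allow_groups is not "
                "consulted; `realm permit -g <group>` switches this to 'simple'")
        report[section] = findings
    return report


def main():
    for label, text in (("permissive", SSSD_CONF_PERMISSIVE),
                        ("restricted", SSSD_CONF_RESTRICTED)):
        for domain, findings in audit_sssd_access(text).items():
            status = "OK" if not findings else "CHECK"
            print(f"[{label}] {domain}: {status}")
            for f in findings:
                print(f"    - {f}")


if __name__ == "__main__":
    main()
```

To audit a real host, read `/etc/sssd/sssd.conf` (root-only, mode 0600) into `audit_sssd_access`. A clean report only shows that SSSD's access check is configured; it does not verify that the PAM `account` stack actually calls `pam_sss`, nor does it cover `/etc/security/access.conf`, which is a separate, PAM-level restriction as the previous post notes.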