# How to authenticate AD users without joining AD domain

On integrating an external LDAP server: after testing in my lab, the notes are as follows.

1. My lab environment:

- Windows Server 2016
- Red Hat Enterprise Linux 8.7, kernel 4.18.0-425.19.2.el8_7.x86_6
- sssd-2.8.2-3.el8_8.x86_64
- sssd-client-2.8.2-3.el8_8.x86_64
- sssd-tools-2.8.2-3.el8_8.x86_64

2. Following KB https://access.redhat.com/solutions/4683981, I implemented it with StartTLS. My sssd.conf is as follows:

~~~
[sssd]
config_file_version = 2
services = nss,pam
domains = hunter.lab

[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash

[pam]

[domain/hunter.lab]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc01.hunter.lab
ldap_search_base = dc=hunter,dc=lab
ldap_default_bind_dn = administrator@hunter.lab
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQANqpb9eh1Tp8eiZBnL79sbjqcGYbxDfbimBS6XhcCSszgPooFVi5pvtuABAk8iVI/l27z/+8YYlOik1fNHPV7T8AAQID
ldap_user_object_class = user
ldap_group_object_class = group
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
enumerate = False
cache_credentials = True
ldap_id_use_start_tls = True
#ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
#ldap_tls_reqcert = demand
# SSL certificate verification: I changed this to never, because a self-signed certificate raises an error
ldap_tls_reqcert = never
#ldap_tls_cacert specifies the file containing the certificate
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
#ldap_tls_cacertdir = /etc/pki/tls/certs/
access_provider = permit
sudo_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
resolver_provider = ldap
~~~

Change the parts shown in blue to your own settings. For the part in red: because the self-signed SSL certificate raised an error, I changed it so that the SSL certificate is not checked.
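The settings that matter most for security in the configuration above are `ldap_tls_reqcert`, the bind account and `access_provider`: with `ldap_tls_reqcert = never`, StartTLS still encrypts the session but SSSD no longer checks who it is talking to, so any host that answers as the DC can receive the bind password and every user password. The following audit script is an added example and not part of the original post or of SSSD; it parses an sssd.conf with Python's `configparser`, reports weak settings in each `[domain/...]` section, and writes a copy with certificate verification enforced. The embedded configuration is a constructed copy of the post's domain section with the obfuscated token replaced by a placeholder; the severity labels and wording are my own.

```python
"""Audit an sssd.conf LDAP domain section for weak TLS, bind and access settings."""
import configparser
import io
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the post's sssd.conf (the authtok is a placeholder).
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = hunter.lab

[domain/hunter.lab]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc01.hunter.lab
ldap_search_base = dc=hunter,dc=lab
ldap_default_bind_dn = administrator@hunter.lab
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER_OBFUSCATED_TOKEN
ldap_schema = ad
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
access_provider = permit
"""

Finding = Tuple[str, str, str]  # (severity, option, explanation)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: [sections], 'key = value', '#' comment lines."""
    cp = configparser.ConfigParser(interpolation=None)  # '%u' in fallback_homedir is literal
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit_domain(cp: configparser.ConfigParser, section: str) -> List[Finding]:
    """Return findings for one [domain/...] section that uses the ldap providers."""
    opts = cp[section]
    findings: List[Finding] = []

    def get(key: str, default: str = "") -> str:
        return opts.get(key, default).strip()

    if get("id_provider") != "ldap" and get("auth_provider") != "ldap":
        return findings  # these checks only apply to the plain ldap providers

    uri = get("ldap_uri").lower()
    start_tls = get("ldap_id_use_start_tls", "false").lower() == "true"
    if "ldap://" in uri and not start_tls:
        findings.append(("HIGH", "ldap_uri",
                         "plain ldap:// without ldap_id_use_start_tls = True: "
                         "user passwords reach the DC unencrypted"))

    # sssd-ldap(5) defaults to 'hard'; 'never' and 'allow' accept any certificate.
    reqcert = get("ldap_tls_reqcert", "hard").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(("HIGH", "ldap_tls_reqcert",
                         f"'{reqcert}' skips server certificate verification, so a host "
                         "spoofing the DC can collect the bind and user passwords; "
                         "add the AD CA certificate to ldap_tls_cacert and use 'demand'"))

    if re.search(r"\badministrator\b", get("ldap_default_bind_dn"), re.IGNORECASE):
        findings.append(("MEDIUM", "ldap_default_bind_dn",
                         "SSSD binds as the domain Administrator; a dedicated read-only "
                         "lookup account limits what a leaked sssd.conf can do"))

    if get("ldap_default_authtok") and get("ldap_default_authtok_type", "password") != "obfuscated_password":
        findings.append(("MEDIUM", "ldap_default_authtok_type",
                         "bind password stored in clear text; run sss_obfuscate"))

    # sssd.conf(5) defaults access_provider to 'permit'.
    if get("access_provider", "permit") == "permit":
        findings.append(("MEDIUM", "access_provider",
                         "'permit' lets every resolvable AD user log in; restrict with "
                         "access_provider = simple plus simple_allow_groups, or ldap_access_filter"))
    return findings


def audit(text: str) -> Dict[str, List[Finding]]:
    """Findings per domain section of a whole sssd.conf."""
    cp = parse_sssd_conf(text)
    return {s: audit_domain(cp, s) for s in cp.sections() if s.startswith("domain/")}


def harden(text: str) -> str:
    """Return the config with certificate verification enforced in every ldap domain.
    The CA bundle path is left unchanged: the AD CA certificate must really be in it."""
    cp = parse_sssd_conf(text)
    for s in cp.sections():
        if s.startswith("domain/") and cp[s].get("ldap_uri"):
            cp[s]["ldap_tls_reqcert"] = "demand"
            if "ldap://" in cp[s]["ldap_uri"].lower():
                cp[s]["ldap_id_use_start_tls"] = "True"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, found in audit(SAMPLE_SSSD_CONF).items():
        print(section)
        for severity, option, why in found:
            print(f"  [{severity}] {option}: {why}")
```

Run it against the real file with `audit(open("/etc/sssd/sssd.conf").read())` as root; the obfuscated token is reversible, so the file must stay root-owned with mode 0600 (SSSD refuses to start otherwise), which is why the bind account should have no more than read access to the directory.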
3. Logging in with an AD account succeeds:

~~~
ssh aduser1@rhel8ga.hunter.lab
aduser1@rhel8ga.hunter.lab's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard

Last login: Thu Jul 4 13:58:16 2024 from 192.168.1.18
[aduser1@rhel8ga ~]$ id
uid=1343001103(aduser1) gid=1343000513(Domain Users) groups=1343000513(Domain Users),1343001108(sales) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
~~~

4. Reminders:

- Users cannot change their own password; my test of this part did not succeed, so take note.
- The AD administrator password can be encrypted (obfuscated) by following this KB: https://access.redhat.com/solutions/76813
- If you do not use the AD Administrator account, you need to create an account in AD that has permission to query Windows AD and give it to SSSD.
- The client's DNS must point to the AD server so that the AD domain can be found; you can test this with dig (KB: https://access.redhat.com/solutions/5444941). Example:

~~~
[root@rhel8ga ~]# dig +short SRV _ldap._tcp.hunter.lab
0 100 389 DC01.hunter.lab.
~~~

Reference KBs:

- https://access.redhat.com/solutions/4683981
- https://access.redhat.com/solutions/76813
- https://access.redhat.com/solutions/5444941
- https://access.redhat.com/articles/704743#sssd18lo
- https://access.redhat.com/articles/3023861
- https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5
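The dig check in reminder 4 answers two questions at once: whether the client's resolver can see the AD SRV records at all, and which hostnames the domain actually advertises for LDAP. The script below is an added example, not part of the original post; it parses `dig +short SRV` output, orders the records by SRV priority and weight, builds the comma-separated failover list that sssd-ldap(5) accepts for `ldap_uri`, and checks that the host already configured in `ldap_uri` is one of the advertised DCs, which matters once `ldap_tls_reqcert = demand` is used, because the DC certificate's name must match the host SSSD connects to. The first sample line is the post's own output; the second DC line is constructed to show the ordering.

```python
"""Turn 'dig +short SRV _ldap._tcp.<domain>' output into an ordered SSSD ldap_uri list."""
from typing import List, Tuple

SRVRecord = Tuple[int, int, int, str]  # priority, weight, port, target host

# Constructed sample: line 1 is from the post, line 2 is an added second DC.
SAMPLE_DIG_OUTPUT = """\
0 100 389 DC01.hunter.lab.
10 100 389 dc02.hunter.lab.
"""


def parse_srv(short_output: str) -> List[SRVRecord]:
    """Parse the 4-field lines of 'dig +short SRV'; anything else is skipped."""
    records: List[SRVRecord] = []
    for line in short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line, or not an SRV answer
        prio, weight, port, target = parts
        # DNS names are case-insensitive and dig prints them with a trailing dot.
        records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def order_for_failover(records: List[SRVRecord]) -> List[SRVRecord]:
    """Lowest priority first; within a priority, highest weight first.
    This is a deterministic stand-in for RFC 2782's weighted random choice."""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def ldap_uri_line(records: List[SRVRecord]) -> str:
    """Build 'ldap_uri = ...' with one URI per DC in failover order."""
    if not records:
        # An empty answer is the symptom the post warns about: the client's DNS
        # is not pointing at the AD DNS server, so SSSD would never find a DC.
        raise ValueError("no SRV records: point the client's resolver at the AD DNS server")
    uris = []
    for _prio, _weight, port, target in order_for_failover(records):
        uris.append(f"ldap://{target}" if port == 389 else f"ldap://{target}:{port}")
    return "ldap_uri = " + ",".join(uris)


def configured_host_is_advertised(ldap_uri_value: str, records: List[SRVRecord]) -> bool:
    """True when the host in an existing ldap_uri value is one of the SRV targets."""
    host = ldap_uri_value.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    return host in {r[3] for r in records}


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    print(ldap_uri_line(recs))
    print("dc01 advertised:", configured_host_is_advertised("ldap://dc01.hunter.lab", recs))
```

In practice you would pipe the real dig output in (`parse_srv(subprocess.run([...], capture_output=True, text=True).stdout)`); SSSD can also perform this lookup itself when `ldap_uri = _srv_` is set, in which case the same DNS requirement applies.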