I've managed Linux user accounts more ways than I can remember, and the best technique I've found is to use a little Windows. Active Directory manages a handful of computers, users and groups just as easily as it manages thousands, and it's easy to set up:
You'll need to have already set up an Active Directory service <<Link to whitepaper>>, as well as launched the Oracle Linux instance you'd like to join to the domain.
On the instance you want to join to Active Directory, collect the following information. I'll refer to each value by its placeholder name later; the example values are the ones used throughout this post.
ip-address: 10.0.0.14 (the instance's private IP address)
hostname: unicorn-painter-998
domain: lilwoods.us (the DNS domain, which is also the Active Directory realm)
fqdn: unicorn-painter-998.lilwoods.us
dns-ip-address: 10.0.0.13 (the Active Directory domain controller, which also serves DNS for the domain)
join-user: mia427 (an AD account that is allowed to join computers to the domain)
AD-Group-Name: Unicorn-Admins (the AD group whose members should get sudo)
All the following commands require superuser privileges, so escalate to root first:
sudo -i
Edit /etc/resolv.conf to use the Active Directory domain controller as its only nameserver, removing any other nameserver records: realm discovery and Kerberos both locate the domain controller through DNS SRV records served by the AD DNS. Change the line from its default:
nameserver 169.254.169.254
to:
nameserver {dns-ip-address}
Example:
nameserver 10.0.0.13
If the line reverts to 169.254.169.254 after a reboot or a DHCP lease renewal, the DHCP client is rewriting the file; set PEERDNS=no in the interface's ifcfg file (or add a supersede domain-name-servers rule to dhclient.conf) so your change sticks.
Ensure the /etc/hosts file has a record with the instance's ip-address, fqdn and hostname by making the top line of the file:
{ip-address} {fqdn} {hostname}
Note: OCI instances default to an FQDN and hostname generated from the instance name provided when launching the instance. Make sure that there are no other records for the instance's ip-address in the file, since the first match wins and the join uses the resulting name for the computer account.
Example:
10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998
Check it with hostname -f, which should now print the fqdn.
Install the following packages (realmd for the join, sssd for identity lookups, the Kerberos client, and the Samba tools realmd uses to create the computer account):
yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools
Discover the Active Directory realm (which is also our DNS domain):
realm discover ${DOMAIN}
Example:
realm discover lilwoods.us
The output should describe the domain as type kerberos, with realm-name in upper case (LILWOODS.US) and server-software active-directory, and list any packages still required. If it prints nothing, DNS is not pointing at the domain controller; go back to the resolv.conf step.
Join the Active Directory realm, using the domain name and the join user:
realm join --verbose ${DOMAIN} -U ${JOIN_USER}
Enter the join user's AD password when prompted. When the Linux server has been successfully joined to the managed domain, the output ends with:
Successfully enrolled machine in realm
Example:
realm join --verbose lilwoods.us -U mia427@lilwoods.us
Confirm the join with realm list, and check that identity lookups work with id ${JOIN_USER}@${DOMAIN}, which should print the user's UID and AD group memberships.
Allow members of the admins group to use sudo by editing the sudoers file:
visudo
Find the wheel group entry about half way down the file and add the AD group below it, with a comment for future reference, so that everyone in the group gets sudo:
# Allow users in the admin group to run all commands
%{REALM}\\{AD-Group-Name} ALL=(ALL) ALL
Example:
# Allow users in the Unicorn-Admins group to run all commands
%LILWOODS.US\\Unicorn-Admins ALL=(ALL) ALL
The leading % marks a group rather than a user, the realm is the domain in upper case, and the backslash has to be doubled because sudoers treats a single backslash as an escape. sudo can only honour the entry if the system resolves that group name, so verify it before logging out: getent group 'LILWOODS.US\Unicorn-Admins' should print the group and its GID. If it prints nothing, use the group name exactly as id ${JOIN_USER}@${DOMAIN} shows it (typically the group@domain form) in the sudoers entry instead.
Allow password authentication in the SSH service so it accepts Active Directory credentials, by editing /etc/ssh/sshd_config and changing:
PasswordAuthentication no
to:
PasswordAuthentication yes
Then check the file and restart sshd to apply the change:
sshd -t
systemctl restart sshd
Be aware that this opens the host to password guessing against every AD account it can see. If the instance is reachable from outside your network, limit who may log in (realm permit -g '{AD-Group-Name}@{domain}' restricts logins to one group) and keep key-based access for everyone else.
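The whole procedure above as one script, added here as my own example rather than code from the original post. It defaults to the post's example values, so you can read off exactly what each step writes. The ROOT prefix (rehearse against a scratch directory before touching a live host), the APPLY_JOIN switch, the sudoers.d drop-in named ad-admins, the oddjob packages and the realm permit call are my additions and are marked as such in the comments; everything else is the post's commands and config lines.

```bash
#!/bin/bash
# Added example (my script, not code from the original post): the procedure
# above as one run. Values default to the post's example values. ROOT,
# APPLY_JOIN, the sudoers.d drop-in, the oddjob packages and realm permit
# are my additions and are marked where they appear.
set -eu

IP_ADDRESS="${IP_ADDRESS:-10.0.0.14}"                   # ip-address
HOSTNAME_SHORT="${HOSTNAME_SHORT:-unicorn-painter-998}" # hostname
DOMAIN="${DOMAIN:-lilwoods.us}"                         # domain (= realm)
FQDN="${FQDN:-$HOSTNAME_SHORT.$DOMAIN}"                 # fqdn
DNS_IP_ADDRESS="${DNS_IP_ADDRESS:-10.0.0.13}"           # dns-ip-address
JOIN_USER="${JOIN_USER:-mia427}"                        # join user
AD_GROUP="${AD_GROUP:-Unicorn-Admins}"                  # AD-Group-Name

ROOT="${ROOT:-}"              # "" = live filesystem; scratch dir = rehearsal
APPLY_JOIN="${APPLY_JOIN:-0}" # 1 = really run yum, realm and systemctl

# Refuse to touch anything if the collected values contradict each other.
check_values() {
  case "$IP_ADDRESS" in *[!0-9.]*|"") return 1 ;; esac
  [ "$FQDN" = "$HOSTNAME_SHORT.$DOMAIN" ] || return 1
  [ "$DNS_IP_ADDRESS" != "$IP_ADDRESS" ] || return 1     # DNS is the DC, not us
  [ "$DNS_IP_ADDRESS" != "169.254.169.254" ] || return 1 # not the OCI resolver
}

# /etc/resolv.conf: the domain controller as the only nameserver.
write_resolv_conf() {
  mkdir -p "$ROOT/etc"
  printf 'nameserver %s\n' "$DNS_IP_ADDRESS" > "$ROOT/etc/resolv.conf"
}

# /etc/hosts: our record on the top line, any other record for our IP dropped.
write_hosts() {
  local f="$ROOT/etc/hosts"
  mkdir -p "$ROOT/etc" && touch "$f"
  { printf '%s %s %s\n' "$IP_ADDRESS" "$FQDN" "$HOSTNAME_SHORT"
    awk -v ip="$IP_ADDRESS" '$1 != ip' "$f"; } > "$f.new"
  mv "$f.new" "$f"
}

# The sudoers entry from the post: %group, realm upper-cased, backslash doubled.
render_sudoers_line() {
  local realm
  realm=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')
  printf '# Allow users in the %s group to run all commands\n' "$AD_GROUP"
  printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$realm" "$AD_GROUP"
}

# Drop-in under sudoers.d (my choice) instead of editing /etc/sudoers by hand.
write_sudoers() {
  local f="$ROOT/etc/sudoers.d/ad-admins"
  mkdir -p "$ROOT/etc/sudoers.d"
  render_sudoers_line > "$f"
  chmod 0440 "$f"
  # Syntax-check the live file; a broken drop-in breaks sudo for everyone.
  if [ -z "$ROOT" ] && command -v visudo >/dev/null; then visudo -cf "$f"; fi
}

# sshd_config: turn PasswordAuthentication on, appending it if it is absent.
enable_ssh_password_auth() {
  local f="$ROOT/etc/ssh/sshd_config"
  mkdir -p "$ROOT/etc/ssh" && touch "$f"
  if grep -qE '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$f"; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$f"
  else
    printf 'PasswordAuthentication yes\n' >> "$f"
  fi
}

# The live steps from the post (packages, discover, join) plus two additions.
install_and_join() {
  # oddjob/oddjob-mkhomedir (addition) create home directories at first login.
  yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools \
    oddjob oddjob-mkhomedir
  realm discover "$DOMAIN"
  realm join --verbose "$DOMAIN" -U "$JOIN_USER@$DOMAIN"
  # Addition: with password logins on, only let the admin group in over SSH.
  realm permit -g "$AD_GROUP@$DOMAIN"
  # Show the group as the system names it; the sudoers entry must resolve to it.
  getent group "$AD_GROUP@$DOMAIN" || echo "warning: $AD_GROUP not resolvable yet" >&2
}

main() {
  check_values || { echo "collected values are inconsistent" >&2; return 1; }
  write_resolv_conf
  write_hosts
  if [ "$APPLY_JOIN" = 1 ]; then install_and_join; fi
  write_sudoers
  enable_ssh_password_auth
  if [ "$APPLY_JOIN" = 1 ]; then sshd -t && systemctl restart sshd; fi
}

case "${1:-}" in
  rehearse) ROOT="${ROOT:-$(mktemp -d)}"; main && echo "rendered under $ROOT" ;;
  apply)    APPLY_JOIN=1; main ;;
esac
```

Run it as root with the rehearse argument first: it writes the four config files under a temporary directory and prints the path, so you can inspect the exact hosts, resolv.conf, sudoers and sshd_config lines before anything changes. The apply argument performs the package install, discovery, join, realm permit and sshd restart on the live system; the visudo syntax check only runs against the live sudoers.d path, because check mode also verifies file ownership, which a scratch copy cannot satisfy.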
And you're done! Your instance has now: