Securing an AD Domain-joined CentOS7 server

  • Server
    • FOG Version: n/a
    • OS: CentOS 7.3.1611

    Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.

    I want to restrict the wide-open access AD accounts have to it so only the AD group “ABC” can SSH, telnet and RDP to it.

  • @sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.

  • That did the trick!

    # Join to an AD Domain
    # --------------------------
    # Elevate Access Level
    sudo su
    # Install prerequisites for joining to an AD Domain
    yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
    # Join to domain
    # ( )
    realm join --user=DomainJoinCapableADAccount
    # Restrict access from domain
    realm deny --all
    # Permit access by Domain User Group "ADGroupName" (A-z only)
    realm permit -R -g ADGroupName
    # Do not require FQDN for username
    sed -i "s|use_fully_qualified_names = True|use_fully_qualified_names = False|g" /etc/sssd/sssd.conf
    systemctl restart sssd
    # Permit Access to SUDO (drop-in file under /etc/sudoers.d)
    echo "%ADGroupName    ALL=(ALL)       ALL" >> /etc/sudoers.d/sudoers
    # Reboot to Commit

    Now for the next hurdle.

  • Moderator

    @Wayne-Workman said in Securing an AD Domain-joined CentOS7 server:

    What you are trying to do is not only possible, but a typical industry practice.

    Well said.

  • @sudburr It’s just a simple realm command to deny all, then another realm command to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
    Here’s a snippet:

    # Locking down who can log in from the domain.
    # Block everyone:
    realm deny -R -a
    # Permit a specific group.
    # Security group needs to be made in Active Directory first.
    # MUST BE domain local type group.
    # realm permit -R -g group_name_here\group_name_here
    # To add group securitygroupname as able to log in:
    realm permit -R -g securitygroupname
    # To remove if necessary:
    realm permit --withdraw -g securitygroupname
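    Added here as an example, not code from either post above: a small POSIX shell audit that checks whether a machine actually ended up in the state the two posts aim for. It assumes what realmd's sssd backend writes for these commands: `realm deny --all` sets `access_provider = simple` with no allow entries, and `realm permit -g GROUP` adds GROUP to `simple_allow_groups` in the `[domain/...]` section of `/etc/sssd/sssd.conf`; anything else (for example `access_provider = ad`) means every domain account can log in. The function names, the group name `ADGroupName`, and the two sssd.conf files and sudoers drop-in it writes to a temp directory are constructed for the example, so it runs offline; point `check_sssd_lockdown` at the real `/etc/sssd/sssd.conf` to audit a server.

```shell
#!/bin/sh
# Example audit for the realm deny/permit lockdown (added example, hypothetical
# helper names). Sample config files below are constructed, not copied from a host.

# Print the value of key $2 from sssd-style config file $1 (first match only).
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed if group $2 appears in the comma-separated list $1.
# Comparison is case-insensitive and ignores an "@realm" suffix on entries.
group_listed() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/@.*$//' \
        | grep -qixF -- "$2"
}

# Return 0 when sssd.conf $1 restricts logins to group $2:
#   1 = access_provider is not "simple" (realm permit --all / never denied)
#   2 = group is not in simple_allow_groups (deny --all without a permit)
#   3 = simple_allow_users also lists users, which widens the lockdown
check_sssd_lockdown() {
    [ "$(sssd_get "$1" access_provider)" = "simple" ] || return 1
    group_listed "$(sssd_get "$1" simple_allow_groups)" "$2" || return 2
    [ -z "$(sssd_get "$1" simple_allow_users)" ] || return 3
    return 0
}

# Succeed if sudoers file $1 grants full sudo to %group $2 (the thread's rule).
sudoers_rule_ok() {
    grep -Eq "^%$2[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$" "$1"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed: what sssd.conf looks like after deny --all + permit -g ADGroupName
cat > "$TMP/locked.conf" <<'EOF'
[sssd]
domains = example.internal
config_file_version = 2
services = nss, pam

[domain/example.internal]
ad_domain = example.internal
krb5_realm = EXAMPLE.INTERNAL
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = ADGroupName
EOF

# Constructed: a freshly joined host where every domain account may log in
cat > "$TMP/open.conf" <<'EOF'
[domain/example.internal]
ad_domain = example.internal
id_provider = ad
access_provider = ad
EOF

# Constructed: the sudoers drop-in the first post appends
cat > "$TMP/sudoers" <<'EOF'
%ADGroupName    ALL=(ALL)       ALL
EOF

for f in locked open; do
    if check_sssd_lockdown "$TMP/$f.conf" ADGroupName; then
        echo "$f.conf: logins restricted to ADGroupName"
    else
        echo "$f.conf: NOT restricted to ADGroupName"
    fi
done
if sudoers_rule_ok "$TMP/sudoers" ADGroupName; then
    echo "sudoers: %ADGroupName has sudo"
fi
```

    The audit deliberately treats `access_provider = ad` as a failure rather than as "AD handles it": on a host that was joined but never had `realm deny --all` applied, that is exactly the wide-open state the original poster wanted to close. Before trusting the sudoers drop-in, `visudo -cf /etc/sudoers.d/sudoers` is the normal syntax check.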

  • Moderator

    I can’t access our DMS system at the office right now because I have the complete instructions on doing this (not with xRDP), but to restrict ssh access to specific AD groups.

    This one should get you started with AD logging in:

    And this one shows you how to limit access based on an AD group:

    We have ours set up so that only the Linux admin group has access to our Linux server and the rest of the admins (not in the group) cannot.
