Securing an AD Domain-joined CentOS7 server

  • Server
    • FOG Version: n/a
    • OS: CentOS 7.3.1611

    Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.

    I want to restrict the wide-open access AD accounts have to it so only the AD group “ABC” can SSH, telnet and RDP to it.

  • @sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.

  • That did the trick!

    # Join to an AD Domain
    # --------------------------
    # Elevate Access Level
    	sudo su
    # Install Pre-requisites for joining to an AD Domain
    	yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
    # Join to domain
    # ( )
    	realm join --user=DomainJoinCapableADAccount
    # Restrict access from domain
    	realm deny --all
    # Permit access by Domain User Group "ADGroupName" (A-z only)
    	realm permit -R -g ADGroupName
    # Do not require FQDN for username
    	sed -i "s|use_fully_qualified_names = True|use_fully_qualified_names = False|g" /etc/sssd/sssd.conf
    	systemctl restart sssd
    # Permit Access to SUDO
    	echo "%ADGroupName    ALL=(ALL)       ALL" >> /etc/sudoers.d/sudoers
    # Reboot to Commit

    Now for the next hurdle.

  • Moderator

    @Wayne-Workman said in Securing an AD Domain-joined CentOS7 server:

    What you are trying to do is not only possible, but a typical industry practice.

    Well said.

  • @sudburr It’s just a simple realm command to deny all, then another realm command to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
    Here’s a snippet:

    # Locking down who can log in from the domain.
    # Block everyone:
    realm deny -R -a
    # Permit a specific group
    # Security group needs made in Active Directory first.
    # MUST BE domain local type group.
    # realm permit -R -g group_name_here\group_name_here
    # To add group securitygroupname as able to log in:
    realm permit -R -g securitygroupname
    # To remove if necessary:
    realm permit --withdraw -g securitygroupname
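    The two posts above (sudburr’s join-and-restrict script and Wayne’s deny/permit snippet) both end at “run the realm commands and trust it”. Here is an added example, not code from either poster, that wraps the same deny-all / permit-one-group steps in a script and adds the check a practitioner wants afterwards: it reads the resulting sssd.conf and confirms the domain section really is on the `simple` access provider with the group in `simple_allow_groups`, rather than still on `access_provider = ad` (the post-join default, which lets every enabled AD account log in). It also builds the sudoers line with spaces escaped, which is why the original needed the “(A-z only)” caveat. Assumptions: the group is called `linuxadmins`, the domain is `example.com`, the sudoers drop-in is named `ad-linuxadmins`, and the two sssd.conf samples are constructed here to stand in for the real file; `realm permit -g` is the form from realm(8). `apply_restriction` holds the real root-only commands and is defined but not run by the script.

```shell
#!/bin/sh
# Added example (not from the thread): deny-all / permit-one-group as a script,
# plus an audit of the sssd.conf it leaves behind. Names below are assumptions.
set -u

# Print KEY's value from the [domain/...] section of an sssd.conf file.
sssd_domain_value() {   # sssd_domain_value FILE KEY
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# 0 if FILE limits domain logins to GROUP via the "simple" access provider
# (what realm deny --all + realm permit -g produce), else 1. Group names are
# compared case-insensitively because realmd writes them lower-cased.
sssd_restricts_to_group() {   # sssd_restricts_to_group FILE GROUP
    provider=$(sssd_domain_value "$1" access_provider)
    [ "$provider" = simple ] || return 1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sssd_domain_value "$1" simple_allow_groups | tr ',' '\n' |
        sed 's/^[ \t]*//;s/[ \t]*$//' | tr 'A-Z' 'a-z' | grep -qxF "$want"
}

# sudoers group rule; a space in an AD group name must be written as "\ ".
sudoers_group_line() {   # sudoers_group_line GROUP
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# The real procedure, to be run as root on the joined host (not run here).
apply_restriction() {   # apply_restriction GROUP
    realm deny --all                 # nobody from the domain ...
    realm permit -g "$1"             # ... except members of GROUP
    sed -i 's/^use_fully_qualified_names = True/use_fully_qualified_names = False/' \
        /etc/sssd/sssd.conf
    systemctl restart sssd
    sssd_restricts_to_group /etc/sssd/sssd.conf "$1" ||
        { echo "sssd.conf still permits all domain logins" >&2; return 1; }
    tmp=$(mktemp) && sudoers_group_line "$1" >"$tmp"
    # Validate before installing: a bad sudoers.d file locks everyone out of sudo.
    visudo -cf "$tmp" && install -m 0440 "$tmp" /etc/sudoers.d/ad-linuxadmins
    rm -f "$tmp"
}

# Constructed sample files (assumed shape of realmd's output on CentOS 7):
# before the change and after it.
SSSD_OPEN=$(mktemp); SSSD_CLOSED=$(mktemp)
trap 'rm -f "$SSSD_OPEN" "$SSSD_CLOSED"' EXIT
cat >"$SSSD_OPEN" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = ad
use_fully_qualified_names = False
EOF
cat >"$SSSD_CLOSED" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linuxadmins
use_fully_qualified_names = False
EOF

# Self-check: the post-join default fails the audit, the restricted file passes.
check_samples() {
    ! sssd_restricts_to_group "$SSSD_OPEN" linuxadmins &&
      sssd_restricts_to_group "$SSSD_CLOSED" LinuxAdmins
}
check_samples && echo "audit logic OK: open config rejected, restricted config accepted"
```

    sssd enforces this list in the PAM account phase, so it gates every service that authorises through PAM on the box: sshd, xrdp’s sesman and the console alike, which is why one `realm permit` covers both the SSH and RDP halves of the question. An `AllowGroups linuxadmins` line in sshd_config is a worthwhile second layer for SSH specifically. After applying, `id someuser` for a member and a non-member of the group, or `sssctl user-checks -s sshd someuser` where sssd-tools is installed, shows the decision sssd will actually make.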

  • Moderator

    I can’t access our DMS system at the office right now, where I have the complete instructions on doing this (not with xRDP, but on restricting SSH access to specific AD groups).

    This one should get you started with AD logging in:

    And this one shows you how to limit access based on an AD group:

    We have ours set up so that only the Linux admin group has access to our Linux server and the rest of the admins (not in the group) cannot.