Securing an AD Domain-joined CentOS7 server
- FOG Version: n/a
- OS: CentOS 7.3.1611
- Service Version:
Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.
I want to restrict the wide-open access AD accounts have to it so only the AD group “ABC” can SSH telnet and RDP to it.
@sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.
That did the trick!
# Join to an AD Domain # -------------------------- # Elevate Access Level sudo su # Install Pre-requisites for joining to an AD Domain yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python # Join to domain # ( http://www.unix.com/man-page/centos/8/realm/ ) realm join --user=DomainJoinCapableADAccount domain.name # Restrict access from domain realm deny --all # Permit access by Domain User Group "ADGroupName" (A-z only) realm permit -R domain.name -g ADGroupName # Do not require FQDN for username sed -i "s|use_fully_qualified_names = True|use_fully_qualified_names = False|g" /etc/sssd/sssd.conf systemctl restart sssd # Permit Access to SUDO echo "%ADGroupName ALL=(ALL) ALL" >> /etc/sudoers.d/sudoers # Reboot to Commit reboot
Now for the next hurdle.
What you are trying to do is not only possible, but a typical industry practice.
@sudburr It’s just a simple
realmcommand to deny all, then another
realmcommand to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
Here’s a snippit:
#Locking down who can log in from the domain. #Block everyone: realm deny -R domainname.com -a #permit a specific group # Security group needs made in Active Directory first. #MUST BE domain local type group. #SYNTAX: #realm permit -R full.domain.name -g group_name_here full.domain.name\group_name_here #To add group securitygroupname as able to log in: realm permit -R domainname.com -g securitygroupname ####To remove if necessary: realm permit --withdraw domainname.com -g securitygroupname
I can’t access our DMS system at the office right now because I have the complete instructions on doing this (not with xRDP), but to restrict ssh access to specific AD groups.
This one should get you started with AD logging in: https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
And this one shows you how to limit access based on an AD group: https://www.centos.org/forums/viewtopic.php?t=53403
we have ours setup so that only linux admin group has access to our linux server and the rest of the admins (not in the group) can not.