Securing an AD Domain-joined CentOS7 server

Linux Problems
    sudburr (Jul 7, 2017, 8:48 PM)

    Server
    • FOG Version: n/a
    • OS: CentOS 7.3.1611
    Description

    Playing with fire here. I have a CentOS 7.3.1611 GUI server with xRDP installed, joined to an Active Directory domain.

    I want to restrict the wide-open access AD accounts have to it so only the AD group “ABC” can SSH, telnet and RDP to it.

    [ Standing in between extinction in the cold and explosive radiating growth ]

        george1421 Moderator (Jul 7, 2017, 9:06 PM)

        I can’t access our DMS system at the office right now, because I have the complete instructions on doing this there (not with xRDP, but to restrict ssh access to specific AD groups).

        This one should get you started with AD logging in: https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/

        And this one shows you how to limit access based on an AD group: https://www.centos.org/forums/viewtopic.php?t=53403

        We have ours set up so that only the Linux admin group has access to our Linux server and the rest of the admins (not in the group) cannot.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

          Wayne Workman @sudburr (Jul 7, 2017, 11:24 PM; last edited by Wayne Workman Jul 11, 2017, 11:49 AM)

          @sudburr It’s just a simple realm command to deny all, then another realm command to allow a specific security group. What you are trying to do is not only possible, but a typical industry practice.
          Here’s a snippet:

          #Locking down who can log in from the domain.
          #Block everyone:
          realm deny -R domainname.com -a
          
          #Permit a specific group.
          # Security group needs made in Active Directory first.
          #MUST BE domain local type group.
          
          #SYNTAX:
          #realm permit -R full.domain.name -g group_name_here
          #(the group may also be written as full.domain.name\group_name_here)
          #To add group securitygroupname as able to log in:
          
          realm permit -R domainname.com -g securitygroupname
          
          ####To remove if necessary (the realm goes after -R; a bare
          ####domainname.com would be read as a user name to withdraw):
          realm permit --withdraw -R domainname.com -g securitygroupname
          

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

            george1421 Moderator @Wayne Workman (Jul 8, 2017, 1:05 AM)

            @Wayne-Workman said in Securing an AD Domain-joined CentOS7 server:

            What you are trying to do is not only possible, but a typical industry practice.

            Well said.


              sudburr (Jul 11, 2017, 3:00 PM)

              That did the trick!

              # Join to an AD Domain
              # --------------------------
              # Elevate Access Level
              	sudo -i
              
              # Install Pre-requisites for joining to an AD Domain
              	yum install -y sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
              
              # Join to domain
              # ( http://www.unix.com/man-page/centos/8/realm/ )
              	realm join --user=DomainJoinCapableADAccount domain.name
              
              # Restrict access from domain (deny every domain account first)
              	realm deny --all
              
              # Permit access by Domain User Group "ADGroupName" (A-z only)
              	realm permit -R domain.name -g ADGroupName
              
              # Do not require FQDN for username
              # (matches the key however it is spaced; realm join writes "use_fully_qualified_names = True")
              	sed -i -E 's|^(use_fully_qualified_names)[[:space:]]*=.*|\1 = False|' /etc/sssd/sssd.conf
              	systemctl restart sssd
              
              # Permit Access to SUDO
              # Use a drop-in of its own (">" not ">>", so re-running does not duplicate the line),
              # the 0440 mode sudo requires, and check it with visudo before relying on it.
              # "%ADGroupName" only matches because use_fully_qualified_names is False above;
              # with fully qualified names the group would be "ADGroupName@domain.name".
              	echo "%ADGroupName    ALL=(ALL)       ALL" > /etc/sudoers.d/ADGroupName
              	chmod 0440 /etc/sudoers.d/ADGroupName
              	visudo -cf /etc/sudoers.d/ADGroupName
              
              # Reboot to Commit
              	reboot
              

              Now for the next hurdle.


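What Wayne's snippet and sudburr's walkthrough above both leave out is a check that the lockdown actually took, and config edits that are safe to run twice. The script below is an added example, not code from sudburr, Wayne Workman or the FOG project. It does three things: it parses `realm list` output and succeeds only when the login policy is `allow-permitted-logins` and the group is listed under `permitted-groups` (the end state `realm deny -a` followed by `realm permit -g` should leave); it replaces the one-shot `sed` on /etc/sssd/sssd.conf with a setter that also matches a key written without spaces (which the original `sed` silently skips) and inserts a missing key into the [domain/...] section rather than wherever the file ends; and it writes the sudoers drop-in with a safe file name, mode 0440, escaped spaces for group names like "Linux Admins", and a `visudo -c` check. The realm `domain.name`, the group names, the paths and the `realm list` sample text are assumptions and constructed data for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed names: realm domain.name,
# groups ADGroupName / "Linux Admins". SAMPLE_REALM_LIST is constructed
# to look like `realm list` on a CentOS 7 realmd host; values are made up.

SAMPLE_REALM_LIST='domain.name
  type: kerberos
  realm-name: DOMAIN.NAME
  domain-name: domain.name
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins: 
  permitted-groups: ADGroupName'

# realm_policy_ok GROUP  < output-of-realm-list
# Exit 0 only if deny-all is in force (login-policy is allow-permitted-logins)
# AND GROUP appears in permitted-groups. Comparison is case-insensitive, as AD
# group names are; a "group@realm" rendering is tolerated (assumption).
realm_policy_ok() {
  awk -v g="$1" '
    /^[ \t]*login-policy:/ { policy = $2 }
    /^[ \t]*permitted-groups:/ {
      sub(/^[ \t]*permitted-groups:[ \t]*/, "")
      n = split($0, a, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        bare = a[i]; sub(/@.*$/, "", bare)
        if (tolower(bare) == tolower(g)) found = 1
      }
    }
    END { exit !(policy == "allow-permitted-logins" && found) }
  '
}

# set_sssd_option FILE KEY VALUE
# Rewrites KEY if present with any spacing ("key=val" or "key = val"); if
# absent, inserts it directly under the first [domain/...] header so it lands
# in the domain section. Leaves the file 0600, which sssd insists on.
set_sssd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^([[:space:]]*${key})[[:space:]]*=.*|\1 = ${value}|" "$file"
  else
    awk -v k="$key" -v v="$value" '
      { print }
      /^\[domain\// && !done { print k " = " v; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
  chmod 0600 "$file"
}

# get_sssd_option FILE KEY  -> prints the current value (first match)
get_sssd_option() {
  sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | head -n1
}

# write_sudoers_dropin DIR GROUP  -> prints the path written
# File name derived from the group with only [A-Za-z0-9_] (sudoers.d skips
# names containing "." or "~"), spaces in the group escaped as sudoers wants,
# mode 0440, and the file is removed again if visudo rejects it (visudo is
# only invoked when running as root, since it checks ownership too).
write_sudoers_dropin() {
  dir=$1 group=$2
  [ -n "$group" ] || return 1
  name=$(printf '%s' "$group" | tr -c 'A-Za-z0-9_' '_')
  escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
  out="$dir/ad_$name"
  printf '%%%s ALL=(ALL) ALL\n' "$escaped" > "$out"
  chmod 0440 "$out"
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    visudo -cf "$out" >/dev/null || { rm -f "$out"; return 1; }
  fi
  printf '%s\n' "$out"
}

# Demo on the constructed sample; no realm binary needed.
printf '%s\n' "$SAMPLE_REALM_LIST" | realm_policy_ok ADGroupName && echo "policy OK for ADGroupName"
```

On a real host the calls are `realm list | realm_policy_ok ADGroupName`, `set_sssd_option /etc/sssd/sssd.conf use_fully_qualified_names False && systemctl restart sssd`, and `write_sudoers_dropin /etc/sudoers.d ADGroupName`. The `visudo -cf` step matters more than it looks: sudo refuses to run at all while any file under /etc/sudoers.d has a parse error, so a typo in the group line locks every admin out of sudo on the box, not just the AD group.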
                Wayne Workman @sudburr (Jul 11, 2017, 5:51 PM)

                @sudburr The reboot isn’t necessary, but otherwise great job on the post below - it’ll help many folks in the future.


                Copyright © 2012-2024 FOG Project