An ansible role which configures direct Active Directory integration.
- RHEL7+, CentOS7+
- Fedora
In order to join to the domain, you must use an Active Directory user which has sufficient join permissions. It is not recommended to use the Administrator user as the security footprint of this user is too large.
See Delegated Permissions for the explicit permissions a user must have.
Time must be in sync with Active Directory servers. The ad_integration role will use the timesync system role for this if the user specifies ad_integration_manage_timesync to true and provides a value for ad_integration_timesync_source to use as a timesource.
RHEL8 (and newer) and Fedora no longer support RC4 encryption out of the box, it is recommended to enable AES in Active Directory, if not possible then the AD-SUPPORT crypto policy must be enabled. The integration role will use the crypto_policies system role for this if the user sets the ad_integration_manage_crypto_policies and ad_integration_allow_rc4_crypto parameters to true.
The Linux system must be able to resolve default AD DNS SRV records.
The following firewall ports must be opened on the AD server side, reachable from the Linux client.
| Source Port | Destination | Protocol | Service |
|---|---|---|---|
| 1024:65535 | 53 | TCP and UDP | DNS |
| 1024:65535 | 389 | TCP and UDP | LDAP |
| 1024:65535 | 636 | TCP | LDAPS |
| 1024:65535 | 88 | TCP and UDP | Kerberos |
| 1024:65535 | 464 | TCP and UDP | Kerberos change/set password (kadmin) |
| 1024:65535 | 3268 | TCP | LDAP Global Catalog |
| 1024:65535 | 3269 | TCP | LDAP Global Catalog SSL |
| 1024:65535 | 123 | UDP | NTP/Chrony(Optional) |
| 1024:65535 | 323 | UDP | NTP/Chrony (Optional) |
This role requires additional modules from external collections. Please use the following command to install them:
ansible-galaxy collection install -vv -r meta/collection-requirements.ymlActive Directory realm, or domain name to join
The password of the user used to authenticate with when joining the machine to the realm. Do not use cleartext - use Ansible Vault to encrypt the value.
The user name to be used to authenticate with when joining the machine to the realm.
Default: Administrator
an Active Directory domain controller's hostname (do not use IP address) may be specified to join via that domain controller directly.
Default: Not set
Leave existing domain prior to performing join. This might be needed if the keytab is unable to authenticate with the machine account to the AD domain.
Default: false
perform automatic UID/GID mapping for users and groups, set to false to rely on POSIX attributes already present in Active Directory.
Default: true
Only join realms for which we can use the given client software. Possible values include sssd or winbind. Not all values are supported for all realms.
Default: Automatic selection
The software to use when joining to the realm. Possible values include samba or adcli. Not all values are supported for all realms.
Default: Automatic selection
The distinguished name of an organizational unit to create the computer account. It can be relative to the Root DSE, or a complete LDAP DN.
Default: Default AD computer container
If true, the ad_integration role will use fedora.linux_system_roles.timesync. Requires providing a value for ad_integration_timesync_source to use as a time source.
Default: false
Hostname or IP address of time source to synchronize the system clock with. Providing this variable automatically sets ad_integration_manage_timesync to true.
If true, the ad_integration role will use fedora.linux_system_roles.crypto_policies as needed
Default: false
If true, the ad_integration role will set the crypto policy allowing RC4 encryption. Providing this variable automatically sets ad_integration_manage_crypto_policies to true
Default: false
If true, the ad_integration role will use fedora.linux_system_roles.network to add the provided dns server (see below) with manual DNS configuration to an existing connection. If true then the following variables are required:
ad_integration_dns_server- DNS server to addad_integration_dns_connection_name- Existing network connection name to configuread_integration_dns_connection_type- Existing network connection type to configure
IP address of DNS server to add to existing networking configuration. Only applicable if ad_integration_manage_dns is true
The name option identifies the connection profile to be configured by the network role. It is not the name of the networking interface for which the profile applies. Only applicable if ad_integration_manage_dns is true
Network connection type such as ethernet, bridge, bond...etc, the network role contains a list of possible values. Only applicable if ad_integration_manage_dns is true
If true, SSSD is configured to automatically update the AD DNS server with the IP address of the client.
Default: false
Optional. The TTL, in seconds, to apply to the client's DNS record when updating it. Only applicable if ad_dyndns_update is true
Note: This will override the TTL set by an administrator on the server.
Default: 3600
Optional. Interface or a list of interfaces whose IP addresses should be used for dynamic DNS updates. Special value "*" implies all IPs from all interfaces should be used. Only applicable if ad_dyndns_update is true
Default: Use the IP addresses of the interface which is used for AD LDAP connection
Optional. How often should, in seconds, periodic DNS updates be performed in addition to when the back end goes online. Only applicable if ad_dyndns_update is true
Note: lowest possible value is 60 seconds. If value less than 60 is specified sssd will assume lowest value only.
Default: 86400
Optional. If true, the PTR record should also be explicitly updated. Only applicable if ad_dyndns_update is true
Default: true
Optional. If true, the nsupdate utility should default to using TCP for communicating with the DNS server. Only applicable if ad_dyndns_update is true
Default: false
Optional. If true, GSS-TSIG authentication will be used for secure updates with the DNS server when updating A and AAAA records. Only applicable if ad_dyndns_update is true
Default: true
Optional. DNS server to use when performing a DNS update when autodetection settings fail. Only applicable if ad_dyndns_update is true
Default: None (let nsupdate choose the server)
Additional parameters (as a string) supplied directly to the realm join command. Useful if some specific configuration like --user-principal=host/name@REALM or --use-ldaps is needed. See man realm for details. Example: ad_integration_join_parameters: "--user-principal host/[email protected]"
A list of setting to be included into the [sssd] section
of the sssd.conf file. See sssd.conf man pages for details.
Example:
ad_integration_sssd_settings:
- key: "configuration_name"
value: "configuration_value"A list of custom setting to be included into the [domain/$REALM] section
of the sssd.conf file. See sssd.conf man pages for details.
Example:
ad_integration_sssd_custom_settings:
- key: "configuration_name"
value: "configuration_value"This is a boolean, default is false. If true, configure realmd.conf to
remove the authselect command from sssd-enable-logins to avoid overwriting
previous PAM/nsswitch changes, until
RHEL-5101 is addressed.
The following is an example playbook to setup direct Active Directory integration with AD domain domain.example.com, the join will be performed with user Administrator using the vault stored password. Prior to the join, the crypto policy for AD SUPPORT with RC4 encryption allowed will be set.
- hosts: all
vars:
ad_integration_realm: "domain.example.com"
ad_integration_password: !vault | …vault encrypted password…
ad_integration_manage_crypto_policies: true
ad_integration_allow_rc4_crypto: true
roles:
- linux-system-roles.ad_integrationSee README-ostree.md
MIT.
Justin Stephenson ([email protected])
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent