
LDAP konfiguráció

Linux

# yum install realmd krb5-workstation sssd sssd-ad authconfig openldap-clients oddjob-mkhomedir ntp adcli
/etc/krb5.conf
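# /etc/krb5.conf — MIT Kerberos client configuration for the AD realm DOMAINEM.HU
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Discover realm and KDCs via DNS (TXT/SRV records); the explicit kdc entry under [realms] still takes precedence
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
# Forwardable TGTs allow credential delegation (e.g. GSSAPI over SSH); keep only if delegation is actually needed
 forwardable = true
# Do not canonicalise KDC/service hostnames through reverse DNS — PTR records are spoofable and rarely match AD SPNs
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Must be the realm defined under [realms] and the krb5_realm used in sssd.conf
# (the original file said DOMAIN.HU, which is not a configured realm)
 default_realm = DOMAINEM.HU
# Per-user kernel keyring: tickets are not written to /tmp and are not readable by other users
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAINEM.HU = {
  kdc = ad.domainem.hu
  admin_server = ad.domainem.hu
 }

[domain_realm]
# Map the AD DNS domain (hosts under domainem.hu, incl. the DC ad.domainem.hu) to the realm defined above;
# the original mapped to AD.DOMAINEM.HU, a realm with no [realms] entry, so lookups would fall back to DNS only
 .domainem.hu = DOMAINEM.HU
 domainem.hu = DOMAINEM.HU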
# kinit pagoston
# realm join -U pagoston -v pcs.hu
/etc/sssd/sssd.conf
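# /etc/sssd/sssd.conf — SSSD joined to the AD domain domainem.hu (id/auth/access via the ad provider)
[sssd]
# Every name listed here needs a matching [domain/<name>] section below
domains = domainem.hu
config_file_version = 2
services = nss, pam

# Section name must equal the entry in "domains" above.
# The original file used [domain/pcs.hu] with domains = domainem.hu; sssd treats a listed domain
# without its section as a misconfiguration and will not serve it
[domain/domainem.hu]
ad_domain = domainem.hu
krb5_realm = DOMAINEM.HU
realmd_tags = manages-system joined-with-samba
# Keep a local copy of credentials so users can still log in while the DC is unreachable;
# this is a trade-off: anyone with root on this host can attack the cached material offline
cache_credentials = True
id_provider = ad
# While offline, the user's password is retained so a TGT can be requested once the DC is back;
# widens the local exposure of the password — disable if offline Kerberos is not required
krb5_store_password_if_offline = True
default_shell = /bin/bash
# Derive UIDs/GIDs from the AD SIDs instead of reading POSIX attributes from AD
ldap_id_mapping = True
#use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
# Enforce AD account state (disabled/expired/locked out) and GPO logon rights; do not relax to "permit"
access_provider = ad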
# authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
# systemctl restart sssd

Kivétel a domain alól:

# realm leave ad.example.com

Ellenőrzés:

net ads testjoin

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-ad https://outsideit.net/realmd-sssd-ad-authentication/

TSM konfiguráció

[tsm@tsm1 ~]$ gsk8capicmd_64 -cert -add -db "cert.kdb" -stashed -label "MyRootCA2023" -format ascii -file MyRootCA2023_pem.pem -trust enable
[tsm@tsm1 ~]$ gsk8capicmd_64 -cert -add -db "cert.kdb" -stashed -label "MyServerSubCA2023" -format ascii -file MyServerSubCA2023_pem.pem -trust enable
[tsm@tsm1 ~]$ gsk8capicmd_64 -cert -add -db "cert.kdb" -stashed -label "MyClientSubCA2023" -format ascii -file MyClientSubCA2023_pem.pem -trust enable

Miután a TSM szerver újraindult:

set ldapuser _tsm_ad_auth@ebh.erste.hu
set ldappassword bdgBgwRzI5GyVnMrGsys3RJW