Commit 02a2bf80 authored by John Harris's avatar John Harris

add doco

parent 4369fbd6
......@@ -6,3 +6,7 @@ cl-adlinux git README.TXT file
-- fix the "REDACTED" strings in the /etc/sssd.conf
-- to see what is only from AD
# getent --service=sss passwd
# getent --service=sss group
HOWTO MANUALLY SETUP SSSD WITH CNETRAL SSH KEYS
Ubuntu:
apt install sssd libpam-sss libnss-sss
cd /root
git clone https://code.cablelabs.com/johnharris/cl-adlinux.git
mv or cp the file to /etc/sssd, check the perms
correct the REDACTED's in the /etc/sssd/sssd.conf file
systemctl enable sssd.service
systemctl start sssd.service
getent --service=sss passwd; getent --service=sss group
/etc/pam.d/common-session - insert after "pam_unix.so" line
session required pam_mkhomedir.so skel=/etc/skel/
/etc/pam.d/common-session - add "debug=yes" to pam_systemd.so
/usr/sbin/deluser the local accounts (leave homedirs in place)
move the "grabSshPubKey.sh" script into place and set owner and perms
update the /etc/ssh/sshd_config
## Added 12jun2018
AuthorizedKeysCommand /usr/local/bin/grabSshPubKey.sh %u
AuthorizedKeysCommandUser %u
create any local groups if needed
update the /etc/sudoers for proper groups
/etc/nsswitch.conf - remove the "sss" from "sudoers" line
add the lxadm user
adduser --home /home/lxadmin --shell /bin/bash --uid 65535 --gecos "Linux Admin" --gid 100 lxadmin
chage -l lxadmin
CentOS/RHEL 7.x:
yum install sssd
cd /root
git clone https://code.cablelabs.com/johnharris/cl-adlinux.git
mv or cp the file to /etc/sssd, check the perms
correct the REDACTED's in the /etc/sssd/sssd.conf file
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir –-update
systemctl enable sssd.service; systemctl start sssd.service
getent --service=sss passwd; getent --service=sss group
/usr/sbin/userdel the local accounts (leave homedirs in place)
move the "grabSshPubKey.sh" script into place and set owner and perms
update the /etc/ssh/sshd_config
## Added 12jun2018
AuthorizedKeysCommand /usr/local/bin/grabSshPubKey.sh %u
AuthorizedKeysCommandUser %u
systemctl restart sshd.service
create any local groups if needed
update the /etc/sudoers for proper groups
create the lxadm user
adduser -u 65535 -g 100 -d /home/lxadmin -c "Linux Admin" -s /bin/bash -m lxadmin
chage -l lxadmin
CentOS/RHEL 6.x:
yum update authconfig nss openssh
yum install sssd
cd /root
wget --user=johnharris https://code.cablelabs.com/johnharris/cl-adlinux/raw/master/sssd.conf
wget --user=johnharris https://code.cablelabs.com/johnharris/cl-adlinux/raw/master/ad.cert
wget --user=johnharris https://code.cablelabs.com/johnharris/cl-adlinux/raw/master/grabSshPubKey.sh
mv or cp the file to /etc/sssd, check the perms
correct the REDACTED's in the /etc/sssd/sssd.conf file
update the filter and search statements for restriction by group
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir –-update
chkconfig sssd on; service sssd start
getent --service=sss passwd; getent --service=sss group
/usr/sbin/userdel the local accounts (leave homedirs in place)
move the "grabSshPubKey.sh" script into place and set owner and perms
UPDATE the /usr/local/bin/grabSshPubKey.sh to add the "curl -1sf"
update the /etc/ssh/sshd_config
FOR 6.X...
## Added 12jun2018
AuthorizedKeysCommand /usr/local/bin/grabSshPubKey.sh
service sshd restart
update the /etc/sudoers for proper groups and members
create the lxadm user
adduser -u 65535 -g 100 -d /home/lxadmin -c "Linux Admin" -s /bin/bash -m lxadmin
chage -l lxadmin
NO SUDO FOR lxadmin