Integrating a Linux server with Active Directory is documented in detail by the various Linux distributions and others. As such, the intent of this article is only to provide an overview of the process at each step as it relates to RStudio Connect. Note that this is a general resource to assist with a topic outside the scope of our support. These exact steps may not work in your specific environment, in which case we suggest reviewing the additional resources.
A # in front of a command signifies that it must be executed as root or with sudo.
1) Install the prerequisites
We'll be using realmd to join the AD domain. To use the realmd system, install the realmd package:
# yum install realmd
In addition, install the packages required to manage the system using realmd with Kerberos enabled.
RHEL/CentOS 7:
# yum install oddjob oddjob-mkhomedir sssd adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
RHEL/binary equivalent:
# yum install oddjob oddjob-mkhomedir sssd adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python3
2) Join the underlying Linux server with Active Directory
Complete the join using the following syntax: realm join [-U user] [realm-name]
# realm join -U Administrator dc1.rstudio.example
You will be prompted for the password of the username entered. If the command completes without error, confirm with:
# realm list
Example output:
rstudio.example
type: kerberos
realm-name: RSTUDIO.EXAMPLE
domain-name: rstudio.example
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@rstudio.example
login-policy: allow-realm-logins
The realm join completes these steps automatically:
- Joining the domain by creating an account entry for the system in the directory.
- Creating the /etc/krb5.keytab host keytab file.
- Configuring the domain in SSSD and restarting the service.
- Enabling domain users for the system services in the PAM configuration and the /etc/nsswitch.conf file.
Below is an example /etc/sssd/sssd.conf file as automatically produced by the realm join:
[sssd]
domains = rstudio.example
config_file_version = 2
services = nss, pam
[domain/rstudio.example]
ad_server = dc1.rstudio.example
ad_domain = rstudio.example
krb5_realm = RSTUDIO.EXAMPLE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = RSP-ADSRV$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
If you would prefer users authenticate with their username instead of username@domain, change the use_fully_qualified_names line in the section above from True to False:
use_fully_qualified_names = False
The following additions under the [domain/rstudio.example] section above may be required to enumerate groups and to allow logins through the /etc/pam.d/rstudio-connect PAM service:
ad_gpo_map_service = +rstudio-connect
enumerate = true
You can now check and verify an AD account using the id command and the username format before moving on to the next section. (The example below assumes use_fully_qualified_names = True.)
# id user@rstudio.example
3) Configure the rstudio-connect PAM profile
After integrating the underlying Linux operating system with Active Directory, you can copy the /etc/pam.d/login PAM profile for use with RStudio Connect:
# cp /etc/pam.d/login /etc/pam.d/rstudio-connect
Contents:
# cat /etc/pam.d/rstudio-connect
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
4) Configure RStudio Connect to use PAM
PAM authentication is used if the Authentication.Provider setting has a value of pam.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = pam
You can change the PAM service name used for authentication by customizing the PAM.Service setting. The default PAM service name used for authentication is rstudio-connect. (As we'll be using the default rstudio-connect profile name, the entry below is not necessary.)
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio-connect
Note that there are three types of PAM service that can be configured in the PAM configuration section (see the process management guide for more information).
Warning: If you're applying this change to an existing server rather than a new installation, consult the admin guide first. Please contact RStudio Support if you have any questions.
After the above edits are made to your configuration file, please restart the service:
# service rstudio-connect restart
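The following check script is an added example, not RStudio's code or part of the original article. It reads the three files configured in steps 2 to 4 (sssd.conf, the rstudio-connect PAM profile and rstudio-connect.gcfg), flags the settings that most often break PAM logins, and prints the login name format users must type; the file paths and the domain name are assumed to be the article's.

```bash
#!/bin/bash
# Added check script (not RStudio's code) for the setup above: validates sssd.conf,
# the rstudio-connect PAM profile and rstudio-connect.gcfg, and reports the login
# name format users must type. File paths are assumed to be the article's defaults.

# Print the value of KEY in [SECTION] of an INI-style file (sssd.conf or .gcfg).
ini_get() { # ini_get FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { insect = 1; next }
        /^\[/      { insect = 0 }
        insect && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Login name format, derived from use_fully_qualified_names in the domain section.
login_format() { # login_format SSSD_CONF DOMAIN
    case "$(ini_get "$1" "domain/$2" use_fully_qualified_names)" in
        [Tt]rue) echo "user@$2" ;;
        *)       echo "user" ;;
    esac
}

# Run all checks, print one line per finding and return the number of failures.
run_checks() { # run_checks DOMAIN [SSSD_CONF] [PAM_PROFILE] [GCFG]
    local domain="$1" sssd="${2:-/etc/sssd/sssd.conf}" pam="${3:-/etc/pam.d/rstudio-connect}"
    local gcfg="${4:-/etc/rstudio-connect/rstudio-connect.gcfg}" sect="domain/$1" fails=0
    [ "$(ini_get "$sssd" "$sect" access_provider)" = ad ] ||
        { echo "FAIL: access_provider is not 'ad' in $sssd"; fails=$((fails + 1)); }
    case "$(ini_get "$sssd" "$sect" ad_gpo_map_service)" in
        *rstudio-connect*) ;;
        *) echo "WARN: ad_gpo_map_service does not include +rstudio-connect (see step 2)" ;;
    esac
    [ -r "$pam" ] && grep -Eq '^auth[[:space:]]+(substack|include)[[:space:]]+system-auth' "$pam" ||
        { echo "FAIL: $pam is missing or does not chain to system-auth"; fails=$((fails + 1)); }
    [ "$(ini_get "$gcfg" Authentication Provider)" = pam ] ||
        { echo "FAIL: Authentication.Provider is not 'pam' in $gcfg"; fails=$((fails + 1)); }
    local svc; svc=$(ini_get "$gcfg" PAM Service); svc="${svc:-rstudio-connect}"  # default
    [ "$svc" = "$(basename "$pam")" ] ||
        { echo "FAIL: PAM.Service is '$svc' but the profile is $(basename "$pam")"; fails=$((fails + 1)); }
    echo "Users log in as: $(login_format "$sssd" "$domain")"
    return "$fails"
}

# With a domain argument, check the live files: sudo ./check-ad-pam.sh rstudio.example
[ $# -eq 0 ] || run_checks "$@"
```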
5) Test RStudio Connect and AD integration
Log in to your instance with an Active Directory ID to test. In a new installation, the first user account created will have Administrator privileges.
Any login failures will be logged to /var/log/secure.
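To make the failures mentioned above easier to review, here is an added example (not from the article) that summarises failed PAM authentications for the rstudio-connect service from /var/log/secure, grouped by user; the log line format is the one pam_sss and pam_unix write, and the sample log is constructed.

```bash
#!/bin/bash
# Added example (not from the article): summarise failed PAM logins for the
# rstudio-connect service from /var/log/secure, grouped by user name. The line
# format is the one pam_sss/pam_unix write; the sample log below is constructed.

# Print "COUNT USER" for each user with at least MIN failures, most frequent first.
failed_logins() { # failed_logins LOGFILE [SERVICE] [MIN]
    local svc="${2:-rstudio-connect}" min="${3:-1}"
    # keep only the user= field of matching lines, count per user, highest first
    grep -E "pam_(sss|unix)\($svc:auth\): authentication failure" "$1" |
        sed -E 's/.* user=([^ ]*).*/\1/' | sort | uniq -c | sort -rn |
        awk -v min="$min" '$1 >= min { print $1, ($2 == "" ? "<unknown>" : $2) }'
}

# Constructed /var/log/secure excerpt for a dry run (not a real capture).
write_sample_log() { # write_sample_log FILE
    cat > "$1" <<'EOF'
Mar 12 09:00:01 rsp-adsrv rstudio-connect[1234]: pam_sss(rstudio-connect:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob@rstudio.example
Mar 12 09:00:01 rsp-adsrv rstudio-connect[1234]: pam_sss(rstudio-connect:auth): received for user bob@rstudio.example: 7 (Authentication failure)
Mar 12 09:00:05 rsp-adsrv rstudio-connect[1234]: pam_sss(rstudio-connect:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob@rstudio.example
Mar 12 09:01:10 rsp-adsrv rstudio-connect[1234]: pam_unix(rstudio-connect:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=alice@rstudio.example
Mar 12 09:02:00 rsp-adsrv sshd[2000]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5 user=carol@rstudio.example
EOF
}

# Usage: ./failed-logins.sh /var/log/secure [service] [min]; no arguments runs the sample.
if [ $# -eq 0 ]; then
    sample=$(mktemp); write_sample_log "$sample"
    failed_logins "$sample"; rm -f "$sample"   # prints "2 bob@rstudio.example" then "1 alice@rstudio.example"
else
    failed_logins "$@"
fi
```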
Additional resources:
Redhat: Using REALMD To Connect To an Active Directory Domain