In most environments, the Active Directory domain is the central hub for user information, which means that there needs to be some way for Linux systems to access that user information for authentication requests. In this article we will show you how to join a CentOS 7 / RHEL 7 system to an Active Directory Domain.
Before joining the AD domain, make sure time synchronization (NTP/chrony) and DNS are working: Kerberos rejects tickets when the clock skew between the client and the domain controllers exceeds five minutes, and realmd locates the domain controllers through the domain's DNS SRV records, so the server must use the AD DNS servers (or a resolver that forwards to them). With those infrastructure services in place, the following packages are needed on the CentOS / RHEL server:
- realmd: discovers Active Directory (and other Kerberos) realms and manages enrolment in and membership of them
- samba: the Samba server packages; not strictly required for the join itself (realm discover below lists only samba-common-tools), but harmless to install
- samba-common: shared tools for Samba servers and clients
- oddjob: a D-Bus service that runs privileged "odd jobs" on behalf of unprivileged clients
- oddjob-mkhomedir: the oddjob helper that creates a home directory for an AD account on its first login
- sssd: the System Security Services Daemon, which performs identity lookups and authentication against the domain and caches credentials for offline logins
- adcli: tools for joining and managing AD domains (realmd uses it to create the computer account)
– Install the required packages (the prompt is already root, so sudo is not needed; samba-common-tools is included because realm discover reports it as required):
[root@ylclsrv001 ~]# yum install oddjob oddjob-mkhomedir realmd samba samba-common samba-common-tools sssd adcli
– Next, discover the domain with realm discover. It prints the realm configuration realmd detected (the authentication type, and the server and client software it will use) together with the packages that must be installed before the system can be enrolled:
[root@ylclsrv001 ~]# realm discover yallalabs.local
YALLALABS.LOCAL
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: YALLALABS.LOCAL
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
yallalabs.local
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: yallalabs.local
  configured: no
– To join the AD domain and place the computer account in the default Computers container, run realm join as an account that is allowed to join machines to the domain (it does not have to be a Domain Admin; an account delegated the right to create computer objects is enough). Replace <join-account> with that user name; realm prompts for its password:
[root@ylclsrv001 ~]# realm join --user=<join-account> yallalabs.local
Password for <join-account>:
– If you want the computer account in a designated Organizational Unit, the OU must already exist in Active Directory and must be given as its full distinguished name. The following command joins the server to the domain and creates the computer account in the Linux OU:
[root@ylclsrv001 ~]# realm join --user=<join-account> --computer-ou=OU=Linux,OU=Servers,DC=YALLALABS,DC=LOCAL yallalabs.local
Password for <join-account>:
– If the join fails with "realm: Couldn't join realm: Joining the domain YALLALABS.LOCAL failed", restart realmd (systemctl restart realmd) and retry. If it still fails, rerun the join with realm join -v to see the underlying adcli and Kerberos messages; these most often point at DNS (the domain's SRV records do not resolve) or at clock skew against the domain controllers.
– To verify that the system joined the domain, run realm list. A joined host shows configured: kerberos-member; the login-formats line tells you that user names are fully qualified with the domain by default, and login-policy: allow-realm-logins means every domain user may log in until you restrict access (see below):
[root@ylclsrv001 ~]# realm list
YALLALABS.LOCAL
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: yallalabs.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@yallalabs.local
  login-policy: allow-realm-logins
– To confirm that identity lookups work, query a domain user with id. The user and group names in the output carry the @YALLALABS.LOCAL suffix because realm join enables fully qualified names:
# id yl01@yallalabs.local
uid=344601106(yl01@YALLALABS.LOCAL) gid=344600513(domain users@YALLALABS.LOCAL) groups=344600513(domain users@YALLALABS.LOCAL),344601107(linuxadmins@YALLALABS.LOCAL)
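The discover, join and verify steps above, wrapped in one script as an added example (this is not code from the original article). It assumes CentOS/RHEL 7 with realmd and bind-utils installed; the domain, the computer OU and the join account are illustrative placeholders passed on the command line. The script checks the two prerequisites the article lists (SRV records and clock sync) before touching realm, rejects a computer OU that is not a full DN, and confirms the join by parsing realm list rather than trusting the exit status alone.

```bash
#!/bin/bash
# ad-join.sh: discover / join / verify an AD realm on CentOS/RHEL 7.
# Added example, not part of the original article. Assumes realmd and
# bind-utils are installed; DOMAIN, JOIN_USER and COMPUTER_OU are placeholders.

# Pre-join checks. The join needs the domain's DNS SRV records and a clock
# within Kerberos' 5-minute skew tolerance of the domain controllers.
preflight() {
    local domain="$1"
    if ! host -t SRV "_ldap._tcp.dc._msdcs.$domain" >/dev/null 2>&1; then
        echo "no SRV record for _ldap._tcp.dc._msdcs.$domain: point DNS at the AD servers" >&2
        return 1
    fi
    if ! timedatectl status 2>/dev/null | grep -Eq 'NTP synchronized: yes|System clock synchronized: yes'; then
        echo "warning: system clock is not NTP-synchronized; Kerberos may reject the join" >&2
    fi
}

# Shape check for --computer-ou: OU/CN components followed by the domain's
# DC components. realm join rejects a bare OU name such as "Linux".
valid_computer_ou() {
    printf '%s' "$1" | grep -Eq '^((OU|CN)=[^,=]+,)+DC=[^,=]+(,DC=[^,=]+)*$'
}

# Read `realm list` output on stdin; succeed only if the host is enrolled
# as a kerberos-member with sssd as the client software.
realm_is_joined() {
    local configured="" client="" line
    while IFS= read -r line; do
        case "$line" in
            *"configured: "*)      configured="${line##*configured: }" ;;
            *"client-software: "*) client="${line##*client-software: }" ;;
        esac
    done
    [ "$configured" = "kerberos-member" ] && [ "$client" = "sssd" ]
}

# Usage: ./ad-join.sh DOMAIN JOIN_USER [COMPUTER_OU]
main() {
    local domain="$1" join_user="$2" ou="${3:-}"
    preflight "$domain" || return 1
    if [ -n "$ou" ] && ! valid_computer_ou "$ou"; then
        echo "computer OU must be a full DN, e.g. OU=Linux,OU=Servers,DC=YALLALABS,DC=LOCAL" >&2
        return 2
    fi
    realm discover "$domain" || return 1
    # -v shows the underlying adcli/Kerberos messages when the join fails.
    if [ -n "$ou" ]; then
        realm join -v --user="$join_user" --computer-ou="$ou" "$domain" || return 1
    else
        realm join -v --user="$join_user" "$domain" || return 1
    fi
    if realm list | realm_is_joined; then
        echo "joined $domain; check a user with: id <user>@$domain"
    else
        echo "realm join returned success but realm list does not show kerberos-member" >&2
        return 1
    fi
}

# Only run the join when arguments are given, so the helpers can be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as root, for example ./ad-join.sh yallalabs.local joinadmin 'OU=Linux,OU=Servers,DC=YALLALABS,DC=LOCAL'; the final check reads the same realm list output shown above, so a host whose join only half-completed (realmd reports success but sssd is not the client software) is caught here rather than at first login.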
– By default every domain user can log in (login-policy: allow-realm-logins). To permit only specific accounts, use realm permit: it switches sssd's access provider to its simple allow-list mode and adds the named accounts to that list. realm permit --all reopens logins to the whole realm and realm deny --all blocks them:
[root@ylclsrv001 ~]# realm permit User1@yallalabs.local User2@yallalabs.local
– To permit only the members of one Active Directory group to log in (in this example the LinuxAdmins group), use the -g option:
[root@ylclsrv001 ~]# realm permit -g LinuxAdmins@yallalabs.local
– To grant sudo rights to an Active Directory group (here again LinuxAdmins), run visudo and add the following line. Because realm join enables fully qualified names, the group must carry the @yallalabs.local suffix, and a group name containing spaces must have them backslash-escaped, so the Domain Users group seen in the id output above would be written %domain\ users@yallalabs.local. A separate file under /etc/sudoers.d/ is the usual place for such a rule:
# visudo
%LinuxAdmins@yallalabs.local ALL=(ALL) ALL
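The two access-control steps above (restricting logins to one group with realm permit and giving that group sudo) combined in one script, as an added example that is not part of the original article. It assumes the host is already joined with realm join, so names are fully qualified, and that sudo reads /etc/sudoers.d; the group name is an illustrative argument. The sudoers rule goes into its own file, which is syntax-checked with visudo -c before it is trusted, and group names with spaces are escaped the way sudoers requires.

```bash
#!/bin/bash
# ad-access.sh: restrict logins to one AD group and grant it sudo.
# Added example, not part of the original article. Assumes a host already
# joined with realm join; GROUP is a placeholder such as 'LinuxAdmins@yallalabs.local'.

# sudoers line for an AD group. Spaces in the group name ("domain users")
# must be backslash-escaped, and the @domain suffix is required because
# realm join enables use_fully_qualified_names in sssd.
sudoers_line_for_group() {
    local group="$1" escaped
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Write the rule as its own file under DIR (default /etc/sudoers.d). sudo
# ignores files whose names contain "." or end in "~", so the group name is
# mapped to [A-Za-z0-9_] first. Prints the path of the file written.
write_sudoers_rule() {
    local group="$1" dir="${2:-/etc/sudoers.d}" name file
    name=$(printf '%s' "$group" | LC_ALL=C tr -c 'A-Za-z0-9' '_')
    file="$dir/ad-$name"
    sudoers_line_for_group "$group" > "$file"
    chmod 0440 "$file"
    printf '%s\n' "$file"
}

# Usage: ./ad-access.sh 'LinuxAdmins@yallalabs.local'
main() {
    local group="$1" file
    # realm permit -g switches sssd to the simple access provider and adds
    # the group to simple_allow_groups in /etc/sssd/sssd.conf; show the result.
    realm permit -g "$group" || return 1
    grep -E '^(access_provider|simple_allow_groups)' /etc/sssd/sssd.conf
    file=$(write_sudoers_rule "$group") || return 1
    # Validate before relying on the file: a syntax error in sudoers.d
    # makes sudo refuse to run for everyone.
    if visudo -c -f "$file" >/dev/null; then
        echo "sudo rule installed: $file"
    else
        rm -f "$file"
        echo "sudoers syntax check failed; rule removed" >&2
        return 1
    fi
}

# Only apply changes when a group is given, so the helpers can be sourced.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run as root, e.g. ./ad-access.sh 'LinuxAdmins@yallalabs.local'. Keeping the rule in /etc/sudoers.d rather than editing /etc/sudoers directly means it can be removed with the file, and validating with visudo -c -f closes the window in which a typo in the group name would lock administrators out of sudo.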
– To leave an Active Directory domain, use realm leave. Without further options it only removes the local configuration (sssd, Kerberos) and leaves the computer account in AD:
# realm leave --user=<join-account> yallalabs.local
– To leave the domain and also delete the computer account from Active Directory, add the --remove option (the account given with --user must be allowed to delete the computer object):
# realm leave --user=<join-account> yallalabs.local --remove
Password for <join-account>:
We hope this tutorial was helpful. If you need more information or have any questions, comment below and we will be glad to assist you.