In most environments, the Active Directory domain is the central hub for user information, which means that there needs to be some way for Linux systems to access that user information for authentication requests. In this article we will show you how to join a CentOS 7 / RHEL 7 system to an Active Directory Domain.
Before we join the AD domain, we need to ensure that we have set up the time services (NTP) and DNS. With these infrastructure services in place, we will need the following packages installed on the CentOS / RHEL server:
- realmd: This manages enrolment in, and membership of, Active Directory domains
- samba: This provides the Samba services
- samba-common: This provides the tools shared by Samba servers and clients
- oddjob: This is a D-Bus service that runs privileged "odd jobs" on behalf of clients
- oddjob-mkhomedir: This is used with the oddjob service to create home directories for AD accounts on first login, if needed
- sssd: The System Security Services Daemon, which handles client authentication and identity lookups against the domain
- adcli: These are the tools for joining and managing AD domains
Join CentOS 7/ RHEL 7 Servers to Active Directory Domain
01- First, use the following command to install the required packages:
[root@ylclsrv001 ~]# sudo yum install oddjob realmd samba samba-common oddjob-mkhomedir sssd adcli
02- To discover a domain identity we will use the realm discover command, which returns the complete domain configuration and the list of packages that must be installed for the system to be enrolled in the domain.
[root@ylclsrv001 ~]# realm discover yallalabs.local
YALLALABS.LOCAL
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: YALLALABS.LOCAL
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
yallalabs.local
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: yallalabs.local
  configured: no
03- Now, to join the AD domain and add the computer account to the default container in the AD domain, use the following command:
sudo realm join [email protected] yallalabs.local
Password for [email protected]:
– If you want to add it to a designated Organizational Unit within Active Directory, you will first need to create the OU, or at least ensure that it exists. The following command joins the server to the AD domain and adds the computer account to the Linux OU:
[root@ylclsrv001 ~]# sudo realm join [email protected] --computer-ou=OU=Linux,OU=Servers,DC=YALLALABS,DC=LOCAL yallalabs.local
Password for [email protected]:
04- To verify that the system has successfully joined the domain, use the following command:
[root@ylclsrv001 ~]# realm list
YALLALABS.LOCAL
  type: kerberos
  realm-name: YALLALABS.LOCAL
  domain-name: yallalabs.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %[email protected]
  login-policy: allow-realm-logins
05- To display information about a user from the domain, run the following command:
# id [email protected]
uid=344601106([email protected]) gid=344600513(domain [email protected]) groups=344600513(domain [email protected]),344601107([email protected])
06- To permit only specific accounts from the domain to log in, use the following command. It switches the login policy so that only listed accounts may log in, and then adds the specified accounts to the list of permitted accounts:
[root@ylclsrv001 ~]# realm permit [email protected] [email protected]
07- To permit only one Active Directory group to log on, use the following command. In this example we allow the LinuxAdmins AD group to log on to the system:
[root@ylclsrv001 ~]# realm permit -g [email protected]
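Steps 04, 06 and 07 show that a freshly joined host reports login-policy: allow-realm-logins, meaning every domain account can log in until realm permit is run. The following audit helper is an added example (not part of the original article): it parses the output of realm list and reports whether each joined realm still allows all domain users. The two samples are constructed to mirror the output format above; the group name LinuxAdmins@yallalabs.local and the login format are assumed values.

```shell
#!/bin/sh
# realm_login_audit reads `realm list` output on stdin (e.g. realm list | realm_login_audit).
# Exit status: 0 = every joined realm restricts logins, 1 = a joined realm still allows
# ANY domain account (login-policy: allow-realm-logins), 2 = host is not joined at all.
realm_login_audit() {
    awk '
    /^[^ \t]/                  { realm = $1; next }      # unindented line = realm name
    /^[ \t]+configured:/       { conf[realm] = $2 }
    /^[ \t]+login-policy:/     { pol[realm]  = $2 }
    /^[ \t]+permitted-logins:/ { sub(/^[ \t]+permitted-logins: */, ""); users[realm]  = $0 }
    /^[ \t]+permitted-groups:/ { sub(/^[ \t]+permitted-groups: */, ""); groups[realm] = $0 }
    END {
        rc = 2
        for (r in conf) {
            if (conf[r] == "no") continue          # discovered but not joined
            if (rc == 2) rc = 0
            if (pol[r] == "allow-realm-logins") {
                printf "%s: joined, but ANY domain account may log in (run realm permit)\n", r
                rc = 1
            } else if (pol[r] == "allow-permitted-logins") {
                printf "%s: joined, logins limited to users [%s] groups [%s]\n", r, users[r], groups[r]
            } else {
                printf "%s: joined, login-policy is %s\n", r, pol[r]
            }
        }
        exit rc
    }'
}

# Constructed sample: the host right after the join, before the policy is tightened.
SAMPLE_OPEN='YALLALABS.LOCAL
  type: kerberos
  domain-name: yallalabs.local
  configured: kerberos-member
  login-formats: %U@yallalabs.local
  login-policy: allow-realm-logins'

# Constructed sample: the same host after `realm permit -g LinuxAdmins@yallalabs.local`.
SAMPLE_RESTRICTED='YALLALABS.LOCAL
  type: kerberos
  configured: kerberos-member
  login-policy: allow-permitted-logins
  permitted-groups: LinuxAdmins@yallalabs.local'

printf '%s\n' "$SAMPLE_OPEN" | realm_login_audit || echo "audit exit status: $?"
printf '%s\n' "$SAMPLE_RESTRICTED" | realm_login_audit
```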
08- To give sudo permissions to an Active Directory group, in this example the LinuxAdmins AD group, run the visudo command and add the following line to sudoers:
# visudo
%[email protected] ALL=(ALL) ALL
09- To leave an Active Directory domain, use the following command:
# realm leave [email protected] yallalabs.local
– If you want to leave the domain and also delete the computer account, add the --remove option at the end of the command:
# realm leave [email protected] yallalabs.local --remove
Password for [email protected]:
Conclusion
You can also join CentOS 7 / RHEL 7 servers to Active Directory using Ansible; check out this article:
How to Join CentOS 7/ RHEL 7 Servers to Active Directory Domain using Ansible
We hope this tutorial was helpful. If you need more information, or have any questions, just comment below and we will be glad to assist you!
2 comments
Please post this article for Ubuntu 18.04 – thanks
A great post, thank you Lotfi! To add, it would be nice to configure the NTP client. The idea is that the NTP client synchronizes time with the domain controller (DC). Here is an interesting guide to check: https://www.sysadmit.com/2019/11/linux-anadir-equipo-al-dominio-windows.html