Join a RHEL7/CentOS7 host to Microsoft Active Directory Domain

When I’m lucky enough to be setting up a pure Linux domain, Red Hat Identity Management (IdM) or even FreeIPA is my first choice for a unified authentication service every time. More often, though, I’m asked to bring Linux machines onto a pre-existing Windows domain, which of course means integrating with Microsoft Active Directory. This used to be much more difficult and involved hand-editing configuration files, but now, thanks to realmd, it couldn’t be easier.

First, you’re going to need some packages:

# yum -y install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

Next, configure the host to be joined to AD so that it can resolve the hostname of the AD server. Generally this is as easy as pointing the host to be joined at a DNS server that knows about the AD server. For example, let’s say we’re joining rhel7.example.com to the domain hosted by dc1.example.com, and a DNS server for example.com lives at 192.168.1.10. Edit rhel7.example.com’s /etc/resolv.conf to look like this:

search example.com
nameserver 192.168.1.10

Now, try to ping dc1.example.com by hostname. If it’s configured to respond to ICMP echo requests, you should get a successful ping.

Enable and start realmd:

# systemctl enable --now realmd

And attempt to discover a directory service on the network:

# realm discover example.com

You can also get a lot of information about the AD server courtesy of adcli:

# adcli info example.com

Now, join rhel7.example.com to the domain with realm join. Note that this command will prompt for the domain administrator’s password, i.e. the account known as Administrator on the AD server itself. It is a pretty common security practice to disable this account and create one or more accounts with domain admin privileges. If this is the situation you find yourself in, pass the -U switch to realm join with the username of an account that is permitted to join hosts to the domain.

# realm join example.com

or:

# realm join -U <domain_admin_username> example.com

After a short pause while the join is negotiated, the prompt will return and your host will be joined to the AD domain. You can verify this with the id command:

# id <some_domain_username>

As an additional verification step, you can attempt to ssh to the host using the AD server as the authentication source:

# ssh <some_domain_username>@localhost.example.com

Finally, you can log out of rhel7.example.com and attempt to log back in as a domain user. Note: for now you’ll need to specify the username as username@example.com. We’ll fix this in the next step.

If you’re on a single-domain system, it’s relatively trivial to allow domain users to log in to rhel7.example.com with the bare username by editing sssd.conf. Open /etc/sssd/sssd.conf in a text editor and look for the line:

use_fully_qualified_names=True

and change True to False. Then restart sssd:

# systemctl restart sssd

Now log out and attempt to log back in as simply username, rather than username@example.com.
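Two parts of the procedure above are easy to get subtly wrong: confirming that the join really completed (rather than trusting the returned prompt) and editing sssd.conf by hand. The following POSIX sh helpers are an added example, not code from the original post. They assume the `realm list` output format shown in the constructed sample below and that the sssd.conf key may be written either as `use_fully_qualified_names=True` (as the post shows) or, as realm join commonly writes it, with spaces around the `=`; the domain name example.com and the temporary file used in the demonstration are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the original post): helpers to verify an AD join
# from "realm list" output and to flip use_fully_qualified_names safely.
# The domain, file paths and sample output below are constructed for illustration.

# realm_joined_ok DOMAIN  (reads "realm list" output on stdin)
# Returns 0 only if DOMAIN appears as a configured kerberos-member whose
# login-policy allows realm logins; anything else (not listed, "configured: no",
# logins denied) returns 1.
realm_joined_ok() {
    domain="$1"
    awk -v want="$domain" '
        /^[^ ]/ { name = $1 }   # an unindented line starts a new realm block
        name == want && /configured: kerberos-member/     { configured = 1 }
        name == want && /login-policy: allow-realm-logins/ { logins = 1 }
        END { exit !(configured && logins) }
    '
}

# set_fqn FILE VALUE
# Rewrite use_fully_qualified_names in an sssd.conf to VALUE (True or False),
# matching the key whether or not it has spaces around "=". Refuses (exit 1)
# if the key is absent so a typo in the path or an unexpected config layout
# is noticed instead of silently changing nothing.
set_fqn() {
    conf="$1"; value="$2"
    if ! grep -q '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$conf"; then
        echo "set_fqn: use_fully_qualified_names not found in $conf" >&2
        return 1
    fi
    sed -i "s/^\([[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*\).*/\1$value/" "$conf"
    # sssd refuses to start if its config is readable by anyone but root.
    chmod 600 "$conf"
}

# Constructed sample of "realm list" output from a host joined to example.com
# (assumed format; on a real host run:  realm list | realm_joined_ok example.com).
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-realm-logins'

if printf '%s\n' "$SAMPLE_REALM_LIST" | realm_joined_ok example.com; then
    echo "example.com: joined, realm logins allowed"
else
    echo "example.com: not joined or logins denied" >&2
fi

# Demonstrate the config edit on a throwaway copy rather than the live file.
demo_conf=$(mktemp)
printf '[sssd]\ndomains = example.com\n\n[domain/example.com]\nuse_fully_qualified_names = True\n' > "$demo_conf"
set_fqn "$demo_conf" False && grep use_fully_qualified_names "$demo_conf"
rm -f "$demo_conf"
```

On the joined host, run `realm list | realm_joined_ok example.com` as root after the join returns, and `set_fqn /etc/sssd/sssd.conf False` followed by `systemctl restart sssd` in place of the manual edit. Keep the fully qualified form if the host will ever trust more than one domain, since bare usernames are only unambiguous within a single domain.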

A word of caution: example.com is used in this how-to for demonstration purposes only. Don’t actually use example.com in a test environment that touches the internet. It’s taken. If you try to use example.com you’re going to have a bad time!

Cheers!

DCD
