Join a RHEL7/CentOS7 host to Microsoft Active Directory Domain

When I’m lucky enough to be setting up a pure Linux domain, Red Hat Identity Management (IdM), or upstream FreeIPA, is my first choice for a unified authentication service every time. More often, though, I’m asked to bring Linux machines onto a pre-existing Windows domain, which of course means integrating with Microsoft Active Directory. This used to be much more difficult and meant hand-editing krb5.conf, sssd.conf, nsswitch.conf and the PAM stack, but now, thanks to realmd, it couldn’t be easier.

First, you’re going to need some packages:

# yum -y install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

Next, make sure the host to be joined can resolve the names of the domain and its domain controllers. Generally this is as easy as pointing it at a DNS server that holds the AD zone, which in practice means the domain controllers themselves: realmd, adcli and Kerberos locate the DCs through the domain’s SRV records (_ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>), so a resolver that only knows a DC’s A record is not enough. Edit /etc/resolv.conf so that its nameserver line points at the AD DNS server.

Now, try to ping the AD server by hostname. If it’s configured to respond to ICMP echo requests you should get a reply; if ICMP is filtered, resolving the domain name with host or dig is the better test. Either way, the name must resolve before you go any further.

Enable and start realmd:

# systemctl enable --now realmd

And attempt to discover a directory service on the network (you can also pass the domain name explicitly):

# realm discover

You can also get a lot of information about the AD server courtesy of adcli, which reports the domain controller it picked, that controller’s AD site and whether it is usable; pass the domain name as the argument:

# adcli info

Now, join the domain with realm join. Note that this command will prompt for the password of the domain’s Administrator account, the built-in administrator on the AD side. It is common (and good) practice to disable that account and use separate named accounts instead. Joining does not actually require Domain Admin rights: any account that has been delegated permission to create computer objects in the target OU will do, and a dedicated least-privilege join account is what you want in production, since its password is typed on every host you enrol. If this is the situation you find yourself in, give the -U switch to realm join and specify the account that is allowed to join hosts to the domain.

# realm join


# realm join -U <domain_admin_username>

After a short pause while realmd negotiates with a domain controller (creating the computer account, writing /etc/krb5.keytab and configuring sssd and PAM for you) the prompt will return and your host will be joined to the AD domain. realm list now shows the domain with configured: kerberos-member. Note that realmd permits every domain user to log in by default; on a host that should only be reachable by a specific group, run realm deny --all followed by realm permit -g <group>. You can verify that lookups work with the id command:

# id <some_domain_username>

As an additional verification step you can ssh to the host as a domain user, which exercises PAM and sssd together rather than just the NSS lookup that id performs (oddjob-mkhomedir creates the home directory on first login):

# ssh <some_domain_username>@<hostname>

Finally, you can log out and attempt to log back in as a domain user. Note: for now you’ll need to specify the username in fully qualified form, username@local.lan. We’ll fix this in the next step.
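The whole procedure above as one script, with the pre-flight checks and post-join verification I would want before and after realm join. This is an added example, not code from the original post or from the realmd project; the domain example.com, the DNS server address 192.0.2.10, the delegated join account linux-join and the sample realm discover output embedded in it are all hypothetical. The live commands only run when the script is invoked with --run; the parsers work on the constructed sample so the script can be exercised offline.

```bash
#!/bin/bash
# Added example, not code from the original post: the join procedure as one
# script, with the pre-flight checks and post-join verification a practitioner wants.
# Hypothetical values: domain example.com, AD DNS server 192.0.2.10 and a delegated
# join account 'linux-join' that may only create computer objects in its OU.
set -u

DOMAIN="${DOMAIN:-example.com}"        # assumed AD domain
AD_DNS="${AD_DNS:-192.0.2.10}"         # assumed AD DNS server (documentation address)
JOIN_USER="${JOIN_USER:-linux-join}"   # assumed delegated join account, not Administrator

# Constructed sample of 'realm discover' output, used by the parsers below when
# no domain is reachable (the live commands only run with --run).
SAMPLE_DISCOVER='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools'

# SRV record every AD domain publishes for its domain controllers; realmd and
# Kerberos find the DCs through it, so it must resolve before the join.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# True only if 'realm discover' found an Active Directory realm.
discover_is_ad() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*server-software: active-directory$'
}

# Packages 'realm discover' says the join needs, one per line.
required_packages() {
    printf '%s\n' "$1" | awk '$1 == "required-package:" { print $2 }'
}

# Live pre-flight: the DC SRV record must resolve through the AD DNS server and
# the clock must be in sync (Kerberos rejects more than 5 minutes of skew).
preflight() {
    grep -q "^nameserver[[:space:]]*$AD_DNS" /etc/resolv.conf ||
        { echo "/etc/resolv.conf does not point at $AD_DNS" >&2; return 1; }
    dig +short SRV "$(dc_srv_name "$DOMAIN")" | grep -q . ||
        { echo "no DC SRV record for $DOMAIN, check DNS" >&2; return 1; }
    chronyc tracking >/dev/null 2>&1 ||
        { echo "chronyd not running, fix time sync before joining" >&2; return 1; }
}

# Live join: discover, install what realmd asks for, join with the delegated
# account (prompts for its password), then verify from three angles.
join_domain() {
    local out
    out="$(realm discover "$DOMAIN")" || return 1
    discover_is_ad "$out" || { echo "$DOMAIN is not an AD realm" >&2; return 1; }
    # shellcheck disable=SC2046
    yum -y install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation \
        $(required_packages "$out")
    systemctl enable --now realmd
    realm join -U "$JOIN_USER" "$DOMAIN"
    realm list                                 # shows 'configured: kerberos-member'
    klist -k -e /etc/krb5.keytab               # host/<fqdn>@REALM keys written by the join
    id "$JOIN_USER@$DOMAIN"                    # NSS lookup through sssd
}

if [ "${1:-}" = "--run" ]; then
    preflight && join_domain
fi
```

Run it as root with DOMAIN, AD_DNS and JOIN_USER set for your environment and --run as the argument; the SRV and time checks catch the two failures that otherwise surface as opaque Kerberos errors halfway through the join.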

If you’re on a single-domain system it’s relatively trivial to allow domain users to log in with the bare username by editing sssd.conf. Open /etc/sssd/sssd.conf in a text editor and, in the domain section realmd created, look for the line:


and change True to False. Don’t flip this on a host that belongs to more than one domain, since short names then become ambiguous. Then restart sssd so it rereads the file:

# systemctl restart sssd

Now log out and attempt to log back in as simply username, without the domain suffix.
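Hand-editing sssd.conf is fine for one host, but a sed over the whole file will happily rewrite every domain section. The script below, an added example that is not part of the original post, scopes the change to one [domain/...] section, keeps the file root-only (sssd refuses to start if sssd.conf is readable by anyone else) and restarts and flushes sssd afterwards. The constructed sssd.conf it writes for testing mirrors what realmd generates; the domains example.com and corp.example.net are hypothetical, and the second one is there only to show that the edit does not leak into other sections.

```bash
#!/bin/bash
# Added example, not code from the original post: a scoped editor for the
# use_fully_qualified_names switch that only touches the one [domain/...] section
# and keeps sssd.conf root-only. Hypothetical domains: example.com (the one we
# change) and corp.example.net (present only to prove the edit stays scoped).
set -u

# Constructed sssd.conf in the shape realmd writes after 'realm join', plus a
# second domain section. Written to FILE ($1) for offline testing.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.com, corp.example.net
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[domain/corp.example.net]
ad_domain = corp.example.net
id_provider = ad
use_fully_qualified_names = True
EOF
}

# Print the value of KEY in [domain/DOMAIN] of FILE (empty if absent).
# Usage: get_sssd_option FILE DOMAIN KEY
get_sssd_option() {
    awk -v sec="[domain/$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec) }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Set KEY = VALUE in [domain/DOMAIN] of FILE: replace the line if the key exists
# in that section, otherwise append it to the end of that section.
# Usage: set_sssd_option FILE DOMAIN KEY VALUE
set_sssd_option() {
    local file="$1" tmp
    tmp="$(mktemp)" || return 1
    awk -v sec="[domain/$2]" -v key="$3" -v val="$4" '
        function emit_if_missing() { if (insec && !done) { print key " = " val; done = 1 } }
        /^\[/ { emit_if_missing(); insec = ($0 == sec) }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" { print key " = " val; done = 1; next }
        { print }
        END { emit_if_missing() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps owner and mode
    rm -f "$tmp"
    chmod 0600 "$file"                            # sssd requires root-only sssd.conf
}

# True if FILE has the 0600 mode sssd insists on.
sssd_conf_mode_ok() {
    [ -n "$(find "$1" -perm 0600 -print)" ]
}

# Live change for a single-domain host: back up, switch to short names, then
# restart sssd and flush its cache so stale entries do not linger.
apply_short_names() {
    local domain="$1" conf=/etc/sssd/sssd.conf
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_sssd_option "$conf" "$domain" use_fully_qualified_names False
    systemctl restart sssd
    sss_cache -E
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_short_names "$2"
fi
```

Invoke it as root with --apply and the domain name to change a real host. The realmd default fallback_homedir = /home/%u@%d is left alone on purpose: %u is the short login name and %d the domain, so home directories created before the switch stay at the same path afterwards.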

A word of caution: the domain name used in this how-to is for demonstration purposes only. Don’t actually use it in a test environment that touches the internet: it’s taken, and if you try to use it you’re going to have a bad time! Use a subdomain of a domain you actually own instead.


