When I’m lucky enough to be setting up a pure Linux domain Red Hat Identity Manager (idM) or even FreeIPA is my first choice for a unified authentication service every time. More often though I’m asked to bring Linux machines onto a pre-existing Windows Domain which, of course means integrating with Microsoft Active Directory. Doing this used to be much more difficult and involved hand configuration of config files but now, thanks to realmd, it couldn’t be easier.
First, you’re going to need some packages:
# yum -y install
realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
Next, configure the host to be joined to AD so that it can resolve the hostname of the AD server. Generally this is as easy as pointing the host to be joined to a DNS server that knows about the AD server. For example, let’s say we’re joining rhel7.example.com to the domain hosted by dc1.example.com. A DNS server for example.com lives at 192.168.1.10. Edit rhel7.example.com’s /etc/resolve.conf to look like this:
search example.com nameserver 192.168.1.10
Now, try to ping dc1.example.com by hostname. If it’s configured to return ICMP requests, you should get a successful ping.
Enable and start the realmd:
# systemctl enable --now realmd
And attempt to discover a directory services service on the network:
# realm discover example.com
You can also get a lot of information about the AD server courtesy of adcli:
# adcli info example.com
Now, join rhel7.example.com to the domain with
realm join. Note, this will command will prompt for the domain administrator’s password, also known as Administrator on the AD server itself. It is a pretty common security practice to disable this account and create one or more accounts with domain admin privileges. If this is the situation you find yourself in, give the -U switch to
realm join and specify the username required to join hosts to the domain.
# realm join example.com
# realm join -U <domain_admin_username> example.com
After a short pause while negotiations occur the prompt will return and your host will be joined to the AD domain. You can verify this with the
# id <some_domain_username>
As an addition verification step you can attempt to ssh to the host using the AD server as the authentication source:
# ssh <some_domain_username>@localhost.example.com
Finally, you can log out of rhel7.example.com and attempt to log back in as a domain user. Note: you’ll need to specify the username as:
email@example.com for now. We’ll fix this in the next step.
If you’re on a single domain system it’s relatively trivial to allow domain users to login to rhel7.example.com with username only by editing the sssd.conf file. Open
/etc/sssd/sssd.conf in a text editor and look for the line:
and change True to False. Then restart sssd:
systemctl restart sssd
Now logout and attempt to log back in as simply username, rather than firstname.lastname@example.org.
A word of caution: example.com is used in this how-to for demonstration purposes only. Don’t actually use example.com in a test environment that touches the internet. It’s taken. If you try to use example.com you’re going to have a bad time!