

CentOS 7 Join Active Directory

Domain name: example.com     Realm name: EXAMPLE.COM

Workgroup: EXAMPLE     Server IP address: xx.xx.xx.xx

Server name: linuxsvr01     Client name: linuxclnt01

Root password: ?Pa55w0rd!

Install the required packages

# yum -y install realmd sssd sssd-tools oddjob oddjob-mkhomedir adcli samba-common samba-common-tools

Discover the Active Directory domain

# realm discover example.com
Example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: Example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no

If your discovery output matches the above, you can now join the domain. Note that I have used the realm-name (all caps) rather than the domain-name; it may not be necessary, but I have found the join more likely to work this way.

# realm join -v -U user@EXAMPLE.COM EXAMPLE.COM
* Resolving: _ldap._tcp.example.com
* Performing LDAP DSE lookup on: xx.xx.xx.xx
* Performing LDAP DSE lookup on: xx.xx.xx.xx
* Successfully discovered: Example.com
Password for user@EXAMPLE.COM:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.TB0XVY -U user@EXAMPLE.COM ads join Example.com
Enter user@EXAMPLE.COM's password:DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- EXAMPLE
Joined 'linuxsvr01' to dns domain 'Example.com'
No DNS domain configured for linuxsvr01. Unable to perform DNS Update.
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.TB0XVY  -U john@EXAMPLE.COM ads keytab create
Enter user@EXAMPLE.COM's password:>
* /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

Leaving the domain is simple; issue the following command:

# realm leave -v -U user@EXAMPLE.COM EXAMPLE.COM

The following command shows the two important lines, "login-formats" and "login-policy": the first shows that a login of the form user@example.com is required, the second confirms that logins from the domain are allowed.

# realm list
Example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@example.com
  login-policy: allow-realm-logins

If you wish to log in with just your user name, without the FQDN, you must change two lines in /etc/sssd/sssd.conf as follows:

# vi /etc/sssd/sssd.conf
[sssd]
domains = Example.com
config_file_version = 2
services = nss, pam

[domain/Example.com]
ad_domain = Example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# changed from True to False so that a bare user name is accepted
use_fully_qualified_names = False
# the @%d suffix has been removed from the original /home/%u@%d
fallback_homedir = /home/%u
access_provider = ad

Restart sssd

# systemctl restart sssd

To add your AD administrators to sudoers you must first find the exact name of the administrators group, which you can do with the following:

# id user

This gives the uid, gid, groups and so on; in my case I belonged to the group "domain admins" (all in lower case). You can verify the group as follows; note that you must add a backslash where there is a space:

# getent group domain\ admins

This returns a list of everyone in that group. To grant the group sudo permissions, add the following at the end of the file that opens:

# visudo
%domain\ admins    ALL=(ALL:ALL) ALL
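As an added example (not part of the original page), a small POSIX shell script that checks the two steps above before you rely on them: that the sssd.conf edit for short names is consistent, that the account really is in the group you are about to grant sudo to, and that the group name is escaped the way visudo expects. The `id` output and the group names are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original page. Post-join sanity checks for
# the sssd.conf short-name edit and the AD-group sudoers rule above.

# Escape every space in an AD group name and emit the sudoers rule in the
# form visudo expects ("%domain\ admins    ALL=(ALL:ALL) ALL").
sudoers_rule() {
  group=$(printf '%s' "$1" | sed 's/ /\\ /g')
  printf '%%%s    ALL=(ALL:ALL) ALL\n' "$group"
}

# Return 0 if the `id` output in $1 lists a group named exactly $2.
# Every "1234(name)" entry is reduced to "(name)" and matched whole, so
# "domain admins" does not match a longer name that merely contains it.
id_has_group() {
  printf '%s\n' "$1" | grep -o '([^)]*)' | grep -qxF "($2)"
}

# Print the value of key $2 from the ini-style text in $1, trailing
# whitespace trimmed; prints nothing when the key is absent.
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//'
}

# Return 0 if the sssd.conf text in $1 is consistent with short logins:
# use_fully_qualified_names = False and a fallback_homedir without @%d
# (a left-over @%d would still create /home/user@domain directories).
sssd_short_names_ok() {
  fq=$(conf_value "$1" use_fully_qualified_names)
  home=$(conf_value "$1" fallback_homedir)
  case "$fq" in
    [Ff]alse) ;;
    *) return 1 ;;
  esac
  case "$home" in
    ""|*@%d*) return 1 ;;
  esac
  return 0
}

# Constructed sample `id` output standing in for `id user`; not real data.
SAMPLE_ID='uid=1234567890(john) gid=1234567890(domain users) groups=1234567890(domain users),1234567891(domain admins)'

# Only print a rule for a group the account is actually a member of.
if id_has_group "$SAMPLE_ID" 'domain admins'; then
  sudoers_rule 'domain admins'
fi
```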

To ensure that a home directory is created for each AD user at first login, a mkhomedir PAM session rule is needed. On CentOS 7 the join above already took care of this: the `authconfig --update --enablemkhomedir` step shown in the realm join output enables it through oddjob-mkhomedir. If it is missing, re-run that step:

# authconfig --update --enablemkhomedir

The equivalent on Debian 8 (where /etc/pam.d/common-session exists; CentOS 7 has no such file) is:

# echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session

All that is left is to log in with your AD user name and try something using sudo; you will be asked for your password, and that's it. If you came here from the Debian 8 page, go back there to continue.