Joining CentOS 6.x / RHEL 7.x machines to Active Directory

This blog entry is more of a ‘recipe’ for those who, like me, have to join Linux VMs (CentOS 6.x and RHEL 7.x, in this case) to a Windows AD domain. Something I have no bloody idea about, being a Linux guy 🙂 But alas, I figured it out – see below for the how-tos!

RHEL 7.x

For RHEL 7.x, install the packages needed (after registering the system, enabling repos, etc. – I’m going to assume you’ve already done this).

yum -y install adcli sssd authconfig pam_krb5 samba4-common

Next, let’s authenticate against our domain. For reference, my domain is ‘ehertz.uk.local’ in this example:

authconfig --enablekrb5 --krb5kdc=ehertz.uk.local --krb5adminserver=ehertz.uk.local --krb5realm=EHERTZ.UK.LOCAL --enablesssd --enablesssdauth --update

Next, let’s see if we can get info from our domain and, if we can, join it!

adcli info EHERTZ.UK.LOCAL
adcli join EHERTZ.UK.LOCAL

Now, we’re going to edit /etc/sssd/sssd.conf and add the following to it:

[sssd]
domains = ehertz.uk.local
config_file_version = 2
services = nss, pam

[domain/ehertz.uk.local]
ad_domain = ehertz.uk.local
krb5_realm = EHERTZ.UK.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

Next, set the permissions appropriately:

chmod 600 /etc/sssd/sssd.conf

Restart the service to ensure it’s running:

service sssd restart

Ensure sssd starts on boot:

chkconfig sssd on

And finally, test! I added a user within my AD realm called ‘Backup’. To prove that user isn’t already on the system, I run the ‘users’ command first. You can now su into users within your AD realm, thus showing it is successfully joined to AD:

[[email protected] sam]# users
root sam
[[email protected] sam]# su - Backup
Last login: Tue Jan 24 08:23:33 GMT 2017 on pts/0
su: warning: cannot change directory to /home/ehertz.uk.local/backup: No such file or directory
-bash-4.2$ exit
logout
[[email protected] sam]# id Backup
uid=1285003335(backup) gid=1285003335(domain users) groups=1285003335(domain users)

CentOS 6.x

For CentOS 6.x, install the packages needed after enabling the EPEL repos (again, I’m going to assume you’ve already done this).

yum -y install adcli sssd authconfig pam_krb5 samba4-common

Next, let’s authenticate against our domain. For reference, my domain is ‘ehertz.uk.local’ in this example:

authconfig --enablekrb5 --krb5kdc=ehertz.uk.local --krb5adminserver=ehertz.uk.local --krb5realm=EHERTZ.UK.LOCAL --enablesssd --enablesssdauth --update

Next, let’s see if we can get info from our domain and, if we can, join it!

adcli info EHERTZ.UK.LOCAL
adcli join EHERTZ.UK.LOCAL

Now, we’re going to edit /etc/sssd/sssd.conf and add the following to it:

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = EHERTZ.UK.LOCAL

[domain/EHERTZ.UK.LOCAL]
id_provider = ad
# Uncomment if service discovery is not working
#ad_server = win2012.ehertz.uk.local

Next, set the permissions appropriately:

chmod 600 /etc/sssd/sssd.conf

Restart the service to ensure it’s running:

service sssd restart

Ensure sssd starts on boot:

chkconfig sssd on

And finally, test! I added a user within my AD realm called ‘Backup’. To prove that user isn’t already on the system, I run the ‘users’ command first. You can now su into users within your AD realm, thus showing it is successfully joined to AD:

[[email protected] sam]# users
root sam
[[email protected] sam]# su - Backup
Last login: Tue Jan 24 08:23:33 GMT 2017 on pts/0
su: warning: cannot change directory to /home/ehertz.uk.local/backup: No such file or directory
-bash-4.2$ exit
logout
[[email protected] sam]# id Backup
uid=1285003335(backup) gid=1285003335(domain users) groups=1285003335(domain users)
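Both the RHEL 7.x and the CentOS 6.x sections above end with editing /etc/sssd/sssd.conf, locking it down with chmod 600 and restarting sssd. A pasted duplicate section header, a domain listed under [sssd] with no matching [domain/...] block, or a forgotten access_provider (sssd defaults to permit, so every account it can resolve may log in regardless of its AD status) are easy to miss until the restart fails or the wrong people can log in. The script below is an added example, not part of the original post: it checks a config file for those problems and for the 600 mode before you restart the service. It assumes GNU stat and a POSIX awk (both present on RHEL/CentOS); the two sample files it builds (make_sample) are constructed for the demo, and dc01.example.test is a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an sssd.conf
# before restarting sssd. Assumes GNU stat (RHEL/CentOS) and a POSIX awk.

# conf_normalise FILE: print "section<TAB>key<TAB>value" lines; section
# headers become "SECTION<TAB>name"; comments and blank lines are dropped.
conf_normalise() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            sec = substr($0, index($0, "[") + 1)
            sec = substr(sec, 1, index(sec, "]") - 1)
            print "SECTION\t" sec
            next
        }
        index($0, "=") {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            print sec "\t" key "\t" val
        }' "$1"
}

# conf_get SECTION KEY: first value of KEY under [SECTION] in $NORM
conf_get() {
    printf '%s\n' "$NORM" | awk -F'\t' -v s="$1" -v k="$2" '$1 == s && $2 == k { print $3; exit }'
}

# check_sssd_conf FILE: print one line per finding; return 0 if clean, 1 otherwise
check_sssd_conf() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }

    # sssd refuses to start when the file is readable by group or others;
    # the post uses chmod 600, so anything else is flagged.
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f mode is $mode, expected 600"; rc=1; }

    NORM=$(conf_normalise "$f")

    # A pasted duplicate header silently splits one section into two.
    dups=$(printf '%s\n' "$NORM" | awk -F'\t' '$1 == "SECTION" { print $2 }' | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate section header(s): $dups"; rc=1; }

    domains=$(conf_get sssd domains)
    [ -n "$domains" ] || { echo "FAIL: [sssd] has no 'domains =' line"; rc=1; }

    for d in $(printf '%s' "$domains" | tr ',' ' '); do
        sec="domain/$d"
        if ! printf '%s\n' "$NORM" | awk -F'\t' -v s="$sec" '$1 == "SECTION" && $2 == s { found = 1 } END { exit !found }'; then
            echo "FAIL: domain '$d' is listed but there is no [$sec] section"
            rc=1
            continue
        fi
        [ -n "$(conf_get "$sec" id_provider)" ] || { echo "FAIL: [$sec] has no id_provider"; rc=1; }

        # Without access_provider sssd defaults to 'permit': every account it can
        # resolve may log in, whatever its AD status. 'ad' defers that decision to AD.
        acc=$(conf_get "$sec" access_provider)
        if [ -z "$acc" ] || [ "$acc" = "permit" ]; then
            echo "FAIL: [$sec] access_provider is '${acc:-unset, defaults to permit}'; set access_provider = ad"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample good|bad: write a constructed sssd.conf into a temp dir, print its path
make_sample() {
    out="$(mktemp -d)/sssd.conf"
    if [ "$1" = "good" ]; then
        cat >"$out" <<'EOF'
[sssd]
domains = ehertz.uk.local
config_file_version = 2
services = nss, pam

[domain/ehertz.uk.local]
ad_domain = ehertz.uk.local
krb5_realm = EHERTZ.UK.LOCAL
id_provider = ad
access_provider = ad
EOF
        chmod 600 "$out"
    else
        # Constructed "bad" file: duplicate [sssd], a domain with no section,
        # no access_provider, and a placeholder DC name.
        cat >"$out" <<'EOF'
[sssd]

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = EHERTZ.UK.LOCAL, example.test

[domain/EHERTZ.UK.LOCAL]
id_provider = ad
# ad_server = dc01.example.test
EOF
        chmod 644 "$out"
    fi
    printf '%s\n' "$out"
}

# Demo on the two constructed files; in real use: check_sssd_conf /etc/sssd/sssd.conf
for kind in good bad; do
    p=$(make_sample "$kind")
    if check_sssd_conf "$p"; then echo "$kind sample: OK"; else echo "$kind sample: problems found"; fi
done
```

Run it as root against the real file (check_sssd_conf /etc/sssd/sssd.conf) between the chmod 600 and the service restart; a non-zero exit means fix the findings first. The access_provider check is deliberately strict: with id_provider = ad but no access_provider, a disabled or expired AD account still resolves and can still log in on the Linux box.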
