This blog entry is more of a ‘recipe’ for those who, like me, have to join Linux VMs (CentOS 6.x and RHEL 7.x, in this case) to a Windows AD domain. Something I have no bloody idea about, being a Linux guy 🙂 But alas, I figured it out – see below for the how-tos!
RHEL 7.x
For RHEL 7.x, install the packages needed (after registering the system, enabling repos, etc. – I’m going to assume you’ve already done this).
```
yum -y install adcli sssd authconfig pam_krb5 samba4-common
```
Next, let’s authenticate against our domain. For reference, my domain is ‘ehertz.uk.local’ in this example:
```
authconfig --enablekrb5 --krb5kdc=ehertz.uk.local --krb5adminserver=ehertz.uk.local --krb5realm=EHERTZ.UK.LOCAL --enablesssd --enablesssdauth --update
```
Next, let’s see if we can get info from our domain and, if we can, join it:
```
adcli info EHERTZ.UK.LOCAL
adcli join EHERTZ.UK.LOCAL
```
Now, open /etc/sssd/sssd.conf and add the following to it:
```
[sssd]
domains = ehertz.uk.local
config_file_version = 2
services = nss, pam
[domain/ehertz.uk.local]
ad_domain = ehertz.uk.local
krb5_realm = EHERTZ.UK.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
```
Next, set the permissions appropriately:
```
chmod 600 /etc/sssd/sssd.conf
```
Restart the service to ensure it’s running:
```
service sssd restart
```
Ensure sssd starts on boot:
```
chkconfig sssd on
```
And finally, test! I added a user within my AD realm called ‘Backup’. To prove that user isn’t already on the system, I run the ‘users’ command first. You can now su into users within your AD realm, which shows the system is successfully joined to AD:
```
[root@rhel7 sam]# users
root sam
[root@rhel7 sam]# su - Backup
Last login: Tue Jan 24 08:23:33 GMT 2017 on pts/0
su: warning: cannot change directory to /home/ehertz.uk.local/backup: No such file or directory
-bash-4.2$ exit
logout
[root@rhel7 sam]# id Backup
uid=1285003335(backup) gid=1285003335(domain users) groups=1285003335(domain users)
```
CentOS 6.x
For CentOS 6.x, install the packages needed after enabling the EPEL repos (again, I’m going to assume you’ve already done this).
```
yum -y install adcli sssd authconfig pam_krb5 samba4-common
```
Next, let’s authenticate against our domain. For reference, my domain is ‘ehertz.uk.local’ in this example:
```
authconfig --enablekrb5 --krb5kdc=ehertz.uk.local --krb5adminserver=ehertz.uk.local --krb5realm=EHERTZ.UK.LOCAL --enablesssd --enablesssdauth --update
```
Next, let’s see if we can get info from our domain and, if we can, join it:
```
adcli info EHERTZ.UK.LOCAL
adcli join EHERTZ.UK.LOCAL
```
Now, open /etc/sssd/sssd.conf and add the following to it:
```
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = EHERTZ.UK.LOCAL
[domain/EHERTZ.UK.LOCAL]
id_provider = ad
# Uncomment if service discovery is not working
# ad_server = win2012.ehertz.uk.local
```
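Both sssd.conf snippets above (the RHEL 7 one and this CentOS 6 one) share two quiet failure modes: sssd will not start if the file is readable by anyone other than root, and the names listed under `domains =` have to match the `[domain/NAME]` section headers exactly, otherwise that domain is never loaded and AD users simply do not resolve. The following is an added example, not code from the original post: a small POSIX shell pre-flight check you can run before `service sssd restart`. The function names (`check_sssd_conf` and friends) are my own, the two config files it exercises are constructed for the demo, and it assumes GNU `stat -c` as found on RHEL and CentOS.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks for
# /etc/sssd/sssd.conf before restarting sssd. Helper names are hypothetical;
# the sample configs written below are constructed for this demo.

# check_sssd_conf_perms FILE: succeed only if the mode is exactly 0600.
# sssd refuses to start when the file is group- or world-readable.
check_sssd_conf_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# sssd_configured_domains FILE: print each name from "domains =" in [sssd].
sssd_configured_domains() {
    awk -F= '
        /^\[sssd\]/ { in_sssd = 1; next }
        /^\[/       { in_sssd = 0 }
        in_sssd && $1 ~ /^[ \t]*domains[ \t]*$/ {
            gsub(/[ \t]/, "", $2)
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }' "$1"
}

# sssd_domain_sections FILE: print NAME for every "[domain/NAME]" header.
sssd_domain_sections() {
    sed -n 's/^\[domain\/\([^]]*\)\].*/\1/p' "$1"
}

# check_sssd_domains FILE: every configured domain needs a matching section
# (exact, case-sensitive match); a section that is not listed is dead config.
check_sssd_domains() {
    file=$1
    status=0
    for d in $(sssd_configured_domains "$file"); do
        if ! sssd_domain_sections "$file" | grep -qx -- "$d"; then
            echo "ERROR: domains lists '$d' but there is no [domain/$d] section" >&2
            status=1
        fi
    done
    for s in $(sssd_domain_sections "$file"); do
        if ! sssd_configured_domains "$file" | grep -qx -- "$s"; then
            echo "WARNING: [domain/$s] exists but is not listed in domains=" >&2
        fi
    done
    return $status
}

# check_duplicate_sections FILE: a header that appears twice is almost
# always a paste error.
check_duplicate_sections() {
    dups=$(grep '^\[' "$1" | sort | uniq -d)
    [ -z "$dups" ] || { echo "ERROR: duplicated section header(s): $dups" >&2; return 1; }
}

# check_sssd_conf FILE: run all checks; non-zero if any ERROR was raised.
check_sssd_conf() {
    rc=0
    check_sssd_conf_perms "$1" || { echo "ERROR: $1 must be mode 0600" >&2; rc=1; }
    check_duplicate_sections "$1" || rc=1
    check_sssd_domains "$1" || rc=1
    return $rc
}

# Demo on two constructed files in a temp dir. On a real host run:
#   check_sssd_conf /etc/sssd/sssd.conf
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
[sssd]
domains = EHERTZ.UK.LOCAL
config_file_version = 2
services = nss, pam
[domain/EHERTZ.UK.LOCAL]
id_provider = ad
EOF
chmod 600 "$demo_dir/good.conf"

# Duplicated [sssd] header, case mismatch between domains= and the section
# header, and 0644 permissions: three separate ways the join "works" but
# AD users never resolve (or sssd never starts).
cat > "$demo_dir/bad.conf" <<'EOF'
[sssd]
[sssd]
domains = ehertz.uk.local
[domain/EHERTZ.UK.LOCAL]
id_provider = ad
EOF
chmod 644 "$demo_dir/bad.conf"

if check_sssd_conf "$demo_dir/good.conf"; then echo "good.conf: OK"; fi
if ! check_sssd_conf "$demo_dir/bad.conf"; then echo "bad.conf: rejected"; fi
```

The `su: warning: cannot change directory` line in the test output further down is the other thing worth knowing about: sssd resolves the user but does not create `/home/ehertz.uk.local/backup`, so unless home directories are pre-provisioned, enabling `pam_mkhomedir` (`authconfig --enablemkhomedir`) is the usual companion step to the recipe above.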
Next, set the permissions appropriately:
```
chmod 600 /etc/sssd/sssd.conf
```
Restart the service to ensure it’s running:
```
service sssd restart
```
Ensure sssd starts on boot:
```
chkconfig sssd on
```
And finally, test! I added a user within my AD realm called ‘Backup’. To prove that user isn’t already on the system, I run the ‘users’ command first. You can now su into users within your AD realm, which shows the system is successfully joined to AD:
```
[root@centos6 sam]# users
root sam
[root@centos6 sam]# su - Backup
Last login: Tue Jan 24 08:23:33 GMT 2017 on pts/0
su: warning: cannot change directory to /home/ehertz.uk.local/backup: No such file or directory
-bash-4.2$ exit
logout
[root@centos6 sam]# id Backup
uid=1285003335(backup) gid=1285003335(domain users) groups=1285003335(domain users)
```