This is a brief demo of joining a CentOS/RHEL 6 or 7 server to Active Directory. I am using Ansible to automate these tasks, but we can break the work down to see what changes are occurring. One point I want to make is that this is not a fully fleshed-out solution.
adcli tool in order to add this server to the domain.

At this point, we are done. The host is now domain joined and will authenticate AD users on Linux! There are still some follow-up steps that should be done (easily automated as well), and we'll look at those here.
Below is what an admin would do manually. You will need to adjust the variables to match your environment, obviously.
1. Create the variables file and load it into the shell:

```bash
# quoted heredoc so that a $ in the password is not expanded
cat <<'EOF' >/root/advars.env
export adauth_domain=ISLAND.LOCAL
export adauth_server_ou="DC=ISLAND,DC=LOCAL"
export adauth_user="lxadjoin"
export adauth_pass="cya+SdhfWZBUze+q"
EOF
chmod 0600 /root/advars.env   # the file holds the join account's password
source /root/advars.env
set | grep '^adauth'
```
2. Install the required packages:

```bash
yum install -y epel-release \
  libselinux-python \
  adcli \
  oddjob \
  oddjob-mkhomedir \
  sssd-client \
  sssd-ad \
  sssd-krb5 \
  sssd-krb5-common \
  krb5-workstation
```
3. Join the server to the domain:

```bash
# the password goes in on stdin so it never appears in the process list
echo -n "${adauth_pass}" | \
  /usr/sbin/adcli join --stdin-password -O "${adauth_server_ou}" \
    -U "${adauth_user}" -D "${adauth_domain}" -H "$(hostname -f)" \
    --user-principal="host/$(hostname -f)@${adauth_domain^^}"

### back up the existing krb5.conf, then write the new one
cp /etc/krb5.conf{,.$(date +%s)}
cat <<EOF >/etc/krb5.conf
[libdefaults]
 default_realm = ${adauth_domain^^}
 default_keytab_name = /etc/krb5.keytab
 dns_lookup_kdc = true

[domain_realm]
 .${adauth_domain,,} = ${adauth_domain^^}
 ${adauth_domain,,} = ${adauth_domain^^}

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
EOF

### set permissions on /etc/krb5.conf
chmod 0644 /etc/krb5.conf
```
4. Configure SSSD:

```bash
cat <<EOF >/etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[ssh]

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh
dns_discovery_domain = ${adauth_domain,,}
domains = ${adauth_domain^^}
debug_level = 0x0150

[domain/${adauth_domain^^}]
debug_level = 0x0150
enumerate = false
cache_credentials = false
id_provider = ad
access_provider = ad
auth_provider = ad
krb5_realm = ${adauth_domain^^}
ad_domain = ${adauth_domain,,}
ad_hostname = $(hostname -f)
dyndns_refresh_interval = 14400
# disabled: GPO logon-right policies are not evaluated on this host
ad_gpo_access_control = disabled
ldap_id_mapping = true
ldap_schema = ad
override_homedir = /home/%u
default_shell = /bin/bash
ldap_user_shell = loginShell
ldap_user_ssh_public_key = altSecurityIdentities
EOF

### sssd refuses to start unless its config is root-owned and mode 0600
chmod 0600 /etc/sssd/sssd.conf
```
5. Configure the PAM modules:

```bash
authconfig --enablesssd --enablesssdauth \
  --disableldap --disableldapauth --disablekrb5 --enablemkhomedir --update
```

6. Enable the SSSD service and make sure it has started:

```bash
systemctl enable sssd
systemctl restart sssd
```

7. Enable the oddjobd service and make sure it has started:

```bash
systemctl enable oddjobd
systemctl restart oddjobd
```
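To make "test an AD account" concrete, here is a post-join health check. It is an added example, not code from the original post or its Ansible role; it assumes the variables from /root/advars.env have been sourced and that AD_TEST_USER (an assumed name) holds an AD account to look up.

```shell
#!/bin/bash
# Post-join health check (added example; not from the original post or its Ansible role).
# Assumes /root/advars.env from step 1 has been sourced and AD_TEST_USER names an
# AD account to look up (both are this example's assumptions).

# 0 if a `klist -kt` listing ($1) contains the host principal that step 3
# registered: host/<fqdn>@<REALM> ($2, $3).
keytab_has_host_principal() {
    listing=$1; fqdn=$2; realm=$3
    printf '%s\n' "$listing" | grep -qF "host/${fqdn}@${realm}"
}

# 0 if a `getent passwd` line ($1) looks like an SSSD-mapped AD user: seven
# colon-separated fields, a large ldap_id_mapping UID, and the home directory
# and shell that override_homedir / default_shell in sssd.conf force.
passwd_entry_ok() {
    line=$1
    [ "$(printf '%s\n' "$line" | awk -F: '{print NF}')" -eq 7 ] || return 1
    user=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    [ "$uid" -ge 1000 ] 2>/dev/null || return 1
    [ "$home" = "/home/$user" ] || return 1
    [ "$shell" = "/bin/bash" ]
}

# 0 if the sssd config ($1, default /etc/sssd/sssd.conf) is root-owned and
# mode 0600; sssd refuses to start otherwise.
sssd_conf_perms_ok() {
    [ "$(stat -c '%u:%a' "${1:-/etc/sssd/sssd.conf}" 2>/dev/null)" = "0:600" ]
}

# Live checks against this host; each failure names the step to revisit.
run_checks() {
    fqdn=$(hostname -f)
    realm=$(printf '%s' "$adauth_domain" | tr '[:lower:]' '[:upper:]')
    listing=$(klist -kt /etc/krb5.keytab 2>/dev/null) || { echo "no keytab (step 3)"; return 1; }
    keytab_has_host_principal "$listing" "$fqdn" "$realm" || { echo "host principal missing (step 3)"; return 1; }
    sssd_conf_perms_ok || { echo "sssd.conf ownership/mode wrong (step 4)"; return 1; }
    systemctl is-active --quiet sssd || { echo "sssd not running (step 6)"; return 1; }
    entry=$(getent passwd "$AD_TEST_USER") || { echo "AD lookup failed for $AD_TEST_USER"; return 1; }
    passwd_entry_ok "$entry" || { echo "unexpected passwd entry: $entry"; return 1; }
    echo "domain join looks healthy"
}

# Only run the live checks when invoked as: bash check-join.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as `bash check-join.sh run` after step 7; with no argument it only defines the functions.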
At this point the server should be joined to the domain. Test an AD account to validate. If you experience problems, try restarting the server and trying again. Some common troubleshooting issues: