Microsoft has its Identity Management suite to build around the Active Directory, and Red Hat has its identity management directory server. In this article I will share the steps to add Linux to Windows Active Directory Domain. This article was written while using CentOS 7, so it is safe to say that it also fully covers RHEL 7, Fedora, Oracle Enterprise Linux and generally the whole Red Hat family of operating systems and possibly Novell’s SLES and OpenSUSE.

Steps to Add Linux to Windows AD Domain - Realm & Adcli (CentOS / RHEL 7)

 

An overview of the lab environment

For demonstrations in this article to add Linux to Windows AD Domain on CentOS 7, we will use two virtual machines running in an Oracle VirtualBox virtualization environment.

We have a Microsoft Server 2012R2 Active Directory Domain Controller with the IP address 192.168.0.105 and the CentOS 7.4 host with the IP address 192.168.0.106. In this article I will only cover the part to add Linux to Windows AD Domain on the client side. So this article requires a pre-configured Windows Active Directory.

 

Preparing to add Linux to Windows AD Domain on CentOS/RHEL 7

IMPORTANT NOTE: 
Before we join the AD domain, we need to ensure that time synchronisation and DNS are set up, since Kerberos authentication fails when the client clock drifts too far from the domain controller's.

Make sure the RHEL machine is able to resolve the Active Directory servers, so update /etc/resolv.conf on the RHEL / CentOS 7 client host:

[root@adcli-client ~]# cat /etc/resolv.conf
search golinuxcloud.com
nameserver 192.168.0.105
[root@adcli-client ~]# nslookup golinuxcloud.com
Server:         192.168.0.105
Address:        192.168.0.105#53

Name:   golinuxcloud.com
Address: 192.168.0.105
Name:   golinuxcloud.com
Address: 10.0.2.13

For minimal install servers, you also need to install the krb5-workstation package, which provides the klist command. Install the adcli package along with sssd:

Here,

  • sssd: The System Security Services daemon can be used to divert client authentication as required
  • adcli: These are the tools for joining and managing AD domains
NOTE: 
On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the provided rpm and its dependencies.
[root@adcli-client ~]# yum install adcli sssd authconfig realmd krb5-workstation

 

Using realm to add Linux to Windows AD Domain

With all the packages installed, we can use the realm command to add Linux to Windows AD Domain and manage our enrolments. This command is part of the realmd package that we added.

We can use the list subcommand to ensure that we are not currently part of a domain:

[root@realm-client ~]# realm list

The output should be blank.

Now, we are ready to proceed with the next step i.e. to add Linux to Windows AD Domain. With a simple environment, you will know the domain that you want to join; at least we certainly hope that you do. In our case, we do know it and this is golinuxcloud.com.

Using the discover subcommand, we can verify that we have all the required packages installed, as shown in the following command extract:

[root@realm-client ~]# realm discover golinuxcloud.com
GOLINUXCLOUD.COM
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: GOLINUXCLOUD.COM
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
golinuxcloud.com
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: golinuxcloud.com
  configured: no

As this is a Kerberos domain type, the join subcommand will join the server to the domain as a member server and initialize the /etc/krb5.keytab Kerberos keytab file and the /etc/krb5.conf configuration file.

To add Linux to Windows AD domain, add the computer to the default folder in the AD domain using the following command:

[root@realm-client ~]# realm join --user=Administrator golinuxcloud.com
Password for Administrator:

Should you want to add it to a designated Organizational Unit within the Active Directory, you will first need to create the OU, or at least ensure that it exists. With the OU being present, the command will be similar to the following, where we add to the Linux OU:

# realm join --computer-ou="OU=Linux" --user=Administrator golinuxcloud.com

This is the method we will use to add the RHEL server to a path:

OU=Linux,DC=example,DC=com

With either of these methods, you will be prompted for the domain administrator’s password or the password of a user with delegated rights to add computers to the AD domain.

As a standard user, you can then list the domain you have joined using the realm list command again. We should note that the output at first may seem similar to the realm discover golinuxcloud.com command that we ran earlier; however, on closer examination, we will see that we are now a member server, as shown by configured: kerberos-member in the following command:

[root@realm-client ~]# realm list
GOLINUXCLOUD.COM
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: golinuxcloud.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@golinuxcloud.com
  login-policy: allow-realm-logins

Here we can see from the resulting information that we require the sssd package among others.

 

Using adcli to add Linux to Windows AD Domain

We are not just restricted to consuming these domain accounts; we also have a level of management of Active Directory from the command line of our Linux servers. With the correct privileges in Active Directory, we can:

  • Create users and groups
  • Modify group memberships
  • Delete users and groups

If you are a Linux administrator and work mainly on Linux, it does make sense for you to add Active Directory users to groups that you use for delegation on Linux. For example, you can maintain an Active Directory group called LinuxAdmins and delegate rights via the /etc/sudoers file to this group. It’s quite correct that you maintain and control the AD group and not necessarily the Domain Admins group in the AD.

 

Listing the Active Directory information

To begin with the adcli command, we will take a look at the info subcommand. This can display details on domains and the domain controllers that are discovered. We can run this command as a standard user, as shown in the following command:

[root@adcli-client ~]# adcli info golinuxcloud.com
[domain]
domain-name = golinuxcloud.com
domain-controller = win-f7k3tl1gh98.golinuxcloud.com
domain-controller-usable = maybe
domain-controllers = win-f7k3tl1gh98.golinuxcloud.com
[computer]

 

Join Windows AD using adcli

You can run adcli join <domain_name> to add Linux to the Windows AD Domain:

[root@adcli-client ~]# adcli join golinuxcloud.com
Password for Administrator@GOLINUXCLOUD.COM:

 

Creating Active Directory users

This command is probably not one of the most useful tools, given that we can create the user but can't enable the account or set the password for the new user. In this way, the command is less useful than some of the other tools within adcli. A sample command is as follows:

[root@adcli-client ~]# adcli create-user deepak --domain=golinuxcloud.com --display-name="Deepak Prasad"
Password for Administrator@GOLINUXCLOUD.COM:

This command will try to log on to a domain as an administrator and will prompt for the password. To log on as a different user, you may make use of the -U or --login-user option.

Now we will try to log in as the domain user to check that the login works.

[root@adcli-client ~]# su - deepak
Last login: Fri May 31 16:58:35 IST 2019 from 10.0.2.31 on pts/1
[deepak@adcli-client ~]$ logout

[root@adcli-client ~]# id deepak
uid=1000(deepak) gid=1001(techteam) groups=1001(techteam),1407600513(domain users)

For completeness, we cover the create user command, but in reality, the user will still need to be enabled and have the password set in the Active Directory.

To delete the account we just created, we will use the following command:

[root@adcli-client ~]# adcli delete-user --domain=golinuxcloud.com deepak
Password for Administrator@GOLINUXCLOUD.COM:

 

Configuring Kerberos

The join operation creates a keytab that the machine will authenticate with. When inspected with klist -kt, it should show several entries that contain the client hostname in some form:

[root@adcli-client ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (des-cbc-md5)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:35 host/adcli-client@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:35 host/adcli-client@GOLINUXCLOUD.COM (des-cbc-md5)
   2 07/05/2019 08:35:35 host/adcli-client@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:36 host/adcli-client@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 host/adcli-client@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (des-cbc-md5)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (des-cbc-md5)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client.example.com@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client.example.com@GOLINUXCLOUD.COM (des-cbc-md5)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client.example.com@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client.example.com@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client.example.com@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
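To turn the manual inspection above into a repeatable check, here is an added example that is not part of the original article: a POSIX shell audit of a klist -kte listing that confirms the machine account and host/ principals carry AES keys and counts the legacy DES/RC4 keys. The listing embedded in it is constructed sample data in the shape of the output above; the hostname and realm are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: audit a `klist -kte` listing for
# the principals a domain join should have created and for legacy DES/RC4 keys.
# SAMPLE_KEYTAB is constructed sample data in the shape of the article's output;
# on a real host pipe in `klist -kte` instead.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (des-cbc-crc)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (arcfour-hmac)
   2 07/05/2019 08:35:35 adcli-client$@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:35 host/adcli-client@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 host/adcli-client.example.com@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 07/05/2019 08:35:36 RestrictedKrbHost/adcli-client@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)'

# Print "principal enctype" pairs from a klist -kte listing on stdin,
# keeping only the entry lines (those whose first field is a KVNO number).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $4, $5 }'
}

# Print how many entries use a legacy DES or RC4 (arcfour) enctype.
weak_key_count() {
    keytab_entries | awk '$2 ~ /^(des-|arcfour-)/ { n++ } END { print n + 0 }'
}

# Exit 0 when the machine account ($1$) and the host/$1 principal in realm $2
# both have at least one AES key, i.e. the join produced usable modern keys.
has_aes_host_keys() {
    keytab_entries | awk -v h="$1" -v r="$2" '
        $2 ~ /^aes/ && $1 == (h "$@" r)        { acct = 1 }
        $2 ~ /^aes/ && $1 == ("host/" h "@" r) { host = 1 }
        END { exit !(acct && host) }'
}

# Usage: keytab_report <short-hostname> <REALM>, with the listing on stdin.
keytab_report() {
    listing=$(cat)
    if printf '%s\n' "$listing" | has_aes_host_keys "$1" "$2"; then
        echo "ok: AES keys present for $1\$ and host/$1 in $2"
    else
        echo "MISSING: no AES keys for $1\$ and/or host/$1 in $2"
    fi
    echo "legacy DES/RC4 keys in keytab: $(printf '%s\n' "$listing" | weak_key_count)"
}

printf '%s\n' "$SAMPLE_KEYTAB" | keytab_report adcli-client GOLINUXCLOUD.COM
```

A non-zero legacy count shows DES/RC4 keys were provisioned for the machine account; whether that is acceptable depends on the domain's supported encryption type policy.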

When you join a domain using realm, the /etc/krb5.keytab keytab file is created to authenticate the RHEL system to the domain, alongside the /etc/krb5.conf configuration file. Below is my sample krb5.conf:

[root@adcli-client ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GOLINUXCLOUD.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GOLINUXCLOUD.COM = {
  kdc = kerberos.golinuxcloud.com:88
  admin_server = kerberos.golinuxcloud.com:749
  default_domain = golinuxcloud.com
 }


[domain_realm]
 .example.com = GOLINUXCLOUD.COM
 example.com = GOLINUXCLOUD.COM

[kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                hosts = kerberos.golinuxcloud.com
                max_timeout = 30
                timeout_shift = 2
                initial_timeout = 1
        }

 

Understanding Active Directory as an identity provider for sssd

The System Security Services Daemon (sssd) provides a set of daemons to manage access to remote directories and authentication mechanisms, in our case the Active Directory. The sssd service provides the NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces for our system, a modular backend system to connect to multiple different account sources, and a D-Bus interface as well.

 

Configuring NSS and PAM

The NSS configuration file determines the sources from which you can obtain the name service information and its order from a range of categories. Each category of information is identified by a resource database name; this can be hosts for name resolution and passwd for a database to locate user accounts.

Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (password-auth and system-auth):

[root@adcli-client ~]# authconfig --enablesssd --enablesssdauth --update

The above command will modify and add the necessary entries in the /etc/nsswitch.conf, /etc/pam.d/password-auth and /etc/pam.d/system-auth files.

 

Configuring SSSD

The final step to add Linux to Windows AD Domain is to configure the SSSD itself. The configuration for sssd can be found in the /etc/sssd/sssd.conf file.

NOTE: 
If the /etc/sssd/sssd.conf file is not there, create it manually.
[root@adcli-client ~]# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = GOLINUXCLOUD.COM

[domain/GOLINUXCLOUD.COM]
id_provider = ad
# Uncomment and configure below , if service discovery is not working
# ad_server = server.win.golinuxcloud.com

Make sure /etc/sssd/sssd.conf is owned by root:root and its permissions are 600; sssd checks this and will not start if the file is more permissive.

[root@adcli-client ~]# chown root:root /etc/sssd/sssd.conf
[root@adcli-client ~]# chmod 600 /etc/sssd/sssd.conf

[root@adcli-client ~]# ls -l /etc/sssd/sssd.conf
-rw------- 1 root root 248 Jul  4 20:09 /etc/sssd/sssd.conf

Start the SSSD and make sure it’s up after reboots:

[root@adcli-client ~]# systemctl start sssd

[root@adcli-client ~]# systemctl is-active sssd
active

[root@adcli-client ~]# systemctl enable sssd

Try to fetch user information for an AD user:

[root@adcli-client ~]# id Administrator
uid=1407600500(administrator) gid=1407600513(domain users) groups=1407600513(domain users),1407600572(denied rodc password replication group),1407600520(group policy creator owners),1407600518(schema admins),1407600519(enterprise admins),1407600512(domain admins)

and then try to log in as an AD user:

[root@adcli-client ~]# ssh Administrator@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:3RCFjBhKJLtOb78Jv+Yx2IPbwRT5P1hOGw9d08RlGzs.
ECDSA key fingerprint is MD5:b8:f9:09:06:91:48:de:a1:83:29:56:d5:94:3d:a6:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Administrator@localhost's password:
-sh-4.2$

Since Administrator is a Windows user, I do not have a proper shell, which is expected.
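As an added example that is not part of the original article, the checks of this section scripted in POSIX shell: whether realm list reports the host as a kerberos-member, and whether sssd.conf has the root:root/0600 ownership sssd requires, allowing for the SELinux label suffix that ls prints on CentOS. The realm list text inside is constructed sample output; the paths and realm name are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: the post-join checks the article
# performs by hand, as functions. SAMPLE_REALM_LIST is constructed sample output
# so the parser runs without a domain controller; paths and realm name are the
# article's.

SAMPLE_REALM_LIST='GOLINUXCLOUD.COM
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: golinuxcloud.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@golinuxcloud.com
  login-policy: allow-realm-logins'

# Exit 0 when the `realm list` output on stdin shows realm $1 joined as a member.
realm_is_member() {
    awk -v r="$1" '
        /^[^ ]/ { cur = $1 }    # an unindented line starts a new realm block
        cur == r && $1 == "configured:" && $2 == "kerberos-member" { ok = 1 }
        END { exit !ok }'
}

# Exit 0 when file $1 is mode 0600 and owned by $2 (owner:group). The trailing
# "." or "+" that ls prints for an SELinux label or an ACL is stripped first,
# so the check also works on a CentOS host with SELinux enabled.
conf_locked_down() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    mode=${mode%[.+]}
    owner=$(ls -ld "$1" | awk '{ print $3 ":" $4 }')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$2" ]
}

# Demonstrate on the sample listing; on a real host pipe in `realm list` instead.
if printf '%s\n' "$SAMPLE_REALM_LIST" | realm_is_member GOLINUXCLOUD.COM; then
    echo "realm: GOLINUXCLOUD.COM is configured as kerberos-member"
fi
if [ -e /etc/sssd/sssd.conf ]; then
    if conf_locked_down /etc/sssd/sssd.conf root:root; then
        echo "sssd.conf: root:root 0600 ok"
    else
        echo "sssd.conf: fix with chown root:root and chmod 600"
    fi
fi
```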

 

Leaving a domain

There will be occurrences where the Linux server needs to be removed from a domain. Often, this is the case where it is removed from one domain before being added to another. Should this be required, the realm command makes the process easy.

The additional option: --remove will ensure that the computer account is also deleted from the domain; otherwise, it should be deleted separately.

[root@realm-client ~]# realm leave golinuxcloud.com --remove
Password for Administrator:

 

Lastly, I hope the steps from this article to add Linux to Windows AD Domain using realm and adcli on RHEL/CentOS 7 were helpful. So, let me know your suggestions and feedback using the comment section.

 
