Add Linux to Windows Domain using realm (CentOS/RHEL 7/8)



Microsoft builds its identity management suite around Active Directory, and Red Hat has its own identity management directory server. In this article I will share the steps to add a Linux host to a Windows Active Directory domain. The steps were validated by joining RHEL/CentOS 7 and 8 hosts to an Active Directory domain running on Windows Server 2012 R2.


1. Overview on realmd tool

realmd is a tool that configures network authentication and domain membership with very little effort. With RHEL/CentOS 7, realmd is fully supported and can be used to join IdM, AD, or Kerberos realms. Its main advantage is that a single command enrols the host in a domain and configures network authentication at the same time.

For example, realmd can easily configure:

  • PAM Stack
  • NSS Layer
  • Kerberos
  • SSSD
  • Winbind

 

The realmd system supports the following domain types:

  • Microsoft Active Directory
  • Red Hat Enterprise Linux Identity Management

 

The following domain clients are supported by realmd:

  • SSSD for both RHEL/CentOS Identity Management and Microsoft Active Directory
  • Winbind for Microsoft Active Directory

 

The following table lists the most used realm commands:

Command          Description
realm discover   Run a discovery scan for domains on the network.
realm join       Add the system to the specified domain.
realm leave      Remove the system from the specified domain.
realm list       List all configured domains for the system, or all discovered and configured domains.
realm permit     Allow the specified users, or all users of a configured domain, to log in to the local system.
realm deny       Deny the specified users, or all users of a configured domain, access to the local system.

 

2. Lab Environment

For the demonstrations in this article we use two virtual machines running in Oracle VirtualBox on my Linux server virtualization environment.

I have written another article with the steps to add Linux to Windows AD Domain on RHEL/CentOS 8 setup using Samba winbind.

We have a Windows Server 2012 R2 Active Directory domain controller with the IP address 192.168.0.107 and a CentOS 8 host with the IP address 192.168.0.117. This article covers only the client side of the join, so it assumes a pre-configured Windows Active Directory domain.

 

3. Pre-requisites to add Linux to Windows AD Domain

IMPORTANT NOTE:
Before joining the Linux host to the Windows domain, make sure time synchronisation and DNS resolution are set up. Kerberos rejects authentication when the client clock is too far out of step with the domain controller, and the join relies on DNS SRV records to find the domain controller.

 

3.1 Update /etc/resolv.conf

Make sure the RHEL/CentOS client can resolve the Active Directory servers. To do this, point /etc/resolv.conf on the RHEL/CentOS 7/8 client at the IP address of your domain controller:

[root@adcli-client ~]# cat /etc/resolv.conf
search www.golinuxcloud.com
nameserver 192.168.0.107

 

3.2 Verify Domain Name Resolution

Verify if the client is able to resolve the domain name:

[root@centos8 ~]# nslookup www.golinuxcloud.com
Server:         192.168.0.107
Address:        192.168.0.107#53

Name:   www.golinuxcloud.com
Address: 192.168.0.107

Next verify the DNS SRV records that the join relies on: the Kerberos KDC record, the LDAP record and the domain-controller record under _msdcs must all resolve to your domain controller.

~]# host -t SRV _kerberos._udp.golinuxcloud.com.
_kerberos._udp.golinuxcloud.com has SRV record 0 100 88 win-71humtros3m.golinuxcloud.com.

~]# host -t SRV _ldap._tcp.golinuxcloud.com.
_ldap._tcp.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.

~]# host -t SRV _ldap._tcp.dc._msdcs.golinuxcloud.com
_ldap._tcp.dc._msdcs.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.
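The checks above can be scripted so they run before every join. The following is an added example, not part of the original article: it parses host -t SRV answers the same way the manual checks above read them, confirms that each record carries the port the service should advertise (88 for the KDC, 389 for LDAP), and also checks with chronyc that the clock is synchronised, since the note at the start of this section requires time services as well. It assumes the domain name is passed as the first argument and that bind-utils and chrony are installed; the function names are this example's own.

```shell
#!/bin/bash
# Pre-join checks for a RHEL/CentOS client (added example, not from the article).
# Assumes: $1 is the AD domain name, `host` (bind-utils) and chrony are installed.

# Parse one line of `host -t SRV` output and print "priority weight port target".
# Returns 1 for anything that is not an SRV answer (e.g. an NXDOMAIN message).
parse_srv_line() {
    case "$1" in
        *"has SRV record"*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '{print $(NF-3), $(NF-2), $(NF-1), $NF}'
}

# Print the target host of an SRV answer, without the trailing dot.
srv_target() {
    local fields
    fields=$(parse_srv_line "$1") || return 1
    set -- $fields
    printf '%s\n' "${4%.}"
}

# Print the port of an SRV answer.
srv_port() {
    local fields
    fields=$(parse_srv_line "$1") || return 1
    set -- $fields
    printf '%s\n' "$3"
}

# Port each service is expected to advertise (Kerberos KDC 88, LDAP 389).
expected_port() {
    case "$1" in
        _kerberos._udp) echo 88 ;;
        _ldap._tcp|_ldap._tcp.dc._msdcs) echo 389 ;;
        *) return 1 ;;
    esac
}

# Live check: every record the join needs must resolve and carry the expected
# port. Prints one line per record; returns 1 if any record fails.
check_srv_records() {
    local domain="$1" svc answer port target rc=0
    for svc in _kerberos._udp _ldap._tcp _ldap._tcp.dc._msdcs; do
        answer=$(host -t SRV "$svc.$domain." 2>&1 | head -n 1)
        if target=$(srv_target "$answer") && port=$(srv_port "$answer") \
           && [ "$port" = "$(expected_port "$svc")" ]; then
            echo "OK   $svc.$domain -> $target:$port"
        else
            echo "FAIL $svc.$domain: $answer"
            rc=1
        fi
    done
    return $rc
}

# Live check: Kerberos rejects tickets when the client clock drifts too far from
# the domain controller, so require chrony to report a synchronised clock.
check_time_sync() {
    chronyc tracking 2>/dev/null | grep -q 'Leap status *: Normal'
}

check_prereqs() {
    local rc=0
    check_srv_records "$1" || rc=1
    if check_time_sync; then
        echo "OK   clock is synchronised (chronyc)"
    else
        echo "FAIL clock is not synchronised; fix chrony before joining"
        rc=1
    fi
    return $rc
}

# Only run the live checks when a domain was given on the command line.
if [ -n "${1:-}" ]; then
    check_prereqs "$1"
fi
```

Run it as ./prejoin-check.sh golinuxcloud.com. A FAIL line for any of the three records means realm discover will not find the domain either, and an unsynchronised clock produces Kerberos clock-skew failures that are easy to mistake for a broken join.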

 

3.3 Install packages (RHEL/CentOS 7)

Install the realmd, adcli and sssd packages together with their helpers. On a minimal install you also need the krb5-workstation package, which provides the klist and kinit commands:

  • sssd: the System Security Services Daemon, which handles client authentication and identity lookups against the domain
  • adcli: the tools for joining and managing AD domains
  • oddjob and oddjob-mkhomedir: create home directories for domain users on their first login

NOTE:
On a RHEL system you must have an active subscription to RHN, or configure a local offline repository from which the yum package manager can install the provided RPMs and their dependencies.

[root@adcli-client ~]# yum install adcli sssd authconfig realmd krb5-workstation oddjob oddjob-mkhomedir

 

3.4 Install packages (RHEL/CentOS 8)

The following packages are required to integrate a Linux client into a Windows domain using realm. oddjob and oddjob-mkhomedir make sure that home directories are created automatically for domain users:

[root@centos8 ~]# dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

 

4. Using realm to join Linux to Windows Domain

With all the packages installed, we can use the realm command to add the Linux host to the Windows AD domain and manage our enrolments. This command is part of the realmd package that we installed.

 

4.1 List configured domains

We can use the list subcommand to confirm that the host is not currently a member of any domain:

[root@realm-client ~]# realm list

The output should be blank.

 

4.2 Discover available domains in the network

Now we are ready for the next step, joining the Linux host to the Windows AD domain. In a simple environment you will already know the domain you want to join; at least we certainly hope that you do. In our case it is www.golinuxcloud.com.

The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

[root@realm-client ~]# realm discover www.golinuxcloud.com
GOLINUXCLOUD.COM
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: GOLINUXCLOUD.COM
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
www.golinuxcloud.com
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: www.golinuxcloud.com
  configured: no

 

4.3 Join Linux client to Windows domain

The realm join command then sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The process run by realm join follows these steps:

  • Running a discovery scan for the specified domain.
  • Automatic installation of the packages required to join the system to the domain.
  • Joining the domain by creating an account entry for the system in the directory.
  • Creating the /etc/krb5.keytab host keytab file.
  • Configuring the domain in SSSD and restarting the service.
  • Enabling domain users for the system services in PAM configuration and the /etc/nsswitch.conf file.

[root@realm-client ~]# realm join --user=Administrator www.golinuxcloud.com
Password for Administrator:

Initially I was getting the following error while trying to join my Linux client to the Windows domain using realm:

 ~]# realm join  --user=Administrator www.golinuxcloud.com
Password for Administrator:
See: journalctl REALMD_OPERATION=r597.2528
realm: Couldn't join realm: Failed to join the domain

In the journalctl logs I could find the following entries:

Mar 04 12:11:21 centos8 realmd[2314]:  ! Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type
Mar 04 12:11:21 centos8 realmd[2314]:  ! Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type
Mar 04 12:11:21 centos8 realmd[2314]: adcli: couldn't connect to GOLINUXCLOUD.COM domain: Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type
Mar 04 12:11:21 centos8 realmd[2314]: adcli: couldn't connect to GOLINUXCLOUD.COM domain: Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type
Mar 04 12:11:21 centos8 realmd[2314]: process exited: 2534
Mar 04 12:11:21 centos8 realmd[2314]:  ! Failed to join the domain
Mar 04 12:11:21 centos8 realmd[2314]:  ! Failed to join the domain

 

4.4 How to fix "KDC has no support for encryption type"?

Method-1
With RHEL/CentOS 8, rc4 is no longer part of the DEFAULT crypto policy (see man crypto-policies for details). Unfortunately it is still the common fallback in AD.

So we can add rc4-hmac to permitted_enctypes in /etc/krb5.conf.d/crypto-policies, as shown below.

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac rc4-hmac

Now you can re-try to join Linux client to windows domain using realm:

[root@realm-client ~]# realm join --user=Administrator www.golinuxcloud.com
Password for Administrator:

 

Method-2
Here we also enable rc4, but instead of editing /etc/krb5.conf.d/crypto-policies we add the following content to a new file under /etc/krb5.conf.d/:

~]# cat /etc/krb5.conf.d/enctypes
[libdefaults]
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac rc4-hmac
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac rc4-hmac

Now you can try to join Linux client to the windows domain using realm:

[root@realm-client ~]# realm join --user=Administrator www.golinuxcloud.com
Password for Administrator:

 

Method-3
You can allow weak encryption by defining the following under [libdefaults] in /etc/krb5.conf file:

allow_weak_crypto = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

Now you can try to join Linux client to the windows domain using realm:

[root@realm-client ~]# realm join --user=Administrator www.golinuxcloud.com
Password for Administrator:

For more information you can follow the Red Hat article Ensuring support for common encryption types in AD and RHEL.
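All three methods above widen the set of encryption types the client will accept, and the RC4 and DES types they add are exactly the ones the DEFAULT policy dropped for being weak. The following is an added example, not code from the original article: it writes a Method-2 style drop-in with rc4-hmac added only when explicitly requested, and provides an audit function that reports every line in the client's Kerberos configuration that still permits RC4/DES or sets allow_weak_crypto, so the relaxation can be found and reverted once the domain controllers offer AES. The directory argument, the file name enctypes, the with_rc4 switch and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the article): generate the Method-2 drop-in for
# /etc/krb5.conf.d/ and audit which enctypes a client configuration permits.
# The directory is a parameter so the functions can be exercised on a scratch
# copy before touching /etc.

# AES and Camellia types taken from the article's crypto-policies line.
STRONG_ENCTYPES="aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac"

# Deprecated names used by Methods 1-3: RC4 (both spellings) and single DES.
WEAK_ENCTYPE_RE='rc4-hmac|arcfour-hmac|des-cbc-crc|des-cbc-md5'

# write_enctypes_dropin DIR [with_rc4]
# Creates DIR/enctypes. rc4-hmac is appended only when "with_rc4" is given,
# so the default output keeps the host on AES/Camellia-only negotiation.
write_enctypes_dropin() {
    local dir="$1" list="$STRONG_ENCTYPES"
    if [ "${2:-}" = "with_rc4" ]; then
        list="$list rc4-hmac"
    fi
    {
        printf '[libdefaults]\n'
        printf '   default_tgs_enctypes = %s\n' "$list"
        printf '   default_tkt_enctypes = %s\n' "$list"
    } > "$dir/enctypes"
}

# weak_enctypes_permitted FILE...
# Prints file:line:text for every enctype list containing a weak type and for
# allow_weak_crypto = true. Returns 0 when something was found, 1 when clean.
weak_enctypes_permitted() {
    local found=1 f
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -HnE "^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=.*($WEAK_ENCTYPE_RE)" "$f"; then
            found=0
        fi
        if grep -HnE '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true' "$f"; then
            found=0
        fi
    done
    return $found
}

# Audit the live client configuration: the main file plus every drop-in.
audit_krb5_enctypes() {
    if weak_enctypes_permitted /etc/krb5.conf /etc/krb5.conf.d/*; then
        echo "WARNING: weak Kerberos enctypes are enabled; remove them once the DCs offer AES"
        return 1
    fi
    echo "OK: no RC4/DES enctypes or allow_weak_crypto in the client configuration"
}

if [ "${1:-}" = "audit" ]; then
    audit_krb5_enctypes
fi
```

Run it with the argument audit to scan /etc/krb5.conf and /etc/krb5.conf.d on the live host. Two points matter when choosing between the methods: /etc/krb5.conf.d/crypto-policies (Method-1) is generated by update-crypto-policies, so a manual edit there is overwritten the next time the system policy changes, and newer RHEL 8 releases provide the AD-SUPPORT subpolicy (update-crypto-policies --set DEFAULT:AD-SUPPORT) as the supported way to permit RC4 for AD. Method-3 additionally enables single DES, which current Active Directory domain controllers do not use by default, so the audit flags it as well.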

 

5. Verify if Linux client is integrated to windows domain

As a standard user you can then list the domain you have joined by running realm list again. At first the output may look similar to that of the realm discover www.golinuxcloud.com command we ran earlier; on closer inspection, however, the host is now a member server, as shown by configured: kerberos-member in the following output:

(screenshot of the realm list output, showing configured: kerberos-member)

 

6. Configure NSS for SSSD service

Next we need to configure NSS and PAM so that AD users can authenticate on the Linux client and get a home directory created on first login:

 

6.1 On RHEL/CentOS 7

You can use authconfig on RHEL/CentOS 7 server to configure PAM and make sure the home directories of AD users are automatically created:

# authconfig  --enablesssd --enablesssdauth --enablemkhomedir --update

Next enable and start/restart oddjobd.service

~]# systemctl enable --now oddjobd.service

 

6.2 On RHEL/CentOS 8

We will use authselect, which replaces authconfig in RHEL/CentOS 8, to configure the PAM files and make sure home directories of AD users are created automatically when they log in to the Linux client:

~]# authselect select sssd with-mkhomedir
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Next enable and start/restart oddjobd.service

~]# systemctl enable --now oddjobd.service

 

7. Login as Active Directory User on Linux Client

Let us try to log in to our Linux client as a Windows AD user and verify that the home directory is created automatically. First, check that the Linux client can look up the details of an AD user:

~]# id GOLINUXCLOUD\\Administrator
uid=111800500(administrator@GOLINUXCLOUD.COM) gid=111800513(domain users@GOLINUXCLOUD.COM) groups=111800513(domain users@GOLINUXCLOUD.COM),111800520(group policy creator owners@GOLINUXCLOUD.COM),111800512(domain admins@GOLINUXCLOUD.COM),111800572(denied rodc password replication group@GOLINUXCLOUD.COM),111800518(schema admins@GOLINUXCLOUD.COM),111800519(enterprise admins@GOLINUXCLOUD.COM)

So the Administrator user from AD is resolved by the Linux client; let's switch to that user:

(screenshot of su to the AD Administrator user, with the home directory being created automatically)

As expected the home directory for our AD user was automatically created.
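The two checks in sections 5 and 7 (configured: kerberos-member in realm list, and an AD user resolving through id) are the ones worth automating after every join. The following is an added example, not part of the original article: it extracts the configured: value for a named realm from realm list output and checks that a domain user resolves through SSSD. The sample realm list text inside the block is constructed for the offline test rather than captured from the lab host, and the function names are this example's own.

```shell
#!/bin/bash
# Post-join verification (added example, not from the article). Reads
# `realm list` output the way section 5 reads it and checks NSS resolution
# of a domain user as section 7 does.

# realm_configured_state NAME   (reads `realm list` output on stdin)
# Prints the "configured:" value of the block whose header line matches NAME
# case-insensitively; prints nothing if no such realm is listed.
realm_configured_state() {
    awk -v want="$1" '
        /^[^[:space:]]/ { current = tolower($0); next }
        tolower(want) == current && $1 == "configured:" { print $2; exit }
    '
}

# Live check: the host is a kerberos-member of DOMAIN.
realm_is_member() {
    [ "$(realm list | realm_configured_state "$1")" = "kerberos-member" ]
}

# Live check: the user resolves to a uid, i.e. SSSD answers NSS lookups for it.
ad_user_resolves() {
    id "$1" >/dev/null 2>&1
}

# Constructed realm list output for the offline test (not captured from a host).
SAMPLE_REALM_LIST='golinuxcloud.com
  type: kerberos
  realm-name: GOLINUXCLOUD.COM
  domain-name: golinuxcloud.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
example.test
  type: kerberos
  realm-name: EXAMPLE.TEST
  domain-name: example.test
  configured: no'

# verify_join DOMAIN USER: prints one line per check, returns 1 if either fails.
verify_join() {
    local domain="$1" user="$2" rc=0
    if realm_is_member "$domain"; then
        echo "OK   member of $domain"
    else
        echo "FAIL not a kerberos-member of $domain"
        rc=1
    fi
    if ad_user_resolves "$user"; then
        echo "OK   $user resolves via SSSD"
    else
        echo "FAIL cannot resolve $user"
        rc=1
    fi
    return $rc
}

# Only run the live checks when both arguments were given.
if [ $# -eq 2 ]; then
    verify_join "$1" "$2"
fi
```

Run it as ./verify-join.sh golinuxcloud.com 'GOLINUXCLOUD\\Administrator' once the join has completed and oddjobd is running.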

 

8. Leaving Active Directory domain

There will be occasions when a Linux server needs to be removed from an Active Directory domain, often before it is added to a different domain. Should this be required, the realm command makes the process easy.

The additional --remove option ensures that the computer account is also deleted from the domain; otherwise it has to be deleted separately.

[root@realm-client ~]# realm leave www.golinuxcloud.com --remove
Password for Administrator:

 

Summary

In this article we learned how to join a Linux client (CentOS/RHEL 7/8) to a Windows AD domain using the realmd tool. The realmd system provides a clear and simple way to discover and join identity domains. It does not connect to the domain itself but configures the underlying Linux system services, such as SSSD or Winbind, to connect to the domain.

It can run a discovery search to identify available AD and Identity Management domains and then join the system to the domain, as well as set up the required client services used to connect to the given identity domain and manage user access. Additionally, because SSSD as an underlying service supports multiple domains, realmd can discover and support multiple domains as well.

 

Further Reading

You can go through the following articles to learn more about integrating a Linux client into a Windows domain using realmd:
Using realmd to Connect to an Active Directory Domain
man page of krb5.conf [libdefaults]

 


Deepak Prasad


8 thoughts on “Add Linux to Windows Domain using realm (CentOS/RHEL 7/8)”

  1. Hi, I have succeeded with the integration. Is there any way to pass the realm join password in an encrypted format?
    Since I'm planning to write it in a script and I don't want to disclose the password in the script.

    P.S.: echo "$joinpassword" | realm join -U username abc.com works well. But this isn't what is needed.

    • Shell scripts will always have that limitation. If you want it automated in some way without prompting for input then you can go for other programming language which will compile the code making passwords not visible to end user.
      You can also compile shell script but they can also be easily uncompiled.

  2. These steps worked for me:

    RHEL/CentOS 8, rc4 is not in the DEFAULT crypto policy anymore. Unfortunately, it is still the common fallback in AD.

    I added rc4-hmac in /etc/krb5.conf.d/crypto-policies as permitted_enctypes as shown below

    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
    allow_weak_crypto = false

    Restarting the service, and try again: realm join

  3. Hi, after doing the above steps I was able to do a domain join, but I was unable to SSH to the Linux server with an AD user id. Any advice?

    Thanks
    Raj
