Steps to join/add CentOS 8 to Windows Domain Controller (RHEL 8)

This guide shows how to join a RHEL 8 or CentOS 8 system to a Windows Active Directory domain using Samba Winbind, so that the Linux host authenticates users against a Windows 2003 R2 / 2008 / 2008 R2 / 2012 AD domain. The step-by-step walkthrough joins CentOS 8 to a Windows Domain Controller running on Windows Server 2012; the same steps apply to RHEL 8.

The winbind service is part of the Samba suite. It enables a Linux server to become a full member in Windows domains and to use Windows users and group accounts in Linux.

An overview of the lab environment

For the demonstrations in this article, we will use virtual machines running under Oracle VirtualBox on my Linux server virtualization host.

We have a Windows Server 2012 R2 Active Directory Domain Controller with the IP address 192.168.0.101, a CentOS 8 host with the IP address 192.168.0.115 and a RHEL 8 host with the IP address 192.168.0.106. This article covers only the client-side part of adding CentOS 8 to the Windows Domain Controller, so it requires a pre-configured Windows Active Directory.

I have only used snippets from my CentOS 8 Server but I have verified the steps on both RHEL 8 and CentOS 8.

Preparing the Linux Client to join Windows Active Directory

To add CentOS 8 to the Windows Domain Controller, we first change the DNS settings so that the Active Directory domain's DNS server is queried first:

[root@centos-8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search golinuxcloud.com
nameserver 192.168.0.101

Here 192.168.0.101 is the IP address of my Windows Active Directory server, which is also configured as the DNS server.

To make sure that our server can resolve hostnames, either through queries to the DNS server or via the local /etc/hosts file, we can use the getent command.

[root@centos-8 ~]# getent hosts golinuxcloud.com
192.168.0.101   golinuxcloud.com
10.0.2.13       golinuxcloud.com

Install Samba Package

NOTE:

On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" or "dnf" package manager can install the required rpm and its dependencies.

To add CentOS 8 to the Windows Domain Controller, we install the required Samba packages on our client host:

[root@centos-8 ~]# dnf install samba samba-client  samba-winbind samba-winbind-clients

Configure /etc/samba/smb.conf by adding the content below under the [global] section to join Linux to Windows Active Directory. Modify the realm and workgroup values as per your environment.

[global]
        kerberos method = secrets and keytab
        realm = GOLINUXCLOUD.COM
        security = ADS
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = +
        workgroup = GOLINUXCLOUD
        idmap config * : rangesize = 1000000
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid

security = ADS configures the server as a member of an Active Directory domain.

The idmap config * parameters map Windows users and groups to Unix IDs, and winbind enum users / winbind enum groups allow them to be enumerated (for example by wbinfo -u and wbinfo -g). Enumeration is convenient in a lab, but it is slow on large domains.

For winbind separator you should select a character that is valid in Unix user names, normally +, to separate the domain from the user name, as in EXAMPLE+wob.

System users and groups are usually assigned IDs in the range from 0 to 999, and local users and groups are assigned IDs starting from 1000. With this in mind, it is reasonable to start assigning IDs to domain users and groups from 1000000. We must also keep the domain users and groups apart from the local built-in accounts that exist on a member server, such as the local administrator and the local guest. These two sets of IDs must not overlap, so we assign the range 1000000 to 19999999 to domain user and group accounts.

Join/Add CentOS 8 to Windows Domain Controller

We join the Linux client with Windows Active Directory by executing net on the client host:

[root@centos-8 ~]# net ads join -U Administrator  golinuxcloud.com
Enter Administrator's password:
Using short domain name -- GOLINUXCLOUD
Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'
DNS Update for centos-8.golinuxcloud.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

As you can see, we were able to add CentOS 8 to the Windows Domain Controller, but there are a few DNS-related error messages.

How to fix "ERROR_DNS_UPDATE_FAILED"?

You can either skip DNS updates while adding CentOS 8 to the Windows Domain Controller by using

# net ads join -U Administrator --no-dns-updates  golinuxcloud.com

or fix the ERROR_DNS_UPDATE_FAILED error observed above by performing the following steps.

Add the following entry to /etc/hosts:

# echo "192.168.0.115   centos-8.golinuxcloud.com centos-8" >> /etc/hosts

Make sure that the IP address of the DNS server is in /etc/resolv.conf. This should be the DNS server on which the new DNS 'A' record is to be created.

# cat /etc/resolv.conf
search golinuxcloud.com
nameserver 192.168.0.101

On the Windows DNS server, set Dynamic updates for the zone to "Secure only" or "Nonsecure and secure". "Secure only" is the safer choice: it accepts updates only from clients that authenticate with Kerberos, whereas "Nonsecure and secure" lets any host on the network create or overwrite records in the zone.
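As an added example (not from the original article), the following script checks the host's A record directly against the AD DNS server and, if it is missing or stale, re-registers it with the machine account credentials that net ads join stored, which lets the zone stay at "Secure only". It assumes Samba's net ads dns register subcommand and dig (from bind-utils) are installed, and uses this article's host name and addresses as defaults.

```shell
#!/bin/sh
# Added example (not from the original article): verify this host's A record
# on the AD DNS server and re-register it with the machine account rather
# than allowing nonsecure dynamic updates. Assumes Samba's "net ads dns
# register" subcommand and dig (bind-utils) are installed.

HOST_FQDN="${HOST_FQDN:-centos-8.golinuxcloud.com}"   # values from the article
HOST_IP="${HOST_IP:-192.168.0.115}"
DNS_SERVER="${DNS_SERVER:-192.168.0.101}"              # the AD domain controller

# Return 0 when every A record equals the expected address, 1 when the record
# is missing or any returned address differs (a stale record after an IP change).
# $1 = expected IP, $2 = newline-separated A records as printed by dig +short
a_record_matches() {
  expected="$1"
  records="$2"
  [ -n "$records" ] || return 1
  for r in $records; do
    [ "$r" = "$expected" ] || return 1
  done
  return 0
}

# Ask the AD DNS server directly so /etc/hosts and resolver caches cannot mask
# a missing record.
lookup_a_records() {
  dig +short @"$DNS_SERVER" "$1" A
}

# -P (--machine-pass) authenticates with the machine account password that
# "net ads join" stored in secrets.tdb, so no administrator password is needed
# and the update can satisfy a zone set to "Secure only".
register_host_record() {
  net ads dns register -P "$HOST_FQDN" "$HOST_IP"
}

main() {
  records=$(lookup_a_records "$HOST_FQDN")
  if a_record_matches "$HOST_IP" "$records"; then
    echo "A record for $HOST_FQDN already points to $HOST_IP"
  else
    echo "A record for $HOST_FQDN missing or stale (got: ${records:-none}), re-registering"
    register_host_record
  fi
}

# Run with "run" as the first argument; without it only the functions are defined.
[ "${1:-}" = "run" ] && main
```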

Next, retry adding CentOS 8 to the Windows Domain Controller:

[root@centos-8 ~]# net ads join -U Administrator  golinuxcloud.com
Enter Administrator's password:
Using short domain name -- GOLINUXCLOUD
Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'

We can check that the server is a member of the domain with the testparm command; look for the Server role line in its output.

[root@centos-8 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        kerberos method = secrets and keytab
        printcap name = cups
        realm = GOLINUXCLOUD.COM
        security = ADS
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = +
        workgroup = GOLINUXCLOUD
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000
        idmap config * : backend = autorid
        cups options = raw


[homes]
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No
        comment = All Printers
        create mask = 0600
        path = /var/tmp
        printable = Yes


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

After successfully joining the Linux server to Windows Active Directory, restart Winbind and enable the service to start automatically at boot:

[root@centos-8 ~]# systemctl enable winbind --now
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.

Check the status of the Winbind service:

[root@centos-8 ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-10-18 14:48:25 IST; 20s ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1756 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 2 (limit: 11506)
   Memory: 6.6M
   CGroup: /system.slice/winbind.service
           ├─1756 /usr/sbin/winbindd --foreground --no-process-group
           └─1758 /usr/sbin/winbindd --foreground --no-process-group

Oct 18 14:48:25 centos-8.golinuxcloud.com systemd[1]: Starting Samba Winbind Daemon...

Client Validation

After you add CentOS 8 to the Windows Domain Controller, run some checks on the client host (CentOS 8) to make sure it can reach Active Directory properly.

You can test whether everything is working with wbinfo -t. The command runs an encrypted RPC call, which only succeeds if the server really is a member of the domain:

[root@centos-8 ~]# wbinfo -t
checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded

List AD users:

[root@centos-8 ~]# wbinfo -u
GOLINUXCLOUD+administrator
GOLINUXCLOUD+guest
GOLINUXCLOUD+krbtgt

List AD groups:

[root@centos-8 ~]# wbinfo -g
GOLINUXCLOUD+winrmremotewmiusers__
GOLINUXCLOUD+domain computers
GOLINUXCLOUD+domain controllers
GOLINUXCLOUD+schema admins
GOLINUXCLOUD+enterprise admins
GOLINUXCLOUD+cert publishers
GOLINUXCLOUD+domain admins
GOLINUXCLOUD+domain users
GOLINUXCLOUD+domain guests
GOLINUXCLOUD+group policy creator owners
GOLINUXCLOUD+ras and ias servers
GOLINUXCLOUD+allowed rodc password replication group
GOLINUXCLOUD+denied rodc password replication group
GOLINUXCLOUD+read-only domain controllers
GOLINUXCLOUD+enterprise read-only domain controllers
GOLINUXCLOUD+cloneable domain controllers
GOLINUXCLOUD+protected users
GOLINUXCLOUD+dnsadmins
GOLINUXCLOUD+dnsupdateproxy

Run authselect to list the available profiles:

# authselect list 
- nis            Enable NIS for system authentication
- sssd           Enable SSSD for system authentication (also for local users only)
- winbind        Enable winbind for system authentication

Select the winbind profile. Here we have used --force to overwrite certain system files:

[root@centos-8 ~]# authselect select winbind --force
Backup stored at /var/lib/authselect/backups/2019-10-18-09-21-15.ah1i42
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group

Make sure that winbind service is configured and enabled. See winbind documentation for more information.

Before these files are overwritten, the originals are backed up; in my case they are available at the location below:

[root@centos-8 ~]# ls -l /var/lib/authselect/backups/2019-10-18-09-21-15.ah1i42/
total 24
-rw-r--r--. 1 root root  701 Oct 18 14:51 fingerprint-auth
-rw-r--r--. 1 root root 1516 Oct 18 14:51 nsswitch.conf
-rw-r--r--. 1 root root  760 Oct 18 14:51 password-auth
-rw-r--r--. 1 root root  398 Oct 18 14:51 postlogin
-rw-r--r--. 1 root root  743 Oct 18 14:51 smartcard-auth
-rw-r--r--. 1 root root  760 Oct 18 14:51 system-auth

Ensure that /etc/nsswitch.conf has the following passwd and group entries. They tell the name service switch to consult Winbind for user and group lookups in addition to the local files, so domain accounts resolve on the Linux host.

passwd:     files winbind systemd
group:      files winbind systemd

Test that AD users and groups resolve on the client:

[root@centos-8 ~]# getent passwd GOLINUXCLOUD+Administrator
GOLINUXCLOUD+administrator:*:2000500:2000513::/home/GOLINUXCLOUD/administrator:/bin/bash

[root@centos-8 ~]# id GOLINUXCLOUD+Administrator
uid=2000500(GOLINUXCLOUD+administrator) gid=2000513(GOLINUXCLOUD+domain users) groups=2000513(GOLINUXCLOUD+domain users),2000500(GOLINUXCLOUD+administrator),2000572(GOLINUXCLOUD+denied rodc password replication group),2000518(GOLINUXCLOUD+schema admins),2000519(GOLINUXCLOUD+enterprise admins),2000520(GOLINUXCLOUD+group policy creator owners),2000512(GOLINUXCLOUD+domain admins)
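The worked example below is added here and is not part of the original article. It shows how the autorid settings from the smb.conf section above (range 1000000-19999999, rangesize 1000000) turn Windows RIDs into the UIDs and GIDs seen in this id output: each domain gets a slot of rangesize IDs and the ID is range_low + slot * rangesize + RID, which is how the well-known RID 500 (Administrator) becomes 2000500 in slot 1. The decoder is my own helper, not a Samba tool.

```shell
#!/bin/sh
# Added example (not from the original article): decode the UIDs/GIDs produced
# by the autorid backend configured in smb.conf above, using the article's
# values (range = 1000000-19999999, rangesize = 1000000). autorid gives each
# domain a slot of "rangesize" IDs inside "range" and maps
#   ID = range_low + slot * rangesize + RID
# so uid 2000500 for GOLINUXCLOUD+Administrator (well-known RID 500) means the
# domain was given slot 1.
RANGE_LOW=1000000
RANGE_HIGH=19999999
RANGESIZE=1000000

# Print "slot rid" for an ID, or fail if it lies outside the autorid range
# (local accounts such as root, or users created with useradd).
autorid_decode() {
  id="$1"
  if [ "$id" -lt "$RANGE_LOW" ] || [ "$id" -gt "$RANGE_HIGH" ]; then
    return 1
  fi
  offset=$((id - RANGE_LOW))
  echo "$((offset / RANGESIZE)) $((offset % RANGESIZE))"
}

# The ID autorid assigns to RID $2 in domain slot $1 (the inverse mapping).
autorid_encode() {
  echo $((RANGE_LOW + $1 * RANGESIZE + $2))
}

# Well-known RIDs (defined by Microsoft, identical in every domain) that
# appear in the id output above.
rid_name() {
  case "$1" in
    500) echo "Administrator" ;;
    512) echo "Domain Admins" ;;
    513) echo "Domain Users" ;;
    518) echo "Schema Admins" ;;
    519) echo "Enterprise Admins" ;;
    520) echo "Group Policy Creator Owners" ;;
    572) echo "Denied RODC Password Replication Group" ;;
    *)   echo "RID $1" ;;
  esac
}

# Explain every numeric ID found in a line of id(1) or getent passwd output.
explain_id_line() {
  echo "$1" | tr -c '0-9' '\n' | grep . | sort -un | while read -r n; do
    decoded=$(autorid_decode "$n") || continue
    echo "$n -> slot ${decoded%% *}, $(rid_name "${decoded##* }")"
  done
}
```

Feed it the id or getent passwd line from above (explain_id_line "$(id GOLINUXCLOUD+Administrator)") and every ID is reported as slot 1 with its well-known RID name, while local IDs below 1000000 are skipped.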

Getting a TGT from Kerberos

To get a TGT from Kerberos we can use the kinit command. This utility is included in the krb5-workstation package.

[root@centos-8 ~]# yum -y install krb5-workstation

After installing it, we can obtain a TGT with kinit:

[root@centos-8 ~]# kinit Administrator@GOLINUXCLOUD.COM
Password for Administrator@GOLINUXCLOUD.COM:

We can list the ticket with klist:

[root@centos-8 ~]# klist
Ticket cache: KCM:0
Default principal: Administrator@GOLINUXCLOUD.COM

Valid starting       Expires              Service principal
10/19/2019 04:12:40  10/19/2019 14:12:40  krbtgt/GOLINUXCLOUD.COM@GOLINUXCLOUD.COM
        renew until 10/26/2019 04:12:37

Lastly, I hope the steps in this article to join/add CentOS 8 to a Windows Domain Controller were helpful. Let me know your suggestions and feedback in the comment section.

4 thoughts on “Steps to join/add CentOS 8 to Windows Domain Controller (RHEL 8)”

  1. The instructions work perfectly, there is only one issue: how can I configure the system to automatically create the user home directory when logging in?

    thanks

  2. Hi, thanks for your guide!! One question: I have a CentOS 8 and when I log in with a domain user and create a file, the group permission of the file is shown like DOMAIN+domaingroup. How do I have to set up CentOS so that the user group will be shown like domaingroup@DOMAIN.LOCAL?
