Steps to join/add CentOS 8 to Windows Domain Controller (RHEL 8)



This guide shows how to join a RHEL 8 / CentOS 8 system to an Active Directory domain using Samba Winbind, so that the Linux host authenticates against a Windows Server 2003 R2 / 2008 / 2008 R2 / 2012 Active Directory domain controller. The steps are shown against a Windows Server 2012 domain controller.


The winbind service is part of the Samba suite. It enables a Linux server to become a full member in Windows domains and to use Windows users and group accounts in Linux.

 


1. An overview of the lab environment

For the demonstrations in this article on adding CentOS 8 to a Windows Domain Controller (Active Directory), we use virtual machines running in Oracle VirtualBox on my Linux virtualization server.

We have a Microsoft Server 2012 R2 Active Directory Domain Controller with the IP address 192.168.0.107, a CentOS 8 host with the IP address 192.168.0.117 and a RHEL 8 host with the IP address 192.168.0.106. In this article I will only cover the client-side steps to add CentOS 8 to the Windows Domain Controller, so a pre-configured Windows Active Directory is required.

I have only used snippets from my CentOS 8 Server but I have verified the steps on both RHEL 8 and CentOS 8.

 

2. Preparing the Linux Client to join Windows Active Directory

To add CentOS 8 to Windows Domain Controller, we need to change the DNS settings so that the Active Directory domain DNS server is queried first:

[root@centos-8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search www.golinuxcloud.com
nameserver 192.168.0.107

Here 192.168.0.107 is the IP address of my Windows Active Directory server, which is also configured as the DNS server.

To make sure that our server can resolve hostnames, either through queries to the DNS server or via the local /etc/hosts file, we can use the getent command.

[root@centos-8 ~]# getent hosts www.golinuxcloud.com
192.168.0.107   www.golinuxcloud.com

 

3. Install Winbind Package(s)

NOTE:
On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" or "dnf" package manager can install the required rpms and their dependencies.

To add CentOS 8 to the Windows Domain Controller we install the required Samba packages on our client host:

[root@centos-8 ~]# dnf install samba samba-client samba-winbind samba-winbind-clients oddjob oddjob-mkhomedir

 

4. Configure Winbind with smb.conf

Configure /etc/samba/smb.conf by replacing the existing content under the [global] section with the following to add Linux to Windows Active Directory. Modify the realm and workgroup values as per your environment.

You can also use Red Hat's AD Integration Helper to generate optimal configuration values for connecting to your organization's Active Directory.

[global]
        workgroup = GOLINUXCLOUD
        realm = GOLINUXCLOUD.COM
        security = ads
        idmap config * : backend = autorid
        idmap config * : range = 100000-19999999
        idmap config * : rangesize = 1000000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = false
        winbind offline logon = true
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 0

security = ads declares membership in an Active Directory domain.

The idmap* and winbind enum* parameters map Windows users and groups to Unix users and groups.

Usually system users and groups are assigned IDs in the range from 0 to 999, and local users and groups are assigned IDs starting from 1000. With this in mind, it seems reasonable to start assigning IDs to domain users and groups from 1000000. We also need to keep domain users and groups distinct from the local built-in accounts that exist on a member server, such as the local administrator and the local guest. These two sets must not overlap, so we assign the range 1000000 to 19999999 to domain built-in user and group accounts.

 

Run the following command to verify that you can resolve the standard SRV records:

[root@centos8 ~]# host -t SRV _kerberos._udp.golinuxcloud.com.
_kerberos._udp.golinuxcloud.com has SRV record 0 100 88 win-71humtros3m.golinuxcloud.com.


[root@centos8 ~]# host -t SRV _ldap._tcp.golinuxcloud.com.
_ldap._tcp.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.
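The ID-range reasoning above and the two SRV lookups can be combined into a preflight script that is run before net ads join. The script below is an added example written for this article, not Samba's code or the author's. It assumes local UIDs/GIDs stay below 60000 (the UID_MAX default in /etc/login.defs on RHEL/CentOS) and that the host command is available for the live SRV query; the parsing functions themselves work on captured output and a given smb.conf path, so they can be exercised offline. The slice check assumes the autorid backend, which hands the first slice to BUILTIN and the next to the joined domain.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba/winbind domain member (added example, not from the article).
# Check 1: "idmap config * : range" in smb.conf must start above the local account ID space and
#          be large enough for autorid to give one slice to BUILTIN and one to the domain.
# Check 2: "host -t SRV" output must name a DC for both Kerberos (port 88) and LDAP (port 389).
# Assumption: local UIDs/GIDs stay below UID_MAX=60000 (login.defs default on RHEL/CentOS).

# Print the value of "idmap config * : <key>" from smb.conf $1 (last match wins, as in Samba).
smb_idmap_value() {
    sed -n "s/^[[:space:]]*idmap config \* : $2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Validate range $1 ("low-high") against rangesize $2 and the highest local ID $3.
# Prints how many rangesize-sized slices the range holds; returns 1 with a reason on stderr.
check_idmap_range() {
    low=${1%-*}; high=${1#*-}; size=$2; local_max=$3
    if [ "$low" -le "$local_max" ]; then
        echo "range starts at $low, inside the local ID space (<= $local_max)" >&2; return 1
    fi
    if [ "$high" -le "$low" ]; then
        echo "range end $high must be above range start $low" >&2; return 1
    fi
    slices=$(( (high - low + 1) / size ))
    if [ "$slices" -lt 2 ]; then
        echo "range holds only $slices slice(s) of $size; autorid needs one for BUILTIN and one per domain" >&2
        return 1
    fi
    echo "$slices"
}

# Print target:port for every "has SRV record" line on stdin, trailing dot removed.
srv_targets() {
    awk '/has SRV record/ { t = $8; sub(/\.$/, "", t); print t ":" $7 }'
}

# Return 0 only if the SRV output on stdin advertises both a Kerberos (88) and an LDAP (389) port.
srv_has_kerberos_and_ldap() {
    targets=$(srv_targets)
    printf '%s\n' "$targets" | grep -q ':88$' && printf '%s\n' "$targets" | grep -q ':389$'
}

# Run both checks against a smb.conf path and the AD DNS domain; needs "host" for the live query.
preflight() {
    conf=$1; domain=$2
    backend=$(smb_idmap_value "$conf" backend)
    [ "$backend" = "autorid" ] || echo "note: backend is '$backend'; slice check assumes autorid" >&2
    slices=$(check_idmap_range "$(smb_idmap_value "$conf" range)" \
                               "$(smb_idmap_value "$conf" rangesize)" 60000) || return 1
    echo "idmap range OK: $slices slices available"
    { host -t SRV "_kerberos._udp.$domain."; host -t SRV "_ldap._tcp.$domain."; } \
        | srv_has_kerberos_and_ldap \
        || { echo "Kerberos/LDAP SRV records not found for $domain" >&2; return 1; }
    echo "SRV records OK"
}

# Usage: sh preflight.sh /etc/samba/smb.conf golinuxcloud.com
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

With the article's values (range 100000-19999999, rangesize 1000000) the range check reports 19 slices. That is why the id output later in the article shows BUILTIN\administrators at 100000 (first slice) and the domain accounts around 1100500 (second slice). A range that starts inside the local UID space would allow a domain SID to be mapped onto the ID of a local account, which is the overlap the check refuses.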

Stop the winbind service if it is in running state:

[root@centos8 ~]# systemctl stop winbind

 

5. Join/Add CentOS 8 to Windows Domain Controller

We join the Linux client to Windows Active Directory by running net ads join -U Administrator on the client host (the full command and output of a successful join are shown in section 5.1 below).


You may see the following error while joining the Linux client to Windows AD using Samba Winbind:

Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'
DNS Update for centos-8.golinuxcloud.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

 

5.1 How to fix "DNS Update for DOMAIN failed. ERROR_DNS_UPDATE_FAILED"?

You can either avoid doing any DNS updates while you add CentOS 8 to the Windows Domain Controller by using:

# net ads join -U Administrator --no-dns-updates  www.golinuxcloud.com

Or, to fix the ERROR_DNS_UPDATE_FAILED error observed above, perform the following steps.

Add the following entry to /etc/hosts:

# echo "127.0.0.1 `hostname` `hostname -a`" >> /etc/hosts

Make sure that the IP address of the DNS server is in /etc/resolv.conf. It should be the DNS server on which you want the new DNS 'A' record created.

# cat /etc/resolv.conf
search www.golinuxcloud.com
nameserver 192.168.0.107

On your Windows Domain Controller, open "DNS Manager" for your server. Select your server's zone under Forward Lookup Zones, right-click it and open Properties, then set Dynamic updates to "Secure only" or "Nonsecure and secure" on the Windows DNS server.


 

Next, restart the DNS service to activate the changes and retry adding CentOS 8 to the Windows Domain Controller:

[root@centos-8 ~]# net ads join -U Administrator www.golinuxcloud.com
Enter Administrator's password:
Using short domain name -- GOLINUXCLOUD
Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'

 

6. Verify connectivity between Linux client and Windows AD

We can easily check that the server is a member of the domain with the testparm command.

[root@centos-8 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        log file = /var/log/samba/log.%m
        max log size = 50
        realm = GOLINUXCLOUD.COM
        security = ADS
        template shell = /bin/bash
        winbind offline logon = Yes
        workgroup = GOLINUXCLOUD
        idmap config * : rangesize = 1000000
        idmap config * : range = 100000-19999999
        idmap config * : backend = autorid


[homes]
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No
        comment = All Printers
        create mask = 0600
        path = /var/tmp
        printable = Yes


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

After successfully joining Linux server to Windows Active Directory, it is essential that you restart Winbind and enable the service to auto start at boot:

[root@centos-8 ~]# systemctl enable winbind --now
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.

Check the status of the Winbind service:

[root@centos-8 ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-10-18 14:48:25 IST; 20s ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1756 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 2 (limit: 11506)
   Memory: 6.6M
   CGroup: /system.slice/winbind.service
           ├─1756 /usr/sbin/winbindd --foreground --no-process-group
           └─1758 /usr/sbin/winbindd --foreground --no-process-group

Oct 18 14:48:25 centos-8.golinuxcloud.com systemd[1]: Starting Samba Winbind Daemon...

 

7. Client Validation

After you add CentOS 8 to the Windows Domain Controller, you should run some checks on the client host (CentOS 8) to make sure it can reach Active Directory properly.

You can test whether everything is working properly with wbinfo -t. The command runs an encrypted RPC call, which is only possible if the server really is a member in the domain:

[root@centos-8 ~]# wbinfo -t
checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded

List AD users.

[root@centos-8 ~]# wbinfo -u
GOLINUXCLOUD\administrator
GOLINUXCLOUD\guest
GOLINUXCLOUD\krbtgt

List AD groups.

[root@centos-8 ~]# wbinfo -g
GOLINUXCLOUD\winrmremotewmiusers__
GOLINUXCLOUD\domain computers
GOLINUXCLOUD\domain controllers
GOLINUXCLOUD\schema admins
GOLINUXCLOUD\enterprise admins
GOLINUXCLOUD\cert publishers
GOLINUXCLOUD\domain admins
GOLINUXCLOUD\domain users
GOLINUXCLOUD\domain guests
GOLINUXCLOUD\group policy creator owners
GOLINUXCLOUD\ras and ias servers
GOLINUXCLOUD\allowed rodc password replication group
GOLINUXCLOUD\denied rodc password replication group
GOLINUXCLOUD\read-only domain controllers
GOLINUXCLOUD\enterprise read-only domain controllers
GOLINUXCLOUD\cloneable domain controllers
GOLINUXCLOUD\protected users
GOLINUXCLOUD\dnsadmins
GOLINUXCLOUD\dnsupdateproxy

 

8. Configure the NSS and PAM stack for authentication

Execute the following command to configure the NSS and PAM stack. We use with-mkhomedir to make sure the home directory of an Active Directory user is created automatically when they log in.

[root@centos8 ~]# authselect select winbind with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2021-03-03-19-16-20.jS4CgG
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group

Make sure that winbind service is configured and enabled. See winbind documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Ensure that /etc/nsswitch.conf has the following passwd and group entries. In this file, you have to tell Linux that it should use Winbind before trying to authenticate locally on Linux.

passwd:     files winbind
group:      files winbind

Enable and start/restart oddjobd service:

[root@centos8 ~]# systemctl enable oddjobd --now

Test resolving AD users and groups, and user authentication:

[root@centos8 ~]# getent passwd GOLINUXCLOUD\\administrator
GOLINUXCLOUD\administrator:*:1100500:1100513::/home/GOLINUXCLOUD/administrator:/bin/bash

[root@centos8 ~]# id GOLINUXCLOUD\\administrator
uid=1100500(GOLINUXCLOUD\administrator) gid=1100513(GOLINUXCLOUD\domain users) groups=1100513(GOLINUXCLOUD\domain users),1100500(GOLINUXCLOUD\administrator),1100572(GOLINUXCLOUD\denied rodc password replication group),1100518(GOLINUXCLOUD\schema admins),1100519(GOLINUXCLOUD\enterprise admins),1100520(GOLINUXCLOUD\group policy creator owners),1100512(GOLINUXCLOUD\domain admins),100001(BUILTIN\users),100000(BUILTIN\administrators)
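The getent and id checks above, together with the nsswitch ordering from the previous step, can be scripted as a post-join validation. The script below is an added example, not the article's or Samba's own code. It assumes the idmap range from the smb.conf above (100000-19999999) is passed on the command line, reads /etc/nsswitch.conf, and for the live part uses wbinfo -t from section 7 plus wbinfo --ping-dc. The two parsing helpers take a file path or a passwd record as input, so they can be exercised offline with constructed data.

```shell
#!/bin/sh
# Post-join checks for a winbind domain member (added example, not from the article).
# Offline: /etc/nsswitch.conf must consult "files" before "winbind" for passwd and group, and a
# resolved domain account's UID and GID must fall inside the idmap range, i.e. it was allocated by
# winbind rather than colliding with a local account.
# Live (only when wbinfo is installed): trust secret, DC ping, then getent on the account.

# Return 0 if map $2 (passwd, group, ...) in nsswitch file $1 starts with "files" and lists "winbind".
nss_files_then_winbind() {
    sources=$(sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1)
    set -f               # no pathname expansion while splitting tokens like [NOTFOUND=return]
    set -- $sources
    set +f
    [ "${1:-}" = "files" ] || return 1
    for src in "$@"; do
        [ "$src" = "winbind" ] && return 0
    done
    return 1
}

# Return 0 if the uid and gid fields of passwd record $1 both lie inside range $2 ("low-high").
passwd_entry_in_range() {
    low=${2%-*}; high=${2#*-}
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ] &&
        [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# Validate one domain account, e.g.: postjoin 'GOLINUXCLOUD\administrator' 100000-19999999
postjoin() {
    account=$1; range=$2
    nss_files_then_winbind /etc/nsswitch.conf passwd \
        || { echo "nsswitch passwd map is not 'files winbind'" >&2; return 1; }
    nss_files_then_winbind /etc/nsswitch.conf group \
        || { echo "nsswitch group map is not 'files winbind'" >&2; return 1; }
    command -v wbinfo >/dev/null 2>&1 \
        || { echo "wbinfo not installed; skipping live checks" >&2; return 0; }
    wbinfo -t        || return 1   # machine account trust secret, as in section 7
    wbinfo --ping-dc || return 1   # a domain controller for the joined domain answers
    entry=$(getent passwd "$account") \
        || { echo "getent could not resolve $account" >&2; return 1; }
    passwd_entry_in_range "$entry" "$range" \
        || { echo "$account has a uid/gid outside $range" >&2; return 1; }
    echo "$account resolves to: $entry"
}

if [ $# -eq 2 ]; then postjoin "$1" "$2"; fi
```

Keeping files ahead of winbind matters for the reason the article gives: local accounts such as root are resolved before any domain lookup, and the range check then confirms that domain accounts never receive an ID a local account could also hold.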

 

9. Login as Active Directory User on Linux Client

Now you can try to log in as any Active Directory user on this CentOS 8 client. You don't need to create the home directory for domain users manually, because that is handled by the /usr/lib64/security/pam_oddjob_mkhomedir.so module provided by the oddjob-mkhomedir rpm.

[root@centos8 ~]# su - GOLINUXCLOUD\\Administrator
Creating home directory for GOLINUXCLOUD\administrator.
Last login: Thu Mar  4 00:46:12 IST 2021 on pts/0

[GOLINUXCLOUD\administrator@centos8 ~]$ pwd
/home/GOLINUXCLOUD/administrator

As you can see, the home directory for our Administrator user was created automatically at first login.

In the next article I will share the steps to Integrate Samba Shares with Active Directory (Linux & Windows)

 

Summary

Winbind can be used with different idmap backends: idmap_tdb, idmap_ldap, idmap_rid, idmap_sss and idmap_ad. These backends let the Red Hat Enterprise Linux system work out the SID to uid/gid mappings. If you use winbind, you need to choose the backend most appropriate for your environment. For a single system, where keeping the uid/gid information the same across multiple systems is not important, the default tdb backend may be appropriate. If you need uid/gid information to be consistent across many systems, one of the other backends, such as autorid or rid, will be more appropriate.

Lastly, I hope the steps in this article to join/add CentOS 8 to a Windows Domain Controller were helpful. Let me know your suggestions and feedback using the comment section.

 

 


Deepak Prasad


He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


18 thoughts on “Steps to join/add CentOS 8 to Windows Domain Controller (RHEL 8)”

  1. Hi
    I configured the same in Red Hat Enterprise Linux Server release 6.2 (Santiago) but now I am getting the error below when I try to ssh to the server using an Active Directory user.

    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.X  user=domain\username 
    Aug 16 09:34:49 cssadmin1 sshd[15569]: Failed password for domain\\username from XX.XX.XX.X  port 59096 ssh2.

    Please advise?

    Reply
  2. Firstly, thank you for the guide it is most helpful. Especially, for a relative linux noob like myself.

    I was able get everything to check out with exception to “wbinfo -t”. I get an error there that the “…RPC calls failed” and “failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE”

    I have confirmed that winbind daemon is running.

    I am using Centos Stream 9…maybe an issue there?

    Reply
  3. Hello, when doing this step-by-step configuration everything is fine in the tests but in the end when I try to start a user of the domain, domain \ user and then the password does not enter the desktop, it only indicates the last date of the session and returns to the lock screen. If I put the wrong password or username, it tells me that it is wrong, so I deduce that everything is fine with the connection.

    I would appreciate your help.

    Reply
      • Thanks for your quick response, update and restart apparently that solved the problem.

        I have another query, I can tell you if you can help me, do the windows server policies apply correctly to linux? I ask why I have a university project with a windows server 2016 server, a Windows 10 client and a Centos client (thanks to you I was able to join it to the domain), when creating a policy (wallpaper in this case) for the Windows client it was applied correctly and the wallpaper becomes the one indicated by the policy but not in Centos, Centos always starts with its own wallpaper and does not load the background assigned by the policy.

        Reply
        • I am afraid currently I have not worked on applying group policy from Windows AD to CentOS so I may not be able to help. You may try some public forum. We only use it for Kerberos based authentication.

          Reply
  4. Thank you for the help, it didn’t solve the problem. Possible related to our domain settings. Waiting for the new article.

    Reply
    • In your smb.conf, add the following section and modify the respective values

      [Samba_Share]
      comment = My Samba share
      path = /SAMBASHARE
      read only = yes
      guest ok = no
      valid users = +"DOMAIN\group1", +"DOMAIN\group2"
      write list = +"DOMAIN\group1"

      With this if you are part of DOMAIN\group1 or DOMAIN\group2 then you should have read only access to /SAMBASHARE and DOMAIN\group1 will have read/write access

      Restart your winbind services and give it a try.

      I am in the middle of testing this scenario myself and will put up an article in few days on this topic.

      Reply
  5. Hi, CentOS 8 connected to domain, can ssh linux box with domain credentials, can explore samba host by \\hostname, but can’t access any defined share, even “homes”. What am I missing?

    Reply
  6. Hi, thanks for you guide!! one question: I have a CentOS 8 and when I login with a domainuser and I create a file, the group permission of the file is shown like DOMAIN+domaingroup. How I have to setup CentOS, that the usergroup will be shown like domaingroup@DOMAIN.LOCAL?

    Reply
  7. The instructions work perfectly, there is only one issue: how can I configure the system to automatically create the user home directory when they log in?

    thanks

    Reply
