How to join RHEL 8 system to an Active Directory server using Samba Winbind. How to authenticate RHEL 8 server against to a Windows 2003 R2 / 2008 / 2008 R2 / 2012 AD domain. How to add CentOS 8 to Windows Domain Controller. Step by Step Guide to add CentOS 8 to Windows Domain Controller. Steps to join RHEL 8 to Active Directory. How to join CentOS 8 to Active Directory on Windows Server. Steps to join CentOS 8 to Windows Domain Controller running on WIndows Server 2012. Steps to join linux to windows active directory.
The winbind service is part of the Samba suite. It enables a Linux server to become a full member in Windows domains and to use Windows users and group accounts in Linux.
An overview of the lab environment
For demonstrations of this article to add CentOS 8 to Windows Domain Controller (Active Directory), we will use virtual machines running in an Oracle VirtualBox virtualization environment.
We have a Microsoft Server 2012R2 Active Directory Domain Controller with the IP address 192.168.0.101, CentOS 8 host with the IP address 192.168.0.115 and RHEL 8 with IP Address 192.168.0.106. In this article I will only cover the part to add CentOS 8 to Windows Domain Controller on the client side. So this article requires a pre-configured Windows Active Directory.
I have only used snippets from my CentOS 8 Server but I have verified the steps on both RHEL 8 and CentOS 8.
Preparing the Linux Client to join Windows Active Directory
To add CentOS 8 to Windows Domain Controller, we need to change the DNS settings so that the Active Directory domain DNS server is queried first:
[root@centos-8 ~]# cat /etc/resolv.conf # Generated by NetworkManager search golinuxcloud.com nameserver 192.168.0.101
Here 192.168.0.101 is the IP Address of my Windows Active Directory which is also configured as DNS Server.
To make sure that our server can resolve hostname, either through queries to the DNS server or to the internal /etc/hosts file, we can use the
[root@centos-8 ~]# getent hosts golinuxcloud.com 192.168.0.101 golinuxcloud.com 10.0.2.13 golinuxcloud.com
Install Samba Package
To add CentOS 8 to Windows Domain Controller we will install the required samba packages on our client host
[root@centos-8 ~]# dnf install samba samba-client samba-winbind samba-winbind-clients
/etc/samba/smb.conf by adding the below content under [global] section to add Linux to windows active directory. Modify the realm and workgroup value as per your environment.
[global] kerberos method = secrets and keytab realm = GOLINUXCLOUD.COM security = ADS template shell = /bin/bash winbind enum groups = Yes winbind enum users = Yes winbind separator = + workgroup = GOLINUXCLOUD idmap config * : rangesize = 1000000 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid
security=ads describes the membership in an Active Directory domain.
The parameters idmap* and winbind enum* map Windows users and groups to Unix users and groups.
For the winbind separator you should select a Unix-compatible character, normally
+, to separate the domain from the user name, as in
Usually system users and groups are assigned IDs in the range from 0 to 999, and local users and groups are assigned IDs starting from 1000. With this in mind, it seems pretty reasonable to start assigning IDs to domain users and groups starting from 1000000. We should also differentiate between the domain users and groups and the local built-in accounts existing on a member server, such as the local administrator, the local guest, and so on. These two groups must not overlap, so we assign the range 1000000 to 19999999 to domain built-in user and group accounts
Join/Add CentOS 8 to Windows Domain Controller
We join the Linux client with Windows Active Directory by executing net on the client host:
[root@centos-8 ~]# net ads join -U Administrator golinuxcloud.com Enter Administrator's password: Using short domain name -- GOLINUXCLOUD Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM' DNS Update for centos-8.golinuxcloud.com failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
Here as you see we were successfully able to add CentOS 8 to Windows Domain Controller but there are few DNS related error messages.
How to fix “ERROR_DNS_UPDATE_FAILED”?
You can either choose to avoid doing any DNS updates while you add CentOS 8 to Windows Domain Controller by using
# net ads join -U Administrator --no-dns-updates golinuxcloud.com
Or to fix
ERROR_DNS_UPDATE_FAILED error observed above, perform the following steps
Add following information to /etc/hosts.
# echo "192.168.0.115 centos-8.golinuxcloud.com centos-8" >> /etc/hosts
Make sure that the IP address of the DNS server is in /etc/resolv.conf. The IP address should be the DNS server you want to update the new DNS ‘A’ record.
# cat /etc/resolv.conf search golinuxcloud.com nameserver 192.168.0.101
Select the Dynamic updates to “Secure only” or “Nonsecure and secure” on the Windows DNS server.
Next you can re-try to add CentOS 8 to Windows Domain Controller
[root@centos-8 ~]# net ads join -U Administrator golinuxcloud.com Enter Administrator's password: Using short domain name -- GOLINUXCLOUD Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'
We can easily check that the server is a member of the domain with the
[root@centos-8 ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[homes]" Processing section "[printers]" Processing section "[print$]" Loaded services file OK. 'winbind separator = +' might cause problems with group membership. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions # Global parameters [global] kerberos method = secrets and keytab printcap name = cups realm = GOLINUXCLOUD.COM security = ADS template shell = /bin/bash winbind enum groups = Yes winbind enum users = Yes winbind separator = + workgroup = GOLINUXCLOUD idmap config * : range = 1000000-19999999 idmap config * : rangesize = 1000000 idmap config * : backend = autorid cups options = raw [homes] browseable = No comment = Home Directories inherit acls = Yes read only = No valid users = %S %D%w%S [printers] browseable = No comment = All Printers create mask = 0600 path = /var/tmp printable = Yes [print$] comment = Printer Drivers create mask = 0664 directory mask = 0775 force group = @printadmin path = /var/lib/samba/drivers write list = @printadmin root
After successfully joining Linux server to Windows Active Directory, it is essential that you restart Winbind and enable the service to auto start at boot:
[root@centos-8 ~]# systemctl enable winbind --now Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
Check the status of Winbind service
[root@centos-8 ~]# systemctl status winbind ● winbind.service - Samba Winbind Daemon Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2019-10-18 14:48:25 IST; 20s ago Docs: man:winbindd(8) man:samba(7) man:smb.conf(5) Main PID: 1756 (winbindd) Status: "winbindd: ready to serve connections..." Tasks: 2 (limit: 11506) Memory: 6.6M CGroup: /system.slice/winbind.service ├─1756 /usr/sbin/winbindd --foreground --no-process-group └─1758 /usr/sbin/winbindd --foreground --no-process-group Oct 18 14:48:25 centos-8.golinuxcloud.com systemd: Starting Samba Winbind Daemon...
After you add CentOS 8 to Windows Domain Controller it is necessary that you run some checks on the client host i.e. CentOS 8 to make sure it is able to reach Active Directory properly.
You can test whether everything is working properly with wbinfo -t. The command runs an encrypted RPC call, which is only possible if the server really is a member in the domain:
[root@centos-8 ~]# wbinfo -t checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded
List AD users.
[root@centos-8 ~]# wbinfo -u GOLINUXCLOUD+administrator GOLINUXCLOUD+guest GOLINUXCLOUD+krbtgt
List AD groups.
[root@centos-8 ~]# wbinfo -g GOLINUXCLOUD+winrmremotewmiusers__ GOLINUXCLOUD+domain computers GOLINUXCLOUD+domain controllers GOLINUXCLOUD+schema admins GOLINUXCLOUD+enterprise admins GOLINUXCLOUD+cert publishers GOLINUXCLOUD+domain admins GOLINUXCLOUD+domain users GOLINUXCLOUD+domain guests GOLINUXCLOUD+group policy creator owners GOLINUXCLOUD+ras and ias servers GOLINUXCLOUD+allowed rodc password replication group GOLINUXCLOUD+denied rodc password replication group GOLINUXCLOUD+read-only domain controllers GOLINUXCLOUD+enterprise read-only domain controllers GOLINUXCLOUD+cloneable domain controllers GOLINUXCLOUD+protected users GOLINUXCLOUD+dnsadmins GOLINUXCLOUD+dnsupdateproxy
Run authselect to list available profiles
# authselect list - nis Enable NIS for system authentication - sssd Enable SSSD for system authentication (also for local users only) - winbind Enable winbind for system authentication
Select winbind profile, Here we have used
--force to overwrite certain system files
[root@centos-8 ~]# authselect select winbind --force Backup stored at /var/lib/authselect/backups/2019-10-18-09-21-15.ah1i42 Profile "winbind" was selected. The following nsswitch maps are overwritten by the profile: - passwd - group Make sure that winbind service is configured and enabled. See winbind documentation for more information.
But before overwriting, the original files will be backed up which you can see in my case are available at below location
[root@centos-8 ~]# ls -l /var/lib/authselect/backups/2019-10-18-09-21-15.ah1i42/ total 24 -rw-r--r--. 1 root root 701 Oct 18 14:51 fingerprint-auth -rw-r--r--. 1 root root 1516 Oct 18 14:51 nsswitch.conf -rw-r--r--. 1 root root 760 Oct 18 14:51 password-auth -rw-r--r--. 1 root root 398 Oct 18 14:51 postlogin -rw-r--r--. 1 root root 743 Oct 18 14:51 smartcard-auth -rw-r--r--. 1 root root 760 Oct 18 14:51 system-auth
/etc/nsswitch.conf has the following
group entries. In this file, you have to tell Linux that it should use Winbind before trying to authenticate locally on Linux.
passwd: files winbind systemd group: files winbind systemd
Test resolving AD users and groups and authentication of users.
[root@centos-8 ~]# getent passwd GOLINUXCLOUD+Administrator GOLINUXCLOUD+administrator:*:2000500:2000513::/home/GOLINUXCLOUD/administrator:/bin/bash [root@centos-8 ~]# id GOLINUXCLOUD+Administrator uid=2000500(GOLINUXCLOUD+administrator) gid=2000513(GOLINUXCLOUD+domain users) groups=2000513(GOLINUXCLOUD+domain users),2000500(GOLINUXCLOUD+administrator),2000572(GOLINUXCLOUD+denied rodc password replication group),2000518(GOLINUXCLOUD+schema admins),2000519(GOLINUXCLOUD+enterprise admins),2000520(GOLINUXCLOUD+group policy creator owners),2000512(GOLINUXCLOUD+domain admins)
Getting a TGT from Kerberos
To get a TGT from Kerberos we can use the kinit command. This utility is included in the
[root@centos-8 ~]# yum -y install krb5-workstation
After installing it with yum we can obtain a TGT with
[root@centos-8 ~]# kinit Administrator@GOLINUXCLOUD.COM Password for Administrator@GOLINUXCLOUD.COM:
We can also list the ticket with
[root@centos-8 ~]# klist Ticket cache: KCM:0 Default principal: Administrator@GOLINUXCLOUD.COM Valid starting Expires Service principal 10/19/2019 04:12:40 10/19/2019 14:12:40 krbtgt/GOLINUXCLOUD.COM@GOLINUXCLOUD.COM renew until 10/26/2019 04:12:37
Lastly I hope the steps from the article to join/add CentOS 8 to Windows Domain Controller on Linux was helpful. So, let me know your suggestions and feedback using the comment section.