CentOS with Active Directory

Today's blog will explain how you add a Linux machine (CentOS/RedHat/Fedora) to a Windows Server 2019 Active Directory domain.

 

NOTE: If you are using Fedora, replace yum with dnf throughout this article.

 

Before installing anything on your Linux machine you need to know the following things:

 

REQUIREMENTS:

  • NetBIOS name of your domain (e.g. MyCorpDomain)
  • Fully Qualified Domain Name (FQDN) (e.g. MyCorpDomain.Com)
  • Name or IP of your Domain Controller
  • A Domain Admin account

BEFORE YOU START:
Make sure you have updated your Linux system first:

# yum update

INSTALLATION:

Log in as root or use sudo to be able to install the following packages.
Depending on how your system is set up, it may pull in a lot of dependencies.
# yum install sssd realmd ntp ntpdate samba samba-common oddjob oddjob-mkhomedir adcli

NTP CONFIGURATION:

Before you start, make sure you have set up Network Time Protocol (ntp) first.
Kerberos rejects tickets when the clock skew between client and Domain Controller exceeds five minutes by default, so the domain join and later logins depend on the time being right.
At a minimum, verify /etc/ntp.conf and that the service is up and running.
You can use your Domain Controller as time server, or a dedicated NTP server as I do in this case.

# cat /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.mycorpdom.com iburst
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor

Verify that your NTP service is running and restart it if you have made changes.

# systemctl status ntpd
ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: inactive (dead)
# systemctl restart ntpd

JOIN YOUR DOMAIN:

Now we can join the Windows Active Directory domain.

# realm join --user=adminaccount@mycorpdomain.com mycorpdomain.com

Now you can verify that it has joined the domain, both from Windows and from Linux.

# realm list
mycorpdomain.com
type: Kerberos
realm-name: MYCORPDOMAIN.COM
domain-name: mycorpdomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@mycorpdomain.com
login-policy: allow-realm-logins

USE DEFAULT DOMAIN FOR LOGIN:

When I set up a Linux server in our domain, I want to make sure it is easy to log in with just a username.
I normally remove the FQDN part of the login. By modifying sssd.conf you can make sure you only need your username, and not Username@MyCorpDomain.com, when you log in.

In sssd.conf, find the use_fully_qualified_names line and make sure it is set to False; if not, change it to False and save the file.

# cat /etc/sssd/sssd.conf
[sssd]
domains = mycorpdomain.com
config_file_version = 2
services = nss, pam
[domain/mycorpdomain.com]
ad_domain = mycorpdomain.com
krb5_realm = MYCORPDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

Now try to log in as one of your domain users; if it doesn't work, restart the sssd service so it picks up the change.

# su my.user.account
su: user my.user.account does not exist
# systemctl restart sssd
# su - my.user.account
[my.user.account@rss1 ~]$ exit

ADD SUDO ACCESS:

You can add sudo access either per user or for a Windows Active Directory user group.
To see the full names of all groups the user belongs to in Active Directory, and how they are presented in Linux, use the id command (the output below comes from a Swedish-localized system, so it says grupper instead of groups).
# id my.user.account
uid=288001152(my.user.account) gid=288001132(corp linux adm) grupper=288001132(corp linux adm),288001133(corp users),288002361(domain users)

In my case I want to add the group "Corp Linux Adm" so that everyone who belongs to that group can run any sudo command. Keep in mind that anyone who can change that group's membership in Active Directory can then get root on this host, so treat it like any other privileged group.

Let's open /etc/sudoers with visudo (it launches your favorite editor, vi by default, and checks the syntax before saving) and add the following line:
"%corp linux adm" ALL=(ALL) ALL

I have read many examples out there where you need to type DOMAIN\MY GROUP or DOMAIN\\MY GROUP and multiple other versions.

But because you are using the default domain in your login account, Linux will automatically search for your group in your domain, so you don't need to specify any domain in sudoers.
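The two hand-edited files in this setup, sssd.conf and sudoers, are where things usually go wrong: a malformed [domain/...] header or use_fully_qualified_names left at True, and a group name with spaces quoted incorrectly. The script below is an added example (not from the original post) that checks a copy of sssd.conf and builds the sudoers line from id output; the file path, domain and username are assumed to be passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the two
# hand-edited files in this setup, sssd.conf and sudoers.
# Assumption: file paths and `id` output are passed in as arguments, so the
# checks can run against a copy of the real files on any machine.

# Return 0 if the sssd.conf at $1 is set up for short-name logins against
# the domain named in $2; print each problem found and return 1 otherwise.
check_sssd_conf() {
    conf="$1"; domain="$2"; rc=0
    # The header must be exactly [domain/<domain>]: a stray space such as
    # "[domain/ mycorpdomain.com]" makes sssd ignore the whole section.
    if ! grep -qxF "[domain/$domain]" "$conf"; then
        echo "missing or malformed [domain/$domain] section"; rc=1
    fi
    # Must be False for "su - user" (without @domain) to resolve the account.
    if ! grep -qiE '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*false' "$conf"; then
        echo "use_fully_qualified_names is not False"; rc=1
    fi
    # access_provider = ad makes AD logon restrictions apply on this host.
    if ! grep -qE '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$conf"; then
        echo "access_provider is not ad"; rc=1
    fi
    return "$rc"
}

# Turn the primary group in `id` output ($1) into a sudoers line, e.g.
# 'gid=288001132(corp linux adm)' -> '"%corp linux adm" ALL=(ALL) ALL'.
# A group name containing spaces is quoted as a whole, % prefix included.
sudoers_line_for_primary_group() {
    group=$(printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p')
    [ -n "$group" ] || return 1
    printf '"%%%s" ALL=(ALL) ALL\n' "$group"
}

# Usage: sh check_ad_setup.sh /etc/sssd/sssd.conf mycorpdomain.com my.user.account
if [ "$#" -eq 3 ]; then
    check_sssd_conf "$1" "$2" && echo "sssd.conf looks good"
    sudoers_line_for_primary_group "$(id "$3")"
fi
```

Validate the generated line with visudo -cf on a scratch file before installing it, preferably as a drop-in under /etc/sudoers.d rather than an edit of /etc/sudoers itself.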

 

I hope this helps,

Christian Petersson
