Join RHEL or compatible (Oracle Linux, Rocky Linux, AlmaLinux, etc) to AD

This article provides instructions for joining Linux computers to the Active Directory.

Prerequisites

Before proceeding you will need an account with domain join privileges and an OU in AD for the Linux servers' computer accounts. You can use the same account that you use to join Windows systems to the domain. If you don't already know your account and OU, contact your Active Directory OU Administrator (for example, if you are in the School of Medicine, this will be someone on the School of Medicine IT staff). The Basic Prechecks Steps article lists the permissions such an account needs, if one has to be created. If you don't have an OU, open a Request with ITS-Systems-Administration.

The process for joining a host to the domain differs slightly from Operating System (OS) version to version, so check the OS version specifics reference page for the details that apply to the OS version you are working with. If you don't have an access.redhat.com account, send a service request to ITS-Systems-Administration.

 

Procedure

Consider automating this procedure with Ansible.  Red Hat actually contributes to and supports an Ansible role to join RHEL systems to AD. See Direct AD Integration Role article for more information.

 

Join the domain

  • First you must install the required packages. For example, on a RHEL 8/CentOS 8 host you would need to install the following:

yum install adcli realmd sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat sssd-tools

  • Once installed ensure that sssd.service is enabled and running.

systemctl enable --now sssd.service

  • Next, run the following to discover the realm. For example, discovery of ad.unc.edu.

realm discover ad.unc.edu 

  • Join the domain with the OU.

realm join ad.unc.edu --user=YOUR-ACCOUNT-NAME --computer-ou=OU=DeptLinux,OU=FOO,OU=BAR,OU=UNC,DC=ad,DC=unc,DC=edu --automatic-id-mapping=no

  • Verify the realm information.

realm list

 

sssd.conf configuration

  • If you don't want usernames and home directories to include @ad.unc.edu, set use_fully_qualified_names = False and adjust fallback_homedir in sssd.conf.

Edit /etc/sssd/sssd.conf

[sssd]
domains = ad.unc.edu
config_file_version = 2
services = nss, pam

[domain/ad.unc.edu]
...
use_fully_qualified_names = False
fallback_homedir = /home/%u

...

  • Restart sssd.service.

systemctl restart sssd.service

  • At this point, you should be able to use standard commands to enumerate AD users and groups that have POSIX attributes.

ex. getent group rc_greatgroup_psx

ex. getent passwd jdoe

 

Authorization

By default, AD group policy for the computer OU is used to control access. If you already have a group policy in your OU, you probably want to create a Linux child OU. See man sssd-ad and the RHEL 8 documentation.

In our environment, you will need to add 'ad_gpo_ignore_unreadable = True' to the end of /etc/sssd/sssd.conf for this to work.

Red Hat's documentation does not make clear that SSSD uses 'Allow log on locally' to control console login and 'Allow log on through Terminal Services' to control ssh access.  For example:
Computer Configuration

If you work with IDM to create groups of onyens with POSIX attributes in Grouper and have them synced to AD, you can permit access for all of the users in the group.

realm permit -g GROUP_NAME

Using the realm permit command will change access_provider=ad to access_provider=simple in /etc/sssd/sssd.conf and add the allowed users and/or groups to that file.

See man realm for other options.

Finally, you can now test access for users:

sssctl user-checks jdoe -s sshd

sssctl user-checks jdoe -s login
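The sssd.conf settings from the two sections above (use_fully_qualified_names, fallback_homedir and ad_gpo_ignore_unreadable) are easy to get wrong, and a host that is missing one typically shows up as "nobody can log in" rather than a clear error. The following script is an added example, not part of this article: it reads a setting from the [domain/REALM] section of an sssd.conf and reports every value that differs from what this article expects, running against two constructed sample files (the function names and samples are assumptions, not from the article).

```shell
#!/bin/sh
# Added example (not from the article): check that an sssd.conf carries the
# settings this article expects. Runs against constructed sample files only.

# Print the value of KEY in the [domain/REALM] section of FILE (empty if unset).
sssd_domain_value() {
    file="$1"; realm="$2"; key="$3"
    awk -v sect="[domain/$realm]" -v key="$key" '
        { sub(/[ \t]+$/, "") }                  # drop trailing whitespace
        /^\[/ { in_sect = ($0 == sect); next }  # track the current section
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$file"
}

# Print one line per setting that differs from what the article expects.
# Exit status is the number of findings (0 = all good).
audit_sssd_conf() {
    file="$1"; realm="$2"; problems=0
    for pair in use_fully_qualified_names=False fallback_homedir=/home/%u \
                ad_gpo_ignore_unreadable=True; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sssd_domain_value "$file" "$realm" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample configs (not captured from a real host).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = ad.unc.edu

[domain/ad.unc.edu]
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_gpo_ignore_unreadable = True
EOF
cat > "$BAD_CONF" <<'EOF'
[domain/ad.unc.edu]
fallback_homedir = /home/%u@%d
EOF

audit_sssd_conf "$GOOD_CONF" ad.unc.edu && echo "good config: no findings"
audit_sssd_conf "$BAD_CONF" ad.unc.edu || echo "bad config: $? finding(s)"
```

To audit a real host, point audit_sssd_conf at /etc/sssd/sssd.conf (it is root-only, mode 0600) and the realm shown by realm list; a non-zero exit status is a good candidate for a post-join check in an Ansible playbook.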


Details

Article ID: 247
Created
Thu 6/27/24 1:09 AM
Modified
Fri 6/28/24 11:36 AM