
Joining RHEL Linux to an Active Directory (AD) domain

Integrating Red Hat Enterprise Linux (RHEL) systems with Active Directory (AD) simplifies centralized authentication, user management, and access control. Using SSSD (System Security Services Daemon), Linux hosts can seamlessly authenticate AD users, manage permissions, and enforce access policies across your enterprise. This guide walks you through joining RHEL 7, 8, 9, or 10 to AD, with detailed steps, troubleshooting tips, and best practices.

Prerequisites
Before starting, ensure your system meets the following requirements:
RHEL Installation: RHEL 7/8/9/10 with root or sudo access.
Network Connectivity: The Linux host must reach AD Domain Controllers (DCs) on these ports:
  • 53 – DNS
  • 88 – Kerberos
  • 389 – LDAP
  • 464 – Kerberos password changes
  • 445 – SMB
DNS: Point /etc/resolv.conf to your AD DCs:
nameserver <DC_IP>
Verify SRV records:
# nslookup -type=SRV _ldap._tcp.example.com

Hostname: Set a fully qualified hostname:
# hostnamectl set-hostname myhost.example.com
# hostnamectl

Update /etc/hosts if short-name resolution is needed.
Time Synchronization: Install chrony or ntp and sync the clock with a DC:
# ntpdate -u <DC_IP>
or check that chrony is tracking a source:
# chronyc sources
Kerberos authentication fails if clocks drift more than 5 minutes.
AD Account: A user with domain join permissions (Domain Admin or delegated rights).

Firewall: Temporarily disable it for the join (re-enable it afterwards, allowing the ports listed above):
# systemctl stop firewalld
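A pre-join check script covering the prerequisites above (SRV discovery, reachability of the listed DC ports, and the 5-minute clock limit). It is an added example, not code from the original post, and assumes dig, chronyc, timeout and bash's /dev/tcp are available on the host.

```shell
#!/usr/bin/env bash
# Pre-join checks for the prerequisites above: SRV discovery, reachability of the
# listed DC ports, and clock drift. Added example (not from the post); it assumes
# dig, chronyc, timeout and bash's /dev/tcp are present on the host.
set -u
DC_PORTS="53 88 389 464 445"   # the ports listed in the prerequisites
MAX_DRIFT=300                  # Kerberos rejects clocks more than 5 minutes apart

# Turn "dig +short SRV" lines (priority weight port target.) into bare hostnames,
# lowest priority value first so the preferred DCs are tested first.
parse_srv_targets() {
  sort -n -k1,1 | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Discover DCs for DOMAIN via the _ldap._tcp SRV record that realm discover relies on.
srv_targets() {  # srv_targets DOMAIN
  dig +short SRV "_ldap._tcp.$1" | parse_srv_targets
}

# TCP connect test with a 3-second timeout using bash's /dev/tcp (no nc required).
port_open() {  # port_open HOST PORT
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Succeeds when the absolute clock offset (seconds, fractional allowed) is within MAX_DRIFT.
drift_within_limit() {  # drift_within_limit OFFSET_SECONDS
  awk -v off="$1" -v max="$MAX_DRIFT" 'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# Offset reported by chronyd: "System time : 0.000012 seconds fast of NTP time".
chrony_offset() {
  chronyc tracking 2>/dev/null | awk '/^System time/ { print $4 }'
}

preflight() {  # preflight DOMAIN -> exit 0 only when every check passes
  local dom=$1 rc=0 dc p dcs off
  dcs=$(srv_targets "$dom")
  [ -n "$dcs" ] || { echo "FAIL no _ldap._tcp.$dom SRV records"; return 1; }
  for dc in $dcs; do
    for p in $DC_PORTS; do
      port_open "$dc" "$p" && echo "ok   $dc:$p" || { echo "FAIL $dc:$p unreachable"; rc=1; }
    done
  done
  off=$(chrony_offset)
  if [ -n "$off" ] && drift_within_limit "$off"; then echo "ok   clock offset ${off}s"
  else echo "FAIL clock offset '${off:-unknown}' (limit ${MAX_DRIFT}s)"; rc=1; fi
  return $rc
}
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it as `bash preflight.sh example.com` before `realm join`; a FAIL line names the DC and port (or the clock) to fix first.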

Install Required Packages
Install the necessary packages using DNF (RHEL 8+) or YUM (RHEL 7):
# sudo dnf install realmd sssd krb5-workstation samba-common-tools oddjob oddjob-mkhomedir adcli openldap-clients sssd-tools

Package Overview:
  • realmd: Automates domain discovery and joining.
  • sssd: Manages caching, authentication, and identity lookups.
  • krb5-workstation: Kerberos tools like kinit.
  • samba-common-tools: AD utilities such as net ads.
  • oddjob-mkhomedir: Creates home directories on login.
  • adcli & openldap-clients: AD enrollment and LDAP queries.
Enable and start the oddjobd service:
# sudo systemctl enable --now oddjobd

Configure Kerberos
Before joining the domain, configure /etc/krb5.conf for encryption types supported by modern AD:

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d

[realms]
 EXAMPLE.COM = {
   kdc = dc.example.com
   admin_server = dc.example.com
   permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 rc4-hmac
 }

Test Kerberos:
# kinit Administrator
# klist

Discover the AD Domain
Probe your domain to ensure connectivity:
# realm discover example.com

Use --verbose for detailed diagnostics.

If discovery fails, verify DNS, ports, and network connectivity.

Join the Domain
Join the domain using an AD admin account:
# sudo realm join --user=Administrator example.com

Optional Parameters:
  • --computer-ou="OU=Linux,DC=example,DC=com" – place the host in a specific AD OU.
  • --automatic-id-mapping=no – use explicit ID mapping.
  • --verbose – show detailed progress.
  • For RHEL 7, add --install=/.
Verify the join:
# realm list

Configure SSSD
realm join automatically generates a default /etc/sssd/sssd.conf. Customize if needed:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, sudo, autofs, ssh

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
sudo_provider = ad
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
access_provider = ad
dyndns_update = True

Secure the configuration:
# sudo chmod 600 /etc/sssd/sssd.conf
# sudo systemctl restart sssd
# sss_cache -E
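An audit script for the krb5.conf and sssd.conf settings from the two sections above: it flags rc4-hmac (kept in the sample krb5.conf for compatibility) and a missing rdns = false, and checks the sssd.conf mode, access_provider and use_fully_qualified_names values. It is an added example rather than the post's own code, assumes GNU stat and awk, and builds constructed sample files instead of touching /etc.

```shell
#!/usr/bin/env bash
# Audit of the krb5.conf and sssd.conf settings shown above. Added example, not
# part of the post; the two sample files built at the bottom are constructed.
set -u

# Print the value of KEY inside [SECTION] of an INI-style file such as sssd.conf.
ini_get() {  # ini_get FILE SECTION KEY
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# krb5.conf: flag rc4-hmac in any enctype list (RC4 Kerberos keys are the NT hash;
# modern DCs negotiate AES) and a missing rdns = false (the post sets it so the
# service principal is not rewritten from a reverse-DNS answer).
audit_krb5_conf() {  # audit_krb5_conf FILE -> number of findings
  local n=0
  grep -Eq '^[[:space:]]*[a-z_]*enctypes[[:space:]]*=.*rc4-hmac' "$1" &&
    { echo "WARN $1: rc4-hmac still permitted"; n=$((n+1)); }
  grep -Eq '^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false' "$1" ||
    { echo "WARN $1: rdns is not set to false"; n=$((n+1)); }
  return $n
}

# sssd.conf: mode 600 as the post requires, access_provider = ad so disabled or
# restricted AD accounts are refused, and fully qualified names so an AD user
# cannot shadow a local account of the same short name.
audit_sssd_conf() {  # audit_sssd_conf FILE DOMAIN -> number of findings
  local f=$1 sec="domain/$2" n=0 mode
  mode=$(stat -c %a "$f")
  [ "$mode" = 600 ] || { echo "FAIL $f: mode $mode, want 600"; n=$((n+1)); }
  [ "$(ini_get "$f" "$sec" access_provider)" = ad ] ||
    { echo "FAIL $f: access_provider is not ad"; n=$((n+1)); }
  [ "$(ini_get "$f" "$sec" use_fully_qualified_names)" = True ] ||
    { echo "WARN $f: use_fully_qualified_names is not True"; n=$((n+1)); }
  return $n
}

# Constructed samples: a krb5.conf that still lists rc4-hmac and an sssd.conf
# left world-readable with access_provider = simple.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n rdns = false\n[realms]\n EX.COM = {\n  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac\n }\n' > "$demo_dir/krb5.conf"
printf '[sssd]\ndomains = example.com\n[domain/example.com]\naccess_provider = simple\nuse_fully_qualified_names = True\n' > "$demo_dir/sssd.conf"
chmod 644 "$demo_dir/sssd.conf"
audit_krb5_conf "$demo_dir/krb5.conf" || echo "krb5.conf findings: $?"
audit_sssd_conf "$demo_dir/sssd.conf" example.com || echo "sssd.conf findings: $?"
```

Point the two functions at /etc/krb5.conf and /etc/sssd/sssd.conf (as root) to audit a real host; the return value is the finding count, so it can gate a configuration-management run.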

Verification and Testing

Check users/groups:
# id user@example.com
# getent passwd user@example.com
# getent group "Domain Users@example.com"

SSH Login: Home directories are auto-created if oddjob-mkhomedir is installed.
Kerberos Ticket:
# klist
Logs:
# journalctl -u sssd
# less /var/log/sssd/*

Grant Sudo Access to AD Users

Create a sudoers file for AD groups:
# sudo tee /etc/sudoers.d/admins <<EOF
%Domain\ Admins@example.com ALL=(ALL) ALL
EOF

Validate syntax:
# visudo -c
AD users in that group can now use sudo without local accounts. Setting sudo_provider = ad in SSSD additionally lets SSSD fetch sudo rules stored in AD, so rules can be managed centrally rather than in local sudoers files.

Troubleshooting
  • Join fails: Check DNS (dig SRV _ldap._tcp.example.com), time sync, ports (telnet dc.example.com 389), firewall.
  • Auth fails: sss_cache -E, systemctl restart sssd, verify /etc/nsswitch.conf has sss for passwd/group.
  • ID mapping: Set ldap_id_mapping = True or use adcli update for range allocation.
  • Home dirs: Ensure pam_oddjob_mkhomedir.so in /etc/pam.d/sshd.
  • Leave domain: realm leave --remove.
Conclusion
Joining RHEL systems to Active Directory with SSSD provides a secure, centralized authentication framework. By following this guide, your Linux hosts can seamlessly integrate into AD environments, simplifying user management and enforcing enterprise access policies.
