
Join RHEL or CentOS 8 to an Active Directory Domain using SSSD

April 12, 2020 - by Zsolt Agoston - last edited on May 8, 2020

The task for today is to join a Microsoft Active Directory domain with our CentOS box.

We use the sssd package to accomplish this. Starting from a basic CentOS installation, we go through the initial setup, then the joining process, and lastly we log in to the box with a domain user.

Before You Begin

We will be working with the following configuration

Domain to join:    jd0e.com
Domain Controller: DC.jd0e.com (10.0.1.1)
AD user account:   JD0E\admin
RHEL computer:     CentOSBox (10.0.2.10)

Make sure your computer's hostname is added to the AD DNS system. It is not critical, but it keeps the network consistent.

It is critical to add a domain controller to /etc/resolv.conf, as the CentOS box needs it to find the AD server (the domain is discovered through DNS) and to start the joining process.

It is also very important to have the ntp (or in CentOS 8: chrony) service running so the clock on the server is always correct, otherwise Kerberos will not work! By default a difference of only 5 minutes between the clocks is tolerated 🙂

# Set the fully qualified hostname (/etc/hostname holds a single name)
echo CentOSBox.jd0e.com | sudo tee /etc/hostname

# Add the AD domain controller as the DNS server to query
echo nameserver 10.0.1.1 | sudo tee /etc/resolv.conf

# Reboot the server
sudo reboot

If NetworkManager keeps overwriting your DNS entries in /etc/resolv.conf after a reboot, the DNS servers are set in the network interface file.

Search for it:
ls -l /etc/sysconfig/network-scripts/ifcfg-ens*

Here the interface is ens18, so I edit its file, leaving only DNS1=10.0.1.1
sudo vi /etc/sysconfig/network-scripts/ifcfg-ens18
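The three prerequisites above (the DC listed as a nameserver, an FQDN hostname, and a clock inside the 5-minute Kerberos window) are easy to get wrong and hard to diagnose after the join fails, so here they are as one POSIX shell pre-flight script. This is an added example, not code from the original post; the function names and the two chronyc tracking transcripts embedded as samples are constructed for the illustration, and the only real tools it calls are hostname and chronyc.

```shell
#!/bin/sh
# Added example: pre-flight checks before "realm join". Function names and
# the embedded chronyc transcripts are constructed for this illustration.

MAX_SKEW_SECONDS=300   # Kerberos default clock-skew tolerance (5 minutes)

# hostname_is_fqdn NAME: succeed when NAME has at least one dot and every
# label is letters/digits/hyphens with no leading or trailing hyphen.
hostname_is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# resolv_lists_nameserver FILE IP: succeed when FILE (resolv.conf format)
# contains a "nameserver IP" line, so the box can find the domain controller.
resolv_lists_nameserver() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ip_re}([[:space:]]|\$)" "$1"
}

# chrony_offset_seconds TEXT: signed local-clock offset parsed from the
# "System time : N seconds fast|slow of NTP time" line of `chronyc tracking`.
# "slow" means the local clock is behind, so it is reported as negative.
chrony_offset_seconds() {
    printf '%s\n' "$1" | awk -F: '/^System time/ {
        n = split($2, f, " ")        # f[1]=offset f[2]="seconds" f[3]=fast|slow
        if (n >= 3 && f[3] == "slow") printf "-%s\n", f[1]; else printf "%s\n", f[1]
    }'
}

# skew_within_tolerance OFFSET: succeed when |OFFSET| < MAX_SKEW_SECONDS.
skew_within_tolerance() {
    awk -v o="$1" -v max="$MAX_SKEW_SECONDS" \
        'BEGIN { if (o < 0) o = -o; r = (o < max) ? 0 : 1; exit r }'
}

# chrony_tracking_ok TEXT: succeed when chrony reports a synchronised clock
# ("Leap status : Normal") whose offset is inside the Kerberos window.
chrony_tracking_ok() {
    printf '%s\n' "$1" | grep -Eq '^Leap status[[:space:]]*:[[:space:]]*Normal' || return 1
    off=$(chrony_offset_seconds "$1")
    [ -n "$off" ] && skew_within_tolerance "$off"
}

# Constructed sample transcripts in chronyc tracking format (not real output).
SAMPLE_TRACKING_OK=$(cat <<'EOF'
Reference ID    : 0A000101 (DC.jd0e.com)
Stratum         : 4
Ref time (UTC)  : Sun Apr 12 10:15:02 2020
System time     : 0.000012345 seconds fast of NTP time
Last offset     : +0.000003210 seconds
Frequency       : 12.345 ppm slow
Leap status     : Normal
EOF
)
SAMPLE_TRACKING_SKEWED=$(cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 342.170000000 seconds slow of NTP time
Leap status     : Not synchronised
EOF
)

# run_preflight DC_IP: run every check against the live system.
run_preflight() {
    rc=0
    h=$(hostname)
    if hostname_is_fqdn "$h"; then echo "ok   hostname: $h"
    else echo "FAIL hostname '$h' is not an FQDN"; rc=1; fi
    if resolv_lists_nameserver /etc/resolv.conf "$1"; then echo "ok   $1 is listed in /etc/resolv.conf"
    else echo "FAIL $1 is missing from /etc/resolv.conf"; rc=1; fi
    if chrony_tracking_ok "$(chronyc tracking 2>/dev/null)"; then echo "ok   clock synchronised, skew under ${MAX_SKEW_SECONDS}s"
    else echo "FAIL clock not synchronised or skew too large (check chronyd)"; rc=1; fi
    return $rc
}

# Usage: sh preflight.sh run 10.0.1.1
case "${1:-}" in run) run_preflight "${2:-10.0.1.1}" ;; esac
```

Run it with `sh preflight.sh run 10.0.1.1` before `realm join`; a FAIL on the clock line is the usual reason for the otherwise cryptic Kerberos errors during the join.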

1. Install sssd and the required packages

We need the following packages on our machine to use AD authentication with Kerberos, and to have the CIFS utilities for mounting Windows SMB shares:

sudo yum install -y sssd realmd samba-common krb5-workstation oddjob oddjob-mkhomedir adcli

2. Joining the domain

We are going to join our jd0e.com AD realm with the JD0E\admin user account:

sudo realm join --user admin DC.jd0e.com

After the command has run, check that the join completed successfully:

[john@CentOSBox root]$ sudo realm list
jd0e.com
  type: kerberos
  realm-name: JD0E.COM
  domain-name: jd0e.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@jd0e.com
  login-policy: allow-realm-logins

Excellent, we are a member of the jd0e.com domain now. We can even verify that the CentOSBox computer account appeared in the “CN=Computers,DC=jd0e,DC=com” container on our domain controller.


3. Tweak the sssd.conf file

Because this is a single-domain environment we want the system to accept plain usernames (admin) as well as the fully qualified form (admin@jd0e.com). We also restrict who may log in: with access_provider = simple and simple_allow_groups = Domain Admins, only members of the Domain Admins group are allowed onto the CentOS box and every other domain user is denied at the access check. Giving that group superuser rights is done with sudo in step 4.

We edit the /etc/sssd/sssd.conf file accordingly

[sssd]
domains = jd0e.com
config_file_version = 2
services = nss, pam

[domain/jd0e.com]
ad_server = dc.jd0e.com
ad_domain = jd0e.com
krb5_realm = JD0E.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Domain Admins

Now restart the sssd service. Note that sssd refuses to start if /etc/sssd/sssd.conf is not owned by root with mode 0600, so check the file permissions if the restart fails.

sudo systemctl restart sssd

4. Make the [domain]\Domain Admins superusers

We also want the Domain Admins group in AD to have superuser rights. For that we create an additional sudoers drop-in file in /etc/sudoers.d and add the group there. Use visudo to edit it so the file is syntax-checked before it is saved; a broken drop-in can lock every administrator out of sudo. The group is written as it appears on the Linux side, with the space in the name escaped by a backslash. NOPASSWD:ALL gives every member passwordless root; drop the NOPASSWD: tag if you want sudo to prompt for the user's AD password.

sudo visudo -f /etc/sudoers.d/sudoers

%domain\ admins ALL=(ALL:ALL) NOPASSWD:ALL
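Steps 3 and 4 are where a misconfiguration silently widens access: a missing access_provider makes sssd fall back to permit (every domain user may log in), access_provider = simple with no allow list permits everyone too, wrong permissions keep sssd from starting at all, and a NOPASSWD:ALL rule is passwordless root for the whole group. The following shell script checks those four points against the live files. It is an added example, not code from the original post; the function names are constructed for the illustration, and it relies on GNU stat and on visudo's check mode.

```shell
#!/bin/sh
# Added example: sanity checks for the sssd.conf (step 3) and sudoers.d
# (step 4) files. Function names are constructed for this illustration.

# file_mode FILE: octal permission bits, e.g. 600 (GNU stat).
file_mode() { stat -c '%a' "$1"; }

# sssd refuses to start unless its config file is owned by root and
# readable by nobody else (mode 0600); the two checks are kept separate
# so the mode check can be exercised on a non-root test file.
sssd_conf_mode_ok()  { [ "$(file_mode "$1")" = "600" ]; }
sssd_conf_owner_ok() { [ "$(stat -c '%U' "$1")" = "root" ]; }

# sssd_conf_get FILE SECTION KEY: print the value of KEY inside [SECTION]
# (nothing when absent). Sufficient for the flat "key = value" layout.
sssd_conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/                           { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# sssd_conf_access_ok FILE DOMAIN: succeed when [domain/DOMAIN] actually
# restricts who may log in. Without access_provider sssd defaults to
# "permit"; access_provider = simple with no allow list also permits everyone.
sssd_conf_access_ok() {
    sec="domain/$2"
    ap=$(sssd_conf_get "$1" "$sec" access_provider)
    allow="$(sssd_conf_get "$1" "$sec" simple_allow_groups)$(sssd_conf_get "$1" "$sec" simple_allow_users)"
    case "$ap" in
        "")     echo "WARN [$sec]: access_provider unset, sssd defaults to permit"; return 1 ;;
        simple) [ -n "$allow" ] || { echo "WARN [$sec]: access_provider = simple with no allow list"; return 1; } ;;
    esac
    return 0
}

# sudoers_has_nopasswd_all FILE: succeed when a non-comment rule grants
# NOPASSWD:ALL, i.e. passwordless root for every member of the listed group.
sudoers_has_nopasswd_all() {
    grep -Eq '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# sudoers_syntax_ok FILE: let visudo check the drop-in's syntax, owner and
# mode (a syntax error in /etc/sudoers.d can lock every admin out of sudo).
sudoers_syntax_ok() { visudo -cf "$1" >/dev/null; }

# run_checks SSSD_CONF SUDOERS_FILE DOMAIN: report on the live files.
run_checks() {
    rc=0
    if sssd_conf_mode_ok "$1" && sssd_conf_owner_ok "$1"; then echo "ok   $1 is root-owned, mode 0600"
    else echo "FAIL $1 must be root-owned, mode 0600, or sssd will not start"; rc=1; fi
    if [ "$(sssd_conf_get "$1" "domain/$3" use_fully_qualified_names)" = "False" ]; then echo "ok   short user names accepted"
    else echo "note logins will need the user@$3 form"; fi
    if sssd_conf_access_ok "$1" "$3"; then echo "ok   login restricted to: $(sssd_conf_get "$1" "domain/$3" simple_allow_groups)"
    else rc=1; fi
    if sudoers_syntax_ok "$2"; then echo "ok   $2 parses"
    else echo "FAIL $2 has a syntax, owner or mode problem"; rc=1; fi
    if sudoers_has_nopasswd_all "$2"; then echo "note $2 grants passwordless sudo; drop NOPASSWD: to require the user's password"; fi
    return $rc
}

# Usage (as root): sh check-sssd-setup.sh run
case "${1:-}" in
    run) run_checks /etc/sssd/sssd.conf /etc/sudoers.d/sudoers jd0e.com ;;
esac
```

Run it as root after the sssd restart; everything it reports on is in the two files you just edited, so a FAIL line points straight at the change to make.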

5. Add the CentOS server to the AD DNS system

Not a critical step but it’s nice to add the CentOSBox A record to the jd0e.com zone.


It will make administration easier later as we don’t need to remember the IP address of the box, the name will be enough: CentOSBox.jd0e.com or simply using the NETBIOS name on a domain computer: CentOSBox

6. Log in with a domain account

We log in to the linux box with the admin@jd0e.com admin account, and make sure it has superuser rights 🙂

