In this article, we will show you how to join servers or workstations running CentOS 8, RHEL, or Rocky Linux to an Active Directory domain using realmd, and how to authenticate to a Linux host using an Active Directory account. The Realmd (Realm Discovery) service makes discovering and adding Linux hosts to an AD domain much easier. Realmd uses SSSD (via Kerberos and LDAP) or Winbind to verify and authenticate Active Directory accounts.
First, you need to install the required packages:
$ sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation authselect-compat
Hint. On a new RHEL host, you first need to register the host and activate the subscription:
$ sudo subscription-manager register
$ sudo subscription-manager attach --auto
In the DNS settings, make sure the host uses name servers that can resolve names in the Active Directory domain (usually the AD domain controllers closest to you):
$ cat /etc/resolv.conf
nameserver 192.168.42.10
nameserver 192.168.142.10
search poweradm.com
Check that your Linux host is able to resolve your AD domain name:
$ realm discover poweradm.com
poweradm.com
type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Make sure the time on your host is synchronized with NTP sources in the domain (or a shared external NTP).
To join a Linux host to an Active Directory domain, you will need an AD account with domain administrator permissions (or an account that has been delegated the right to join computers to the domain).
To add a Linux host to a domain, run:
$ sudo realm join poweradm.com -U a.muller
Password for a.muller:
Check that your computer has established a trust relationship with the domain:
$ sudo realm list
poweradm.com
type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@poweradm.com
login-policy: allow-realm-logins
The computer account for your Linux host should appear in the Computers root OU (Organizational Unit) in AD.
To use Active Directory and configure sssd, run the commands:
$ sudo authselect select sssd
$ sudo authselect select sssd with-mkhomedir
Your /etc/sssd/sssd.conf file should look something like this:
$ cat /etc/sssd/sssd.conf
[sssd]
domains = poweradm.com
config_file_version = 2
services = nss, pam
default_domain_suffix = poweradm.com
[nss]
homedir_substring = /home
[pam]
[domain/poweradm.com]
ad_domain = poweradm.com
krb5_realm = POWERADM.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
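As an added example (not part of the original article), the following Python linter checks an sssd.conf before you restart sssd: every domain listed under `domains =` must have a matching `[domain/<name>]` section (otherwise sssd will not serve the domain), and for AD domains it flags `access_provider` values other than `ad` and disabled fully qualified names. The sample config is constructed for the example.

```python
"""Lint an sssd.conf written by 'realm join' before restarting sssd.
Added example, not from the article: catches a [domain/...] header that does
not match 'domains =', and weakened access/naming settings."""
import configparser

# Constructed sample: [sssd] enables poweradm.com but the section header says
# example.com, so sssd would not start the domain.
SAMPLE_BAD = """\
[sssd]
domains = poweradm.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = poweradm.com
krb5_realm = POWERADM.COM
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the config looks sane."""
    # interpolation=None: sssd values such as /home/%u@%d contain literal '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    findings = []
    for d in enabled:
        if d not in defined:
            findings.append(f"'{d}' is enabled in [sssd] but has no [domain/{d}] section")
    for d in defined:
        sec = cp[f"domain/{d}"]
        if d not in enabled:
            findings.append(f"[domain/{d}] is defined but missing from 'domains ='")
        # access_provider = ad makes SSSD itself honour AD account disable/expiry,
        # which matters for logins that never reach the KDC (e.g. SSH public keys).
        ap = sec.get("access_provider", "permit")  # sssd's default is 'permit'
        if sec.get("id_provider") == "ad" and ap != "ad":
            findings.append(f"[domain/{d}]: access_provider is '{ap}', not 'ad'")
        # Fully qualified names (user@domain) keep AD and local account names apart.
        if sec.get("use_fully_qualified_names", "False").lower() != "true":
            findings.append(f"[domain/{d}]: use_fully_qualified_names is not True")
    return findings


def fix_domain_section(text, wrong, right):
    """Rename a mistyped [domain/<wrong>] header to [domain/<right>]."""
    return text.replace(f"[domain/{wrong}]", f"[domain/{right}]")
```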
After making the change to sssd.conf, restart the service:
$ sudo systemctl restart sssd
You can now authenticate to Linux using an Active Directory account (use the UPN format to log in to Linux: user@poweradm.com).
Make sure you can now get information about any AD user:
$ id muller1@poweradm.com
To allow specific domain users to log in to the Linux host (console and SSH), run:
$ sudo realm permit muller1@poweradm.com smith2@poweradm.com
Or allow access to a domain security group:
$ sudo realm permit -g LinuxAdmins@poweradm.com
To allow or deny access to all domain users:
$ sudo realm permit --all
$ sudo realm deny --all
By default, domain users cannot escalate privileges via sudo. Create a file:
$ sudo nano /etc/sudoers.d/linux-admins
Add the users and groups that are allowed to escalate privileges with sudo:
%LinuxAdmins@poweradm.com ALL=(ALL) ALL
aivanov@poweradm.com ALL=(ALL) ALL
Change file permissions:
$ sudo chmod 0440 /etc/sudoers.d/linux-admins
Now try to authenticate to your Linux host with your AD domain account.
The next article will show how to join an Ubuntu or Debian host to an AD domain.