Add RHEL 8 server to Active Directory

So there I was looking for which accounts I created on my test VMs. Because, of course, I didn’t use the same account name on all of the test clients. That would have made too much sense. With some of the changes to Windows 10 20H2 that I’ll talk about in another posting, I thought it would be nice if I could just log into my test RHEL VMs using the same Active Directory credentials I use on my workstation. And now you get to benefit from my Google time. 😉

This one isn’t hard, and it has been documented numerous times on numerous blogs. My contribution will mostly repeat the good work done by Josephat Mutai @ Computing for Geeks.

The first step is to install the packages required. On a RHEL 7 system, you would install them like this:

# yum install -y realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

On a RHEL 8 system, you can use either yum or dnf to install this set of packages:

# yum install -y realmd sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

Once the packages are installed, it’s important to ensure your domain controllers are listed as nameservers in /etc/resolv.conf, like so:

# This is the contents of /etc/resolv.conf
nameserver 10.110.42.2
nameserver 192.168.21.2
search darkhonor.net

Once DNS is configured, you will want to verify the system can properly find all configured domain controllers on your network using dig:

$ dig -t SRV _ldap._tcp.example.com
$ dig -t SRV _kerberos._tcp.example.com
$ dig -t SRV _ldap._tcp.dc._msdcs.example.com

If all three commands return your configured domain controllers, we have one last check to make. We need to make sure realmd can find your domain:

$ realm discover example.com

The output should show a realm of type kerberos that has not yet been configured, and the server-software line should read “active-directory.”

If all is well, go ahead and attempt to join the system to the domain. A couple of important points:

  • This command needs to be run as root or with an approved sudo account
  • You will need to specify an account in your Active Directory that is authorized to add systems to the domain

# realm join example.com -U <domain admin user>

After entering the password, you shouldn’t have any other output from the command. On your domain controller, you should be able to see the new account in the “Computers” OU. On a RHEL 8 system, you will need to run the following two commands:

# authselect select sssd
# authselect select sssd with-mkhomedir

This will configure the system to use Active Directory as an authentication source and configure /etc/sssd/sssd.conf. Here is my file:

That’s it! You should be able to log in using your Active Directory credentials. The key will be to use the full credential, i.e. the user principal name in the form user@example.com.
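As an added example (not part of the original post or of realmd), here is a small preflight/post-join script that wraps the checks above: it parses `realm discover` output for the three properties the post says to look for, parses `realm list` to confirm the host is now a kerberos-member, and queries the three SRV records. It assumes the domain is passed as the first argument (example.com, as in the post) and that dig and realm are installed.

```shell
#!/bin/sh
# Pre-join / post-join checks for the procedure above.
# Constructed example for this article; assumes dig (bind-utils) and
# realm (realmd) are installed and the domain is given as $1.

# Return 0 when `realm discover` output describes an AD Kerberos realm that
# is not yet configured. 1 = wrong type, 2 = already configured,
# 3 = not backed by Active Directory. $1 is the discover output text.
realm_is_joinable() {
    out="$1"
    printf '%s\n' "$out" | grep -q '^[[:space:]]*type:[[:space:]]*kerberos' || return 1
    printf '%s\n' "$out" | grep -q '^[[:space:]]*configured:[[:space:]]*no' || return 2
    printf '%s\n' "$out" | grep -q '^[[:space:]]*server-software:[[:space:]]*active-directory' || return 3
    return 0
}

# Return 0 when `realm list` output shows this host is a member of domain $2
# with SSSD as the client. 1 = domain absent, 2 = not a member, 3 = no sssd.
realm_is_joined() {
    out="$1"; domain="$2"
    printf '%s\n' "$out" | grep -q "^$domain\$" || return 1
    printf '%s\n' "$out" | grep -q '^[[:space:]]*configured:[[:space:]]*kerberos-member' || return 2
    printf '%s\n' "$out" | grep -q '^[[:space:]]*client-software:[[:space:]]*sssd' || return 3
    return 0
}

# Query the three SRV records from the post; fail on the first empty answer.
srv_records_present() {
    d="$1"
    for name in "_ldap._tcp.$d" "_kerberos._tcp.$d" "_ldap._tcp.dc._msdcs.$d"; do
        dig +short -t SRV "$name" | grep -q . || { echo "no SRV record for $name" >&2; return 1; }
    done
    return 0
}

# Live run only when a domain is given:  sh preflight.sh example.com
if [ $# -gt 0 ]; then
    srv_records_present "$1" || exit 1
    if realm_is_joined "$(realm list)" "$1"; then
        echo "$1: already joined (kerberos-member, sssd)"
    else
        realm_is_joinable "$(realm discover "$1")" || { echo "realm discover check failed (code $?)" >&2; exit 1; }
        echo "$1 is discoverable and not yet configured; next: realm join $1 -U <domain admin user>"
    fi
fi
```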

Hopefully this is helpful! The link above to Computing for Geeks includes some additional steps you can take to limit logins, or add Domain Users/Groups to your sudoers file.
