How to Integrate RHEL 7 or CentOS 7 with Windows Active Directory

Update the host information

Update /etc/hosts and /etc/resolv.conf with the DNS name of the AD server. For /etc/hosts,

myadserver.testdomain.local  myadserver

For resolv.conf,

search testdomain.local

Install required packages using yum command

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Join Windows Domain using realm command

We need a bind user that has privileges on AD. For this purpose, we can use an admin account from AD.

[root@mycentos7~]# realm join --user=iambinduser myadserver.testdomain.local
Password for  iambinduser:

Now use the realm list command to verify whether the server has successfully joined the domain.

realm list
  type: kerberos
  realm-name: TESTDOMAIN.LOCAL
  domain-name: testdomain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@testdomain.local
  login-policy: allow-realm-logins

Now you can use id username@domainname to get the uid, gid and groups of any domain user.

[root@mycentos7~]# id demouser@testdomain.local
uid=1568975386(demouser@testdomain.local) gid=1896548297(domain demouser@testdomain.local) groups=15697049678(domain users@testdomain.local)

By default, realm configures SSSD to use fully qualified names (username@domainname). We can change this behavior by modifying /etc/sssd/sssd.conf:

use_fully_qualified_names = False
fallback_homedir = /home/%u

Restart sssd and run systemctl daemon-reload.

Adding AD domain groups to /etc/sudoers

To do this, you need to add an entry to the /etc/sudoers file.

Adding the following entries to /etc/sudoers gives full sudo permissions to the AD groups named Group Name With Spaces and ITadmins:

%DOMAIN\\Group\ Name\ With\ Spaces       ALL=(ALL) ALL
%DOMAIN\\ITadmins      ALL=(ALL) ALL
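
The sketch below is an added example, not part of the original article. It builds the same entries from a group name with the spaces escaped, rejects names that could carry sudoers syntax, and syntax-checks the file with visudo before installing it. The function names and the drop-in path /etc/sudoers.d/ad-groups are assumptions.

```shell
#!/bin/sh
# Added example: function names and the drop-in path are hypothetical.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below ASCII-only

# Print one sudoers line in the article's %DOMAIN\\Group form.
# $1 = short domain name, $2 = AD group name (may contain spaces).
sudoers_ad_group_entry() {
    domain=$1
    group=$2
    # Allow only letters, digits, space, '.', '_' and '-', so a name cannot
    # carry sudoers syntax (',', '=', '!', newlines) into the file.
    case $domain in
        ''|*[!A-Za-z0-9._-]*) echo "bad domain name: $domain" >&2; return 1 ;;
    esac
    case $group in
        ''|*[!A-Za-z0-9\ ._-]*) echo "bad group name: $group" >&2; return 1 ;;
    esac
    # Escape each space with a backslash, as in the article's entry.
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$escaped"
}

# Syntax-check a candidate file with visudo before it can affect sudo,
# then install it root-owned and read-only.
# $1 = candidate file, $2 = target, e.g. /etc/sudoers.d/ad-groups (assumed).
install_sudoers_dropin() {
    visudo -cf "$1" >/dev/null || { echo "syntax check failed: $1" >&2; return 1; }
    install -o root -g root -m 0440 "$1" "$2"
}

# Demo with the article's group names: prints the lines, installs nothing.
sudoers_ad_group_entry DOMAIN 'Group Name With Spaces'
sudoers_ad_group_entry DOMAIN ITadmins
```

To install, redirect the generated lines to a temporary file and pass it to install_sudoers_dropin as root.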

Anup Chhetri

IT system administrator
