Joining Enterprise Linux to Active Directory
In this post I’ll outline the steps to join an Enterprise Linux host to Microsoft Active Directory for user account management.
Why would you want to do this?
In an Enterprise environment it’s common to have a mix of Windows and Unix/Linux machines that offer different services across the organisation. To resolve the issues of user account management across a network of systems you’ll typically find a centralised directory service such as Microsoft Active Directory. Active Directory manages the creation and administration of user accounts for any system joined to the domain, so an administrator can create a single user account once and deploy it anywhere in the Enterprise.
If all the systems across the network are Windows machines it’s simple to join them to the domain. However, when you introduce Linux hosts into the mix things can get a little complicated.
Fortunately there are a lot of high-quality tools that help make this process relatively simple.
For this post I’m not going to go into the details of setting up a Windows domain controller. I’ll be using an already configured DC running on Windows Server 2016 in VirtualBox. I’ve also set up a user account to test.
I’ve also got an Oracle Linux 7 host set up on the same host-only network. The steps here should work for any RHEL-based Linux distribution, such as CentOS or Red Hat Enterprise Linux. The process for Debian-based distributions should be similar, though the package names might be slightly different.
Install the required packages.
$ sudo yum install adcli sssd authconfig realmd krb5-workstation oddjob oddjob-mkhomedir samba-common-tools
Once those are installed we can use realm to join the Windows domain. For simplicity’s sake I’ve used my domain name davidroddick.com for the domain controller. This isn’t a publicly accessible system and I’ve updated the /etc/hosts file to point the Linux host to the Windows machine.
$ sudo realm discover davidroddick.com
realm discover will print the domain configuration for the davidroddick.com domain.
Next we can use realm join to join the Linux host to the domain.
$ sudo realm join --verbose --user=Administrator davidroddick.com
If the domain controller is set up correctly and everything worked you should see the message ‘Successfully enrolled machine in realm’ at the bottom of the output.
Verify the Linux client is connected to the Windows domain.
$ realm list
Now we can configure NSS to authenticate users.
$ authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
I had to manually edit the /etc/samba/smb.conf, /etc/krb5.conf and /etc/sssd/sssd.conf files to make sure all the settings were correct. I’d also recommend updating your nameserver settings in /etc/resolv.conf to point to the Windows Server.
If everything went according to plan (which mine didn’t at first) you should be able to query Active Directory for a user and then login as that user.
$ id DAVIDRODDICK\\droddick
$ su - DAVIDRODDICK\\droddick
If you can now successfully log into the user account that was created in Active Directory from the Linux host everything should be set up correctly.
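As an added check that is not part of the original post, the script below audits the /etc/sssd/sssd.conf that realm join writes, so that a hand edit which silently widens who can log in (access_provider missing or set to permit) or drops the DOMAIN\\ prefix is caught before the host goes into service. It assumes sssd.conf is INI-style as sssd writes it; the domain name is the post’s own, and the function names are my own.

```sh
#!/bin/sh
# Audit helper (added example, not from the original post).

# Print "key=value" lines from the [domain/<name>] section of an sssd.conf,
# with keys lower-cased and surrounding whitespace stripped.
sssd_domain_settings() {
    conf=$1; domain=$2
    awk -v want="[domain/$domain]" '
        /^[[:space:]]*\[/ { sect = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", sect); next }
        sect == want && /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
            key = $0; sub(/=.*/, "", key); key = tolower(key); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key "=" val
        }' "$conf"
}

# Look up one key from "key=value" lines on stdin (prints nothing if absent).
setting() { awk -F= -v k="$1" '$1 == k { print $2; exit }'; }

# Exit 0 if the domain section carries the values a safe join should have,
# 1 otherwise, naming each problem on stderr.
audit_sssd_conf() {
    conf=$1; domain=$2; rc=0
    settings=$(sssd_domain_settings "$conf" "$domain")
    get() { printf '%s\n' "$settings" | setting "$1"; }

    case "$(get id_provider)" in
        ad) ;;
        *) echo "id_provider is not 'ad'" >&2; rc=1 ;;
    esac
    # sssd defaults access_provider to 'permit', which lets every domain account
    # log in; 'ad' honours account state and GPO, 'simple' is what
    # 'realm permit' writes when logins are restricted to named users/groups.
    case "$(get access_provider)" in
        ad|simple) ;;
        *) echo "access_provider missing or 'permit': no login filtering" >&2; rc=1 ;;
    esac
    # Keeps domain and local account namespaces separate (DOMAIN\\user form).
    case "$(get use_fully_qualified_names)" in
        [Tt]rue) ;;
        *) echo "use_fully_qualified_names is not True" >&2; rc=1 ;;
    esac
    return $rc
}
```

Run it as `audit_sssd_conf /etc/sssd/sssd.conf davidroddick.com` after the realm join and after any manual edit to the file.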