Many online manuals show how to use Samba and Winbind to join Linux to an Active Directory domain. In this article, we show an alternative way to add a Linux computer or server to the domain using realmd (Realm Discovery) and SSSD (System Security Services Daemon), joining a CentOS 8.1 server to an Active Directory domain based on Windows Server 2016.
Realmd allows you to configure authentication and domain membership (on AD or IPA/FreeIPA) without complex settings. The domain information is automatically discovered. Realmd uses SSSD to authenticate and verify user accounts.
To successfully join an Active Directory domain, you need to fulfill the following requirements on your CentOS server:
- Configure time synchronization with the Active Directory domain controller (and the DC holding the PDC Emulator role must itself synchronize with an external NTP server). Otherwise, SSSD cannot work correctly: it supports only Kerberos authentication (NTLM cannot be used), and Kerberos tolerates a clock difference of no more than 5 minutes between the DC and the Linux client.
- Configure the DNS client on your CentOS server to use the DNS service running on the domain controllers.
Install the NTP client (chrony) on CentOS:
# yum install -y chrony
Then, in the /etc/chrony.conf configuration file, specify the FQDNs or IP addresses of the NTP servers for synchronization (these may be your AD domain controllers):
# nano /etc/chrony.conf
server dc01.test.com iburst
Start the NTP service and add it to autostart:
# systemctl start chronyd
# systemctl enable chronyd
Now add the addresses of DNS servers that are responsible for resolving names in your Active Directory domain to your /etc/resolv.conf file:
# nano /etc/resolv.conf
search test.com
nameserver 192.168.1.201
nameserver 192.168.1.200
Now install the necessary packages from the CentOS repos:
# yum install adcli krb5-workstation realmd sssd
Note. If you are using another Linux distro or an older version of CentOS, make sure that the version of the SSSD package is at least 1.9.0. Full support for AD in SSSD appeared only in this version. In our example, sssd-2.2 is used.
Verify that the realm tool can discover your AD domain:
# realm discover test.com --verbose
If the utility successfully detects your AD domain, the following response will appear:
* Resolving: _ldap._tcp.test.com
* Performing LDAP DSE lookup on: 192.168.1.201
* Successfully discovered: test.com
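The prerequisites above (a clock within 5 minutes of the DC, SSSD 1.9.0 or newer, and a resolvable _ldap._tcp SRV record, which is the first thing realm discover looks up) can be checked before attempting the join. The following pre-flight script is an added example and not part of the original article; in live mode it assumes chrony, rpm and dig (from bind-utils) are installed, and it uses the article's example domain test.com by default.

```shell
#!/bin/sh
# Pre-flight check for the realmd/SSSD prerequisites (added example, not from
# the article). Live mode assumes chrony, rpm and dig (bind-utils) are installed;
# test.com is the article's example domain.
set -eu

# Succeeds when the absolute clock offset in seconds (negative or fractional
# values allowed) is within the 5-minute tolerance Kerberos requires.
skew_within_limit() {
    awk -v off="$1" 'BEGIN { off += 0; if (off < 0) off = -off; if (off <= 300) exit 0; exit 1 }'
}

# Succeeds when an SSSD version string such as "2.2.3" or "1.16.5-10.el8"
# is at least 1.9.0, the first release with full Active Directory support.
sssd_version_ok() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        ok = (maj > 1) || (maj == 1 && min > 9) || (maj == 1 && min == 9 && pat >= 0)
        if (ok) exit 0; exit 1
    }'
}

# Reads "chronyc tracking" output on stdin and prints the signed offset in
# seconds; "slow of NTP time" becomes negative. Output stays a string so the
# original precision is preserved.
chrony_offset() {
    awk '/^System time/ { if ($6 == "slow") print "-" $4; else print $4 }'
}

# Live checks against the local host, run only with --live so the helpers
# above can be sourced or tested on a machine without chrony or AD DNS.
run_preflight() {
    domain=$1
    status=0
    off=$(chronyc tracking | chrony_offset)
    if skew_within_limit "$off"; then echo "OK   clock offset ${off}s"
    else echo "FAIL clock offset ${off}s exceeds 300s; fix chrony before joining"; status=1; fi
    ver=$(rpm -q --qf '%{VERSION}\n' sssd 2>/dev/null || echo 0)
    if sssd_version_ok "$ver"; then echo "OK   sssd $ver"
    else echo "FAIL sssd $ver is older than 1.9.0"; status=1; fi
    # realm discover starts by resolving this SRV record, so check it the same way
    if dig +short "_ldap._tcp.$domain" SRV | grep -q .; then echo "OK   SRV records for _ldap._tcp.$domain"
    else echo "FAIL no SRV records for _ldap._tcp.$domain; check /etc/resolv.conf"; status=1; fi
    return $status
}

if [ "${1:-}" = "--live" ]; then
    run_preflight "${2:-test.com}"
fi
```

Run it as `sh ad-preflight.sh --live test.com` on the CentOS host; a non-zero exit means at least one prerequisite failed and realm join is likely to fail or SSSD to misbehave.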
Now specify the values of the AD attributes operatingSystem and operatingSystemVersion in the configuration file /etc/realmd.conf:
# nano /etc/realmd.conf
[active-directory]
os-name = CentOS Linux
os-version = 8.1.1911 (Core)
Now you can join your CentOS server to the Active Directory domain with the realm join command. In the following command, we specify a user account with permissions to add computers to the domain and the Organizational Unit in which the account of your Linux computer should be created.
# realm join --user=jbrion --computer-ou="OU=Servers,OU=UK,DC=test,DC=com" test.com
The utility will prompt you for the AD user password. After running the command, open the Active Directory Users and Computers console (dsa.msc), and make sure that the account of your CentOS server appears in the specified AD container.
Run the realm list command and verify that the server-software: active-directory line appears. This means that this server is a member of an Active Directory domain.
To avoid having to specify the full domain name when users log in, add the following line to the /etc/sssd/sssd.conf file:
use_fully_qualified_names = False