How to Join Linux CentOS to the Active Directory Domain with SSSD?

Many online manuals show how to use Samba and Winbind to join Linux to an Active Directory domain. In this article, we will show an alternative way to add your Linux computer or server to the domain using realmd (Realm Discovery) and SSSD (System Security Services Daemon). In this article, we will show how to join CentOS 8.1 server to your Active Directory domain (based on Windows Server 2016).

Realmd allows you to configure authentication and domain membership (on AD or IPA/FreeIPA) without complex settings. The domain information is automatically discovered. Realmd uses SSSD to authenticate and verify user accounts.

To successfully join an Active Directory domain, you need to fulfill the following requirements on your CentOS server:

  1. Configure time synchronization with the Active Directory domain controllers (and the DC holding the PDC Emulator role must itself synchronize time with an external NTP server). Otherwise, SSSD cannot work correctly: it authenticates with Kerberos only (it cannot use NTLM), and Kerberos rejects requests when the clock difference between the DC and the Linux client exceeds 5 minutes.
  2. On CentOS, configure the DNS client to use the DNS service running on the domain controllers.

Install the NTP client (chrony) on CentOS:

# yum install -y chrony


Then, in the /etc/chrony.conf configuration file, specify the FQDNs or IP addresses of the NTP servers for synchronization (these may be your AD domain controllers):

# nano /etc/chrony.conf

server dc01.test.com iburst

Start the NTP service and add it to autostart:

# systemctl start chronyd

# systemctl enable chronyd

Now add the addresses of DNS servers that are responsible for resolving names in your Active Directory domain to your /etc/resolv.conf file:

# nano /etc/resolv.conf

search test.com

nameserver 192.168.1.201

nameserver 192.168.1.200
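Both prerequisites (clock skew under 5 minutes, DNS that resolves the AD SRV records) can be checked before attempting the join. The script below is an added example, not code from the original article: it parses the output of chronyc tracking and of dig +short SRV _ldap._tcp.test.com (dig from bind-utils is assumed to be installed). The sample command outputs embedded in it are constructed, and the host names dc01/dc02.test.com are placeholders matching the article's domain.

```shell
#!/bin/sh
# Added example: verify the two join prerequisites from captured command output.
# Each check takes text as its argument, so it can be fed live output or the
# constructed samples below.

MAX_SKEW_SECONDS=300   # Kerberos default clock-skew tolerance: 5 minutes

# clock_offset_ok TRACKING_TEXT [MAX_SECONDS]
# Reads the "System time : N seconds fast/slow of NTP time" line printed by
# `chronyc tracking` and succeeds when |N| is below MAX_SECONDS.
clock_offset_ok() {
  max="${2:-$MAX_SKEW_SECONDS}"
  printf '%s\n' "$1" | awk -v max="$max" '
    /^System time/ { offset = $4; seen = 1 }
    END {
      if (!seen) exit 1              # no offset line at all: treat as failure
      if (offset < 0) offset = -offset
      exit !(offset < max)
    }'
}

# ad_srv_hosts DIG_TEXT
# Extracts target host names from `dig +short SRV _ldap._tcp.<domain>` output
# ("priority weight port target."), dropping the trailing dot.
ad_srv_hosts() {
  printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Constructed sample outputs (what the tools print on a healthy host).
SAMPLE_TRACKING='Reference ID    : C0A801C9 (dc01.test.com)
Stratum         : 4
Ref time (UTC)  : Mon Mar 16 10:12:31 2020
System time     : 0.000425113 seconds slow of NTP time
Last offset     : -0.000101873 seconds'
SAMPLE_SRV='0 100 389 dc01.test.com.
0 100 389 dc02.test.com.'

# Live use on the CentOS host would pass the real output instead:
#   clock_offset_ok "$(chronyc tracking)" && echo "clock OK"
#   ad_srv_hosts "$(dig +short SRV _ldap._tcp.test.com)"
if clock_offset_ok "$SAMPLE_TRACKING"; then
  echo "clock offset is within ${MAX_SKEW_SECONDS}s"
else
  echo "clock offset too large: fix chrony before joining" >&2
fi
echo "domain controllers advertised in DNS:"
ad_srv_hosts "$SAMPLE_SRV"
```

An empty host list from ad_srv_hosts means the resolver in /etc/resolv.conf is not pointing at a DC (or the search domain is wrong), which is exactly what makes realm discover fail later.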


Now install the necessary packages from the CentOS repos:

# yum install adcli krb5-workstation realmd sssd


Note. If you are using another Linux distro or an older version of CentOS, make sure that the version of the SSSD package is newer than 1.9.0. Full AD support appeared in SSSD only in this version. In our example, sssd-2.2 is used.

Verify that the realm tool can discover your AD domain:

# realm discover test.com --verbose

If the utility successfully detects your AD domain, the following response will appear:

* Resolving: _ldap._tcp.test.com
* Performing LDAP DSE lookup on: 192.168.1.201
* Successfully discovered: test.com
test.com
  type: kerberos
  realm-name: TEST.COM
  domain-name: test.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools


Now specify the values that realm will write to the operatingSystem and operatingSystemVersion attributes of the computer account in the configuration file /etc/realmd.conf:

# nano /etc/realmd.conf

[active-directory]

os-name = CentOS Linux

os-version = 8.1.1911 (Core)


Now you can join your CentOS server to the Active Directory domain using the realm join command. The command below specifies a user account that has permission to add computers to the domain, and the Organizational Unit in which the computer account of your Linux server should be created.

# realm join --user=jbrion --computer-ou="OU=Servers,OU=UK,DC=test,DC=com" test.com


The utility will prompt you for the AD user password. After running the command, open the Active Directory Users and Computers console (dsa.msc), and make sure that the account of your CentOS server appears in the specified AD container.


Run the realm list command and verify that the server-software: active-directory line appears. This means that this server is a member of an Active Directory domain.

So that users do not have to specify the fully qualified name when logging in, add the following line to the /etc/sssd/sssd.conf file:

use_fully_qualified_names = False

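The join check and the sssd.conf edit above can both be scripted. The following is an added example, not code from the article or the realmd project: realm_joined_to_ad inspects realm list output for the joined state, and set_sssd_option changes a key inside one section of sssd.conf. use_fully_qualified_names is a domain-section option, and realm join writes it as True into the [domain/test.com] section, so it must be changed there rather than appended to the end of the file. The sssd.conf and realm list texts embedded below are constructed samples.

```shell
#!/bin/sh
# Added example: post-join verification and an in-place sssd.conf edit.

# realm_joined_to_ad REALM_LIST_TEXT
# Succeeds when the captured `realm list` output reports an Active Directory
# realm that this host has actually joined (configured: kerberos-member).
realm_joined_to_ad() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*server-software:/ { sw = $2 }
    /^[ \t]*configured:/      { cfg = $2 }
    END { exit !(sw == "active-directory" && cfg == "kerberos-member") }'
}

# set_sssd_option FILE SECTION KEY VALUE
# Prints FILE with "KEY = VALUE" set inside [SECTION]: an existing KEY in that
# section is replaced in place, otherwise the line is appended to the section;
# a missing section is created at the end. Other sections are left untouched.
set_sssd_option() {
  file="$1"; section="$2"; key="$3"; value="$4"
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    function emit_pending() {
      if (in_sec && !done) { print key " = " val; done = 1 }
    }
    /^\[/ {                      # section header: flush, then enter or leave
      emit_pending()
      in_sec = ($0 == sec)
      if (in_sec) found = 1
      print; next
    }
    in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      print key " = " val; done = 1; next
    }
    { print }
    END {
      emit_pending()
      if (!found) { print ""; print sec; print key " = " val }
    }' "$file"
}

# Constructed sample: what `realm list` reports after a successful join.
SAMPLE_REALM_LIST='test.com
  type: kerberos
  realm-name: TEST.COM
  domain-name: test.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@test.com
  login-policy: allow-realm-logins'

# Constructed sample: the sssd.conf that realm join generates for test.com.
SAMPLE_SSSD_CONF='[sssd]
domains = test.com
config_file_version = 2
services = nss, pam

[domain/test.com]
ad_domain = test.com
krb5_realm = TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad'

# Demonstration on the constructed sample (live use: pass /etc/sssd/sssd.conf,
# write the output to a new file, review it, then `systemctl restart sssd`).
if realm_joined_to_ad "$SAMPLE_REALM_LIST"; then
  echo "host is a kerberos-member of an AD realm"
fi
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SSSD_CONF" > "$tmp"
set_sssd_option "$tmp" domain/test.com use_fully_qualified_names False
rm -f "$tmp"
```

Note that sssd.conf must stay owned by root with mode 0600, which realm join sets; copying the edited output over it with cp preserves that, while redirecting into a fresh file does not.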
Cyril Kardashevsky