How to Get CentOS 7 to Join a Windows Domain

I previously wrote an article on setting up a DNS A record to prepare for joining CentOS 7 to a Windows domain. It is a prerequisite for the steps in this article.

Steps

Let’s ssh into the CentOS 7 VM as root. I’m planning to use the VM as a Docker host, so I named it dockerhost01.

$ ssh root@dockerhost01.homenet.iriumi.ad

Now I’m going to install the prerequisite packages using yum.

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

Now we will join the domain using realm. The credential you use in the following command must be a Windows domain account that is allowed to join computers to the domain. Replace [domain admin user] with an actual user.

# realm join --user=[domain admin user] homenet.iriumi.ad

You can also add the -v option to show verbose output while joining.

Execute the following command to confirm that the OS is now part of the Windows domain.

# realm list

Let’s see if I can check a user.

# id hiriumi@homenet.iriumi.ad

It shows the user’s UID and GID and also which AD domain groups the user belongs to.

By default I would have to use [myusername]@homenet.iriumi.ad as my login name, which I would rather not do, so I’m going to make some changes in the configuration. Open the configuration file by executing the following command.

# vi /etc/sssd/sssd.conf

Change use_fully_qualified_names to False, and change fallback_homedir to /home/%u instead of /home/%u@%d.

use_fully_qualified_names indicates whether you want to log in as [your username]@domain.foo.com or just [your username]. Note that with the short form, a local account and an AD account with the same name are ambiguous, so avoid creating local users that share a name with domain users. fallback_homedir indicates how and where you want SSSD to create your home directory. My sssd.conf looks like the following.

[sssd]
domains = homenet.iriumi.ad
config_file_version = 2
services = nss, pam

[domain/homenet.iriumi.ad]
ad_domain = homenet.iriumi.ad
krb5_realm = HOMENET.IRIUMI.AD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

Save the change and exit (:wq). SSSD requires sssd.conf to be owned by root with mode 0600, which is how realm join creates it; if the permissions are looser than that, SSSD will refuse to start.
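A small check for the two settings changed above and for the file permissions SSSD insists on, as an added example that is not part of the original article. It reads an sssd.conf path and a domain name as arguments; the function names are my own.

```shell
#!/bin/sh
# Post-edit sanity check for sssd.conf (added example, not from the article).
# Assumes the ini-style layout shown above: "key = value" lines under a
# [domain/<name>] section.

# Print the value of KEY from [SECTION] in FILE (empty if absent).
# Usage: sssd_get FILE SECTION KEY
sssd_get() {
    awk -v sec="[$2]" -v key="$3" -F'=' '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# SSSD refuses to start unless sssd.conf is mode 0600 (and root-owned).
# Returns 0 when the mode is 0600.
sssd_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    [ "$mode" = "600" ]
}

# Verify the settings this article changes for domain $2 in file $1.
# Prints one line per check and returns the number of failed checks.
check_sssd_conf() {
    file=$1; domain=$2; fails=0
    fqn=$(sssd_get "$file" "domain/$domain" use_fully_qualified_names | tr 'A-Z' 'a-z')
    home=$(sssd_get "$file" "domain/$domain" fallback_homedir)
    if [ "$fqn" = "false" ]; then echo "ok: short login names enabled"
    else echo "FAIL: use_fully_qualified_names is '$fqn', expected False"; fails=$((fails+1)); fi
    if [ "$home" = "/home/%u" ]; then echo "ok: fallback_homedir = /home/%u"
    else echo "FAIL: fallback_homedir is '$home', expected /home/%u"; fails=$((fails+1)); fi
    if sssd_perms_ok "$file"; then echo "ok: $file is mode 0600"
    else echo "FAIL: $file must be mode 0600 or sssd will not start"; fails=$((fails+1)); fi
    return $fails
}

# Usage on a real host: check_sssd_conf /etc/sssd/sssd.conf homenet.iriumi.ad
```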

Next restart SSSD.

# systemctl restart sssd

At this point, you can logout and ssh back into CentOS 7 as a domain user. Let’s try it.

$ ssh [your username]@dockerhost01.homenet.iriumi.ad

If you run pwd, you will see that /home/[your username] was created as your home directory (oddjob-mkhomedir creates it on first login).

Now when you execute a command that requires sudo permission, you will get a message like the following.

[your username] is not in the sudoers file.  This incident will be reported.

Log out and ssh back in as root to fix this issue.

Add a new file at /etc/sudoers.d/sudoers. If you prefer, open it with visudo -f /etc/sudoers.d/sudoers instead of vi, which checks the syntax before saving; a syntax error in a sudoers.d file stops sudo from working for everyone.

# vi /etc/sudoers.d/sudoers

Add a line like the following to the file. I’m going to add a single user as a sudoer for now.

[your username] ALL=(ALL) ALL

You can also add AD groups as sudoers by adding a line like below.

%domain\ admins@homenet.iriumi.ad ALL=(ALL) ALL

Now that you have added yourself as a sudoer, log out as root and log in as the domain user. You should be able to execute sudo commands.

Recap

Having a centralized credential manager like a Windows domain controller is quite essential to efficiently manage many servers. I have introduced a way to get CentOS 7 to join a Windows domain, but this technique can be used for the RedHat family of Linux distributions. I’m not sure how it can be done for the Debian/Ubuntu family of distributions, and it might be a good topic for another blog article.

Author: admin

A software engineer in greater Seattle area
