I previously wrote an article on setting up a DNS ANAME for prepare for CentOS 7 to join a Windows domain. It’s a prerequisite for the steps in this article.
Steps
Let’s ssh into the CentOS 7 as root. I’m planning to use the VM as a Docker host, so I named it as dockerhost01.
$ ssh root@dockerhost01.homenet.iriumi.ad
Now I’m going to install the prerequisite packages using yum.
# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y
Now using realm, we will join the domain. Make sure the credential you are using in the following command should be from the Windows domain. Make sure to replace [domain admin user] to an actual user.
# realm join --user=[domain admin user] homenet.iriumi.ad
You can alternatively add -v option to show verbose information.
Execute the following command to confirm that the OS is not a part of the Windows domain.
# realm list
Let’s see if I can check a user.
# id hiriumi@homenet.iriumi.ad
It shows the ID of the user and also which AD domain groups the user belongs to.
I would have to use [myusername]@homenet.iriumi.ad as my login name, which I would like to do. I’m going to make some changes in the configuration. Open up the configuration file executing the following command.
# vi /etc/sssd/sssd.conf
Change use_fully_qualified_names to False and I’m going to change fallback_homedir to /home/%u instead of /home/%u@%d
use_fully_qualified_names indicates whether you want to use [your username]@domain.foo.com as your username or not. fallback_homedir indicates how and where you want SSSD to create your home directory. My sssd.conf looks like the following.
[sssd]
domains = homenet.iriumi.ad
config_file_version = 2
services = nss, pam
[domain/homenet.iriumi.ad]
ad_domain = homenet.iriumi.ad
krb5_realm = HOMENET.IRIUMI.AD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
Save the change and get out (:wq).
Next restart SSSD.
# systemctl restart sssd
At this point, you can logout and ssh back into CentOS 7 as a domain user. Let’s try it.
$ ssh [your username]@dockerhost01.homenet.iriumi.ad
If you enter pwd, it created /home/[your username] directory as your home directory.
Now when you execute a command that requires sudoer permission, you will get message like the following.
[your username] is not in the sudoers file. This incident will be reported.
We are going to logout and ssh back into it as root to fix this issue.
Add a new file at /etc/sudoers.d/sudoers
# vi /etc/sudoers.d/sudoers
Add a line like the following in the file. I’m going add a single user as a sudoer for now.
[your username] ALL=(ALL) ALL
You can also add AD groups as sudoers by adding a line like below.
%domain\ admins@homenet.iriumi.ad ALL=(ALL) ALL
Now that you added yourself as a sudoer, logout as root and login as the domain user. You should be able to execute sudo commands.
Recap
Having a centralized credential manager like Windows domain controller is quite essential to efficiently manage many servers. I have introduced a way to get CentOS 7 to join a Windows domain but this technique can be used for RedHat line of Linux distro. I’m not sure how it can be done for Debian/Ubuntu line of Linux distro and it might be a good topic for another blog article.