Join CentOS 7 to Active Directory

Overview:

     In today’s computer environments it is not uncommon to find a mixture of Windows and Linux systems coexisting. I am a huge believer that there is no one tool or one company that can solve all of my problems, and to be honest, I don’t want there to be one product to rule them all. Companies like Microsoft do some things great, but then there are services like OCSng and GLPI that only run on a Linux operating system. This is fine, as both Windows and Linux have recognized this need and built tools to help each side talk and work together.

Goal of this Article:

     In this article, my goal is to go over how to join CentOS 7 to Active Directory. I will also talk about configuring and making some small changes to both Active Directory and CentOS’s internal authentication methods. In the end you will be able to move seamlessly from any Windows machine to any Linux machine using the same login credentials and steps.

     This is a proof of concept, meant to jump-start your process and leave room for tweaking permissions and various other items later.

Environment Overview:

     Before I start showing you how to join CentOS 7 to Active Directory there are a few things I would like you to know. I will be using CentOS 7 minimal 1804 as my Linux system, and my Active Directory domain is already set up and running at the 2016 functional level. Please note that your domain does not need to be at the 2016 level to complete this guide. You will need some form of administrative permissions on both your Linux and Windows systems. For Active Directory you will again need some form of administrative permissions, such as membership in Domain Admins.

Initial Setup:

     To start, open an SSH session to your CentOS 7 machine; if you are on Windows you can use PuTTY to achieve this. Once you are logged in (as root or via sudo), run the following command:

yum -y install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Command Explanation

This installs the packages needed to discover and join the domain (realmd, adcli, samba-common-tools), to authenticate domain users against it (sssd, krb5-workstation), and to create a home directory on a domain user’s first login (oddjob, oddjob-mkhomedir).

     Once these packages have been installed, double-check your “resolv.conf” file to ensure your settings are correct. realm discover and realm join locate the domain controllers through the DNS SRV records that Active Directory publishes, so the nameserver entries must point at DNS servers that hold those records (normally the domain controllers themselves); if “resolv.conf” is incorrect you will not be able to join your Linux system to your Active Directory domain. Note that on CentOS 7 NetworkManager rewrites this file from the interface’s DNS settings, so change it there too if you want the setting to survive a reboot.

vim /etc/resolv.conf

Command Explanation

  • vim
    • Common Linux text editor
  • resolv.conf
    • The file used in various operating systems to configure the system’s Domain Name System (DNS) resolver

resolv.conf

  • search “YourDomain.local”
  • nameserver “IP of DNS Server 1”
  • nameserver “IP of DNS Server 2”

Join CentOS 7 to Active Directory:

     Now that you have made sure that your “resolv.conf” is correct, run the following commands to join CentOS 7 to Active Directory.

realm discover example.com

Command Explanation

  • realm discover
    • Returns the complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

realm join --user="Example Admin User" example.com

Command Explanation

  • realm join
    • Sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain.

     Confirm that you are now part of Active Directory by running the following command and verifying that the “configured” line shows “kerberos-member”.

realm list

Command Explanation

  • realm list
    • Lists every configured domain for the system, along with the full details and default configuration for that domain. This is the same information as is returned by the realm discover command, only for a domain that is already in the system configuration.

Tweaking Login Methods:

     Great, now that our CentOS box is joined to the domain, let’s pull some information about a domain user.

id DomainUser

     Notice that your terminal returned an error of “no such user”. This is because, by default, SSSD requires the fully qualified name (user@domain) to look up or log in as an Active Directory user.

id user@domain.com

     Let’s change that by editing our “sssd.conf” file.

vim /etc/sssd/sssd.conf

sssd.conf (in the [domain/example.com] section)

  • use_fully_qualified_names = True     // change to False
  • fallback_homedir = /home/%u@%d         // change to /home/%u

     Restart “sssd” and reload systemd to apply the changes:

systemctl restart sssd
systemctl daemon-reload

     Run the “id” command again to view your user and their group memberships:

id DomainUser
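The check from the previous section and the two sssd.conf edits above, scripted so they can be repeated on every box, as an added example that is not part of the original article. The file path is a parameter so you can dry-run it against a copy of sssd.conf; the functions assume the single [domain/...] section that realm join writes.

```shell
#!/bin/bash
# Added example (not from the original article): verify the "realm list" result
# from the previous section and apply this section's two sssd.conf edits by
# script. Paths are parameters so you can dry-run against a copy of the file.
set -eu

# Succeeds when `realm list` output (read from stdin) shows <domain> with the
# line "configured: kerberos-member", which is what the article asks you to confirm.
realm_is_member() {   # usage: realm list | realm_is_member example.com
    awk -v d="$1" '
        $1 == d && NF == 1 { indom = 1; next }   # unindented domain header line
        /^[^[:space:]]/    { indom = 0 }         # header of a different domain
        indom && $1 == "configured:" && $2 == "kerberos-member" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Set "key = value" in sssd.conf, replacing the line realm join wrote or
# appending one (assumption: a single [domain/...] section, as realm join creates).
set_sssd_option() {   # usage: set_sssd_option <file> <key> <value>
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

get_sssd_option() {   # usage: get_sssd_option <file> <key>  (prints the value)
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# The two edits this section makes by hand, plus the file mode sssd insists on.
apply_login_tweaks() {   # usage: apply_login_tweaks /etc/sssd/sssd.conf
    set_sssd_option "$1" use_fully_qualified_names False
    set_sssd_option "$1" fallback_homedir '/home/%u'
    chmod 0600 "$1"   # sssd refuses to start unless sssd.conf is readable by root only
}

# Run directly as: ./sssd-tweaks.sh /etc/sssd/sssd.conf && systemctl restart sssd
if [ "$#" -eq 1 ]; then
    apply_login_tweaks "$1"
fi
```

With short names enabled, keep in mind that NSS consults /etc/passwd before sssd, so a local account with the same name as a domain user takes precedence on that box.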

Give sudo rights from Active Directory:

     OK, now that we can log in to our CentOS box with our domain user, how do we allow that user to elevate their privileges so they can manage the system properly? We do this by giving the domain user what’s called “sudo” rights on the Linux box. However, granting sudo rights user by user on each box would be a nightmare for reporting and offboarding. This is where we will again leverage our Windows domain to assist us in assigning sudo rights.

     In your Windows domain create a group called “sudoers” (case sensitive) and add the users you would like to have administrative rights over your Linux systems to this group. Please note that in this example the rule will only apply to the machine we are currently working on.

     Back on the Linux system you will need to create a file called “sudoers” under /etc/sudoers.d and add the following line. sudo expects drop-ins in that directory to be owned by root with mode 0440, so run chmod 0440 on the file after saving it, and avoid a “.” or “~” in the file name, which sudo silently ignores.

vim /etc/sudoers.d/sudoers

sudoers

  • %sudoers ALL=(ALL) ALL

Command Explanation

  • %sudoers ALL=(ALL) ALL
    • This line means: members of the group “sudoers” (the leading % denotes a group) may run, on ALL hosts, as ALL (any) user, ALL (any) command. sudo resolves the group through NSS, so the Active Directory group must already be visible to the “id” command for this rule to take effect.
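Creating that drop-in in a way sudo will actually honor, as an added example that is not part of the original article: the directory and file name are parameters (so it can be tried in a scratch directory first), the rule text is the one shown above, and the group is checked through NSS before the file goes live.

```shell
#!/bin/bash
# Added example (not from the original article): write the /etc/sudoers.d drop-in
# from this section so that sudo will actually honor it, and fail early when it
# would not. <dir> is a parameter so you can try it against a scratch directory.
set -eu

# sudo silently ignores files under sudoers.d whose names contain '.' or '~'
# (editor backups such as sudoers.bak or sudoers~), so reject those up front.
valid_dropin_name() {   # usage: valid_dropin_name <name>
    case "$1" in
        ''|*.*|*~*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Render the article's rule for a group. AD group names often contain spaces
# ("Linux Admins"); sudoers needs each space escaped with a backslash.
sudoers_rule() {   # usage: sudoers_rule <group>  -> "%group ALL=(ALL) ALL"
    local escaped
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Write <dir>/<name> for <group> with mode 0440 (what sudo expects), refusing
# if the group does not resolve through NSS, i.e. sssd cannot see it yet.
write_sudoers_dropin() {   # usage: write_sudoers_dropin /etc/sudoers.d sudoers sudoers
    local dir="$1" name="$2" group="$3" tmp
    valid_dropin_name "$name" || { echo "sudo would ignore '$name'" >&2; return 1; }
    if ! getent group "$group" >/dev/null; then
        echo "group '$group' does not resolve; check 'id' against sssd first" >&2
        return 1
    fi
    tmp=$(mktemp "$dir/.tmp.XXXXXX")   # dotted name: ignored by sudo until renamed
    sudoers_rule "$group" > "$tmp"
    chmod 0440 "$tmp"
    mv -f "$tmp" "$dir/$name"          # rename is atomic: no half-written rule is ever live
}

# Run directly as: ./ad-sudoers.sh /etc/sudoers.d sudoers sudoers
if [ "$#" -eq 3 ]; then
    write_sudoers_dropin "$1" "$2" "$3"
fi
```

Run visudo -cf /etc/sudoers.d/sudoers afterwards and before you log out: a syntax error in any drop-in makes sudo refuse to run for everyone on the box.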

     Now log in to the Linux system as the domain user and run the following commands:

id username
pwd

     Notice that you can see your Active Directory group memberships and that your home folder is /home/username, not /home/username@domain.com.

sudo su

Command Explanation

  • sudo
    • You’re telling the system to run the su command with elevated privileges.
  • su
    • Switch user; with “sudo su” you reach a root shell through sudo, rather than logging in as root directly.

Thoughts?:

     Thank you for taking the time to read this article; I hope that it was helpful in some way to you. If you noticed anything wrong or have a better way of doing this, please don’t hesitate to comment below or send me an email. Thank you!
