<\/p>\n\n\n\n
Step:1 Install the required packages using yum command<\/h4>\n\n\n\n
Use the yum command to install following packages from the command line.<\/ins><\/p>\n\n\n\n Update the \/etc\/hosts file and \/etc\/resolv.conf so that dns name or hostname of AD server gets resolved correctly. In my case AD server hostname is \u201cadserver.example.com<\/strong>\u201c, so place the below line in \/etc\/hosts file<\/p>\n\n\n\n Contents of resolv.conf should be something like below. Just replace the domain name and ip address of dns server as per your setup<\/p>\n\n\n\n <\/p>\n\n\n\n <\/ins><\/p>\n\n\n\n When we install above required packages then realm command will be available. We will use beneath realm command to integrate CentOS 7 or RHEL 7 with AD via the user \u201ctech\u201d. tech is a bind user which have required privileges on AD or we can also administrator user of AD Server for integration purpose.<\/p>\n\n\n\n <\/p>\n\n\n\n Now verify whether our server has joined the Windows domain or not. Simply run the command \u2018realm list<\/strong>\u2018<\/p>\n\n\n\n <\/p>\n\n\n\n Whenever we run \u2018realm join\u2019 command it will automatically configure \u2018\/etc\/sssd\/sssd.conf<\/strong>\u2018 file.<\/p>\n\n\n\n <\/p>\n\n\n\n With \u2018id<\/strong>\u2018 command on Linux we can verify the user\u2019s uid and gid and their group information. At this point of time our server is now the part of windows domain. Use below command to verify AD users details.<\/p>\n\n\n\n <\/p>\n\n\n\n You might have noticed in above command that i have mentioned domain name as well along with user name because this is controlled by \u2018\/etc\/sssd\/sssd.conf\u2019 file. If we execute id command without domain name then we will not get any details for user.<\/ins><\/p>\n\n\n\n <\/p>\n\n\n\n We can change this behavior by editing the file \/etc\/sssd\/sssd.conf.<\/p>\n\n\n\n Change the following parameters from<\/p>\n\n\n\n to<\/p>\n\n\n\n Restart the sssd service using following systemctl command<\/p>\n\n\n\n <\/p>\n\n\n\n Now run the id command and see whether you are able get AD user details without mentioning domain name<\/p>\n\n\n\n <\/p>\n\n\n\n Let\u2019s try ssh CentOS 7 or RHEL 7 Server with AD credentials<\/p>\n\n\n\n <\/p>\n\n\n\n In case you want to configure sudo rights for AD users then the best way is to create a group on AD with name sudoers and add Linux\/UNIX users in that group and on Linux Server create a file with name \u201csudoers<\/strong>\u201d under the folder \/etc\/sudoers.d\/<\/p>\n\n\n\n Put the following content in the file.<\/p>\n\n\n\n <\/p>\n\n\n\n In my case I have given all the rights to the users which are part of sudoers group. Once your done with these changes re-login to your server with AD credentials and see whether user is part of sudoers group.<\/p>\n\n\n\n That\u2019s all from this article, Hope you guys got an idea how to join RHEL or CentOS server with Windows Domain.<\/p>\n","protected":false},"excerpt":{"rendered":" In Most of the Organizations users and groups are created and managed on Windows Active Directory. We can integrate our RHEL 7 and CentOS 7 servers with AD(Active Directory) for authenticate purpose. In other words we can join our CentOS 7 and RHEL 7 Server on Windows Domain so that system admins can login to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,13],"tags":[],"class_list":["post-2992","post","type-post","status-publish","format-standard","hentry","category-ad","category-linux"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2992"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2992\/revisions"}],"predecessor-version":[{"id":2993,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/2992\/revisions\/2993"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}[root@servera ~]# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python<\/pre>\n\n\n\n
192.168.0.151 adserver.example.com adserver<\/pre>\n\n\n\n
[root@servera ~]# cat \/etc\/resolv.conf search example.com nameserver 192.168.0.151 \n<\/pre>\n\n\n\n
Step:2 Now Join Windows Domain or Integrate with AD using realm command<\/h4>\n\n\n\n
[root@servera ~]# realm join --user=tech adserver.example.com\nPassword for tech:\n<\/pre>\n\n\n\n
[root@servera ~]# realm list\nexample.com\n type: kerberos\n realm-name: EXAMPLE.COM\n domain-name: example.com\n configured: kerberos-member\n server-software: active-directory<\/strong>\n client-software: sssd\n required-package: oddjob\n required-package: oddjob-mkhomedir\n required-package: sssd\n required-package: adcli\n required-package: samba-common-tools\n login-formats: %U@example.com\n login-policy: allow-realm-logins\n<\/pre>\n\n\n\n
Step:3 Check and Verify\u00a0 AD users on REHL 7 or CentOS 7 Servers<\/h4>\n\n\n\n
[root@servera ~]# id linuxtechi@example.com\nuid=1997801106(linuxtechi@example.com) gid=1997800513(domain users@example.com) groups=1997800513(domain users@example.com)\n<\/pre>\n\n\n\n
[root@servera ~]# id linuxtechi\nid: linuxtechi: no such user\n<\/pre>\n\n\n\n
use_fully_qualified_names = True\nfallback_homedir = \/home\/%u@%d<\/pre>\n\n\n\n
use_fully_qualified_names = False\nfallback_homedir = \/home\/%u<\/pre>\n\n\n\n
[root@servera ~]# systemctl restart sssd\n[root@servera ~]# systemctl daemon-reload\n<\/pre>\n\n\n\n
[root@servera ~]# id linuxtechi\nuid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users)\n<\/pre>\n\n\n\n
[root@lnxdesktop ~]# ssh linuxtechi@192.168.0.20\nlinuxtechi@192.168.0.20's password:\nLast login: Fri Mar\u00a0 3 10:18:41 2017 from serverb.example.com\n[linuxtechi@servera ~]$ id uid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users) [linuxtechi@servera ~]$ pwd \/home\/linuxtechi [linuxtechi@servera ~]$ \n<\/pre>\n\n\n\n
Step:4 Sudo rights for AD users on CentOS 7 or RHEL 7<\/h4>\n\n\n\n
[root@servera ~]# cat \/etc\/sudoers.d\/sudoers\n%sudoers ALL=(ALL) ALL\n<\/pre>\n\n\n\n
![\"AD-User-Sudoers-Group-Linux\"](\"https:\/\/www.linuxtechi.com\/wp-content\/uploads\/2017\/05\/AD-User-Sudoers-Group-Linux.jpg\")
<\/figure><\/li><\/ul><\/figure>\n\n\n\n