How to Integrate RHEL 7 or CentOS 7 with Windows Active Directory

In Most of the Organizations users and groups are created and managed on Windows Active Directory.  We can integrate our RHEL 7 and CentOS 7 servers with AD(Active Directory) for authenticate purpose. In other words we can join our CentOS 7 and RHEL 7 Server on Windows Domain so that system admins can login to these Linux servers with AD credentials. While creating UNIX users on AD we can map these users to a specific group so that level of access is controlled centrally from AD.

In this article we discuss how to integrate CentOS 7.x & RHEL 7.x with AD(Windows Server 2008 R2 & Windows Server 2012 R2). Following steps are applicable for both CentOS 7 and RHEL 7.

Step:1 Install the required packages using yum command

Use the yum command to install following packages from the command line.

[root@servera ~]# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Update the /etc/hosts file and /etc/resolv.conf so that dns name or hostname of AD server gets resolved correctly. In my case AD server hostname is “adserver.example.com“, so place the below line in /etc/hosts file

192.168.0.151    adserver.example.com  adserver

Contents of resolv.conf should be something like below. Just replace the domain name and ip address of dns server as per your setup

[root@servera ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.0.151
[root@servera ~]#

Step:2 Now Join Windows Domain or Integrate with AD using realm command

When we install above required packages then realm command will be available. We will use beneath realm command to integrate CentOS 7 or RHEL 7 with AD via the user “tech”. tech is a bind user which have required privileges on AD or  we can also administrator user of AD Server for integration purpose.

[root@servera ~]# realm join --user=tech adserver.example.com
Password for tech:
[root@servera ~]#

Now verify whether our server has joined the Windows domain or not. Simply run the command ‘realm list

 [root@servera ~]# realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %[email protected]
  login-policy: allow-realm-logins
[root@servera ~]#

Whenever we run ‘realm join’ command it will automatically configure ‘/etc/sssd/sssd.conf‘ file.

Step:3 Check and Verify  AD users on REHL 7 or CentOS 7 Servers

With ‘id‘ command on Linux we can verify the user’s uid and gid and their group information. At this point of time our server is now the part of windows domain. Use below command to verify AD users details.

[root@servera ~]# id [email protected]
uid=1997801106([email protected]) gid=1997800513(domain [email protected]) groups=1997800513(domain [email protected])
[root@servera ~]#

You might have noticed in above command that i have mentioned domain name as well along with user name because this is controlled by ‘/etc/sssd/sssd.conf’ file. If we execute id command without domain name then we will not get any details for user.

[root@servera ~]# id linuxtechi
id: linuxtechi: no such user
[root@servera ~]#

We can change this behavior by editing the file /etc/sssd/sssd.conf.

Change the following parameters from

use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

to

use_fully_qualified_names = False
fallback_homedir = /home/%u

Restart the sssd service using following systemctl command

[root@servera ~]# systemctl restart sssd
[root@servera ~]# systemctl daemon-reload

Now run the id command and see whether you are able get AD user details without mentioning domain name

[root@servera ~]# id linuxtechi
uid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users)
[root@servera ~]#

Let’s try ssh CentOS 7 or RHEL 7 Server with AD credentials

[root@lnxdesktop ~]# ssh [email protected]
[email protected]'s password:
Last login: Fri Mar  3 10:18:41 2017 from serverb.example.com
[linuxtechi@servera ~]$ id
uid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users)
[linuxtechi@servera ~]$ pwd
/home/linuxtechi
[linuxtechi@servera ~]$

Step:4 Sudo rights for AD users on CentOS 7 or RHEL 7

In case you want to configure sudo rights for AD users then the best way is to create a group on AD with name sudoers and add Linux/UNIX users in that group and on Linux Server create a file with name “sudoers” under the folder /etc/sudoers.d/

Put the following content in the file.

[root@servera ~]# cat /etc/sudoers.d/sudoers
%sudoers    ALL=(ALL)       ALL
[root@servera ~]#

In my case I have given all the rights to the users which are part of sudoers group. Once your done with these changes re-login to your server with AD credentials and see whether user is part of sudoers group.

AD-User-Sudoers-Group-Linux

That’s all from this article, Hope you guys got an idea how to join RHEL or CentOS server with Windows Domain. Please share your feedback and valuable comments.

Share Now!

45 thoughts on “How to Integrate RHEL 7 or CentOS 7 with Windows Active Directory”

  1. One pedantic complaint… in your last screenshot, you execute “sudo su -” … you should really just be using “sudo -i”.

    Reply
  2. Do you know how to make JUST authentication work with CentOS 7? I’m trying to get some linux servers from one domain, to be able to authenticate to another, so I don’t want to join the domain. I was able to do this with CentOS 5 and 6, but I haven’t been able to get it to work with 7. Any thoughts?

    Reply
  3. Great info, thanks for posting. One thing I’m trying to figure out is how to restrict user logins based on AD group membership. Any ideas here? I saw one article referring to pam_access and nologin and editing the access.conf file but so far no luck. All domain members can still SSH to the host.

    Thanks again,

    Bob

    Reply
    • Hi Bob,

      To restrict user login to CentOS 7 / RHEL 7 Server that are on window domain, use the following steps:

      1) Create the Security Groups on AD ( like linuxadmins”)
      2) Add the domain users (which to want to allow login) to this security group.
      3) MAP the security group to CentOS / RHEL 7 Server by adding the following line in the file (/etc/sssd/sssd.conf)

      [sssd]
      ……..

      realm permit -g AD-Domain-Group@domain

      example

      realm permit -g [email protected]

      4) Restart the sssd service

      5) If you want to control rights as well , then you can place the ad security group in sudoers file, example is shown below

      %[email protected] ALL=(ALL) ALL

      Reply
      • Pradeep,

        just want to send over a correction. your instruction states to add the line “realm permit…” to sssd.conf but that’s actually a command that needs to be run. it’s not a config file entry.

        once that command has been run it adds the following line to sssd.conf:
        simple_allow_groups = [email protected]

        Reply
  4. Hi Pradeep,

    First of all thank you very much for posting this valuable information, it’s really very helpfull.

    I am trying to configure the AD authentication and facing one issue while following your article.
    Let me elaborate more-

    1- I have installed all the required packages as mentioned in the article.
    2- I have all the connectivity in place and my RHEL7 server is able to connect with AD server with IP and FQDN.
    3- Next is when I execute the “realm discover” or “realm discover domainname” I am getting “No such realm found:” error.

    [root@myserver ~]# realm discover server@domainname
    realm: No such realm found: server@domainname

    Please help me to troubleshoot the issue.

    Thanks in Advance.

    Reply
    • Some more output.

      [root@myserver ~]# realm discover -vvv server@domainname
      * Resolving: _ldap._tcp.server@domainname
      ! Discovery timed out after 15 seconds
      realm: No such realm found: server@domainname

      ———————————————————————————————–

      [root@myserver ~]# realm discover -vvv domainname
      * Resolving: _ldap._tcp.domainname
      ! Discovery timed out after 15 seconds
      realm: No such realm found: domainname

      Reply
      • Hi Sandeep,

        Please use the real name of your domain and also make sure you are able to resolve AD server hostname into ip address from your RHEL 7 system

        Reply
  5. Hello Pradeep, realm join with a user was successful but this is not able to identify any users. SSSD service is giving me this error:

    GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

    Any idea why this is happening? Do I need to configure anything in /etc/krb5.conf?

    Reply
  6. Hello. I’ve installes sssd on a Centos7 server and i’m able to login using may Active Directory credentials, however the id command does not resolve the group names of the AD . Denying me the possiblity of restrict the authentication based on an AD group , because the declared group under sssd.conf cannot be found.

    Any ideas ?

    Reply
  7. Hi ,

    The above one i have tried which is working Fine, we are able to login with the help of AD users on linux Machine , But we have a different Requirement in my company, we configured Apache website which is in php( index.php) on Linux Server For User Authentication on Php Application (Username:- , Password) we are able to authenticate from mysql Database But we need the Authentication from the Active Directory Also, if there a way without configurig ldap server we can do …? Plz help if possible

    Reply
  8. Hi,

    The above steps worked great for me, but there’s a couple problems I’ve run into. My company is migrating from NIS to AD. Our home directories are owned by our NIS accounts, which is mounted using autofs settings from NIS. However, I cannot create new files or modify existing ones in my home directory because my AD account isn’t the owner. How can I change my UID in AD to match my NIS UID?

    Reply
  9. Hello,

    We have done almost all SSSD configuration but while coneecting AD user in Linux “” su – ad user” getting error

    “” File size limit exceeded (core dumped “””

    Reply
  10. Very helpful – thank you!

    Do you have a similar article for integrating samba and active directory authentication? I’d like to be able to share out the home directories on the centos server of the active directory users who have logged in and I am running into a wall.

    Reply
  11. getent passwd; getent group; doesn’t work after this tutorial,

    You need to add:
    enumerate = true
    in your sssd.conf file (under: [domain/])

    Reply
  12. This is fantastic – thank you! Now, what about integrating Samba authentication with this method of AD integration? I cannot seem to get this to work.

    Reply
  13. I have installed it on aws but when i try to ssh it it say permission denied i have 3 4 times but still showing same issue..

    Any solution for this error

    Reply
  14. I tried the solution and it worked for me now I have a different issue/question.

    I added my linux server to subA.domain.com. I also want to allow domain.com and subB.domain.com users to be able to login as well.

    how can i do that

    Reply
  15. Hi i have strange case with Centos 7. I had join the domain, i can log on AD users but there is no DNS entry of my Centos 7 in AD DNS. I had updated /etc/sssd/sssd.conf with dyndns_update = True, but it don’t help. Any suggestions?

    Reply
  16. I am getting this error while running realm join command:

    * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-WkIz9P/krb5.d/adcli-krb5-conf-ObFF3n
    ! Couldn’t get kerberos ticket for: : Cannot contact any KDC for realm ”

    Reply
  17. id: user@mydomain: no such user

    my centos joined to AD .
    Some lines of realm list are …..
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
    login-formats: %U
    login-policy: allow-realm-logins

    But I couldn’t verify ad user on centos.
    If you don’t mind, please help to me to solve it.

    Reply
    • Hi Wai Htut Paing, looking at your output i can see that the login format is listed as %U which means it isn’t looking for the %D (Domain name)
      so it seems you have already specified the login format or the system did this for you.

      Reply
  18. Hello Pradeep,

    After executing realm list command when I am trying to execute the command id username@domain, It is giving me an error, realm : no such user found.

    Kindly help me to resolve this issue

    Reply
  19. Hello Pradeep.
    We recently integrated AD to centos 7.x . Users can login but after login it says /home/user/.bash_profile: permission denied.
    Please advise

    Reply
  20. If the Active Directory is OFFLINE, will the users still be able to connect to the Linux servers using the account that is provided by AD?

    Reply
  21. I ran your above commands to join to the domain and I can query ID and realm list. But, I cannot log into the RHEL 7 server via SSH. Did I miss something?

    Reply
  22. A great post, thank you very much. To add, it would be nice to configure the NTP client. The idea is that the NTP client synchronizes time with the domain controller (DC). Here is an interesting guide to check: ‘https://www.sysadmit.com/2019/11/linux-anadir-equipo-al-dominio-windows.html’

    Reply
  23. Thanks Linuxtechi,

    I followed the provided steps and it worked for me.

    Now I have a different requirement or question.

    1) I want to allow Only IT_TEAM OU. (Another OU should not log in)
    2) Only Few users can have access from the allowed OU.

    Reply
  24. Hi,
    We recently configured our system using the tutorial. However whenever a user logins, we get a message that .bash_profile cannot be created due to permission restriction. Our home directory is located on a lustre file system. Could that be a reason why permission is not given to users? Please advice

    Reply
  25. can someone tell me, is there a way to provide the password as an argument in the realm join command ? Just like

    realm join -U -P example.com

    I am trying to automate few areas where this password is actually occurring during the execution time so unable to supply this password as an argument

    Reply
  26. I joined the ad using the realm join –user=Administrator mydomain.com
    however when i query id Administrator, the output is id: ‘administrator@mydomain’: no such user

    Please let me know how to troubleshoot/debug the issue.

    realm list contents are below:
    type: kerberos
    realm-name: MYDOMAIN.COM
    domain-name: mydomain.com
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
    login-formats: %[email protected]
    login-policy: allow-realm-logins

    Reply

Leave a Comment