How to Integrate RHEL 7 or CentOS 7 with Windows Active Directory

33 Responses

  1. mossholderm says:

    One pedantic complaint… in your last screenshot, you execute “sudo su -” … you should really just be using “sudo -i”.

  2. Tyler says:

    Do you know how to make JUST authentication work with CentOS 7? I’m trying to get some linux servers from one domain, to be able to authenticate to another, so I don’t want to join the domain. I was able to do this with CentOS 5 and 6, but I haven’t been able to get it to work with 7. Any thoughts?

  3. Bob says:

    Great info, thanks for posting. One thing I’m trying to figure out is how to restrict user logins based on AD group membership. Any ideas here? I saw one article referring to pam_access and nologin and editing the access.conf file but so far no luck. All domain members can still SSH to the host.

    Thanks again,


    • Hi Bob,

      To restrict user login to a CentOS 7 / RHEL 7 server that is on a Windows domain, use the following steps:

      1) Create the security group on AD (like "linuxadmins").
      2) Add the domain users (which you want to allow to log in) to this security group.
      3) Map the security group to the CentOS / RHEL 7 server by adding the following line in the file (/etc/sssd/sssd.conf):

      realm permit -g [email protected]

      4) Restart the sssd service.

      5) If you want to control rights as well, then you can place the AD security group in the sudoers file; an example is shown below:

      %[email protected] ALL=(ALL) ALL
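An added check, not part of the original post or the replier's steps, for confirming what step 3 above actually enforces: `realm permit -g` records the restriction as `access_provider = simple` plus `simple_allow_groups` in the `[domain/...]` section of /etc/sssd/sssd.conf (see realm(8) and sssd-simple(5)), and this script reports whether a given sssd.conf carries such a group filter or still uses the realm-wide default. The domain example.com and group linuxadmins are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post or its author: inspect an
# sssd.conf and report whether logins are limited to specific AD groups.
# `realm permit -g GROUP@DOMAIN` records the restriction as
# access_provider = simple plus simple_allow_groups = GROUP@DOMAIN in the
# [domain/...] section (see realm(8) and sssd-simple(5)).

# Report the login policy found in the [domain/...] section(s) of FILE ($1):
#   "restricted:<groups>" when a simple_allow_groups filter is enforced,
#   "realm-default"       when no simple group filter is configured.
sssd_login_policy() {
    awk -F'=' '
        /^\[domain\// { indom = 1; next }
        /^\[/         { indom = 0 }
        indom && NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "access_provider")     prov = val
            if (key == "simple_allow_groups") groups = val
        }
        END {
            if (prov == "simple" && groups != "") print "restricted:" groups
            else print "realm-default"
        }' "$1"
}

# Constructed sample: what realmd leaves behind after
# `realm permit -g linuxadmins@example.com` (domain and group are made up).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = simple
simple_allow_groups = linuxadmins@example.com
EOF
    echo "$f"
}

# Stand-alone run against the sample; on a real host pass /etc/sssd/sssd.conf.
sssd_login_policy "$(make_sample_conf)"
```

A value containing a second `=` would be truncated by the simple `-F'='` split; realmd-written group lists do not contain one.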

  4. Sandeep Kumar says:

    Hi Pradeep,

    First of all, thank you very much for posting this valuable information; it’s really very helpful.

    I am trying to configure the AD authentication and facing one issue while following your article.
    Let me elaborate more:

    1- I have installed all the required packages as mentioned in the article.
    2- I have all the connectivity in place and my RHEL7 server is able to connect with AD server with IP and FQDN.
    3- Next is when I execute the “realm discover” or “realm discover domainname” I am getting “No such realm found:” error.

    [[email protected] ~]# realm discover [email protected]
    realm: No such realm found: [email protected]

    Please help me to troubleshoot the issue.

    Thanks in Advance.

  5. Naga says:

    Hello Pradeep, realm join with a user was successful but this is not able to identify any users. SSSD service is giving me this error:

    GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

    Any idea why this is happening? Do I need to configure anything in /etc/krb5.conf?

  6. Tom says:

    Thank you for posting this article! These instructions are for RHEL7/CentOS7. Do you know if it would work on RHEL6 or 5?

  7. Hugo Santos says:

    Hello. I’ve installed sssd on a CentOS 7 server and I’m able to log in using my Active Directory credentials; however, the id command does not resolve the group names of the AD, denying me the possibility of restricting the authentication based on an AD group, because the declared group under sssd.conf cannot be found.

    Any ideas ?

  8. yousuf says:

    Hi ,

    The above one I have tried, which is working fine; we are able to log in with the help of AD users on a Linux machine. But we have a different requirement in my company: we configured an Apache website which is in PHP (index.php) on a Linux server for user authentication on a PHP application (username, password). We are able to authenticate from a MySQL database, but we need the authentication from Active Directory also. Is there a way we can do it without configuring an LDAP server …? Please help if possible.

  9. Chris says:


    The above steps worked great for me, but there are a couple of problems I’ve run into. My company is migrating from NIS to AD. Our home directories are owned by our NIS accounts, which are mounted using autofs settings from NIS. However, I cannot create new files or modify existing ones in my home directory because my AD account isn’t the owner. How can I change my UID in AD to match my NIS UID?

  10. Arul Kumar says:


    We have done almost all SSSD configuration, but while connecting as an AD user in Linux (“su - ad user”) I am getting the error:

    “File size limit exceeded (core dumped)”

    • Wai Htut Paing says:

      Me too!

      My Samba (CentOS server) was joined to AD via realm list.
      But I couldn’t verify the AD user on CentOS with the id command.
      It shows no such user.

  11. Chip says:

    Very helpful – thank you!

    Do you have a similar article for integrating samba and active directory authentication? I’d like to be able to share out the home directories on the centos server of the active directory users who have logged in and I am running into a wall.

  12. Nitiratna says:

    First of all, Big thank you.

    Q. Is there any way to control the UID while creating a user on AD?

  13. Mat Des says:

    Have you found any solution for your samba issue with an existing AD? I’m looking for the same thing. Thanks

  14. Artura says:

    getent passwd; getent group; don’t work after this tutorial.

    You need to add:
    enumerate = true
    in your sssd.conf file (under: [domain/])

  15. Brice Miram says:

    It works very well with Windows Server 2012 R2.
    Thank you for this beautiful tutorial.

  16. Dave says:

    This is fantastic – thank you! Now, what about integrating Samba authentication with this method of AD integration? I cannot seem to get this to work.

  17. Manoj Malviya says:

    I have installed it on AWS, but when I try to SSH it says permission denied. I have tried 3-4 times but it still shows the same issue.

    Any solution for this error?

  18. Zia says:

    I tried the solution and it worked for me now I have a different issue/question.

    I added my linux server to I also want to allow and users to be able to login as well.

    How can I do that?

  19. Christopher says:

    Hi, I have a strange case with CentOS 7. I have joined the domain and I can log on AD users, but there is no DNS entry for my CentOS 7 host in AD DNS. I have updated /etc/sssd/sssd.conf with dyndns_update = True, but it doesn’t help. Any suggestions?

  20. Ansuman says:

    I am getting this error while running realm join command:

    * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-WkIz9P/krb5.d/adcli-krb5-conf-ObFF3n
    ! Couldn’t get kerberos ticket for: : Cannot contact any KDC for realm ”

  21. Wai Htut Paing says:

    id: [email protected]: no such user

    My CentOS joined AD.
    Some lines of realm list are …..
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: oddjob
    required-package: oddjob-mkhomedir
    required-package: sssd
    required-package: adcli
    required-package: samba-common-tools
    login-formats: %U
    login-policy: allow-realm-logins

    But I couldn’t verify the AD user on CentOS.
    If you don’t mind, please help me to solve it.

  22. Prince Trivedi says:

    Hello Pradeep,

    After executing the realm list command, when I am trying to execute the command id [email protected], it is giving me an error: realm: no such user found.

    Kindly help me to resolve this issue.

  23. Vincent says:

    Hello Pradeep.
    We recently integrated AD with CentOS 7.x. Users can log in, but after login it says /home/user/.bash_profile: permission denied.
    Please advise.
