How To Join a CentOS 7 machine to an Active Directory domain

Joining a linux machine to an Active Directory domain is an uncommon task, but I have run across it a few times. The increasing popularity of linux will sooner or later attract more windows administrators and users and more machines will be joined to Active Directory domains.

Back in the day, to join the domain we had to do a lot of configuration file editing, many packages that had to be aligned and a lot of luck was a requirement! Fortunately, this process has been reduced to a handfull of commands! Let's see it in action.

The first step is to install the necessary packages.

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

Give it some time to download and install the packages and their dependencies and you should end up with something similar to the below:

Another requirement is that the machine has to be able to resolve the domain DNS records. Check your /etc/resolv.conf  file and if necessary, update it with the IP addresses of the domain controllers.

To join the domain use: realm join --user=youdomainuser with a user that has the permission to join computers to the domain. When the process is completed, a computer object will be created on the default computer container in Active Directory, as shown below.

In case you run into issues when joining, you can use the "-v" switch to get more details on the operation.

You should now be able to login to the machine using your domain account and password.

The realm list and id commands provide useful information about the domain and users on it.

When a domain user logs in, the home directory is going to be created according to the format username@domainname. If you wish to change it and remove the domain part, you have to update the /etc/sssd/sssd.conf file and set the fallback_homedir to /home/%u (instead of /home/%u@%d).

You can also omit the domain part when logging in by updating the use_fully_qualified_names setting in the same file to False. 

In case you make any changes to the sssd.conf file, you'll have to restart the service for them to take effect.

It's time to start taking advantage of the Active Directory features. We'll start with controlling sudo access using groups! I usually create a file named ActiveDirectory in the /etc/sudoers.d/ folder to configure the sudo access for all the users and groups from the domain.

I've added the line: %LAB\\LinuxAdministrators ALL=(ALL) ALL to grant the members of the group LinuxAdministrators the permission to use sudo.

The next setting to update is the permission to login to the system using SSH. By default, all users have the ability to login and since the server is joined to the domain, all domain users also have the right.

To restrict it, we have to update the /etc/ssh/sshd_config file. There are four directives regarding the users and groups that allowed to login, AllowUsers, DenyUsers, AllowGroups and DenyGroups.

We are going to configure the AllowGroups setting to allow the members of an Active Directory group to login. For this purpose I have created a group named LinuxSSHUsers. I've also added the group LinuxAdministrators as a member since I want the administrators to be able to login remotely.

Altering the allow and deny settings may prevent you or any other user that already has the ability to login thus make sure you know what you're doing.

There are no changes in my sshd configuration file, so I am just going to add the AllowGroups with the name of the group. The name of the group is the tricky part since sshd is a bit picky on the names. Execute the id command against a user that is a member of the group you would like to allow and get the name of the group from there. Then add the settings on the configuration file and restart the daemon:

Note here that if the name of the group contains any special characters such as spaces, you'll probably have to replace them with question marks.

As you can see below, the first user is authenticated successfully but the second one failed since he is not a member of any groups of the AllowedGroups setting. Use the /var/log/secure and /var/log/messages files to troubleshoot any issues.

While on the sshd topic, I usually disable SSH access for the root user in order to increase the security. To disable it, uncomment the PermitRootLogin setting in the sshd_config file and set it to no.

To interface with external authentication providers such as the Active Directory domain in our example, we are using the sssd service. This service has a cache that is used in order to increase the performance and availability and you may have to flush. Use the sss_cache -E command to clear the entire cache or sss_cache -u followed by the username of the user to clear the entries about that particular account.

At this point, you'll have a CentOS 7 system that is part of an Active Directory domain and you are able to control SSH access and sudo privileges using Active Directory groups.

If for any reason you would like to remove the server from the domain, use the realm leave yourdomain command.

Have fun!

Popular posts from this blog

Domain Controller Machine Password Reset

Configuring a Certificate on Exchange Receive Connector

Verbose Parameter Passing to cmdlet inside Function