How To Join a CentOS 7 machine to an Active Directory domain

Joining a linux machine to an Active Directory domain is an uncommon task, but I have run across it a few times. The increasing popularity of linux will sooner or later attract more windows administrators and users and more machines will be joined to Active Directory domains.

Back in the day, to join the domain we had to do a lot of configuration file editing, many packages that had to be aligned and a lot of luck was a requirement! Fortunately, this process has been reduced to a handfull of commands! Let's see it in action.

The first step is to install the necessary packages.

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y


Give it some time to download and install the packages and their dependencies and you should end up with something similar to the below:


Another requirement is that the machine has to be able to resolve the domain DNS records. Check your /etc/resolv.conf  file and if necessary, update it with the IP addresses of the domain controllers.


To join the domain use: realm join --user=youdomainuser with a user that has the permission to join computers to the domain. When the process is completed, a computer object will be created on the default computer container in Active Directory, as shown below.


In case you run into issues when joining, you can use the "-v" switch to get more details on the operation.

You should now be able to login to the machine using your domain account and password.


The realm list and id commands provide useful information about the domain and users on it.


When a domain user logs in, the home directory is going to be created according to the format username@domainname. If you wish to change it and remove the domain part, you have to update the /etc/sssd/sssd.conf file and set the fallback_homedir to /home/%u (instead of /home/%u@%d).

You can also omit the domain part when logging in by updating the use_fully_qualified_names setting in the same file to False. 

In case you make any changes to the sssd.conf file, you'll have to restart the service for them to take effect.

It's time to start taking advantage of the Active Directory features. We'll start with controlling sudo access using groups! I usually create a file named ActiveDirectory in the /etc/sudoers.d/ folder to configure the sudo access for all the users and groups from the domain.

I've added the line: %LAB\\LinuxAdministrators ALL=(ALL) ALL to grant the members of the group LinuxAdministrators the permission to use sudo.


The next setting to update is the permission to login to the system using SSH. By default, all users have the ability to login and since the server is joined to the domain, all domain users also have the right.

To restrict it, we have to update the /etc/ssh/sshd_config file. There are four directives regarding the users and groups that allowed to login, AllowUsers, DenyUsers, AllowGroups and DenyGroups.

We are going to configure the AllowGroups setting to allow the members of an Active Directory group to login. For this purpose I have created a group named LinuxSSHUsers. I've also added the group LinuxAdministrators as a member since I want the administrators to be able to login remotely.

Altering the allow and deny settings may prevent you or any other user that already has the ability to login thus make sure you know what you're doing.

There are no changes in my sshd configuration file, so I am just going to add the AllowGroups with the name of the group. The name of the group is the tricky part since sshd is a bit picky on the names. Execute the id command against a user that is a member of the group you would like to allow and get the name of the group from there. Then add the settings on the configuration file and restart the daemon:


Note here that if the name of the group contains any special characters such as spaces, you'll probably have to replace them with question marks.

As you can see below, the first user is authenticated successfully but the second one failed since he is not a member of any groups of the AllowedGroups setting. Use the /var/log/secure and /var/log/messages files to troubleshoot any issues.


While on the sshd topic, I usually disable SSH access for the root user in order to increase the security. To disable it, uncomment the PermitRootLogin setting in the sshd_config file and set it to no.

To interface with external authentication providers such as the Active Directory domain in our example, we are using the sssd service. This service has a cache that is used in order to increase the performance and availability and you may have to flush. Use the sss_cache -E command to clear the entire cache or sss_cache -u followed by the username of the user to clear the entries about that particular account.

At this point, you'll have a CentOS 7 system that is part of an Active Directory domain and you are able to control SSH access and sudo privileges using Active Directory groups.

If for any reason you would like to remove the server from the domain, use the realm leave yourdomain command.

Have fun!

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB261162F9C8CBE12E0B75D6F06ABB0 CN=Microsoft Exchange Server Auth Certificate 2690324B827A9F2B75D59104F81CAAA57CDD627B CN=WMSvc-Exchange2013A [PS]
Keep reading

Running Multiple NGINX Ingress Controllers in AKS

Image
In some of the previous articles of this blog, we went through the process of installing NGINX as the Ingress Controller in AKS clusters. Either for applications that should be available directly from the public internet, or for applications that should only be accessed from networks considered internal. In the majority of the cases, however, and given that an AKS cluster is an environment that is designed to host multiple applications and provide economy at scale, additional ingress controllers may be required. In this post, we're going to go through the process of deploying an additional NGINX ingress controller that is going to be used for internal applications. The below diagram depicts the desired outcome: The Angular application is published via the public NGINX through the Azure Load Balancer that has been assigned a public IP. The .NET app is published by a different set of NGINX pods that are deployed in a different namespace and their ingress controller service is connect
Keep reading