Join a Linux server to a Windows Active Directory domain and allow a group of users
1) Packages to be installed
sssd, realmd, oddjob, oddjob-mkhomedir, adcli, samba-common, samba-common-tools, krb5-workstation, openldap-clients, policycoreutils-python, ntp
2) Add an entry for the domain server in the client's hosts file (/etc/hosts)
<IP address of AD server> <AD server FQDN> <AD node name>
3) Check the DNS client config file
cat /etc/resolv.conf
search <domain name>
nameserver <AD IP address>
To check the SRV records published by the AD DNS server use the commands below
dig SRV _kerberos._udp.<domain name>
dig SRV _ldap._tcp.<domain name>
Note: realm does a DNS lookup for the _ldap and _kerberos SRV records, so both must resolve before the join.
4) Check/configure NTP time sync (Kerberos rejects tickets once the clock skew exceeds 5 minutes by default)
systemctl enable ntpd.service
ntpdate <ntp server ip / fqdn>
systemctl start ntpd.service
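The checks in steps 3 and 4 are easy to skip and are the usual reason a join fails. The script below is an added example, not part of the original how-to: it verifies that /etc/resolv.conf searches the domain and points at the AD server, that the two SRV records exist, and that the clock offset against the AD server is small. DOMAIN and AD_IP are placeholders (example.internal and a TEST-NET-1 address) that you override in the environment.

```shell
#!/bin/bash
# Pre-join checks for steps 3 and 4 (added example, not part of the original
# how-to). DOMAIN and AD_IP are placeholders: override them in the environment.
DOMAIN="${DOMAIN:-example.internal}"   # constructed placeholder domain
AD_IP="${AD_IP:-192.0.2.10}"           # constructed placeholder (TEST-NET-1 address)

# check_resolv FILE DOMAIN IP: succeed only if FILE searches DOMAIN and lists
# IP as a nameserver, i.e. what step 3 expects of /etc/resolv.conf.
check_resolv() {
    local file=$1 domain=$2 ip=$3 rc=0
    grep -Eq "^search([[:space:]]+[^[:space:]]+)*[[:space:]]+${domain}([[:space:]]|$)" "$file" \
        || { echo "resolv: no 'search $domain' line"; rc=1; }
    grep -Eq "^nameserver[[:space:]]+${ip}([[:space:]]|$)" "$file" \
        || { echo "resolv: no 'nameserver $ip' line"; rc=1; }
    return $rc
}

# check_srv DOMAIN: the two SRV records realm looks up before a join.
check_srv() {
    local domain=$1 rec rc=0
    for rec in "_kerberos._udp.$domain" "_ldap._tcp.$domain"; do
        if [ -z "$(dig +short SRV "$rec" 2>/dev/null)" ]; then
            echo "dns: no SRV record for $rec"; rc=1
        fi
    done
    return $rc
}

# offset_within OFFSET MAX: succeed if |OFFSET| <= MAX seconds. Kept separate
# from the ntpdate call so the comparison can be exercised without a network.
offset_within() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit (o > m) ? 1 : 0 }'
}

# check_clock SERVER MAX: query the NTP server (step 4) without setting the
# clock and fail if the offset exceeds MAX seconds. Kerberos refuses tickets
# once the skew passes 300 s by default, so MAX should be well below that.
check_clock() {
    local server=$1 max=$2 offset
    offset=$(ntpdate -q "$server" 2>/dev/null \
        | sed -n 's/.*offset \(-\{0,1\}[0-9][0-9.]*\).*/\1/p' | tail -n 1)
    [ -n "$offset" ] || { echo "ntp: could not query $server"; return 1; }
    offset_within "$offset" "$max" \
        || { echo "ntp: offset ${offset}s exceeds ${max}s"; return 1; }
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_resolv /etc/resolv.conf "$DOMAIN" "$AD_IP"
    check_srv "$DOMAIN"
    check_clock "$AD_IP" 60
fi
```

Run it as `DOMAIN=<domain name> AD_IP=<AD IP address> bash preflight.sh --run` before step 5; each failing check prints what is missing and the functions return non-zero, so the script can gate an automated join.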
5) To integrate the Linux server with the Windows domain
realm discover <FQDN of AD server> -v
realm join --user=<domain admin name> <FQDN of AD server>
realm list <FQDN of AD server> (OR) adcli info <domain name>
6) Pick any user in AD and check whether the same user resolves on the local server
id <username>@<domain name> (shows the user's details from Active Directory)
id <user name> (displays "no such user")
7) To avoid the above issue, add the following entry under the [sssd] section in /etc/sssd/sssd.conf
default_domain_suffix = <domain name>
systemctl restart sssd
systemctl daemon-reload
8) Update the authconfig
authconfig --enablesssd --enablesssdauth --update
authconfig --updateall
grep sss /etc/nsswitch.conf (the passwd and group lines should now list sss)
9) To deny all users/groups and allow only the members of a particular group to access the server
realm deny -R <domain name> -a
realm permit -R <domain name> -g <group name>@<domain name>
realm list
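Steps 7 and 9 both end up as settings in /etc/sssd/sssd.conf: default_domain_suffix in the [sssd] section, and, after realm deny/permit, access_provider = simple plus simple_allow_groups in the [domain/<domain name>] section. The script below is an added example, not part of the original how-to or of realmd: a small ini reader and a check that reports whether both settings are in place, so a host where someone later reset access_provider back to ad (which lets every AD user log in) is caught. DOMAIN is a placeholder and the sample configuration is constructed.

```shell
#!/bin/bash
# Inspect the sssd.conf that realm writes, for steps 7 and 9 (added example,
# not part of the original how-to). DOMAIN is a constructed placeholder.
DOMAIN="${DOMAIN:-example.internal}"

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] of an
# ini-style file such as /etc/sssd/sssd.conf; print nothing if absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s)
            insec = (s == sec); next
        }
        insec && $0 ~ /^[[:space:]]*[^#;[:space:]][^=]*=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_sssd_conf FILE DOMAIN: report whether the file carries the step 7
# suffix and whether step 9 actually restricted logins. realm deny/permit
# switch the domain section to access_provider = simple and keep the allowed
# groups in simple_allow_groups; anything else means every AD user may log in.
check_sssd_conf() {
    local file=$1 domain=$2 rc=0 suffix provider groups
    suffix=$(ini_get "$file" sssd default_domain_suffix)
    [ "$suffix" = "$domain" ] \
        || { echo "[sssd] default_domain_suffix is '${suffix:-unset}', expected '$domain' (step 7)"; rc=1; }
    provider=$(ini_get "$file" "domain/$domain" access_provider)
    groups=$(ini_get "$file" "domain/$domain" simple_allow_groups)
    if [ "$provider" = "simple" ] && [ -n "$groups" ]; then
        echo "logins limited to: $groups"
    elif [ "$provider" = "simple" ]; then
        echo "access_provider = simple with no simple_allow_groups: all AD logins denied"
    else
        echo "access_provider is '${provider:-unset}': logins are not restricted to a group (step 9)"
        rc=1
    fi
    return $rc
}

# Constructed sample of what /etc/sssd/sssd.conf looks like after realm join,
# step 7 and 'realm permit -g linux-admins@<domain>' (group name is made up).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<EOF
[sssd]
domains = $DOMAIN
config_file_version = 2
services = nss, pam
default_domain_suffix = $DOMAIN

[domain/$DOMAIN]
ad_domain = $DOMAIN
krb5_realm = $(echo "$DOMAIN" | tr '[:lower:]' '[:upper:]')
id_provider = ad
use_fully_qualified_names = True
access_provider = simple
simple_allow_groups = linux-admins@$DOMAIN
EOF

if [ "${1:-}" = "--run" ]; then
    check_sssd_conf /etc/sssd/sssd.conf "$DOMAIN"
fi
```

`DOMAIN=<domain name> bash check-sssd.sh --run` reads the live file (it is root-only, so run as root); the exit status is non-zero when the suffix is missing or when logins are not limited to a group, which makes it usable from a configuration-drift check.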
10) Log in to the server with AD credentials
ssh -l <user>@<domain name> <server ip>
11) To remove a user/group from the permit list
realm permit --groups --withdraw <groupname>@<domain name>
(OR)
realm permit -x '<domain name>\<username>'
12) To unjoin the server from the domain
realm leave --user=<domainadmin>@<domain name> <domain name>
13) Providing sudo access to AD users
vim /etc/sudoers.d/sudoers (or visudo -f /etc/sudoers.d/sudoers, which syntax-checks the file before saving it)
%<ad group name>@<domain name> ALL=(ALL) ALL
14) To clear the sssd cache use the commands below
sss_cache -E (clears the cache and updates all records)
sss_cache -Ed LDAP1 (clears the cache for a particular domain)
sss_cache -u <user name> (clears the cached record for a particular user)
15) Hard way to clear the cache (stop sssd, delete the cache database, start it again)
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd
authconfig --updateall
16) The log file to monitor user authentication is /var/log/secure
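/var/log/secure is where both kinds of failure from this setup show up: wrong passwords are logged by sshd as "Failed password for <user>", while a valid AD user who is outside the group permitted in step 9 authenticates fine and is then rejected by pam_sss in the account phase ("Access denied for user"). The script below is an added example, not part of the original how-to; the log lines in it are constructed, not captured from a real host, and the host name, users and addresses are made up.

```shell
#!/bin/bash
# Summarise AD logins from /var/log/secure (step 16). Added example, not part
# of the original how-to; the log lines below are constructed, not captured.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar 10 09:12:01 web01 sshd[1234]: Accepted publickey for alice@example.internal from 192.0.2.55 port 50122 ssh2
Mar 10 09:13:45 web01 sshd[1240]: Failed password for bob@example.internal from 192.0.2.56 port 50130 ssh2
Mar 10 09:13:50 web01 sshd[1240]: Failed password for bob@example.internal from 192.0.2.56 port 50130 ssh2
Mar 10 09:14:02 web01 sshd[1251]: pam_sss(sshd:account): Access denied for user carol@example.internal: 6 (Permission denied)
Mar 10 09:14:10 web01 sshd[1260]: Failed password for invalid user admin from 192.0.2.57 port 50140 ssh2
Mar 10 09:15:00 web01 sshd[1270]: Accepted password for alice@example.internal from 192.0.2.55 port 50150 ssh2
Mar 10 09:16:30 web01 sshd[1280]: Accepted password for dave@example.internal from 192.0.2.58 port 50160 ssh2
EOF

# count_accepted FILE USER / count_failed FILE USER: successful and failed
# sshd authentications for one account, as printed in /var/log/secure.
count_accepted() {
    grep -Ec "sshd\[[0-9]+\]: Accepted [a-z-]+ for $2 from " "$1"
}
count_failed() {
    grep -Ec "sshd\[[0-9]+\]: Failed [a-z-]+ for (invalid user )?$2 from " "$1"
}

# sssd_denied FILE: users whose password was right but whom sssd rejected in
# the account phase, i.e. AD users outside the group allowed in step 9.
sssd_denied() {
    sed -n 's/.*pam_sss([^)]*:account): Access denied for user \([^:]*\):.*/\1/p' "$1" | sort -u
}

# failed_sources FILE MIN: source addresses with at least MIN failed logins,
# the first thing to look at when the failure count for a user jumps.
failed_sources() {
    awk -v min="$2" '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort
}

# summary FILE: one line per distinct account seen, with accepted/failed counts.
summary() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = $(i+1); if (u == "invalid") u = $(i+3); break }
            if ($0 ~ /: Accepted /) ok[u]++; else bad[u]++
            seen[u] = 1
        }
        END { for (u in seen) printf "%s accepted=%d failed=%d\n", u, ok[u], bad[u] }' "$1" | sort
}

if [ "${1:-}" = "--run" ]; then
    summary /var/log/secure
    echo "denied by sssd access control:"; sssd_denied /var/log/secure
    echo "sources with >= 5 failures:"; failed_sources /var/log/secure 5
fi
```

`bash secure-summary.sh --run` (as root, since /var/log/secure is not world-readable) prints the per-account counts, the users that the step 9 group restriction turned away, and the addresses behind repeated failures; the sssd_denied list is the one to review when a user reports that a correct password is being refused.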