How to Integrate CentOS/RHEL 8 Server with Microsoft Active Directory Using adcli

This post describes how to use adcli to integrate a CentOS/RHEL 8 server into Microsoft Active Directory.

1. Install necessary packages:

# yum install adcli sssd krb5-workstation

2. Test if adcli can connect to your Active Directory Domain:

# adcli info test.domain.com

If this command does not return anything, check the Active Directory Setup.

3. use adcli to join the domain, please ensure first that there is no host entry for this server in Active Directory:

# adcli join test.domain.com -U [admin user]

A “-v” can be added to get debug information in case it fails. At this stage, /etc/krb5.keytab should contain entries with your hostname, use “klist -kte” to see them.

4. Setup /etc/krb5.conf configuration file.

# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.DOMAIN.COM
default_domain = TEST.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
allow_weak_crypto = true

[realms]
TEST.DOMAIN.COM = {
kdc = ADMINSERVER.TEST.DOMAIN.COM
admin_server = ADMINSERVER.TEST.DOMAIN.COM
}

[domain_realm]
.test.domain.com = TEST.DOMAIN.COM
test.domain.com = TEST.DOMAIN.COM

NOTE: “ADMINSERVER.TEST.DOMAIN.COM” should point to your Active Directory admin server.

Configure sssd and pam authentication

1. Use authconfig to configure sssd and pam authentication using the below command:

# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

2. Here is a sample /etc/sssd/sssd.conf configuration file.

# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = TEST.DOMAIN.COM
[domain/TEST.DOMAIN.COM]
id_provider = ad
override_homedir = /home/%d/%u

[nss]
override_shell=/bin/bash

[pam]

NOTE: set ‘debug_level = 9’ in each section if there are problems.

3. Restart sssd service for the changes to take effect. Also enable it to start after reboot.

# systemctl restart sssd
# systemctl enable sssd

If sssd fails to start with a message like “Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.”, ensure the following permissions are given:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

Verify and Test Setup

You can test your setup by checking the user information of any user. At this state, running

# id [ad user]

Should return the information stored in the Active Directory for that user.

NOTE: The domain TEST.DOMAIN.COM is a fictional name, same for the server name ADMINSERVER.TEST.DOMAIN.COM, they need to be replaced with values which fit for the target environment.

How to Integrate CentOS/RHEL 8 Server with Microsoft Active Directory Using adcli

Configure sssd and pam authentication

Verify and Test Setup

Latest Posts