How to Integrate CentOS/RHEL 8 Server with Microsoft Active Directory Using adcli

This post describes how to use adcli to integrate a CentOS/RHEL 8 server into Microsoft Active Directory.

1. Install necessary packages:

# yum install adcli sssd krb5-workstation

2. Test if adcli can connect to your Active Directory Domain:

# adcli info

If this command does not return anything, check the Active Directory Setup.

3. use adcli to join the domain, please ensure first that there is no host entry for this server in Active Directory:

# adcli join -U [admin user]

A “-v” can be added to get debug information in case it fails. At this stage, /etc/krb5.keytab should contain entries with your hostname, use “klist -kte” to see them.

4. Setup /etc/krb5.conf configuration file.

# vi /etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_realm = TEST.DOMAIN.COM
default_domain = TEST.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
allow_weak_crypto = true



Configure sssd and pam authentication

1. Use authconfig to configure sssd and pam authentication using the below command:

# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

2. Here is a sample /etc/sssd/sssd.conf configuration file.

# cat /etc/sssd/sssd.conf
services = nss, pam
config_file_version = 2
id_provider = ad
override_homedir = /home/%d/%u



3. Restart sssd service for the changes to take effect. Also enable it to start after reboot.

# systemctl restart sssd
# systemctl enable sssd

If sssd fails to start with a message like “Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.”, ensure the following permissions are given:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

Verify and Test Setup

You can test your setup by checking the user information of any user. At this state, running

# id [ad user]

Should return the information stored in the Active Directory for that user.