adcli – Easy way to join RHEL/CentOS systems to active directory domain

Every where we use single sign-on (SSO) which allow users to use same login credentials to access multiple applications.

What is adcli?

adcli is a command line tool that can be used to integrate or join Linux systems such as RHEL & CentOS to Microsoft Windows Active Directory (AD) domain. Once integrated the same AD login credentials used to access Linux system.

This tool allow us to perform many actions in an Active Directory domain from Linux box.

What is SSSD?

The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.

Note: Make Sure Linux machine is able to resolve Active Directory servers in order to join it.

Install the required packages

Use the yum command to install following required packages on system.

# yum install adcli sssd authconfig

Join Linux system to Windows domain

Everything in place before join the domain, run the following command and discover the AD domain. It will show some details about the AD domain.

# adcli info ad.2daygeek.com
[domain]
domain-name = ad.2daygeek.com
domain-short = 2DAYGEEK
domain-forest = ad.2daygeek.com
domain-controller = vps-centos.2daygeek.com
domain-controller-site = Chennai
domain-controller-flags = pdc gc ldap ds kdc timeserv closest
domain-controller-usable = yes
domain-controllers = vps-centos.2daygeek.com
[computer]
computer-site = Chennai

Now, run the following command to join the Linux system to AD domain. By default, it prompts for the Administrator password and you can specify another user by adding -U option. Make sure, the mentioned user should have admin privilege.

# adcli join ad.2daygeek.com
Password for [email protected]: ******

When you perform the above action, it configure /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab files automatically which used for authentication.

To verify list of keys held in a keytab file, run the following command. It lists the Kerberos principal and Kerberos tickets held in a credentials cache.

# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------
   6 10/05/17 11:29:44 host/[email protected]
   6 10/05/17 11:29:44 host/[email protected]
   6 10/05/17 11:29:44 host/[email protected]
   6 10/05/17 11:29:44 host/[email protected]
   6 10/05/17 11:29:45 host/[email protected]
   6 10/05/17 11:29:45 host/[email protected]
   7 11/04/17 19:34:49 [email protected]

Configure /etc/krb5.conf file to use AD domain.

# vi /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.2DAYGEEK.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
AD.2DAYGEEK.COM = {
  kdc = vps-centos.2daygeek.com
  admin_server = vps-centos.2daygeek.com
}

[domain_realm]
.ad.2daygeek.com = AD.2DAYGEEK.COM
ad.2daygeek.com = AD.2DAYGEEK.COM

Run the following command to set up the Name Service Switch (/etc/nsswitch.conf) and PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth). This will enable “sss” authentication on required entries.

# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

The same has been validated using following command.

# grep sss /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files sss

Finally configure the SSSD as follows.

# vi /etc/sssd/sssd.conf

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = ad.2daygeek.com
#debug_level = 9

[domain/AD.2DAYGEEK.COM]
id_provider = ad
#auth_provider = ad
#chpass_provider = ad
#access_provider = ad
ad_server = vps-centos.2daygeek.com
override_homedir = /home/%u
default_shell = /bin/bash
#ad_gpo_access_control = enforcing
#debug_level = 9

[nss]
#debug_level = 9

[pam]
#debug_level = 9

Make sure sssd.conf is owned by root and file permissions should be 600.

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

Start the SSSD service and enable in boot.

# service sssd start
# chkconfig sssd on

Use id command to verify the user’s uid and gid and their group information from Linux system.

# id Administrator
uid=6819600500(administrator) gid=6819600513(domain admins) groups=6819600513(domain users),6819600512(domain admins),6819600520(group policy creator owners),6819600519(enterprise admins),6819600518(schema admins)

Just rename the smb.conf file and add below contents. Samba is an important component to integrate Linux Servers and Desktops into Active Directory environments.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.bk
# vi /etc/samba/smb.conf

[global]
   workgroup = 2DAYGEEK
   password server = vps-centos.2daygeek.com
   realm = AD.2DAYGEEK.COM
   security = ads
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log

If you modify anything on sssd.conf file, post modification run the following command once to take effect.

# service sssd stop ; rm -rf /var/log/sssd/* /var/lib/sss/db/* ; service sssd start

We have successfully joined our Linux system to AD domain but now every one can login to Linux machine using their AD login details. So, in next article will discuss how to allow only certain groups from AD.

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

6 Comments on “adcli – Easy way to join RHEL/CentOS systems to active directory domain”

    1. Hi @Shan,

      Winbind is a legacy method for enabling AD bridging. However, I have tested ADCLI & sssd on RHEL 6 and need to test it again with RHEL 8 & RHEL 9 using REALMD & sssd.

  1. At the end you mentioned “So, in next article will discuss how to allow only certain groups from AD.” but I can’t find that follow up.

    Is it posted somewhere?

Leave a Reply

Your email address will not be published. Required fields are marked *