redhat:other-redhat:join-domain-redhat

Differences

This shows you the differences between two versions of the page.

redhat:other-redhat:join-domain-redhat [2017/09/05 15:44] – created michael
redhat:other-redhat:join-domain-redhat [2019/03/07 14:49] (current) – [How to join RHEL system to Active Directory] michael
Line 1: Line 1:
-====== How to join RHEL system to Active Directory domain using adcli ======+====== How to join RHEL system to Active Directory ====== 
 + 
 + 
 +{{ :redhat:other-redhat:join-computer-domain-redhat.png?nolink&300 |}} 
 + 
 +<WRAP center round important 100%>
  
 **Voraussetzungen:** **Voraussetzungen:**
-  * ''Red Hat Enterprise Linux 7'' oder 6 + 
-  * Vorhandenes und funktionierendes - ''Active Directory''+  * ''**Red Hat Enterprise Linux 7** / **6**'' 
 +  * ''**Vorhandenes und funktionierendes - Active Directory**'' 
 +</WRAP> 
 + 
 + 
 +----
  
 ===== Konfigurationsablauf ===== ===== Konfigurationsablauf =====
-  - Make Sure RHEL machine is able to resolve Active Directory servers. +<wrap em>Before you start: Make Sure RHEL machine is able to resolve Active Directory servers!</wrap> 
-  - Install adcli package along with sssd: <code># yum install adcli sssd authconfig</code> +  - **Install adcli package** along with **sssd**: <code># yum install adcli sssd authconfig</code> 
-  - Then discover the AD domain: <code></code> +  - Then **discover** the **AD domain**: <code>adcli info ad.example.com</code> 
-  - <code></code> +  - **adcli** will show few details about the AD domain. now, **join RHEL system to AD domain using adcli**<WRAP center box 100%> 
-  - <code></code> +<code># adcli join ad.example.com</code> <sxh plain; gutter: false;>Password for Administrator@AD.EXAMPLE.COM:  <---- Enter Admin password</sxh> 
-  - <code></code> +</WRAP
-  - <code></code> +  - The join operation creates a keytab the machine will authenticate with. When inspect the with klist -kt, should show several entries that contain client hostname in some form: <code># klist -kte</code> 
-  - <code></code>+  - **Configure /etc/krb5.conf** to use AD domain: <WRAP center box 100%> <code># vim /etc/krb5.conf</code> <sxh bash;>[libdefaults] 
 +default_realm = AD.EXAMPLE.COM 
 +dns_lookup_realm = true 
 +dns_lookup_kdc = true 
 +ticket_lifetime = 24h 
 +renew_lifetime = 7d 
 +forwardable = true 
 + 
 +[realms] 
 +AD.EXAMPLE.COM = { 
 +kdc = server.ad.example.com 
 +admin_server = server.ad.example.com 
 +
 + 
 +[domain_realm] 
 +.ad.example.com = AD.EXAMPLE.COM 
 +ad.example.com = AD.EXAMPLE.COM` 
 +</sxh> 
 +</WRAP
 +  - Use authconfig to **set up** the **Name Service Switch**(/etc/nsswitch.conf) and **PAM stacks**(password-authand system-auth):<code># authconfig --enablesssd --enablesssdauth --update</code> //Above command will modify and add necessary entries in /etc/nsswitch.conf, /etc/pam.d/password-auth and /etc/pam.d/system-auth files.// 
 +  - **The final step** is to __configure__ the **SSSD** itself. Open /etc/sssd/sssd.conf and define a single domain: <WRAP center box 100%> 
 +<code># vim /etc/sssd/sssd.conf</code> <sxh bash;>[sssd] 
 +services = nss, pam, ssh, autofs 
 +config_file_version = 2 
 +domains = AD.EXAMPLE.COM 
 + 
 +[domain/AD.EXAMPLE.COM] 
 +id_provider = ad 
 +# Uncomment if service discovery is not working # ad_server = server.win.example.com 
 +</sxh> 
 +</WRAP> 
 +  - Start the SSSD and make sure it's up after reboots: <code># systemctl start sssd 
 +# systemctl enable sssd</code> 
 + 
 +**After you are done, fetch user information for AD user and try to login:** 
 +<code># id Administrator 
 +# ssh Administrator@localhost</code>
  
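Review bot: The /etc/krb5.conf block added in step 5 is not valid as written: the "AD.EXAMPLE.COM = {" entry under [realms] is never closed (the line after "admin_server = server.ad.example.com" is empty where the "}" should be), and the last [domain_realm] line ends in a stray backtick after AD.EXAMPLE.COM. Add the closing brace and drop the backtick so the file can be pasted as shown. In the sssd.conf step, the [domain/AD.EXAMPLE.COM] section sets only "id_provider = ad" and no access_provider, which SSSD defaults to permit, so every AD account that resolves can log in to the host; consider adding "access_provider = ad" with a group or filter restriction, and mention that sssd.conf has to be owned by root with mode 0600 or sssd will not start. The commented ad_server hint in that block is fused onto the comment line and names server.win.example.com while the rest of the page uses server.ad.example.com. Smaller points: both box closers read "</WRAP" without the ">", step 4 says "klist -kt" in the text but runs "klist -kte", "password-authand" is missing a space, and the join and the final login test both use the domain Administrator account where a delegated join account and an ordinary test user would do.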
  • redhat/other-redhat/join-domain-redhat.1504619067.txt.gz
  • Last modified: 2017/09/05 15:44
  • by michael