Packages to install

For this configuration, the essential package to install is realmd. Aside from realmd, there are a host of packages that need to be installed to make this work.

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Realmd provides a simplified way to discover and interact with Active Directory domains. It employs sssd to do the actual lookups required for remote authentication and other heavy work of interacting with the domain. In the interest of brevity, I won’t dwell on the other packages in the list.

Realmd (interacting with the domain)

Now that all packages have been installed, the first thing to do is to join the CentOS system to the Active Directory domain. We use the realm application for that. The realm client is installed at the same time as realmd. It is used to join, remove, control access, and accomplish many other tasks. Here is the expected syntax for a simple domain join:

realm join --user=[domain user account] [domain name]

The space between the user account and the domain name is not a typo. Filling in the corresponding details, we get the following command:

# realm join --user=fkorea hope.net

Supply the password when the prompt appears and wait for the process to end.

Don’t let the brief absence of output deceive you. A number of operations go on as part of the process; you can tack on the -v switch for more verbose output.
However, the best way to check whether the computer is now a member of the domain is to run the realm list command. It displays the current state of the server with regard to the domain and is a quick and dirty way to see which groups or users can access the server.


It is also quite trivial to place the newly-created AD computer object in a specific Organizational Unit (OU) from the outset. I’ll leave that for further reading, but, as a tip, you can consult the man page. Using the realm client, you can grant or revoke access to domain users and groups. A deep dive on using realmd in a more fine-grained way is enough to make another article. It would not be out of place, though, to pick out a few parameters for your attention, namely client-software and server-software. By now, you should understand why we had to install so many packages.

To leave the domain altogether, you need two words: realm leave

Visudo (granting admin privileges)

Users that are granted access have unprivileged access to the Linux server. For all intents and purposes, all Active Directory accounts are now accessible to the Linux system, in the same way natively-created local accounts are. You can now do the regular sysadmin tasks of adding them to groups, making them owners of resources, and configuring other needed settings. If the user tries any activity that requires sudo access, the familiar error is presented. As can be seen in the inset, our user is not in the sudoers file.

In that light, we can edit the sudoers file directly to grant them superuser privileges. This is not an article on granting superuser privileges, but we can use the visudo tool to interact safely with the sudoers file.

sudo visudo

Add the following group entries to the end of the file. The backslash between the domain and the group name must be doubled, because sudoers treats a single backslash as an escape character and would otherwise drop it from the group name:

%frankfu\\group1 ALL=(ALL) ALL
%frankfu\\group2 ALL=(ALL) ALL

Alternatively, we could have just added the user to the wheel group. The point is that the user account is now available to be used by the system.


Allow SSH login:


In /etc/ssh/sshd_config, add the following line:

AllowGroups root wheel frankfu\group1 frankfu\group2
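The sudoers and sshd_config edits above are two separate access lists that are easy to let drift apart. The following script is an added example, not part of the original article, that cross-checks them: every AD group granted sudo should also appear in AllowGroups, and any sudoers group written with a single backslash is flagged, since sudoers would silently mangle it. The file contents and group names are constructed sample data; the helpers take file paths as arguments so they can be pointed at the real files.

```shell
#!/bin/sh
# Added example: cross-check AD group entries in sudoers and sshd_config.
# Sample inputs are constructed here; the functions accept any file paths.

SUDOERS=$(mktemp); SSHD=$(mktemp)
trap 'rm -f "$SUDOERS" "$SSHD"' EXIT
cat > "$SUDOERS" <<'EOF'
## constructed sudoers fragment (group3 deliberately mis-escaped)
%wheel ALL=(ALL) ALL
%frankfu\\group1 ALL=(ALL) ALL
%frankfu\\group2 ALL=(ALL) ALL
%frankfu\group3 ALL=(ALL) ALL
EOF
cat > "$SSHD" <<'EOF'
# constructed sshd_config fragment
AllowGroups root wheel frankfu\group1
EOF

# AD groups (tokens containing a backslash) with sudo rules, printed with the
# sudoers "\\" unescaped to the single "\" that sssd/sshd will see.
sudo_ad_groups() {
    awk '$1 ~ /^%.*\\/ { print substr($1, 2) }' "$1" | sed 's/\\\\/\\/g'
}

# Sudoers group names whose backslash is not doubled (sudoers drops it).
sudo_unescaped_groups() {
    awk '$1 ~ /^%/ { g = substr($1, 2); t = g; gsub(/\\\\/, "", t)
                     if (t ~ /\\/) print g }' "$1"
}

# Groups listed on AllowGroups lines, one per line.
ssh_allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Report inconsistencies; the return value is the number of problems found.
check_ad_access() {
    problems=0
    for g in $(sudo_unescaped_groups "$1"); do
        printf '%s\n' "single backslash in sudoers group (double it): $g"
        problems=$((problems + 1))
    done
    for g in $(sudo_ad_groups "$1"); do
        if ! ssh_allowed_groups "$2" | grep -qxF -- "$g"; then
            printf '%s\n' "sudo group missing from sshd AllowGroups: $g"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

if ! check_ad_access "$SUDOERS" "$SSHD"; then
    echo "fix the entries above before relying on this host's access control"
fi
```

On the sample data the script reports three problems: group3 is mis-escaped, and group2 and group3 have sudo rules but cannot log in over SSH.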


Ref:

https://www.redhat.com/sysadmin/linux-active-directory