Red Hat Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

  • Comments
    • Tags

    Joining new server to multiple AD domains

    Posted on

    builtt 3 new RHEL 8.9 servers currently on the network but only had root access via console:

    for each server I first executed
    realm discover
    and updated the /etc/sssd/sssd.conf

    [root@arccdb11 ~]# cat /etc/sssd/sssd.conf

    [sssd]
    domains = ad.laker.local, rxoptions.local
    config_file_version = 2
    services = nss, pam

    [domain/ad.laker.local]
    ad_domain = ad.laker.local
    krb5_realm = AD.LAKER.LOCAL
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True

    full_name_format = $u

    fallback_homedir = /home/%u
    access_provider = ad

    [domain/ad.laker.local/rxoptions.local]
    ad_domain = rxoptions.local
    krb5_realm = RXOPTIONS.LOCAL
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True

    full_name_format = %u

    fallback_homedir = /home/%u
    access_provider = ad

    executed join to first domain: ad.laker.local

    [root@arccdb11 ~]# realm join -U bstolp-a -v ad.laker.local
    * Resolving: _ldap._tcp.ad.laker.local
    * Performing LDAP DSE lookup on: 10.2.6.4
    * Performing LDAP DSE lookup on: 10.10.60.6
    * Performing LDAP DSE lookup on: 10.2.6.6
    * Successfully discovered: ad.laker.local
    Password for bstolp-a:
    * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
    * LANG=C /usr/sbin/adcli join --verbose --domain ad.laker.local --domain-realm AD.LAKER.LOCAL --domain-controller 10.10.60.6 --login-type user --login-user bstolp-a --stdin-password
    * Using domain name: ad.laker.local
    * Calculated computer account name from fqdn: ARCCDB11
    * Using domain realm: ad.laker.local
    * Sending NetLogon ping to domain controller: 10.10.60.6
    * Received NetLogon info from: CLEADS02.ad.laker.local
    * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-Vbaxi7/krb5.d/adcli-krb5-conf-RMg4u5
    * Authenticated as user: bstolp-a@AD.LAKER.LOCAL
    * Using GSS-SPNEGO for SASL bind
    * Looked up short domain name: LAKERAD
    * Looked up domain SID: S-1-5-21-4056373416-2870543786-2149594862
    * Received NetLogon info from: CLEADS02.ad.laker.local
    * Using fully qualified name: arccdb11.ad.laker.local
    * Using domain name: ad.laker.local
    * Using computer account name: ARCCDB11
    * Using domain realm: ad.laker.local
    * Calculated computer account name from fqdn: ARCCDB11
    * Generated 120 character computer password
    * Using keytab: FILE:/etc/krb5.keytab
    * Found computer account for ARCCDB11$ at: CN=ARCCDB11,CN=Computers,DC=ad,DC=laker,DC=local
    * Trying to set computer password with Kerberos
    * Set computer password
    * Retrieved kvno '3' for computer account in directory: CN=ARCCDB11,CN=Computers,DC=ad,DC=laker,DC=local
    * Checking RestrictedKrbHost/arccdb11.ad.laker.local
    * Added RestrictedKrbHost/arccdb11.ad.laker.local
    * Checking RestrictedKrbHost/ARCCDB11
    * Added RestrictedKrbHost/ARCCDB11
    * Checking host/arccdb11.ad.laker.local
    * Added host/arccdb11.ad.laker.local
    * Checking host/ARCCDB11
    * Added host/ARCCDB11
    * Discovered which keytab salt to use
    * Added the entries to the keytab: ARCCDB11$@AD.LAKER.LOCAL: FILE:/etc/krb5.keytab
    * Added the entries to the keytab: host/ARCCDB11@AD.LAKER.LOCAL: FILE:/etc/krb5.keytab
    * Added the entries to the keytab: host/arccdb11.ad.laker.local@AD.LAKER.LOCAL: FILE:/etc/krb5.keytab
    * Added the entries to the keytab: RestrictedKrbHost/ARCCDB11@AD.LAKER.LOCAL: FILE:/etc/krb5.keytab
    * Added the entries to the keytab: RestrictedKrbHost/arccdb11.ad.laker.local@AD.LAKER.LOCAL: FILE:/etc/krb5.keytab
    * /usr/bin/systemctl enable sssd.service
    * /usr/bin/systemctl restart sssd.service
    * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
    Backup stored at /var/lib/authselect/backups/2024-01-18-17-26-45.4eurqd
    Profile "sssd" was selected.
    The following nsswitch maps are overwritten by the profile:
    - passwd
    - group
    - netgroup
    - automount
    - services

    Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

    • with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
      is present and oddjobd service is enabled and active

      • systemctl enable --now oddjobd.service

      • Successfully enrolled machine in realm
        [root@arccdb11 ~]#

    that seems to work flawlessly

    However when attempting to join second realm/domain
    RXOPTIONS.LOCAL/rxoptions.local

    [root@arccdb11 ~]# realm join -U RXOPTIONS\bstolp-a -v rxoptions.local
    * Resolving: _ldap._tcp.rxoptions.local
    * Performing LDAP DSE lookup on: 192.168.128.51
    * Successfully discovered: rxoptions.local
    Password for RXOPTIONS\bstolp-a:
    realm: Couldn't join realm: Already joined to another domain: ad.laker.local
    Please check
    https://red.ht/support_rhel_ad
    to get help for common issues.
    [root@arccdb11 ~]#
    need to know more about two possible parameter
    need to know more about two possible parameter

    by

    points

    Responses

    Red Hat LinkedIn YouTube Facebook X, formerly Twitter

    Quick Links

    Help

    Site Info

    Related Sites

    © 2025 Red Hat