Chapter 35. Integrating RHEL systems into AD directly with Ansible using RHEL System Roles

With the ad_integration System Role, you can automate a direct integration of a RHEL system with Active Directory (AD) using Red Hat Ansible Automation Platform.

Important

The ad_integration System Role is not included in the ansible-freeipa package. It is part of the rhel-system-roles package. You can install rhel-system-roles on systems with a Red Hat Enterprise Linux Server subscription attached.

35.1. The ad_integration System Role

Using the ad_integration System Role, you can directly connect a RHEL system to Active Directory (AD).

The role uses the following components:

  • SSSD to interact with the central identity and authentication source
  • realmd to detect available AD domains and configure the underlying RHEL system services, in this case SSSD, to connect to the selected AD domain

Note

The ad_integration role is for deployments using direct AD integration without an Identity Management (IdM) environment. For IdM environments, use the ansible-freeipa roles.

35.2. Variables for the ad_integration RHEL System Role

The ad_integration RHEL System Role uses the following parameters:

Role Variable / Description

ad_integration_realm
    Active Directory realm, or domain name to join.

ad_integration_password
    The password of the user used to authenticate when joining the machine to the realm. Do not use plain text. Instead, use Ansible Vault to encrypt the value.

ad_integration_manage_crypto_policies
    If true, the ad_integration role uses fedora.linux_system_roles.crypto_policies as needed.
    Default: false

ad_integration_allow_rc4_crypto
    If true, the ad_integration role sets the crypto policy to allow RC4 encryption.
    Providing this variable automatically sets ad_integration_manage_crypto_policies to true.
    Default: false

ad_integration_timesync_source
    Hostname or IP address of the time source to synchronize the system clock with. Providing this variable automatically sets ad_integration_manage_timesync to true.

Additional resources

  • The /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file.

35.3. Connecting a RHEL system directly to AD using the ad_integration System Role

You can use the ad_integration System Role to configure a direct integration between a RHEL system and an AD domain by running an Ansible playbook.

Note

Starting with RHEL 8, RHEL no longer supports RC4 encryption by default. If it is not possible to enable AES in the AD domain, you must enable the AD-SUPPORT crypto policy and allow RC4 encryption in the playbook.

Important

Time between the RHEL server and AD must be synchronized. You can ensure this by using the timesync System Role in the playbook.

In this example, the RHEL system joins the domain.example.com AD domain, using the AD Administrator user and the password for this user stored in the Ansible vault. The playbook also sets the AD-SUPPORT crypto policy and allows RC4 encryption. To ensure time synchronization between the RHEL system and AD, the playbook sets the adserver.domain.example.com server as the timesync source.

Prerequisites

  • Access and permissions to one or more managed nodes.
  • Access and permissions to a control node.

    On the control node:

    • The ansible-core and rhel-system-roles packages are installed.
    • An inventory file which lists the managed nodes.
  • The following ports on the AD domain controllers are open and accessible from the RHEL server:

    Table 35.1. Ports Required for Direct Integration of Linux Systems into AD Using the ad_integration System Role

    Source Port   Destination Port   Protocol      Service
    1024:65535    53                 UDP and TCP   DNS
    1024:65535    389                UDP and TCP   LDAP
    1024:65535    636                TCP           LDAPS
    1024:65535    88                 UDP and TCP   Kerberos
    1024:65535    464                UDP and TCP   Kerberos change/set password (kadmin)
    1024:65535    3268               TCP           LDAP Global Catalog
    1024:65535    3269               TCP           LDAP Global Catalog SSL/TLS
    1024:65535    123                UDP           NTP/Chrony (Optional)
    1024:65535    323                UDP           NTP/Chrony (Optional)
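The port list above is easy to check before the join rather than after a failed playbook run. The following pre-flight script is an added example and is not part of the Red Hat documentation or of the ad_integration role: it takes the destination ports from Table 35.1, tests each TCP-reachable one with a real connect() from the host that will be joined, lists the UDP-only ports it cannot prove, and prints the standard AD SRV record names that realmd/SSSD rely on for domain controller discovery (these names follow the usual AD DNS layout and are not role parameters). The domain controller and domain names are constructed placeholders; pass your own on the command line.

```python
"""Pre-flight check of the Table 35.1 ports before joining a RHEL host to AD.

Added example; not part of the Red Hat documentation or of the ad_integration
role. Run it on the RHEL host that will be joined, once per domain controller.
TCP ports are tested with a real connect(); UDP-only ports (NTP) cannot be
proven by a plain connect and are only listed as untested.
"""
import socket
import sys

# Destination port, protocol and service, copied from Table 35.1.
REQUIRED_PORTS = [
    (53, "UDP and TCP", "DNS"),
    (389, "UDP and TCP", "LDAP"),
    (636, "TCP", "LDAPS"),
    (88, "UDP and TCP", "Kerberos"),
    (464, "UDP and TCP", "Kerberos change/set password (kadmin)"),
    (3268, "TCP", "LDAP Global Catalog"),
    (3269, "TCP", "LDAP Global Catalog SSL/TLS"),
    (123, "UDP", "NTP/Chrony (Optional)"),
    (323, "UDP", "NTP/Chrony (Optional)"),
]


def tcp_testable_ports(rows=REQUIRED_PORTS):
    """Rows whose service listens on TCP, so a successful connect() proves reachability."""
    return [(port, service) for port, proto, service in rows if "TCP" in proto]


def udp_only_ports(rows=REQUIRED_PORTS):
    """Rows that are UDP only; a connect() cannot prove these, so they are reported as untested."""
    return [(port, service) for port, proto, service in rows if proto == "UDP"]


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or name resolution failure
        return False


def check_domain_controller(host, timeout=3.0):
    """Map every TCP-testable destination port to whether it is reachable on one DC."""
    return {port: tcp_port_open(host, port, timeout) for port, _ in tcp_testable_ports()}


def srv_names(domain):
    """DNS SRV records realmd/SSSD use to discover domain controllers (standard AD DNS layout)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
    ]


def main(argv):
    # Constructed placeholders; override with: python3 preflight.py <dc-host> <domain>
    dc = argv[1] if len(argv) > 1 else "adserver.domain.example.com"
    domain = argv[2] if len(argv) > 2 else "domain.example.com"
    results = check_domain_controller(dc)
    for port, service in tcp_testable_ports():
        status = "open" if results[port] else "BLOCKED"
        print(f"{status:<8} tcp/{port:<5} {service}")
    for port, service in udp_only_ports():
        print(f"untested udp/{port:<5} {service} (confirm with 'chronyc sources' after the join)")
    print("SRV records to confirm with dig:", ", ".join(srv_names(domain)))
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one TCP port in the table is filtered or refused on that domain controller; fix the firewall path before running the playbook, because realmd will otherwise fail partway through the join with a less specific error.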

Procedure

  1. Create a new ad_integration.yml file with the following content. The password is an Ansible Vault value; replace the placeholder line with the output of ansible-vault encrypt_string:

    ---
    - hosts: all
      vars:
        ad_integration_realm: "domain.example.com"
        ad_integration_password: !vault |
          <vault encrypted password>
        ad_integration_manage_crypto_policies: true
        ad_integration_allow_rc4_crypto: true
        ad_integration_timesync_source: "adserver.domain.example.com"
      roles:
        - linux-system-roles.ad_integration

  2. Optional: Verify playbook syntax.

    # ansible-playbook --syntax-check ad_integration.yml -i inventory_file

  3. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file /path/to/file/ad_integration.yml
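The syntax check in step 2 only confirms the YAML parses; it says nothing about whether the password is vaulted or whether RC4 was enabled deliberately. The script below is an added example, not part of the Red Hat documentation or of the role, that scans a playbook text for the three points this section makes: ad_integration_password must be a vault value rather than plain text, allowing RC4 should be a conscious choice since RHEL 8 disables it by default, and a time source should be set so Kerberos works. It uses a dependency-free line scan instead of a YAML parser, and both sample playbooks are constructed for the example (the vault ciphertext and the plain-text password are placeholders).

```python
"""Lint an ad_integration playbook for the settings this section calls out.

Added example; not part of the Red Hat documentation or of the role. A
dependency-free text scan (no PyYAML needed) over the ad_integration_* lines.
"""
import re

# Matches "    ad_integration_<name>: <value>" lines inside the vars block.
VAR_RE = re.compile(r"^\s*(ad_integration_\w+)\s*:\s*(.*?)\s*$")


def extract_vars(playbook_text):
    """Return {variable: raw value} for every ad_integration_* line in the text."""
    found = {}
    for line in playbook_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip('"\'')
    return found


def lint_playbook(playbook_text):
    """Return findings as (severity, code, message) tuples; empty list means clean."""
    v = extract_vars(playbook_text)
    findings = []
    if "ad_integration_realm" not in v:
        findings.append(("ERROR", "NO_REALM", "ad_integration_realm is not set"))
    pw = v.get("ad_integration_password")
    if pw is None:
        findings.append(("ERROR", "NO_PASSWORD", "ad_integration_password is not set"))
    elif pw.startswith("!vault"):
        pass  # inline Ansible Vault value, as the section recommends
    elif pw.startswith("{{"):
        findings.append(("INFO", "INDIRECT_PASSWORD",
                         f"password comes from {pw}; make sure that variable is vault-encrypted"))
    else:
        findings.append(("ERROR", "PLAINTEXT_PASSWORD",
                         "ad_integration_password is plain text; encrypt it with ansible-vault"))
    if v.get("ad_integration_allow_rc4_crypto", "false").lower() == "true":
        findings.append(("WARN", "RC4_ENABLED",
                         "RC4 is allowed; keep this only if the AD domain cannot use AES"))
    if "ad_integration_timesync_source" not in v:
        findings.append(("WARN", "NO_TIMESYNC",
                         "no ad_integration_timesync_source; Kerberos needs the clock in sync with AD"))
    return findings


# Constructed sample: the section's playbook shape with a vault-encrypted password.
VAULTED_PLAYBOOK = """\
---
- hosts: all
  vars:
    ad_integration_realm: "domain.example.com"
    ad_integration_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <vault ciphertext placeholder>
    ad_integration_manage_crypto_policies: true
    ad_integration_allow_rc4_crypto: true
    ad_integration_timesync_source: "adserver.domain.example.com"
  roles:
    - linux-system-roles.ad_integration
"""

# Constructed sample of what not to ship: plain-text password, RC4 on, no time source.
PLAINTEXT_PLAYBOOK = """\
---
- hosts: all
  vars:
    ad_integration_realm: domain.example.com
    ad_integration_password: plaintext-password-placeholder
    ad_integration_allow_rc4_crypto: true
  roles:
    - linux-system-roles.ad_integration
"""

if __name__ == "__main__":
    for name, text in (("vaulted", VAULTED_PLAYBOOK), ("plaintext", PLAINTEXT_PLAYBOOK)):
        print(f"== {name} playbook ==")
        for severity, code, message in lint_playbook(text) or [("OK", "CLEAN", "no findings")]:
            print(f"{severity:<5} {code:<20} {message}")
```

The vaulted sample still produces one warning, RC4_ENABLED, which is the intended reminder: the section enables RC4 only because the example domain cannot use AES, and a playbook copied from it should not carry that setting into a domain where AES is available.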

Verification

  • Display the details of an AD user, such as the administrator user:

    getent passwd administrator@ad.example.com
    administrator@ad.example.com:*:1450400500:1450400513:Administrator:/home/administrator@ad.example.com:/bin/bash

35.4. Additional resources

  • The /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file.
  • man ansible-playbook(1)