How to join RHEL to Active Directory using realmd

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Active Directory
  • Realmd

Issue

  • How do I join Active Directory client using realmd?
  • How can I configure AD authentication via sssd and kerberos?
  • Is there an automated tool which will join Active Directory and configure SSSD?
  • Who can add workstation to the domain?
  • Who can join computer to the domain?

Resolution

1. Install the following packages with yum:
For RHEL 7:

# yum install adcli realmd oddjob oddjob-mkhomedir sssd krb5-workstation samba-common-tools

For RHEL 8 and RHEL 9:

# yum install adcli realmd sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat 

2. Verify the configuration for name resolution. In particular, verify the DNS SRV records. For example, for a domain named example.com:

# dig -t SRV _ldap._tcp.example.com   
# dig -t SRV _kerberos._tcp.example.com
# dig -t SRV _ldap._tcp.dc._msdcs.example.com

3. Make sure to follow the pre-check steps in: RHEL Join With Active Directory using adcli, realm

4. Before joining on RHEL 8 and RHEL 9, the system crypto policy must be modified.
a) On RHEL 8 run:

# update-crypto-policies --set DEFAULT:AD-SUPPORT

b) On RHEL 9 run:

# update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY

5. Verify that RealmD can discover the Active Directory domain:

# realm discover example.com
  example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd 

6. Run the realm join command. The AD user must have admin access or the necessary permissions as described here:

# realm join example.com -U AD_Username
    Password for AD_Username:

Note: ms-DS-MachineAccountQuota is an attribute on the Domain Naming Context object. It specifies how many computers a single user can add to the domain. The default value is 10. The value can be modified using different tools, including ADSIEdit.msc.
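The pre-checks in steps 2, 4 and 5 can be scripted so they are run the same way on every host before the join. The script below is an added example, not part of the Red Hat article; the dig and realm discover outputs it contains are constructed samples for example.com, and the function names are the author's own.

```shell
#!/bin/sh
# Added pre-flight checks for the join procedure (not from the Red Hat article).
# Each check is a function over text, so it can be exercised offline with the
# constructed samples below and then fed real `dig` / `realm discover` output.

# Crypto policy the article prescribes per RHEL major version.
expected_crypto_policy() {
    case "$1" in
        8) echo "DEFAULT:AD-SUPPORT" ;;
        9) echo "DEFAULT:AD-SUPPORT-LEGACY" ;;
        *) echo "DEFAULT" ;;   # RHEL 7 has no crypto-policies; nothing to set
    esac
}

# Extract one "key: value" field from `realm discover` output.
discover_field() {   # $1 = discover output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Count SRV answers in `dig -t SRV` output (answer lines contain " IN SRV ").
srv_record_count() {
    printf '%s\n' "$1" | grep -c '[[:space:]]IN[[:space:]]SRV[[:space:]]'
}

# Succeed only if the realm is AD, served through SSSD, and not yet joined.
discover_ok() {
    [ "$(discover_field "$1" server-software)" = "active-directory" ] &&
    [ "$(discover_field "$1" client-software)" = "sssd" ] &&
    [ "$(discover_field "$1" configured)" = "no" ]
}

# Constructed sample outputs, as dig and realm would print them for example.com.
SAMPLE_DIG='; <<>> DiG 9.16 <<>> -t SRV _ldap._tcp.example.com
;; ANSWER SECTION:
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.'
SAMPLE_DISCOVER='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd'

# Stand-alone run over the samples; replace them with "$(dig -t SRV ...)" and
# "$(realm discover example.com)" on a real host.
echo "crypto policy for RHEL 9: $(expected_crypto_policy 9)"
echo "LDAP SRV records found:   $(srv_record_count "$SAMPLE_DIG")"
discover_ok "$SAMPLE_DISCOVER" && echo "realm discover: ready to join"
```

A zero SRV count or a failing discover_ok means the DNS or discovery step above has not been completed and the join should not be attempted yet.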

7. As an alternative to all the steps above, you can use the customer portal's GUI-based utility to generate a script based on your inputs; see AD Integration helper.
For automation, an Ansible script can be used.

References:
RHEL8
RHEL9

Root Cause

RealmD is a tool that easily configures network authentication and domain membership. Since the release of Red Hat Enterprise Linux 7, RealmD is fully supported and can be used to join IdM, AD, or Kerberos realms. The main advantage of using realmd is that a single one-line command both enrolls the system into a domain and configures network authentication.

For example, realmd can easily configure:

  • PAM Stack
  • NSS Layer
  • Kerberos
  • SSSD
  • Winbind

Diagnostic Steps

Example of joining an Active Directory domain with a Red Hat Enterprise Linux machine:

[root@el7c01 ~]# realm join win.striker.local -U Administrator@WIN.STRIKER.LOCAL
Password for Administrator: 

[root@el7c01 ~]# id administrator@win.striker.local
uid=268400500(administrator@win.striker.local) gid=268400513(domain users@win.striker.local) groups=268400513(domain users@win.striker.local),268400572(denied rodc password replication group@win.striker.local),268400520(group policy creator owners@win.striker.local),268400519(enterprise admins@win.striker.local),268400518(schema admins@win.striker.local),268400512(domain admins@win.striker.local)

[root@el7c01 ~]# id win\\administrator
uid=268400500(administrator@win.striker.local) gid=268400513(domain users@win.striker.local) groups=268400513(domain users@win.striker.local),268400572(denied rodc password replication group@win.striker.local),268400520(group policy creator owners@win.striker.local),268400519(enterprise admins@win.striker.local),268400518(schema admins@win.striker.local),268400512(domain admins@win.striker.local)

[root@el7c01 ~]# ssh win\\administrator@localhost
win\administrator@localhost's password: 
Last login: Thu Apr  2 10:47:32 2020
[administrator@win.striker.local@el7c01 ~]$ logout
Connection to localhost closed.

[root@el7c01 ~]# ssh administrator@win.striker.local@localhost
administrator@win.striker.loca@localhost's password: 
Last login: Thu Apr  2 17:18:32 2020 from localhost
[administrator@win.striker.local@el7c01 ~]$ logout
Connection to localhost closed.

Note: The realm join command expects the domain part of the -U option in upper case, in compliance with the Kerberos RFCs. An alternative is to set canonicalize = true in the [libdefaults] section of /etc/krb5.conf.

Support Note:
* If you encounter any problems joining an Active directory domain with realmd, please open a support ticket.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
