My old Domain Controller had really only been a shadow of a DC. None of the computers in the house were actually joined to the domain, it’s only real use was providing DHCP, DNS, and File & Printer sharing. It was setup with everyone permissions, no security at all. With the standing up of this actual infrastructure, I had decided to join everything to the domain, setup proper security groups, group policy, LDAP integration for SSO/Logins wherever possible, etc. I would truly have one login for all devices. So that meant joining the Linux machines as well. These days, that’s pretty straight forward. I’m going to cover how to do it for CentOS/Fedora, but it should be very similar for other distributions as well.
First things first, install the packages that will be needed:
|
1 |
yum/dnf install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python cifs-utils -y |
You need to be able to resolve the domain in order to actually join it, in my case, both of my DCs are also acting as DNS servers.
|
1 2 3 4 5 6 |
# cat /etc/resolv.conf # --- BEGIN PVE --- search sky.net nameserver 192.168.0.250 nameserver 192.168.0.249 # --- END PVE --- |
With that out of the way, you simply need to issue the realm join command as follows:
|
1 |
realm join --user=domain_admin_account domain.com |
This will prompt for the domain administrator account password, and then /etc/sssd/sssd.conf and /etc/krb.conf files will be automatically created for you. There should now be a computer object created in the default computer container in AD. You can verify the join was successful by issuing the “realm list” command. Example output:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
[root@ansible ~]$ realm list sky.net type: kerberos realm-name: SKY.NET domain-name: sky.net configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U@sky.net login-policy: allow-realm-logins [root@ansible ~]# |
That’s really all there is to it, move your computer object to whatever OU you desire (I myself created one specifically for Linux servers) and you can now login to that machine with AD credentials.
I took it one step further by creating an AD security group called Sudoers, and then editing /etc/sudoers to include that group so that any members would have sudo privileges. To do so, use the visudo command (as it’s never a good idea to edit the sudoers file directly) and enter the following:
|
1 |
%Sudoers@domain.com ALL=(ALL) NOPASSWD: ALL |
Of course replacing the group and domain names with your own, since these are personal servers, I elect to allow sudo without a password for the members of this group. Just leave off the “NOPASSWD: ALL” directive to require users to enter a password.
Leave a Reply