
Linux and Active Directory

My old Domain Controller had really only been a shadow of a DC.  None of the computers in the house were actually joined to the domain; its only real use was providing DHCP, DNS, and file and printer sharing.  It was set up with Everyone permissions, no security at all.  With this actual infrastructure being stood up, I decided to join everything to the domain, set up proper security groups, group policy, and LDAP integration for SSO/logins wherever possible.  I would truly have one login for all devices.  That meant joining the Linux machines as well.  These days, that's pretty straightforward.  I'm going to cover how to do it for CentOS/Fedora, but it should be very similar on other distributions.

First things first, install the packages the join will need:

You need to be able to resolve the domain before you can join it: realmd finds the domain controllers through the domain's DNS SRV records, so the machine's resolver has to point at a DNS server that serves the AD zone.  In my case, both of my DCs are also acting as DNS servers.

With that out of the way, you simply issue the realm join command as follows:

This will prompt for the domain administrator account's password, and then /etc/sssd/sssd.conf and /etc/krb5.conf will be created for you automatically.  There should now be a computer object in the default Computers container in AD.  You can verify the join was successful by issuing the "realm list" command.  Example output:

That's really all there is to it.  Move the computer object to whatever OU you desire (I created one specifically for Linux servers) and you can now log in to that machine with AD credentials.  Note that realmd configures sssd with fully qualified names by default, so the login name is user@domain rather than the bare username (the login-formats line in the realm list output shows the exact form).

I took it one step further by creating an AD security group called Sudoers, and then editing /etc/sudoers to include that group so that any member would have sudo privileges.  To do so, use the visudo command (it's never a good idea to edit the sudoers file directly, since a syntax error locks everyone out of sudo) and enter the following:

Of course, replace the group and domain names with your own.  Since these are personal servers, I elect to allow sudo without a password for the members of this group.  Just leave off the "NOPASSWD: " directive to require users to enter a password.  Keep in mind what the rule means either way: anyone who can add themselves to that AD group is root on every server that carries it, so membership in it deserves the same care as Domain Admins.
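The whole procedure above, from package install through the sudoers rule, collected into one script as an added example (this is not the post's own code).  It assumes a hypothetical domain example.local, an AD group called Sudoers, and the built-in Administrator account for the join; the sample realm list output embedded in it is constructed for the offline checks, not captured from a real host.  The helper functions build the sudoers rule with the fully qualified group name realmd's defaults require, confirm from realm list output that the domain is actually joined, and validate the rule with visudo before it lands in /etc/sudoers.d.

```shell
#!/usr/bin/env bash
# Added example; not the original post's code.  Assumed values:
#   DOMAIN      hypothetical AD domain example.local
#   SUDO_GROUP  hypothetical AD security group "Sudoers"
#   JOIN_USER   account that performs the join (realm prompts for its password)
set -eu

DOMAIN="${DOMAIN:-example.local}"
SUDO_GROUP="${SUDO_GROUP:-Sudoers}"
JOIN_USER="${JOIN_USER:-Administrator}"

# CentOS/Fedora packages: realmd drives the join, sssd answers NSS/PAM lookups,
# adcli creates the computer object, oddjob-mkhomedir builds home directories.
PACKAGES="realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools krb5-workstation"

# Constructed sample of `realm list` output for the offline checks below.
SAMPLE_REALM_LIST='example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.local
  login-policy: allow-realm-logins'

# sudoers_rule GROUP DOMAIN [nopasswd|password]
# realmd defaults to use_fully_qualified_names = True, so the group must be
# written as GROUP@DOMAIN; spaces in AD group names are backslash-escaped.
sudoers_rule() {
  group=$(printf '%s' "$1" | sed 's/ /\\ /g')
  domain=$2
  mode=${3:-nopasswd}
  tag=""
  if [ "$mode" = "nopasswd" ]; then
    tag="NOPASSWD: "
  fi
  printf '%%%s@%s ALL=(ALL) %sALL\n' "$group" "$domain" "$tag"
}

# realm_joined DOMAIN REALM_LIST_OUTPUT
# True only if DOMAIN's own block reports "configured: kerberos-member".
realm_joined() {
  printf '%s\n' "$2" | awk -v d="$1" '
    /^[^ ]/ { cur = $1 }
    cur == d && $1 == "configured:" && $2 == "kerberos-member" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# login_format DOMAIN REALM_LIST_OUTPUT -> e.g. "%U@example.local"
login_format() {
  printf '%s\n' "$2" | awk -v d="$1" '
    /^[^ ]/ { cur = $1 }
    cur == d && $1 == "login-formats:" { print $2 }'
}

# install_sudoers_rule NAME  (rule text on stdin)
# Validates with visudo first; a bad rule never reaches /etc/sudoers.d.
install_sudoers_rule() {
  tmp=$(mktemp)
  cat >"$tmp"
  visudo -cf "$tmp"
  install -m 0440 "$tmp" "/etc/sudoers.d/$1"
  rm -f "$tmp"
}

main() {
  dnf install -y $PACKAGES
  # Fails here if DNS cannot find the domain's SRV records.
  realm discover "$DOMAIN" >/dev/null
  realm join -U "$JOIN_USER" "$DOMAIN"
  out=$(realm list)
  realm_joined "$DOMAIN" "$out" || { echo "join to $DOMAIN failed" >&2; exit 1; }
  echo "log in as: $(login_format "$DOMAIN" "$out" | sed 's/%U/<username>/')"
  sudoers_rule "$SUDO_GROUP" "$DOMAIN" | install_sudoers_rule ad-sudoers
  # The rule is useless unless sssd can resolve the group; check it now.
  getent group "$SUDO_GROUP@$DOMAIN"
}

# Only performs the join when explicitly asked: sudo ./join-ad.sh join
case "${1:-}" in
  join) main ;;
esac
```

Run it as root with the `join` argument; without it the script only defines the helpers, so they can be sourced and checked on a machine that is not being joined.  The drop-in under /etc/sudoers.d is equivalent to the visudo edit in the post (CentOS/Fedora ship sudoers with the includedir line), and `visudo -cf` gives the same syntax check against the file before it is installed.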
