Joining a Linux server to a Windows domain

2016-09-13 | Martin Hoppenheit | 3 min read

This is a concise instruction for joining a Linux (RHEL/CentOS 7) server to a Windows domain (let’s call it example.org). Doing so has some nice advantages: The server is listed in the Active Directory Users and Computers hierarchy, giving you a better overview of your environment. You can logon to the server with a domain account instead of a local one or restrict logon to members of a certain Active Directory group. And, most importantly, domain integration is the prerequisite for services running on the Linux machine that offer secure authentication via Kerberos to other domain members.

Network configuration

A working DNS is absolutely vital for a Windows domain! So be careful to enter the following information correctly during the installation:

  • server IP address
  • netmask
  • gateway IP address
  • DNS server IP address
  • search domain

Network settings can be changed later with the tools hostnamectl, nmcli and nmtui, where the latter is the easiest to use.

Proxy configuration

If internet access in your environment is governed by a proxy server add the following lines to /etc/profile.d/proxy.sh (create the file if it does not exist):

export http_proxy=http://proxy.example.org
export https_proxy=http://proxy.example.org
export ftp_proxy=http://proxy.example.org
export HTTP_PROXY=http://proxy.example.org
export HTTPS_PROXY=http://proxy.example.org
export FTP_PROXY=http://proxy.example.org

And the following line goes to /etc/yum.conf:

proxy=http://proxy.example.org

Firewall configuration

In CentOS and RHEL, the firewall is active by default after installation and has to be configured for the services that will be run on the server. This is out of the scope of this article (hint: use the firewall-cmd tool). Alternatively you can switch it off if this is your organization’s policy for servers in the internal network:

# systemctl stop firewalld
# systemctl disable firewalld

NTP configuration

Similar to DNS, a correct NTP configuration is very important in a Windows domain! RHEL/CentOS 7 uses Chrony for NTP. Install it if necessary (package chrony), then replace the default entries by your organization’s NTP servers in /etc/chrony.conf:

server ntp1.example.org iburst
server ntp2.example.org iburst

Start the Chrony service (or just reboot):

# systemctl start chronyd

Settings can be controlled with the following commands:

# systemctl status chronyd
# chronyc sources
# timedatectl

Domain integration

Now comes the interesting part, where the Linux server becomes a member of the Windows domain. Many (older) instructions on domain integration are based on manually configuring Samba and other stuff. This is tedious and error-prone, but nowadays, there is a much better way for joining a Windows domain: realmd. It greatly simplifies the whole process. Install the realmd package:

# yum install realmd

Then join the domain with the realm command (without trailing ‘d’!), using an administrative account that has the required permissions (e.g., admin@example.org):

# realm join --verbose --user admin example.org

That’s all. With one single command your Linux system has become a member of the Windows domain! If this yields errors because of missing packages (probably samba-common, oddjob, oddjob-mkhomedir und sssd) install those manually and then repeat the realm join command.

Now, logon with any domain account like hoppenheit@example.org is possible. If you don’t want this you can restrict logon to members of some Active Directory group (e.g., linux-admins@example.org):

# realm deny --realm example.org --all
# realm permit --realm example.org --groups linux-admins@example.org

To additionally grant sudo permissions to the members of the linux-admins Active Directory group (optional!), configure sudo:

# yum install sudo
# visudo -f /etc/sudoers.d/linux-admins

This will create a new file /etc/sudoers.d/linux-admins. In it, insert the following line:

%linux-admins@example.org ALL=(ALL:ALL) ALL

There are some more options for fine-tuning logon permissions and other domain related things that are described on the realmd website.

Next steps

A domain integrated server is a great foundation for things like Apache or Squid services offering Kerberos authentication. But that’s another story.