Joining a Linux server to a Windows domain
This is a concise instruction for joining a Linux (RHEL/CentOS 7) server to a Windows domain (let’s call it example.org). Doing so has some nice advantages: The server is listed in the Active Directory Users and Computers hierarchy, giving you a better overview of your environment. You can log on to the server with a domain account instead of a local one, or restrict logon to members of a certain Active Directory group. And, most importantly, domain integration is the prerequisite for services running on the Linux machine that offer secure authentication via Kerberos to other domain members.
Network configuration
A working DNS is absolutely vital for a Windows domain! So be careful to enter the following information correctly during the installation:
- server IP address
- netmask
- gateway IP address
- DNS server IP address
- search domain
Network settings can be changed later with the tools hostnamectl, nmcli and nmtui, where the latter is the easiest to use.
Proxy configuration
If internet access in your environment is governed by a proxy server, add the following lines to /etc/profile.d/proxy.sh (create the file if it does not exist):
export http_proxy=http://proxy.example.org
export https_proxy=http://proxy.example.org
export ftp_proxy=http://proxy.example.org
export HTTP_PROXY=http://proxy.example.org
export HTTPS_PROXY=http://proxy.example.org
export FTP_PROXY=http://proxy.example.org
And the following line goes to /etc/yum.conf:
proxy=http://proxy.example.org
Firewall configuration
In CentOS and RHEL, the firewall is active by default after installation and has to be configured for the services that will be run on the server. This is out of the scope of this article (hint: use the firewall-cmd tool). Alternatively you can switch it off if this is your organization’s policy for servers in the internal network:
# systemctl stop firewalld
# systemctl disable firewalld
NTP configuration
Similar to DNS, a correct NTP configuration is very important in a Windows domain! RHEL/CentOS 7 uses Chrony for NTP. Install it if necessary (package chrony), then replace the default entries by your organization’s NTP servers in /etc/chrony.conf:
server ntp1.example.org iburst
server ntp2.example.org iburst
Start the Chrony service (or just reboot):
# systemctl start chronyd
Settings can be controlled with the following commands:
# systemctl status chronyd
# chronyc sources
# timedatectl
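The DNS and NTP prerequisites above are the usual reasons a later realm join fails, so it pays to verify them together before proceeding. The following preflight script is an added example, not part of the original article: it assumes the example.org domain, checks the host name, the chrony offset and the standard Active Directory SRV records, and its parsing functions can be exercised on captured output without a domain at hand.

```sh
#!/bin/sh
# Pre-join checks for a RHEL/CentOS 7 host about to run "realm join".
# Added example, not part of the original article; assumes the domain
# example.org from the article. The three SRV names are the standard
# records every Active Directory domain controller registers in DNS.
DOMAIN="${DOMAIN:-example.org}"
# Kerberos refuses requests when clocks differ by more than 300 s (its
# default clock-skew limit), so the chrony offset must stay inside it.
MAX_SKEW_SEC=300

# Read "chronyc tracking" output from stdin; succeed only if the
# "System time" offset is within MAX_SKEW_SEC. The line looks like:
#   System time     : 0.000030341 seconds fast of NTP time
skew_ok() {
  awk -v max="$MAX_SKEW_SEC" '
    /^System time/ { off = $4 + 0; if (off < 0) off = -off; found = 1 }
    END { exit (found && off <= max) ? 0 : 1 }'
}

# Succeed if the host name is fully qualified inside DOMAIN; realmd creates
# the computer object under this name, and a bare short name (fix it with
# hostnamectl, see above) is a common cause of a failed join.
fqdn_in_domain() {
  case "$1" in
    *."$DOMAIN") return 0 ;;
    *)           return 1 ;;
  esac
}
# Succeed if DNS answers with an SRV record for the given service name.
# Uses host(1) from bind-utils, so this check needs the network.
srv_present() {
  host -t SRV "$1" 2>/dev/null | grep -q 'has SRV record'
}

# Run every check and report all failures instead of stopping at the first.
preflight() {
  rc=0
  fqdn_in_domain "$(hostname)" ||
    { echo "FAIL: hostname '$(hostname)' is not an FQDN in $DOMAIN"; rc=1; }
  chronyc tracking 2>/dev/null | skew_ok ||
    { echo "FAIL: chronyd not running or clock skew above ${MAX_SKEW_SEC}s"; rc=1; }
  for svc in _kerberos._tcp _ldap._tcp _ldap._tcp.dc._msdcs; do
    srv_present "$svc.$DOMAIN" ||
      { echo "FAIL: no SRV record for $svc.$DOMAIN"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: prerequisites for realm join look fine"
  return "$rc"
}
case "${1:-}" in --run) preflight ;; esac   # run only as: sh preflight.sh --run
```

A non-zero exit means at least one prerequisite is missing; fix DNS, the host name or chrony first, then run realm join.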
Domain integration
Now comes the interesting part, where the Linux server becomes a member of the Windows domain. Many (older) instructions on domain integration are based on manually configuring Samba and other stuff. This is tedious and error-prone, but nowadays, there is a much better way for joining a Windows domain: realmd. It greatly simplifies the whole process. Install the realmd package:
# yum install realmd
Then join the domain with the realm command (without trailing ‘d’!), using an administrative account that has the required permissions (e.g., admin@example.org):
# realm join --verbose --user admin example.org
That’s all. With one single command your Linux system has become a member of the Windows domain! If this yields errors because of missing packages (probably samba-common, oddjob, oddjob-mkhomedir and sssd), install those manually and then repeat the realm join command.
Now, logon with any domain account (like hoppenheit@example.org) is possible. If you don’t want this, you can restrict logon to members of some Active Directory group (e.g., linux-admins@example.org):
# realm deny --realm example.org --all
# realm permit --realm example.org --groups linux-admins@example.org
To additionally grant sudo permissions to the members of the linux-admins Active Directory group (optional!), configure sudo:
# yum install sudo
# visudo -f /etc/sudoers.d/linux-admins
This will create a new file /etc/sudoers.d/linux-admins. In it, insert the following line:
%linux-admins@example.org ALL=(ALL:ALL) ALL
There are some more options for fine-tuning logon permissions and other domain-related things that are described on the realmd website.
Next steps
A domain integrated server is a great foundation for things like Apache or Squid services offering Kerberos authentication. But that’s another story.