Joining a Linux server to a Windows domain
This is a concise instruction for joining a Linux (RHEL/CentOS 7) server to a Windows domain (let’s call it example.org). Doing so has some nice advantages: The server is listed in the Active Directory Users and Computers hierarchy, giving you a better overview of your environment. You can log on to the server with a domain account instead of a local one or restrict logon to members of a certain Active Directory group. And, most importantly, domain integration is the prerequisite for services running on the Linux machine that offer secure authentication via Kerberos to other domain members.
A working DNS is absolutely vital for a Windows domain! So be careful to enter the following information correctly during the installation:
- server IP address
- gateway IP address
- DNS server IP address
- search domain
Network settings can be changed later with NetworkManager’s tools, of which nmtui is the easiest to use.
If internet access in your environment is governed by a proxy server, add the following lines to /etc/profile.d/proxy.sh (create the file if it does not exist):
export http_proxy=http://proxy.example.org
export https_proxy=http://proxy.example.org
export ftp_proxy=http://proxy.example.org
export HTTP_PROXY=http://proxy.example.org
export HTTPS_PROXY=http://proxy.example.org
export FTP_PROXY=http://proxy.example.org
And the following line goes to
In CentOS and RHEL, the firewall is active by default after installation and has to be configured for the services that will be run on the server. This is out of the scope of this article (hint: use the firewall-cmd tool). Alternatively, you can switch it off if this is your organization’s policy for servers in the internal network:
# systemctl stop firewalld
# systemctl disable firewalld
Similar to DNS, a correct NTP configuration is very important in a Windows domain (Kerberos rejects tickets when clocks drift too far apart)! RHEL/CentOS 7 uses Chrony for NTP. Install it if necessary (package chrony), then replace the default server entries in the Chrony configuration with your organization’s NTP servers:
server ntp1.example.org iburst
server ntp2.example.org iburst
Start the Chrony service (or just reboot):
# systemctl start chronyd
Settings can be checked with the following commands:
# systemctl status chronyd
# chronyc sources
# timedatectl
Now comes the interesting part, where the Linux server becomes a member of the Windows domain. Many (older) instructions on domain integration are based on manually configuring Samba and other stuff. This is tedious and error-prone, but nowadays, there is a much better way for joining a Windows domain: realmd. It greatly simplifies the whole process. Install the realmd package:
# yum install realmd
Then join the domain with the realm command (without trailing ‘d’!), using an administrative account that has the required permissions (e.g., admin):
# realm join --verbose --user admin example.org
That’s all. With one single command your Linux system has become a member of the Windows domain! If this yields errors because of missing packages (probably samba-common, oddjob, oddjob-mkhomedir and sssd), install those manually and then repeat the realm join command.
Now, logon with any domain account (in the form user@example.org) is possible. If you don’t want this, you can restrict logon to members of a particular Active Directory group (replace GROUPNAME with the group’s name):
# realm deny --realm example.org --all
# realm permit --realm example.org --groups GROUPNAME@example.org
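Two things worth verifying once the host is joined are that the login policy really is restricted (and not still allowing every realm account) and that the clock offset is within Kerberos’ default 300-second skew tolerance. The following script is an added example, not part of the original article: its functions parse the text of `realm list` and `chronyc tracking`, and the sample outputs embedded in it are constructed for demonstration.

```shell
#!/bin/sh
# Post-join sanity checks for a realmd-joined host (added example, not part of
# the original article). The functions parse captured output of `realm list`
# and `chronyc tracking`, so they work against a live host or saved output.
# The sample outputs below are constructed; values are made up.

# Classify the realm login policy: "restricted" (only permitted users/groups),
# "open" (any account of the realm), "denied" (nobody), or "unknown".
login_policy_state() {
    policy=$(printf '%s\n' "$1" | awk -F': *' '$1 ~ /login-policy/ { print $2; exit }')
    case "$policy" in
        allow-permitted-logins) echo restricted ;;
        allow-realm-logins|allow-any-login) echo open ;;
        deny-any-login) echo denied ;;
        *) echo unknown ;;
    esac
}

# Compare chrony's "System time" offset against Kerberos' default 300 s
# clock-skew tolerance; a larger offset means ticket requests will fail.
clock_state() {
    printf '%s\n' "$1" | awk '
        /^System time/ { if ($4 + 0 < 300) print "ok"; else print "skewed"; found = 1 }
        END { if (!found) print "unknown" }'
}

# Constructed samples (shape follows the real tools, values are made up).
SAMPLE_REALM_OPEN='example.org
  type: kerberos
  realm-name: EXAMPLE.ORG
  configured: kerberos-member
  client-software: sssd
  login-formats: %U@example.org
  login-policy: allow-realm-logins'
SAMPLE_REALM_RESTRICTED='example.org
  configured: kerberos-member
  login-policy: allow-permitted-logins
  permitted-groups: linux-admins@example.org'
SAMPLE_TRACKING_OK='Reference ID    : C0A80001 (ntp1.example.org)
System time     : 0.000123456 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_TRACKING_SKEWED='Reference ID    : 00000000 ()
System time     : 412.250000 seconds slow of NTP time
Leap status     : Not synchronised'

echo "login policy before realm permit: $(login_policy_state "$SAMPLE_REALM_OPEN")"
echo "login policy after realm permit:  $(login_policy_state "$SAMPLE_REALM_RESTRICTED")"
echo "clock (synced host):   $(clock_state "$SAMPLE_TRACKING_OK")"
echo "clock (unsynced host): $(clock_state "$SAMPLE_TRACKING_SKEWED")"
```

On a joined host, run the checks against live output with `login_policy_state "$(realm list)"` and `clock_state "$(chronyc tracking)"`.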
To additionally grant sudo permissions to the members of the linux-admins Active Directory group (optional!), install sudo and create a sudoers drop-in file:
# yum install sudo
# visudo -f /etc/sudoers.d/linux-admins
This will create a new file /etc/sudoers.d/linux-admins. In it, insert the following line:
%linux-admins@example.org ALL=(ALL:ALL) ALL
There are some more options for fine-tuning logon permissions and other domain-related things that are described on the realmd website.
A domain-integrated server is a great foundation for things like Apache or Squid services offering Kerberos authentication. But that’s another story.