Administrating Linux Machines Through Active Directory


In a mixed Windows and Linux environment with Active Directory, it is beneficial to maintain user accounts for both platforms through Active Directory.  Joining Windows machines to Active Directory is straightforward, but Linux is more of a challenge.  For this reason, many organizations maintain separate authentication for Linux and Windows users.

Though not trivial, joining Linux machines, in this case CentOS 7, to an Active Directory domain is not overly complicated.

To join a CentOS 7 machine to a domain, first install the required packages with the following command.

yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp

If your systems are virtualized and share a common time source with the domain controllers, the following step is not necessary.  Otherwise, configure ntpd with the following commands; Kerberos authentication fails if the clock drifts too far from the domain controllers.

systemctl enable ntpd.service
ntpdate ntp.domain
systemctl start ntpd.service

Prior to joining your domain, adjust your DNS to use the AD servers or the DNS servers they use, since realmd locates the domain controllers through DNS.

DNS can be configured with the DNS1= and DNS2= entries in /etc/sysconfig/network-scripts/ifcfg-eno*

Discover information about the Active Directory domain you wish to join with the following command.

$ realm discover domain.local
type: kerberos
realm-name: DOMAIN.LOCAL
domain-name: domain.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@domain.local
login-policy: allow-permitted-logins
permitted-groups: LinuxAdmins@domain.local, LinuxUsers@domain.local
domain.local
type: kerberos
realm-name: DOMAIN.LOCAL
domain-name: domain.local
configured: no

If any required-package is not installed, install it now.

To join the machine to the domain, use the following command; you will be prompted for the password of the account given with --user.

realm join --user=domainadmin@domain.local domain.local

Once joined, add the default domain suffix to the /etc/sssd/sssd.conf file.

default_domain_suffix = domain.local

Restart the sssd service.

systemctl restart sssd


Permitting Select Active Directory Groups to Logon

You will probably want to limit which domain users can log in to your Linux machine.  Do this by first creating a group in Active Directory, such as LinuxUsers, and populating it with the users you wish to be able to access the Linux system.  Then, from the Linux system, use the following command.

realm permit -g LinuxUsers@domain.local

You can add additional groups as needed using the same command.
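As an added check that is not part of the original article, the following POSIX shell script parses realm discover output for the required-package entries you are told to verify, and audits an sssd.conf for the access_provider = simple / simple_allow_groups settings that restrict logins to named groups. The sample output, the sample config and the pkg_installed helper are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `realm discover` output (not captured from a real domain).
REALM_OUTPUT='domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  configured: no
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools'
# Constructed sssd.conf fragment in the shape shown in this article.
SSSD_CONF='[sssd]
domains = domain.local

[domain/domain.local]
id_provider = ad
access_provider = simple
simple_allow_groups = LinuxAdmins@domain.local, LinuxUsers@domain.local'
# required_packages: print the package names from realm discover output read on stdin.
required_packages() {
    awk '$1 == "required-package:" { print $2 }'
}

# pkg_installed NAME: succeed when the RPM is installed (queries rpm on a real host).
pkg_installed() {
    rpm -q "$1" >/dev/null 2>&1
}

# missing_packages: list required packages that pkg_installed does not report as present.
missing_packages() {
    for p in $(printf '%s\n' "$REALM_OUTPUT" | required_packages); do
        pkg_installed "$p" || printf '%s\n' "$p"
    done
}

# login_restricted: succeed when the sssd.conf read on stdin limits logins to named
# groups, i.e. access_provider = simple with a non-empty simple_allow_groups.
login_restricted() {
    conf=$(cat)
    prov=$(printf '%s\n' "$conf" | awk -F' *= *' '{ sub(/^[ \t]+/, "") } $1 == "access_provider" { print $2 }')
    groups=$(printf '%s\n' "$conf" | awk -F' *= *' '{ sub(/^[ \t]+/, "") } $1 == "simple_allow_groups" { print $2 }')
    [ "$prov" = "simple" ] && [ -n "$groups" ]
}

# Run both checks against the samples when executed directly with --check.
if [ "${1:-}" = "--check" ]; then
    missing_packages
    printf '%s\n' "$SSSD_CONF" | login_restricted && echo "domain logins restricted to named groups"
fi
```

On a real host, feed `realm discover` and /etc/sssd/sssd.conf to the functions instead of the embedded samples.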


Giving sudo Access to Active Directory Groups

Typically, users on a Linux system are put into the wheel group and then allowed sudo access by uncommenting the appropriate line in the sudoers file.  In this instance, we will give a separate group sudo access, using visudo to edit the sudoers file.

Assuming you have a LinuxAdmins Active Directory group, add the following line to the sudoers file.

%LinuxAdmins@domain.local ALL=(ALL) ALL


How to debug SSSD and realmd

The logfile that records successful and failed login attempts is /var/log/secure. It contains messages related to authentication and authorization; for example, sshd logs all of its messages there, including unsuccessful logins.

Be sure to check that logfile if you experience problems logging in with an Active Directory user.


How to clear the SSSD cache

sudo systemctl stop sssd
sudo rm -f /var/lib/sss/db/*
sudo systemctl start sssd


Updating authconfig

Sometimes it is useful to refresh the authconfig settings with the following command.

authconfig --updateall


Sample Config Files

/etc/sssd/sssd.conf

# The [sssd] and [domain/...] section headers are required by sssd; the domain
# section name matches the domains= value.
[sssd]
domains = Domain.local
config_file_version = 2
services = nss, pam
default_domain_suffix = Domain.local

[domain/Domain.local]
ad_domain = Domain.local
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = P2VM-QA-CENTOS-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
# Only members of these AD groups may log in (set by realm permit -g).
access_provider = simple
simple_allow_groups = LinuxAdmins@domain.local, LinuxUsers@domain.local


Sudoers File Section

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%LinuxAdmins@domain.local  ALL=(ALL)       ALL