How to join RHEL system to Active Directory domain using adcli
Environment
- Red Hat Enterprise Linux 6 and later
- Active Directory
Issue
- How to join the RHEL machine with Active Directory using adcli
- How do I join a RHEL system to an Active Directory domain using adcli?
Resolution
Before starting: If you are configuring RHEL 8 or a later version, it is necessary to execute the command below first. This command requires a reboot of the system. For more information on encryption types, refer to the related Red Hat article.
# update-crypto-policies --set DEFAULT:AD-SUPPORT
1. Make sure the RHEL machine is able to resolve the Active Directory servers:
# dig -t SRV _ldap._tcp.adexample.net
Note: For additional prechecks, refer to the related Red Hat article.
2. Install the adcli package along with sssd:
# yum install adcli sssd authconfig
- For minimal install servers, you also need to install the krb5-workstation package, which provides the Kerberos klist command that is useful for verifying Kerberos-related configurations.
3. Discover the AD domain:
# adcli info ad.example.com
adcli will show a few details about the AD domain.
4. Join RHEL system to AD domain using adcli:
# adcli join ad.example.com
Password for Administrator@AD.EXAMPLE.COM: <---- Enter Admin password
- By default, it prompts for the Administrator password, but it's possible to specify another user with the -U option:
# adcli join ad.example.com -U ad_user <------ This user should have administrative rights in AD
- To use port 636 (LDAPS):
# LDAPTLS_CACERT=<cert path> adcli join --use-ldaps <domain_name> -U <username> --verbose
5. The join operation creates an /etc/krb5.keytab keytab that the machine will authenticate with. We can inspect the keytab with klist -kt, which should show several entries that contain the client's hostname in some form:
# klist -kte
6. Configure /etc/krb5.conf to use AD domain:
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
[realms]
AD.EXAMPLE.COM = {
kdc = server.ad.example.com
admin_server = server.ad.example.com
}
[domain_realm]
.ad.example.com = AD.EXAMPLE.COM
ad.example.com = AD.EXAMPLE.COM
7. Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth):
# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
- The above command will modify and add the necessary entries in the /etc/nsswitch.conf, /etc/pam.d/password-auth and /etc/pam.d/system-auth files.
- In RHEL 8 & 9, use the authselect command instead of authconfig:
# authselect select sssd with-mkhomedir
8. The final step is to configure the SSSD. Edit /etc/sssd/sssd.conf and define a single domain (you may have to create the file manually if the file does not exist):
[sssd]
services = nss, pam
config_file_version = 2
domains = AD.EXAMPLE.COM
[domain/AD.EXAMPLE.COM]
id_provider = ad
override_homedir = /home/%d/%u
debug_level = 0
# Uncomment and configure the line below if service discovery is not working
# ad_server = server.win.example.com
[nss]
override_shell=/bin/bash
[pam]
9. Make sure /etc/sssd/sssd.conf is owned by root:root and permissions are 600:
# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
10. Start SSSD and make sure the service starts after reboots:
# service sssd start
# chkconfig sssd on
11. Try to retrieve user information for an AD user, and then try to login as an AD user:
# id ad_user
# ssh ad_user@localhost
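As an added example (not part of the Red Hat article), the following POSIX shell helpers put the checks from steps 5, 7 and 9 into a form that can be exercised on a scratch directory before touching a real system: they render the step 8 sssd.conf for a given domain, create it in the root:root / 0600 state step 9 requires, verify that state, choose authconfig or authselect by RHEL major version as step 7 describes, and parse `klist -kte` output to confirm the keytab from step 5 contains an entry for the host. The function names, the hostname rhel01 in the demo, and the optional output path argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the article's own code. All paths and names are parameters
# so the functions can be tried in a temporary directory without root.

# Print sssd.conf content for an AD domain (lower-case DNS name). The realm is
# the upper-cased domain, matching the article's AD.EXAMPLE.COM example.
render_sssd_conf() {
    domain="$1"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $realm

[domain/$realm]
id_provider = ad
override_homedir = /home/%d/%u
debug_level = 0
# Uncomment and set ad_server if DNS service discovery is not working
# ad_server = server.$domain

[nss]
override_shell = /bin/bash

[pam]
EOF
}

# Write sssd.conf for $1 to $2 (default /etc/sssd/sssd.conf). umask 077 makes
# the file private from the moment it is created, so it is never readable by
# other users between creation and the chmod. chown runs only as root.
write_sssd_conf() {
    domain="$1"
    path="${2:-/etc/sssd/sssd.conf}"
    ( umask 077 && render_sssd_conf "$domain" > "$path" ) || return 1
    chmod 600 "$path"
    [ "$(id -u)" -eq 0 ] && chown root:root "$path"
    return 0
}

# Succeed only if the file is mode 0600 and owned by the expected user
# (root by default): the state step 9 of the article requires. Uses GNU stat.
sssd_conf_perms_ok() {
    path="$1"
    owner="${2:-root}"
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path") || return 1
    user=$(stat -c '%U' "$path") || return 1
    [ "$mode" = "600" ] && [ "$user" = "$owner" ]
}

# Pick the NSS/PAM setup tool by RHEL major version (e.g. VERSION_ID from
# /etc/os-release): authconfig before RHEL 8, authselect from RHEL 8 on.
auth_tool_for_release() {
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$major" -ge 8 ]; then echo authselect; else echo authconfig; fi
}

# Read `klist -kte` output on stdin and succeed if it lists a principal for the
# given short hostname: host/<name>[.fqdn]@REALM or the computer account
# <NAME>$@REALM. This is the "hostname in some form" check from step 5.
keytab_mentions_host() {
    name="$1"
    grep -Eiq "host/$name(\.[^[:space:]@]*)?@|[[:space:]]$name\\\$@"
}

# Stand-alone demo on a scratch directory: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sssd_conf ad.example.com "$dir/sssd.conf"
    sssd_conf_perms_ok "$dir/sssd.conf" "$(id -un)" && echo "sssd.conf permissions OK"
    echo "auth tool for RHEL 9: $(auth_tool_for_release 9)"
    rm -rf "$dir"
fi
```

On a real host, `klist -kte | keytab_mentions_host "$(hostname -s)"` is the post-join check, and `sssd_conf_perms_ok /etc/sssd/sssd.conf` (owner defaulting to root) is the step 9 check; both return non-zero on failure so they fit into a provisioning script's error handling.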
NOTE: With the upcoming Microsoft Advisory ADV190023, customers using SSSD on Red Hat Enterprise Linux 6 (RHEL6) systems are advised to switch to the ldap id_provider and use ldaps to talk to their Active Directory domain controller.
The above solution will not work on Red Hat Enterprise Linux 6 systems enrolled into Active Directory domains with enforced SASL signing.
Refer to Impact of Microsoft Security Advisory ADV190023 for more details.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.