Basic Precheck Steps: Joining RHEL to Active Directory using the 'adcli', 'realm' and 'net' commands
Environment
- Red Hat Enterprise Linux 6,7,8,9
- adcli
- realmd
- net
Issue
- Basic precheck steps before joining RHEL to Active Directory using the adcli, realm and net commands.
- What checks should be performed before joining a RHEL server to Active Directory?
Resolution
Perform the following steps before joining the system to Active Directory.
1. Ensure that the account used to perform the join has the permissions listed below. Delegate exactly these rights to a dedicated join account (for example on the OU that will hold the Linux computer objects) instead of joining with a member of Domain Admins:
- On the object types:
* Computer
- Standard permissions required for joining all systems to an AD:
* Reset password
* Read account restrictions
* Write account restrictions
* Validated write to DNS host name
* Validated write to service principal name
- Additional permissions required for joining Linux systems to an AD:
* Read DNS host name attributes
* Write DNS host name attributes
* Read DNSHostName
* Write DNSHostName
* Read msDS-AdditionalSamAccountName
* Write msDS-AdditionalSamAccountName
* Read msDS-SupportedEncryptionTypes
* Write msDS-SupportedEncryptionTypes
* Read Operating System
* Write Operating System
* Read Operating System Version
* Write Operating System Version
* Read OperatingSystemServicePack
* Write OperatingSystemServicePack
* Read servicePrincipalName
* Write servicePrincipalName
* Read userAccountControl
* Write userAccountControl
* Read userPrincipalName
* Write userPrincipalName
2. Verify that the AD domain's DNS SRV records resolve from the RHEL host. The host's resolver must point at (or forward to) the AD DNS servers; each of the queries below should return at least one line naming a domain controller.
Example:
# dig +short SRV _ldap._tcp.addomain.test
# dig +short SRV _kerberos._tcp.addomain.test
# dig +short SRV _kerberos._udp.addomain.test
3. Port reachability from RHEL to the Active Directory domain controllers.
Source port   Destination port   Protocol      Service
1024:65535    53                 TCP and UDP   DNS
1024:65535    389                TCP and UDP   LDAP
1024:65535    636                TCP           LDAPS
1024:65535    88                 TCP and UDP   Kerberos
1024:65535    464                TCP and UDP   Kerberos change/set password (kpasswd/kadmin)
1024:65535    3268               TCP           LDAP Global Catalog (required when SSSD uses "id_provider = ad")
1024:65535    3269               TCP           LDAP Global Catalog over SSL
1024:65535    123                UDP           NTP (optional; only if the DCs are the time source)
When using winbind for Active Directory integration, make sure all required ports are open on the firewall; see the separate solution "Which TCP/UDP ports are used for Active Directory authentication when using winbind?".
Validate that every listed port is reachable on each Active Directory domain controller of the domain, not just one of them. Note that nc -u cannot detect a silently dropped UDP packet: nmap-ncat reports a UDP port as open unless an ICMP port-unreachable message comes back, so a "succeeded" result for UDP only proves the packet was not rejected. For UDP 53 a real query (dig @adserver1.addomain.test ...) is conclusive; for UDP 88 and 464 the first kinit after the join is the real test.
Example:
* DNS Ports
# nc -zv adserver1.addomain.test 53
# nc -zuv adserver1.addomain.test 53
* LDAP Ports
# nc -zv adserver1.addomain.test 389
# nc -zuv adserver1.addomain.test 389
# nc -zv adserver1.addomain.test 636
* Kerberos
# nc -zv adserver1.addomain.test 88
# nc -zuv adserver1.addomain.test 88
* Kerberos Kadmin
# nc -zv adserver1.addomain.test 464
# nc -zuv adserver1.addomain.test 464
* Active Directory: Global Catalog
# nc -zv adserver1.addomain.test 3268
# nc -zv adserver1.addomain.test 3269
* NTP
# nc -zuv adserver1.addomain.test 123
4. Validate time synchronisation with the Active Directory servers. Kerberos rejects authentication when the client clock differs from the KDC by more than the maximum allowed skew (5 minutes by default), so a drifted clock makes the join fail with a "Clock skew too great" error. Both ntpdate and chronyd -q step the clock once, so run them before starting services that are sensitive to time jumps.
Example:
* RHEL versions using ntpd (RHEL 6, and RHEL 7 hosts where ntpd is installed instead of chronyd). RHEL 6 has no systemctl; use the service command there:
# ntpstat
# service ntpd stop          (RHEL 7 with ntpd: systemctl stop ntpd)
# ntpdate adserver1.addomain.test
# service ntpd start         (RHEL 7 with ntpd: systemctl start ntpd)
# service ntpd status        (RHEL 7 with ntpd: systemctl status ntpd)
* RHEL versions using chronyd (RHEL 7, 8 & 9; chronyd is the default on these releases):
# chronyc sources
# systemctl stop chronyd
# chronyd -q "server adserver1.addomain.test iburst"
# systemctl start chronyd
# systemctl status chronyd
# chronyc tracking
5. Set the hostname to the FQDN (recommended). Do not use a short name: adcli and realm derive the computer object's dNSHostName attribute and its host/ service principal names from the hostname at join time, so a short name produces a computer object that does not match DNS.
# hostname
# hostnamectl set-hostname <fqdn>
# hostnamectl set-hostname rhels1.example.com
# hostnamectl
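The following script is an added example, not part of the Red Hat solution above. It runs steps 2 to 5 in one pass against a domain given on the command line, and it goes a little beyond the page by checking every domain controller returned by the _ldap._tcp SRV record rather than a single named server. It assumes bind-utils (dig), nmap-ncat (nc), chrony (chronyc) are installed and that addomain.test is a placeholder domain name; the 300-second limit is the Kerberos default clock skew.

```shell
#!/bin/sh
# ad-precheck.sh - run the RHEL-to-AD prechecks (steps 2-5) against one domain.
# Added example, not Red Hat's code. Usage: sh ad-precheck.sh addomain.test
MAX_SKEW=300   # Kerberos default maximum clock skew, in seconds

# Turn `dig +short SRV` lines ("prio weight port target.") into bare target names.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# 0 if the name looks like an FQDN (has a dot, is not a localhost alias), else 1.
is_fqdn() {
    case "$1" in
        localhost|localhost.localdomain|*.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse `chronyc tracking` text ($1); 0 if the "System time" offset is below $2 seconds.
# Returns 1 when the line is missing (chronyd not running or not synchronised).
skew_ok() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^System time/ { off = $4 + 0; found = 1 }
        END { exit (found && off < max) ? 0 : 1 }'
}

# TCP reachability: nc -z (zero-I/O) with a 3-second timeout.
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# UDP 53: nc -zu cannot see a silent drop, so ask the DC a real question instead.
# dig exits 9 when the server never answers, 0 when it replies (even NXDOMAIN).
udp_dns_ok() { dig @"$1" "$2" SOA +notcp +time=3 +tries=1 +short >/dev/null 2>&1; }

run_prechecks() {
    domain="$1"; rc=0
    # Step 2: SRV discovery. Without _ldap._tcp there is nothing to join.
    dcs=$(dig +short SRV "_ldap._tcp.$domain" | srv_targets)
    [ -n "$dcs" ] || { echo "FAIL no SRV records for _ldap._tcp.$domain"; return 1; }
    for rec in _kerberos._tcp _kerberos._udp; do
        [ -n "$(dig +short SRV "$rec.$domain")" ] && echo "ok   $rec.$domain" \
            || { echo "FAIL $rec.$domain does not resolve"; rc=1; }
    done
    # Step 3: every TCP port on every DC, plus a real UDP/53 query.
    for dc in $dcs; do
        for port in 53 88 389 464 636 3268 3269; do
            tcp_open "$dc" "$port" && echo "ok   $dc tcp/$port" \
                || { echo "FAIL $dc tcp/$port"; rc=1; }
        done
        udp_dns_ok "$dc" "$domain" && echo "ok   $dc udp/53 (answered a query)" \
            || { echo "FAIL $dc udp/53 no reply"; rc=1; }
    done
    # Step 4: clock offset from chronyd (covers NTP/123 without probing it).
    skew_ok "$(chronyc tracking 2>/dev/null)" "$MAX_SKEW" \
        && echo "ok   clock offset below ${MAX_SKEW}s" \
        || { echo "FAIL chronyd not tracking or offset >= ${MAX_SKEW}s"; rc=1; }
    # Step 5: hostname must be an FQDN before adcli/realm derive the SPNs from it.
    h=$(hostname)
    is_fqdn "$h" && echo "ok   hostname $h" \
        || { echo "FAIL hostname '$h' is not an FQDN; run: hostnamectl set-hostname <fqdn>"; rc=1; }
    return $rc
}

# Only touch the network when a domain is given on the command line.
if [ $# -gt 0 ]; then
    run_prechecks "$1"
fi
```

A non-zero exit means at least one FAIL line was printed; fix those before running adcli join or realm join. The script deliberately does not probe UDP 88/464 with nc, for the reason given in step 3: the result would be meaningless behind a firewall that drops silently.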
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.