How to add RHEL7 server to the AD domain


Active directory, RHEL7, Samba, sysadmin / Thursday, August 28th, 2014

Deployment Prerequisites

Check that /etc/hostname is correct and contains the FQDN.

Check that DNS resolution works:

  • Check that you can ping internal resources
  • Check that the file /etc/resolv.conf contains:

search your_domain
nameserver IP_of_your_AD_server

If not, add this to the file /etc/sysconfig/network-scripts/ifcfg-XXX:

DNS1=IP_of_your_AD_server
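The prerequisite checks above can be scripted so that the same verification is run on every server before the join. This is an added example, not a script from the original post; example.corp, dc1.example.corp and 192.0.2.10 are assumed placeholders (override them through the environment variables), and the two pure functions can be exercised against any file without touching the network.

```shell
#!/bin/sh
# Pre-flight checks for the domain-join prerequisites (added example, not from the original post).
# Assumed placeholders: example.corp is the AD DNS domain, dc1.example.corp the DC,
# 192.0.2.10 its address; override them with environment variables of the same name.
AD_DOMAIN="${AD_DOMAIN:-example.corp}"
AD_DC_FQDN="${AD_DC_FQDN:-dc1.example.corp}"
AD_DC_IP="${AD_DC_IP:-192.0.2.10}"

# is_fqdn NAME: true when NAME is in host.domain form (at least one dot, none at either end, no spaces)
is_fqdn() {
    case "$1" in
        ''|.*|*.|*' '*) return 1 ;;
        *.*)            return 0 ;;
        *)              return 1 ;;
    esac
}

# resolv_ok FILE DOMAIN DC_IP: true when FILE lists DOMAIN in a search line
# and DC_IP as a nameserver, the two lines the post asks for
resolv_ok() {
    awk -v d="$2" -v ns="$3" '
        $1 == "search"     { for (i = 2; i <= NF; i++) if ($i == d) s = 1 }
        $1 == "nameserver" { if ($2 == ns) n = 1 }
        END { exit !(s && n) }' "$1"
}

# preflight: live checks against this host; each failure names the fix from the post
preflight() {
    rc=0
    h=$(hostname)
    is_fqdn "$h" \
        || { echo "FAIL: hostname '$h' is not an FQDN (fix /etc/hostname)"; rc=1; }
    resolv_ok /etc/resolv.conf "$AD_DOMAIN" "$AD_DC_IP" \
        || { echo "FAIL: /etc/resolv.conf lacks 'search $AD_DOMAIN' / 'nameserver $AD_DC_IP' (set DNS1= in ifcfg-XXX)"; rc=1; }
    getent hosts "$AD_DC_FQDN" >/dev/null \
        || { echo "FAIL: cannot resolve $AD_DC_FQDN"; rc=1; }
    ping -c 1 -W 2 "$AD_DC_IP" >/dev/null 2>&1 \
        || { echo "FAIL: no ping reply from $AD_DC_IP"; rc=1; }
    [ "$rc" -eq 0 ] && echo "pre-flight OK"
    return "$rc"
}

# Live checks only run when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on the server to be joined; a non-zero exit means at least one prerequisite from the list above is missing, and the message says which file to fix.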

Enable the needed repository by editing /etc/yum.repos.d/redhat.repo:

[rhel-7-server-optional-rpms]
enabled = 1

Install the following packages:

yum clean all
yum -y install authconfig samba samba-winbind samba-winbind-clients pam_krb5 krb5-workstation oddjob-mkhomedir nscd adcli ntp

Start the needed services and enable them at boot time:

systemctl start smb
systemctl enable smb
systemctl start winbind
systemctl enable winbind
systemctl start oddjobd 
systemctl enable oddjobd
systemctl start dbus
systemctl stop firewalld

Configure the NTP service by editing /etc/ntp.conf so that your DCs are used as time servers:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server fqdn_of_your_ad_server

Make the first time adjustment, then start ntpd and enable it at boot time:

ntpdate fqdn_of_your_ad_server

systemctl start ntpd
systemctl enable ntpd

Back up the default Kerberos client config and empty the file:

cp -p /etc/krb5.conf /etc/krb5.conf.orig
echo '' > /etc/krb5.conf

Edit the file /etc/krb5.conf to configure the Kerberos client:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOUR_DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 YOUR_DOMAIN = {
  kdc = YOUR_DOMAIN:88
  admin_server = YOUR_DOMAIN:749
  default_domain = YOUR_DOMAIN
 }

[domain_realm]
 .YOUR_DOMAIN = YOUR_DOMAIN
 YOUR_DOMAIN = YOUR_DOMAIN
 your_domain = YOUR_DOMAIN
 .your_domain = YOUR_DOMAIN

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Test the Kerberos client:

kinit one_domain_admin_account@YOUR_DOMAIN
klist 

You should get output like this:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: one_domain_admin_account@YOUR_DOMAIN

Valid starting Expires Service principal
08/26/2014 14:46:25 08/27/2014 00:46:25 krbtgt/YOUR_DOMAIN@YOUR_DOMAIN

renew until 08/27/2014 14:46:18

Delete this test Kerberos ticket:

kdestroy

Back up the default Samba config and empty the file:

cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
echo '' > /etc/samba/smb.conf

Configure Samba by editing /etc/samba/smb.conf:

[global]
#--authconfig--start-line--
workgroup = YOUR_DOMAIN
password server = fqdn_of_your_ad_server
realm = YOUR_DOMAIN
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config YOUR_DOMAIN:backend = rid
idmap config YOUR_DOMAIN:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
template homedir = /home/adusers/%U
template shell = /bin/bash

#--authconfig--end-line--

Join your domain:

systemctl restart smb

net join -S YOUR_DOMAIN -U one_domain_admin_account

net ads testjoin
net ads info
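Beyond `net ads testjoin`, the thing worth verifying after the join is that winbind actually resolves AD accounts and that it maps them into the rid range configured in smb.conf above. With the rid backend the mapping is deterministic: uid = RID - base rid + low end of the range (base rid is 0 by default), so a uid outside 10000000-19999999 means the account was resolved from somewhere else. The following script is an added example, not part of the original post; jdoe and RID 1105 are constructed sample values and the range constants are taken from the smb.conf above.

```shell
#!/bin/sh
# Post-join verification (added example, not part of the original post).
# RANGE_LOW/RANGE_HIGH are the rid idmap range from smb.conf above;
# 'jdoe' (constructed sample account) and RID 1105 (constructed sample RID)
# are placeholders, not values from the post.
RANGE_LOW=10000000
RANGE_HIGH=19999999

# rid_to_uid RID: the uid winbind's rid backend assigns to an AD RID
# (idmap_rid: uid = RID - base_rid + range_low, base_rid defaults to 0)
rid_to_uid() {
    echo $(( $1 + RANGE_LOW ))
}

# uid_in_range UID: true when UID lies inside the configured rid range,
# i.e. it was produced by winbind and not by /etc/passwd or another source
uid_in_range() {
    [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]
}

# join_ok OUTPUT: true when the text of 'net ads testjoin' reports a working join
join_ok() {
    case "$1" in
        *"Join is OK"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# verify_join USER: live checks, run on the joined server as root.
# 'winbind use default domain = yes' lets USER be looked up without a domain prefix.
verify_join() {
    join_ok "$(net ads testjoin 2>&1)" \
        || { echo "FAIL: domain join is not valid (net ads testjoin)"; return 1; }
    wbinfo -t >/dev/null 2>&1 \
        || { echo "FAIL: winbind cannot verify the machine trust secret (wbinfo -t)"; return 1; }
    uid=$(id -u "$1" 2>/dev/null) \
        || { echo "FAIL: cannot resolve AD user $1 (check winbind and nsswitch.conf)"; return 1; }
    uid_in_range "$uid" \
        || { echo "FAIL: uid $uid for $1 is outside the rid range $RANGE_LOW-$RANGE_HIGH"; return 1; }
    echo "join OK: $1 -> uid $uid"
}

# Live checks only run when invoked as: sh verify-join.sh --run [user]
if [ "${1:-}" = "--run" ]; then verify_join "${2:-jdoe}"; fi
```

Run it as `sh verify-join.sh --run some_ad_user` once `net ads testjoin` reports success; the rid arithmetic also tells you in advance which uid an account will receive on every server that shares this smb.conf, which is the property that makes the rid backend suitable for file servers with shared storage.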

Configure the server to accept authentication with AD credentials:

 authconfig-tui

Let each user get their own home directory created at login time:

mkdir /home/adusers/
chmod 0777 /home/adusers

echo 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel' >> /etc/pam.d/system-auth
echo 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel' >> /etc/pam.d/password-auth

systemctl restart winbind