Join in Active Directory Domain2022/01/18 |
Join in Windows Active Directory Domain with Realmd.
This tutorial needs Windows Active Directory Domain Service in your Local Network.
This example is based on the environment like follows.
|
|||||||||||
[1] | Install required packages. |
[root@dlp ~]# dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
|
[2] | Join in Windows Active Directory Domain. |
# change DNS setting to refer to AD [root@dlp ~]# nmcli connection modify enp1s0 ipv4.dns 10.0.0.100 [root@dlp ~]# nmcli connection down enp1s0; nmcli connection up enp1s0 Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) # discover Active Directory domain [root@dlp ~]# realm discover SRV.WORLD srv.world type: kerberos realm-name: SRV.WORLD domain-name: srv.world configured: no server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools # join in Active Directory domain [root@dlp ~]# realm join SRV.WORLD Password for Administrator: # AD Administrator password
# verify possible to get an AD user info or not [root@dlp ~]# id Serverworld@srv.world uid=1259201103(serverworld@srv.world) gid=1259200513(domain users@srv.world) groups=1259200513(domain users@srv.world),1259200512(domain admins@srv.world),1259200572(denied rodc password replication group@srv.world) # verify possible to login as an AD user or not [root@dlp ~]# logout CentOS Stream 9 Kernel 5.14.0-39.el9.x86_64 on an x86_64 Activate the web console with: systemctl enable --now cockpit.socket dlp login: Serverworld@srv.world Password: [serverworld@srv.world@dlp ~]$ # logined |
[3] | If you'd like to omit domain name for AD user, configure like follows. |
[root@dlp ~]#
vi /etc/sssd/sssd.conf # line 16 : change use_fully_qualified_names = False
[root@dlp ~]#
[root@dlp ~]# systemctl restart sssd id Administrator uid=1259200500(administrator) gid=1259200513(domain users) groups=1259200513(domain users),1259200572(denied rodc password replication group),1259200512(domain admins),1259200518(schema admins),1259200520(group policy creator owners),1259200519(enterprise admins) |
[4] |
AD users UID/GID are assigned randomly, however, if you'd like to assign fixed UID/GID, configure like follows.
Add UNIX attributes to AD accounts first, refer to here.
Next, change SSSD settings.
This example is based on the environment AD accounts have [uidNumber/gidNumber] attributes. |
[root@dlp ~]#
vi /etc/sssd/sssd.conf # line 17 : change ldap_id_mapping = False
# add to the end ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber # clear cache and restart sssd [root@dlp ~]# rm -f /var/lib/sss/db/* [root@dlp ~]# systemctl restart sssd
id serverworld uid=2000(serverworld) gid=100(users) groups=100(users) |
Sponsored Link |
|