Fedora 34
Join in Active Directory Domain
2021/04/30
 
Join a Windows Active Directory domain with Realmd.
This tutorial requires a Windows Active Directory Domain Service on your local network.
This example is based on the following environment.
Domain Server : Windows Server 2019
Domain Name : srv.world
Hostname : fd3s.srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1] Install required packages.
[root@dlp ~]#
dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools
[2] Join the Windows Active Directory domain.
# change the DNS setting to refer to the AD server

[root@dlp ~]#
nmcli connection modify enp1s0 ipv4.dns 10.0.0.100

[root@dlp ~]#
nmcli connection down enp1s0; nmcli connection up enp1s0

Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
# discover Active Directory domain

[root@dlp ~]#
realm discover SRV.WORLD

srv.world
  type: kerberos
  realm-name: SRV.WORLD
  domain-name: srv.world
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

# join the Active Directory domain

[root@dlp ~]#
realm join SRV.WORLD

Password for Administrator:  
# enter the AD Administrator password
# verify that an AD user's information can be retrieved

[root@dlp ~]#
id Serverworld@srv.world

uid=691201105(serverworld@srv.world) gid=691200513(domain users@srv.world) groups=691200513(domain users@srv.world),691200572(denied rodc password replication group@srv.world),691200512(domain admins@srv.world)
# verify that login as an AD user works

[root@dlp ~]#
exit

logout

Fedora 34 (Server Edition)
Kernel 5.11.12-300.fc34.x86_64 on an x86_64 (ttyS0)

Activate the web console with: systemctl enable --now cockpit.socket

dlp login: Serverworld@srv.world 
Password:
Creating home directory for Serverworld@srv.world.
[serverworld@srv.world@dlp ~]$   # logged in
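Once `id` resolves AD accounts, it is worth checking which AD groups an account carries onto the host, because the sample user above is a member of "domain admins". The following is an added example, not part of the original page: it parses an `id` output line (SAMPLE_ID is a constructed copy of the output shown above) and flags membership in AD's built-in admin groups. On a joined host you would pass "$(id "$user")" instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original page): audit the groups an AD account
# resolves to after the join, and flag AD groups with domain-wide admin rights.
# SAMPLE_ID is a constructed copy of the `id Serverworld@srv.world` output above.
SAMPLE_ID='uid=691201105(serverworld@srv.world) gid=691200513(domain users@srv.world) groups=691200513(domain users@srv.world),691200572(denied rodc password replication group@srv.world),691200512(domain admins@srv.world)'

# id_groups LINE -> group names from an `id` line, one per line, without the @domain suffix
id_groups() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/; s/@[^@]*$//'
}

# privileged_groups LINE -> the subset of groups that are AD built-in admin groups
privileged_groups() {
    id_groups "$1" \
        | grep -i -E '^(domain admins|enterprise admins|schema admins|administrators)$' || true
}

# audit_user LINE -> prints a one-line report; returns 0 if no admin group, 1 otherwise
audit_user() {
    user=$(printf '%s\n' "$1" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    priv=$(privileged_groups "$1")
    if [ -n "$priv" ]; then
        printf 'WARNING: %s is in AD admin group(s): %s\n' "$user" "$(printf '%s' "$priv" | tr '\n' ',')"
        return 1
    fi
    printf 'OK: %s has no AD admin group membership\n' "$user"
    return 0
}

audit_user "$SAMPLE_ID" || :
```

The exit status of `audit_user` makes it usable from a post-join check script: a non-zero return means the account would land on the host with domain-admin group membership, which is something to know before granting such accounts sudo rights.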
[3] To omit the domain name for AD users, configure as follows.
[root@dlp ~]#
vi /etc/sssd/sssd.conf
# line 16 : change
use_fully_qualified_names = False
[root@dlp ~]#
systemctl restart sssd

[root@dlp ~]#
id Administrator

uid=691200500(administrator) gid=691200513(domain users) groups=691200513(domain users),691200572(denied rodc password replication group),691200512(domain admins),691200518(schema admins),691200520(group policy creator owners),691200519(enterprise admins)
[4] AD users' UIDs/GIDs are assigned automatically, but if you'd like to assign fixed UIDs/GIDs, configure as follows.
Add UNIX attributes to the AD accounts first (refer to the linked page; to add them with PowerShell on the CLI, refer to step [4] of that page).
This example assumes the AD accounts already have the [uidNumber/gidNumber] attributes.
Next, change the SSSD settings.
[root@dlp ~]#
vi /etc/sssd/sssd.conf
# line 17 : change
ldap_id_mapping = False
# add to the end

ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
# clear cache and restart sssd

[root@dlp ~]#
rm -f /var/lib/sss/db/*

[root@dlp ~]#
systemctl restart sssd
[root@dlp ~]#
id serverworld

uid=5000(serverworld) gid=5000(linuxgroup) groups=5000(linuxgroup)
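Steps [3] and [4] above both edit /etc/sssd/sssd.conf by line number, which only works while the file still looks exactly as realmd wrote it. The following is an added example, not code from the original page or from the SSSD project: a small POSIX shell helper that sets or appends a key inside the [domain/srv.world] section by name, applies the four settings from steps [3] and [4] in one go, and keeps the file's 0600 mode by overwriting it in place. The sample config written by write_sample_conf is constructed to resemble realmd's output (the line numbers differ from the page's), and the --apply flag is an assumption of this script, not a realmd or sssd option.

```shell
#!/bin/sh
# Added example (not from the original page): edit SSSD options by key name
# instead of by line number. Run without arguments it only demonstrates the
# change on a temporary copy; `--apply` (hypothetical flag of this script)
# edits /etc/sssd/sssd.conf and repeats the cache clear + restart of step [4].
set -eu

# get_sssd_option FILE SECTION KEY -> print the value (empty if unset)
get_sssd_option() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec) }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# set_sssd_option FILE SECTION KEY VALUE -> replace KEY inside SECTION,
# or append "KEY = VALUE" at the end of SECTION if it is not there yet.
set_sssd_option() {
    tmp=$(mktemp)
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
        function emit_missing() { if (insec && !done) { print key " = " val; done = 1 } }
        /^\[/ { emit_missing(); insec = ($0 == sec) }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; done = 1; next }
        { print }
        END { emit_missing() }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"   # overwrite in place: the 0600 mode of sssd.conf is kept
    rm -f "$tmp"
}

# write_sample_conf FILE -> constructed config approximating what realmd writes
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = srv.world
config_file_version = 2
services = nss, pam

[domain/srv.world]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SRV.WORLD
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = srv.world
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
}

# configure_posix_ids FILE -> the settings of steps [3] and [4] in one go
configure_posix_ids() {
    set_sssd_option "$1" domain/srv.world use_fully_qualified_names False
    set_sssd_option "$1" domain/srv.world ldap_id_mapping False
    set_sssd_option "$1" domain/srv.world ldap_user_uid_number uidNumber
    set_sssd_option "$1" domain/srv.world ldap_user_gid_number gidNumber
}

if [ "${1:-}" = "--apply" ]; then
    configure_posix_ids /etc/sssd/sssd.conf
    rm -f /var/lib/sss/db/*      # clear the cache, as in step [4]
    systemctl restart sssd
else
    f=$(mktemp)
    write_sample_conf "$f"
    configure_posix_ids "$f"
    cat "$f"                     # show the result on the constructed copy
    rm -f "$f"
fi
```

The helper is idempotent, so re-running it leaves a single copy of each key, and `get_sssd_option` can be used afterwards to confirm that `ldap_id_mapping` really is False before clearing the cache: with ID mapping still on, the `uidNumber` attribute is ignored and the cached IDs would not change.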