We will need the following packages installed on the CentOS / RHEL server:

  • realmd: This manages enrolment and membership to the Active Directory domains
  • samba: This denotes the Samba services
  • samba-common: This denotes the shared tools for servers and clients
  • oddjob: This is a D-bus service that runs the odd jobs for clients
  • oddjob-mkhomedir: This is used with the odd job services to create home directories for AD accounts if needed
  • sssd: The System Security Services daemon can be used to divert client authentication as required
  • adcli: These are the tools for joining and managing AD domains

Use the following command to install the required packages:

[root@ylclsrv001 ~]# sudo yum install oddjob realmd samba samba-common oddjob-mkhomedir sssd adcli


To discover a Domain Identity we will use the realm discover command, that will return a complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

  [root@ylclsrv001 ~]# realm discover ucartz.local
  ucartz.LOCAL
  type: kerberos
  realm-name: ucartz.LOCAL
  domain-name: ucartz.LOCAL
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  ucartz.local
  type: kerberos
  realm-name: UCARTZ.LOCAL
  domain-name: ucartz.local
  configured: no

 To join the AD domain, add the computer to the default folder in the AD domain using the following command:

sudo realm join --user=administrator@ucartz.local ucartz.local
Password for administrator@ucartz.local:

 If you want to add it to a designated Organizational Unit within the Active Directory, you will first need to create the OU, or at least ensure that it exists. The following command we will join the server to AD Domain and add Computer Account to the Linux OU:

[root@ylclsrv001 ~]# sudo realm join --user=administrator@ucartz.local --computer-ou=OU=Linux,OU=Servers,DC=ucartz,DC=LOCAL ucartz.local
Password for administrator@ucartz.local:


 If you got this error ” realm: Couldn’t join realm: Joining the domain UCARTZ.LOCAL failed“, just restart the realm and retry again

 To test the system was successfully joined the domain use the below command:

  [root@ylclsrv001 ~]# realm list
  UCARTZ.LOCAL
  type: kerberos
  realm-name: UCARTZ.LOCAL
  domain-name: ucartz.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@ucartz.local
  login-policy: allow-realm-logins

 To display information about a user from the domain, run the following command:

# id yl01@ucartz.local 
uid=344601106(yl01@UCARTZ.LOCAL) gid=344600513(domain users@UCARTZ.LOCAL) groups=344600513(domain users@UCARTZ.LOCAL),344601107(linuxadmins@UCARTZ.LOCAL)

 To permit only specific accounts from the domain to log in, use the following command: this command will change the mode to only allow logins by specific accounts, and then add the specified accounts to the list of accounts to permit.

[root@ylclsrv001 ~]# realm permit  User1@ucartz.local User2@ucartz.local

 To permit only one Active Directory group to log in using the following command: in this Example, we will allow the Linux admins AD group to login to the system

[root@ylclsrv001 ~]# realm permit -g LinuxAdmins@ucartz.local

 To give sudo permissions to an Active Directory group, in this example we will add LinuxAdmins AD group to sudoers by running the visudo command and add the following line:

# visudo
%LinuxAdmins@ucartz.local        ALL=(ALL)       ALL

 To leave an Active Directory domain, you can use the below command:

# realm leave --user=--user=administrator@ucartz.local ucartz.local


 If you want to leave the domain and to delete the computer Account you can use the additional option –remove at the end of the command

# realm leave --user=--user=administrator@ucartz.local ucartz.local --remove
Password for administrator@ucartz.local:

 
We hope this tutorial was enough Helpful. If you need more information or have any questions, just comment below and we will be glad to assist you!

Hasznosnak találta ezt a választ? 0 A felhasználók hasznosnak találták ezt (0 Szavazat)