How to connect to an Active Directory Domain using Realmd (Configure CentOS/RHEL 7 as active directory client)?

Realmd provides a simple way to discover and join identity domains. It configures Linux system services such as sssd or winbind to do the actual network authentication and user account lookups. With the release of CentOS/RHEL 7, realmd is fully supported and can be used to join IdM, AD, or Kerberos realms. The main advantage of using realmd is the ability to provide a simple one-line command to enroll into a domain as well as configure network authentication. For example, realmd can easily configure:

  • PAM Stack
  • NSS Layer
  • Kerberos
  • SSSD
  • Winbind


Configure CentOS/RHEL 7 as an Active Directory client using realmd

Follow the steps outlined below to configure Linux client using Realmd to connect to an Active Directory (AD) domain.


1. Install the required packages to configure the AD client.

# yum install realmd oddjob oddjob-mkhomedir sssd adcli openldap-clients policycoreutils-python samba-common samba-common-tools krb5-workstation


We can use the list subcommand to ensure that we are not currently part of a domain:

# realm list


The output should be blank. Now, we are ready to proceed with the next step- discovering and joining the domain.


2. Discover the active directory domain and join with the below commands.

# realm discover
type: kerberos
realm-name: AD.EXAMPLE.COM
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
# realm join
Password for Administrator:
realm: Joined domain


3. Verify the kerberos configuration file /etc/krb5.conf to include:

# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

   kdc = [hostname_of_server]
   admin_server =



4. Verify /etc/sssd/sssd.conf to have below entries.

# cat /etc/sssd/sssd.conf
domains =
config_file_version = 2
services = nss, pam

ad_server =
ad_domain =
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumeration = True


5. Assign appropriate permission to sssd.conf.

# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# systemctl start sssd




Verify connection with following command:

# id
# ssh


Example of these command are shown below.

# id
uid=1348601103( gid=1348600513(domain groups=1348600513(domain


# ssh's password:
Creating home directory for

$ pwd


Was this answer helpful? 0 Users Found This Useful (0 Votes)