November 8, 2018

Joining a Linux Client to an Active Directory Domain

By: Joseph Holsten | Solutions Architect


I've managed Linux user accounts more ways than I can remember, and the best technique I've found is to use a little Windows. Active Directory manages a handful of computers, users and groups just as easily as it manages thousands, and it's easy to set up:

Before you begin

You'll need to have already set up an Active Directory service <<Link to whitepaper>>, as well as launched the Oracle Linux instance you'd like to join to the domain.

On the instance you want to join to Active Directory, collect the following information. I'll use the bold name for the variable later, and my example values are in monospace.

  • Instance IP address: ip-address (10.0.0.14)
  • Instance short hostname: hostname (unicorn-painter-998)
  • Instance domain name (and Active Directory realm): domain (lilwoods.us)
  • Instance Fully Qualified Domain Name (for the IP address above): fqdn (unicorn-painter-998.lilwoods.us)
  • Active Directory IP address: dns-ip-address (10.0.0.13)
  • Active Directory user with permission to join the domain: join-user (mia427)
  • Active Directory group to be granted sudo access: admin-group (Unicorn-Admins)

Process

  1. All the following commands require superuser, so escalate privileges to root:

    sudo -i
  2. Edit /etc/resolv.conf so that the Active Directory server is the only nameserver, removing any other nameserver records. The domain controller then has to resolve every name the instance needs, so make sure its DNS service forwards queries it is not authoritative for (on OCI, to the VCN resolver it replaces). Change the line from its default:

    nameserver 169.254.169.254

    To:

    nameserver {dns-ip-address}

    Example:

    nameserver 10.0.0.13

    Note: on OCI the DHCP client rewrites /etc/resolv.conf at lease renewal, so make the change persistent in the DHCP client configuration as well, or it will be lost.
  3. Ensure the /etc/hosts file has a record with the instance's ip-address, fqdn and hostname by editing the top line of the file to:

    {ip-address} {fqdn} {hostname}
    

    Note: OCI instances default to an FQDN and hostname generated from the instance name provided when launching the instance. Make sure that there are no other records for the instance’s ip-address in the file.

    Example:

    10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998
  4. Install the following packages:

    yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools
    
  5. Discover the Active Directory realm (which is also our DNS domain):

    realm discover {domain}

    Example:

    realm discover lilwoods.us
    
  6. Join the Active Directory realm:

    realm join --verbose {domain} -U {join-user}
    

    Enter the join user's password when prompted. When the Linux server has been joined to the domain, the output ends with:

    Successfully enrolled machine in realm
    

    Example:

    realm join --verbose lilwoods.us -U mia427@lilwoods.us
    

  7. Allow members of the admin group to use sudo by editing the sudoers file:

    visudo
    

    Find the wheel group entry about half way down the file and add the Active Directory group below it, with a comment for future reference. The group is written as the realm (the domain name in upper case), a doubled backslash, then the group name; a space in the group name must be escaped with a backslash. The name must be exactly the one sssd resolves for the group, which you can confirm with getent group before relying on the rule.

    # Allow users in the admin group to run all commands
    %{realm}\\{admin-group} ALL=(ALL) ALL
    

    Example:

    # Allow users in the Unicorn-Admins group to run all commands
    %LILWOODS.US\\Unicorn-Admins ALL=(ALL) ALL
    
    
  8. Allow the SSH service to accept Active Directory passwords by editing /etc/ssh/sshd_config:

    • From PasswordAuthentication no to PasswordAuthentication yes

    Note: after the join every Active Directory user can log in, not only the admin group, and password authentication exposes the instance to password guessing. If the instance is reachable from the Internet, restrict which users or groups may log in (for example with realm permit) before enabling this.
  9. Restart sshd to apply config changes:

    systemctl restart sshd
    

     

And you're done! Your instance has now:

  • been registered in Active Directory
  • enabled SSH login for Active Directory users
  • been configured to create a home directory from the skeleton on a user's first login
  • enabled sudo access for members of the Active Directory admin group
  • enabled Kerberos authentication from this instance
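The whole procedure as one script, with the checks a practitioner wants before and after the join. This is an added example written for this article, not Oracle's tooling, and it goes beyond the steps above in three places: it installs oddjob, oddjob-mkhomedir, adcli and bind-utils alongside the listed packages (assumed to be what realmd needs for home directory creation, the join and the SRV lookup on Oracle Linux 7), it checks the DC's SRV record and clock sync before joining, and it restricts logins to the admin group with realm permit where the tutorial leaves every domain user able to log in. The environment variables, the /etc/sudoers.d/ad-admins file name and the --run flag are my conventions, and the default values are the tutorial's placeholders.

```shell
#!/bin/sh
# ad-join.sh: the tutorial's steps as one script, plus the checks that tell
# you whether the join actually worked.  Added example for this article, not
# Oracle's tooling.  Defaults are the tutorial's placeholder values;
# override them in the environment for a real host.
set -eu

DOMAIN="${DOMAIN:-lilwoods.us}"
DNS_IP="${DNS_IP:-10.0.0.13}"
IP_ADDRESS="${IP_ADDRESS:-10.0.0.14}"
SHORT_HOST="${SHORT_HOST:-unicorn-painter-998}"
FQDN="${FQDN:-$SHORT_HOST.$DOMAIN}"
JOIN_USER="${JOIN_USER:-mia427}"
ADMIN_GROUP="${ADMIN_GROUP:-Unicorn-Admins}"

# Step 3: leave exactly one record for the instance IP in an /etc/hosts-style
# file, FQDN first and short name second, dropping any stale record.
set_hosts_record() {
    local file ip fqdn short ip_re tmp
    file="$1"; ip="$2"; fqdn="$3"; short="$4"
    ip_re="$(printf '%s' "$ip" | sed 's/\./\\./g')"
    tmp="$(mktemp)"
    {
        printf '%s %s %s\n' "$ip" "$fqdn" "$short"
        grep -vE "^[[:space:]]*${ip_re}([[:space:]]|\$)" "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"   # keeps the original file's ownership and mode
    rm -f "$tmp"
}

# Step 7: the sudoers line for an AD group.  sudoers needs the backslash
# between realm and group doubled, and every space in the name escaped.
sudoers_rule() {
    local realm group
    realm="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    group="$(printf '%s' "$2" | sed 's/ /\\ /g')"
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$realm" "$group"
}

ad_join() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

    # Step 2.  On OCI the DHCP client rewrites this file at lease renewal,
    # so pin it in the DHCP client configuration too (not shown here).
    printf 'search %s\nnameserver %s\n' "$DOMAIN" "$DNS_IP" > /etc/resolv.conf
    set_hosts_record /etc/hosts "$IP_ADDRESS" "$FQDN" "$SHORT_HOST"

    # Step 4, plus oddjob/oddjob-mkhomedir/adcli (assumed needed by realmd for
    # home directory creation and the join) and bind-utils for the SRV check.
    yum -y -q install realmd sssd krb5-workstation krb5-libs samba-common-tools \
        oddjob oddjob-mkhomedir adcli bind-utils chrony

    # A join fails in confusing ways if the DC is not found through DNS or the
    # clock is off; Kerberos rejects tickets beyond 5 minutes of skew.
    host -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" > /dev/null \
        || { echo "no AD SRV record for $DOMAIN via $DNS_IP" >&2; exit 1; }
    chronyc waitsync 10 > /dev/null 2>&1 \
        || echo "warning: clock not yet synchronised; Kerberos may refuse the join" >&2

    # Steps 5 and 6
    realm discover "$DOMAIN"
    realm join --verbose "$DOMAIN" -U "$JOIN_USER"
    realm list | grep -q "^$DOMAIN" || { echo "realm join did not stick" >&2; exit 1; }

    # Beyond the tutorial: after a join realmd lets every domain account log
    # in; limit it to the admin group (adjust to your own login policy).
    realm permit -g "$ADMIN_GROUP@$DOMAIN"

    # Step 7 as a drop-in file, syntax-checked before sudo ever reads it, and
    # a check that sssd resolves the group under the name the rule uses.
    sudoers_rule "$DOMAIN" "$ADMIN_GROUP" > /etc/sudoers.d/ad-admins
    chmod 0440 /etc/sudoers.d/ad-admins
    visudo -cf /etc/sudoers.d/ad-admins
    getent group "$DOMAIN\\$ADMIN_GROUP" > /dev/null \
        || { echo "sssd does not resolve $DOMAIN\\$ADMIN_GROUP" >&2; exit 1; }

    # Steps 8 and 9, validating sshd_config before restarting the service.
    sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
    sshd -t
    systemctl restart sshd

    id "$JOIN_USER@$DOMAIN"   # shows the uid/gid mapping and groups sssd produced
}

case "${1:-}" in
    --run) ad_join ;;
    *) echo "usage: $0 --run" ;;
esac
```

Run it as root with `./ad-join.sh --run` after exporting your own values; without `--run` it only defines the helpers, so `sudoers_rule` and `set_hosts_record` can be tried against a copy of /etc/hosts before touching the real file. Writing the sudo rule as a drop-in and passing it through `visudo -cf` means a typo cannot lock you out of sudo on the whole host, and the `getent group` check catches the most common failure, a group name that sssd does not resolve in the form the rule uses.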
