This article demonstrates how to join (bind) a Red Hat/CentOS or Ubuntu Linux system to an Active Directory domain, and how to have each user's home directory created automatically the first time they log in.
Prepare and Join Linux to a Windows Domain
Check the hostname. This is the name of the computer object that will be created in AD under Computers.
hostnamectl
If need be, change the hostname to whatever is more suitable:
hostnamectl set-hostname MY-SERVER.example.local
Install “realmd”:
yum install realmd
Or:
apt update; apt install realmd
Install the dependencies:
yum install oddjob oddjob-mkhomedir sssd samba-common-tools
Or (note that the following package names are not verified):
apt install oddjob oddjob-mkhomedir sssd samba-common
Discover the domain(s) on the local network:
realm discover
You’ll see output similar to the following:
[root@server ~]# realm discover example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
TIP: You could run “realm list” to see whether the system is already bound to a domain. But if you had to install the “realmd” package, it’s unlikely that the system is already bound to one.
Join the Linux system to the domain:
realm join example.local -U my-admin-user@EXAMPLE.COM
IMPORTANT: Note the upper and lower case of the “@EXAMPLE.COM” part in the sample above. It should work as written, but if you get errors at this point, try changing the case.
Once bound, you should be able to run “realm list” and see the following:
[root@server ~]# realm list
example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.local
  login-policy: allow-realm-logins
Now you can try to log into the Linux system as a domain user. You will notice that a new home directory has been created. Pay attention to the owner user and owner group, and note that the name of the user’s home directory includes the domain name.
[root@server ~]# ls -l /home/
total 8
drwx------. 2 my-user@example.local domain users@example.local 62 Sep 1 11:04 my-user@example.local
...
The home directory was created automatically at login. And if you’re logging in from a Windows computer that is on the same domain, using the same username, you won’t be prompted for credentials.
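The join procedure above has two common failure points: “realm discover” finds nothing because the system’s DNS resolver cannot see the domain controllers, and a “successful” join that still leaves “configured: no”. The following script is an added example (not part of the original article) that checks both: it parses “realm list” output for the configured state and login format, derives the home directory that oddjob-mkhomedir will create for a user from that login format, and, when the host is not joined, queries the DNS SRV record that AD publishes for its domain controllers. The domain example.local, the user my-user and the SAMPLE_REALM_LIST text are constructed values for illustration; the live section runs only where the realm tool is installed.

```shell
#!/bin/sh
# Added example (not from the article): pre-join DNS check and post-join verification
# for a realmd/sssd domain join. Assumed values: domain example.local, user my-user.
# SAMPLE_REALM_LIST is constructed text in the shape that "realm list" prints.

AD_DOMAIN="${AD_DOMAIN:-example.local}"

SAMPLE_REALM_LIST='example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.local
  login-policy: allow-realm-logins'

# realm_field KEY: print the first value for "KEY:" in realm list/discover output read from stdin
realm_field() {
  awk -v key="$1:" '$1 == key { print $2; exit }'
}

# realm_joined: succeed only when the output on stdin says this host is a Kerberos member
realm_joined() {
  [ "$(realm_field configured)" = "kerberos-member" ]
}

# expected_home FORMAT USER: the home directory oddjob-mkhomedir will create for USER,
# derived from the realm's login-formats value (%U stands for the bare username)
expected_home() {
  printf '/home/%s\n' "$(printf '%s' "$1" | sed "s/%U/$2/")"
}

# dc_srv_records DOMAIN: list the domain controllers AD publishes in DNS. realm discover
# depends on this lookup, so an empty answer usually points at a resolver problem.
dc_srv_records() {
  command -v dig >/dev/null 2>&1 || { echo "dig is not installed" >&2; return 2; }
  dig +short SRV "_ldap._tcp.dc._msdcs.$1"
}

# Live check, only where the realm tool exists; the functions above also work on the
# constructed sample on any system.
if command -v realm >/dev/null 2>&1; then
  out=$(realm list 2>/dev/null)
  if printf '%s\n' "$out" | realm_joined; then
    fmt=$(printf '%s\n' "$out" | realm_field login-formats)
    echo "joined; a first login by my-user would create $(expected_home "$fmt" my-user)"
  else
    echo "not joined to any realm; domain controllers published in DNS for $AD_DOMAIN:"
    dc_srv_records "$AD_DOMAIN"
  fi
fi
```

If “realm list” reports “configured: no” after a join that printed no error, check the SRV lookup first; sssd and adcli both locate domain controllers through those records, and a resolver that points at a public DNS server instead of the domain controllers is the usual cause.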
Restrict Who Can SSH
Bonus: If you want to restrict who can SSH into the server, add the following line to the bottom of the “/etc/ssh/sshd_config” file. The “sysadmin@example.local” part specifies the AD group that you’re permitting to SSH into the server. Only members of that group will be permitted to SSH into the Linux server.
AllowGroups sysadmin@example.local
And then restart the “sshd” service.
systemctl restart sshd
Restrict Who Can Sudo
Bonus: If you want to restrict who can sudo when logged into the Linux server, you can add the following line to the bottom of the “/etc/sudoers” file. In this example, anyone in the AD group “sysadmin” will be able to sudo. Keep in mind that anyone in AD can log into the Linux system, but they won’t have sudo access unless they are in the specified group.
%sysadmin@example.local ALL=(ALL) NOPASSWD: ALL
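Both of the bonus steps above edit a security-critical file by hand, and a typo in either one locks people out: a bad sshd_config stops sshd from restarting, and a syntax error anywhere in the sudoers files makes sudo refuse to run for everyone. The script below is an added example (not part of the original article) that applies the same two restrictions in a safer way: it appends each line only if it is not already present, so re-running it never duplicates directives; it writes the sudo rule to a drop-in file in /etc/sudoers.d with the 0440 mode that sudo requires; and it validates each file with the daemon’s own parser (sshd -t and visudo -c) before reloading sshd or leaving the drop-in in place. The group sysadmin, the realm example.local, the drop-in name ad-sysadmin and the service name sshd are assumed values; the real system files are only touched when the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the article): apply the SSH and sudo restrictions idempotently
# and validate each file before it takes effect. Assumed values: AD group "sysadmin" in
# realm example.local, sshd config /etc/ssh/sshd_config, drop-in /etc/sudoers.d/ad-sysadmin.

AD_GROUP="${AD_GROUP:-sysadmin}"
AD_DOMAIN="${AD_DOMAIN:-example.local}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SUDOERS_DROPIN="${SUDOERS_DROPIN:-/etc/sudoers.d/ad-sysadmin}"

# sshd_allowgroups_line GROUP DOMAIN: the AllowGroups directive using sssd's group naming
sshd_allowgroups_line() {
  printf 'AllowGroups %s@%s\n' "$1" "$2"
}

# sudoers_line GROUP DOMAIN: the sudoers rule for the AD group (%% prints a literal %)
sudoers_line() {
  printf '%%%s@%s ALL=(ALL) NOPASSWD: ALL\n' "$1" "$2"
}

# ensure_line FILE LINE: append LINE unless an identical line is already present
ensure_line() {
  file=$1; line=$2
  [ -f "$file" ] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# count_directive FILE NAME: number of lines in FILE that start with "NAME " (idempotence check)
count_directive() {
  grep -c "^$2 " "$1" || true
}

# write_sudoers_dropin FILE GROUP DOMAIN: sudo only honours files in /etc/sudoers.d that are
# mode 0440 and whose names contain no '.' or '~'
write_sudoers_dropin() {
  ensure_line "$1" "$(sudoers_line "$2" "$3")"
  chmod 0440 "$1"
}

# Validators: each runs the daemon's own parser so a broken file is caught before use.
validate_sshd_config() { sshd -t -f "$1"; }
validate_sudoers_file() { visudo -cf "$1" >/dev/null; }

apply_hardening() {
  ensure_line "$SSHD_CONFIG" "$(sshd_allowgroups_line "$AD_GROUP" "$AD_DOMAIN")"
  validate_sshd_config "$SSHD_CONFIG" || { echo "sshd_config rejected; not reloading sshd" >&2; return 1; }
  systemctl reload sshd
  write_sudoers_dropin "$SUDOERS_DROPIN" "$AD_GROUP" "$AD_DOMAIN"
  validate_sudoers_file "$SUDOERS_DROPIN" || {
    echo "sudoers drop-in rejected; removing it so sudo keeps working" >&2
    rm -f "$SUDOERS_DROPIN"
    return 1
  }
}

# Only touch the real system files when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  apply_hardening
fi
```

Two points to check before running it with --apply: AllowGroups matches the group name exactly as sssd presents it (“sysadmin@example.local” with the realm’s default login format, which is what the “ls -l /home/” output above shows for the group column), and sshd applies a directive appended to the bottom of sshd_config within the last Match block if the file ends with one, so confirm the line landed in the global section.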