Enrolling an Active Directory CentOS-7 client machine using adcli

In this example, my AD server domain is 'ejyothi.net' and the server that runs the domain is 'Pamba.ejyothi.net'.

Start the setup by enabling the EPEL repository and installing the 'adcli' package:

# yum install adcli

We can type just 'adcli' to get an overview of what commands adcli supports.

We're interested in joining the client to the AD domain in order to be able to log in as users from Active Directory.

Now you should be able to find your domain already:

# adcli info ejyothi.net

[domain]

domain-name = ejyothi.net

domain-short = EJYOTHI

domain-forest = ejyothi.net

domain-controller = Pamba.ejyothi.net

domain-controller-site = Default-First-Site-Name

domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web

domain-controller-usable = yes

domain-controllers = Pamba.ejyothi.net mamba.ejyothi.net krait.ejyothi.net

[computer]

computer-site = Default-First-Site-Name

As we can see, adcli was able to discover quite a few details about our domain, so it's time to join the client:

# adcli join ejyothi.net

Password for Administrator@EJYOTHI.NET:

You'll be prompted for the Administrator password by default, but it's possible to specify another user with the -U option. See the adcli man page for full list of details.

The join operation creates a keytab the machine will authenticate with.

It's recommended to also configure /etc/krb5.conf to use the AD domain:

#vim /etc/krb5.conf

[libdefaults]

dns_lookup_realm = true

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

default_realm = ejyothi.net

dns_lookup_kdc = true

[realms]

EJYOTHI.NET = {

kdc = Pamba.ejyothi.net

admin_server = Pamba.ejyothi.net

}

[domain_realm]

.ejyothi.net = EJYOTHI.NET

ejyothi.net = EJYOTHI.NET

Next step is setting up the SSSD (or Winbind if you like) to actually make use of the keytab to resolve users.

#yum install authconfig sssd

And create /etc/sssd/sssd.conf with your favorite editor (Read, vim).

#vim /etc/sssd/sssd.conf

[sssd]

services = nss, pam, ssh, autofs

config_file_version = 2

domains = EJYOTHI.NET

[domain/EJYOTHI.NET]

id_provider = ad

ad_server = Pamba.ejyothi.net

default_shell = /bin/bash

fallback_homedir = /home/%d/%u

Due to a stupid bug in sssd, you should echo an empty line to the end of the file and set the permission right. You also need to enable it with authconfig.

#chown root:root /etc/sssd/sssd.conf

#echo >> /etc/sssd/sssd.conf 

#chmod 0600 /etc/sssd/sssd.conf

#authconfig --enablesssd --enablesssdauth --enablemkhomedir –update

And finaly start sssd:

#service sssd start

You should now be able to test it with:

Syntax:

getent passwd username@your.ad.domain

id username

Example:

# getent passwd tonym@ejyothi.net

tonym:*:1631204706:1631200513:Tony Mathew:/home/EJYOTHI.NET/tonym:/bin/bash

If it works, you should be able to login with your adusername, with the right uid/gid and shell all set from AD.

if not, you have tons of logs in /var/log/sssd/*