At its heart, a directory service is just an organized way of itemizing all the resources in an organization while facilitating easy access to those resources. Basically, AD is a kind of distributed database, which is accessed remotely via the Lightweight Directory Access Protocol (LDAP). LDAP is an open protocol for remotely accessing directory services over a connection-oriented medium such as TCP/IP.
AD is not the only directory service based on the x.500 standard, or that can be accessed using LDAP. Other directory services include OpenLDAP and FreeIPA. However, AD is a mature Windows-based service that comes incorporated with Windows Server systems. In other words, it’s going to be the automatic winner when your organization has many Windows systems. This is one of the reasons for its ubiquity. Directory services such as FreeIPA are Linux-based and provide an excellent service for a Linux stable. When the rubber hits the road, the choice boils down to which of the two you can set up quickly, given your current environment and your team’s skill set.
[ Learn how to manage your Linux environment for success by downloading this free eBook. ]
But what happens when you choose AD, and you have a few CentOS servers, and you do not want to maintain a separate set of credentials for your Linux users? That overhead is entirely avoidable. What you need to do is join the Linux servers to the AD domain, like you would a Windows server.
If that is what you need to do, then read on to find out just how to do it. It is possible to join a Windows system to a FreeIPA domain, but that is outside the scope of this article.
Prerequisites
This article presupposes that you have at least some introductory-level experience with Active Directory, especially around user and computer account management. Aside from that, the following obvious requirements need to be met:
- An account in AD that has the privileges necessary to join a system to the domain.
- A Linux server (a CentOS 7 server was used for this demonstration).
- A Domain Controller.
- Ensure your Linux server knows how to find the domain controller via DNS.
To make this article easier on everyone, here’s a list of key details. This is how the lab I used for this write up is set up, so you should modify accordingly.
- AD Domain Name: Hope.net
- User account for joining the domain: fkorea (Fullname – Fiifi Korea)
- Linux server hostname: centy2
Packages to install
For this configuration, the essential package to install is realmd
. Aside from realmd
, there are a host of packages that need to be installed to make this work.
<span class="hljs-meta">#</span><span class="bash"> yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python</span>
Realmd
provides a simplified way to discover and interact with Active Directory domains. It employs sssd
to do the actual lookups required for remote authentication and other heavy work of interacting with the domain. In the interest of brevity, I won’t dwell on the other packages in the list.
However, for those interested in the details, a quick Google search should be of great help.
Realmd (interacting with the domain)
Now that all packages have been installed, the first thing to do is to join the CentOS system to the Active Directory domain. We use the realm
application for that. The realm
client is installed at the same time as realmd
. It is used to join, remove, control access, and accomplish many other tasks. Here is the expected syntax for a simple domain join:
realm join --user=[domain user account] [domain name]
The space between the user account and the domain account is not a typo. By inserting the corresponding details, we get the following command:
<span class="hljs-meta">#</span><span class="bash"> realm join --user=fkorea hope.net</span>
Supply the password when the prompt appears and wait for the process to end.
Don’t let the short absence of output deceive you. There are a number of operations that go on as part of the process. You can tack on the -v
switch for more verbose output. However, the best way to check if the computer is now a member of the domain is by running the realm list
command. The command attempts to display the current state of the server with regard to the domain. It is a quick and dirty way to know which groups or users can access the server.
Have a look at its output:
It is also quite trivial to place the newly-created AD computer object in a specific Organizational Unit (OU) from the onset. I’ll leave that for further reading, but, as a tip, you can consult the man page. Using the realm
client, you can grant or revoke access to domain users and groups. A deep dive on using realmd
in a more fine-grained way is enough to make another article. However, I will not be out of order to pick out a few parameters for your attention, namely client-software and the server-software. By now, you should understand why we had to install so many packages.
To leave the domain altogether, you need two words: realm leave
Further configuration
So now that the Linux server is part of the AD domain, domain users can access the server with their usual credentials. We are done, right? Wrong. “What’s the problem?” I hear you say.
[ Free cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ]
Well, for starters, this is the barebones configuration to get you up and running. But the experience is clunky, to say the least. We need to configure the service further to give it a true AD feel. It should be just like logging on to a domain-joined Windows 10 workstation.
Secondly, there is the big elephant in the room for sysadmins called Dynamic DNS Updates (DynDNS). If it is not set up correctly, we create extra overhead by having to maintain DNS records manually. For an environment that relies heavily on DNS, that could be a problem. For Windows systems, joining a system to the domain means two entries are automatically managed and maintained on the DNS server. When IP addresses change, the change is automatically reflected in DNS. This means you can change the IPs of systems without incurring the cost of manual maintenance. This will only make sense to people who already take advantage of DNS in their environments. Aside from the noticeable productivity gains of automation, it helps to have both Windows and Linux environments working the same way.
The third issue is DNS Scavenging. In an Active Directory domain, DNS is usually provided by the Domain Controllers. Every system joined to the domain has an automatic DNS entry with a corresponding IP address. This is super convenient. Automatically, at a specified interval, stale DNS records are deleted to prevent misdirected packets and also take care of deleted computer objects. This is known as scavenging, and it is not turned on by default in AD. However, if it is turned on, we need to configure it. Typically, the scavenging interval is seven days. If, after that period, there has been no update to the record, it is deleted, unless it is a static record. For Windows systems, the Dynamic Updates feature is automatically set up. However, with Linux servers, a few modifications need to be made. Without doing that, we will have services going down after a while because their records are deleted from DNS, and no one knows how to reach their component parts.
Now that we know some of the potential issues we need to address, let’s take a look at some of the things we can tweak to deliver a more seamless experience to the end-user and the sysadmin.
SSSD (easier logins and dynamic updates)
sssd
on a Linux system is responsible for enabling the system to access authentication services from a remote source such as Active Directory. In other words, it is the primary interface between the directory service and the module requesting authentication services, realmd
. Its main configuration file is located at /etc/sssd/sssd.conf
. As a matter of fact, this is the main configuration file we will modify.
Let’s have a look at its contents before configuration. Once you join the domain, it is immediately modified to contain the minimum information required for a successful logon. My file looked like this:
In order to solve all three of the problems I mentioned earlier, edit your file to look like the one below:
Most of the options are self-explanatory, and you can modify yours accordingly while we step through what some of the key options represent. More information on all the options can be obtained by checking the man page. I think it is well written. Just type man 5 sssd.conf
at the command line. You can also view the man page for sssd_ad
for further information.
First and foremost, the configuration file is separated into two sections. The global section, under [sssd] and the domain-specific options section, [domain/[domain name]].
The global section contains options that affect the general behavior of sssd
, such as the version information and related services. One key parameter under this section is shown below:
- default_domain_suffix – Set this to the domain name if you do not want to have to type the full user account name when logging in. Instead of having to type
fkorea@hope.net
always, you can just type fkorea
and the password. This helps a lot when you have a long domain name.
The domain-specific section contains parameters that are specific to the domain you have joined. Key parameters are:
Once the configuration is complete, restart sssd
to apply settings immediately.
<span class="hljs-meta">#</span><span class="bash"> systemctl restart sssd</span>
At this point, we are set. We can now login like we would at a Windows workstation or server.
Visudo (granting admin privileges)
Users that are granted access have unprivileged access to the Linux server. For all intents and purposes, all Active Directory accounts are now accessible to the Linux system, in the same way natively-created local accounts are accessible to the system. You can now do the regular sysadmin tasks of adding them to groups, making them owners of resources, and configure other needed settings. If the user tries any activity that requires sudo
access, the familiar error is presented. As can be seen in the inset, our user is not in the sudoers
file.
In that light, we can edit the sudoers
file directly to grant them superuser privileges. This is not an article on granting superuser privileges, but we can use the visudo
tool to interact safely with the sudoers
file.
Alternatively, we could have just added the user to the wheel
group. The point is the user account is now available to be used by the system.
[ Network getting out of control? Check out Network automation for everyone, a free book from Red Hat. ]
Wrap up
Try this out in your organization or lab environment. It is obvious I just scratched the surface on this topic but this will get you pretty far into the process. Check out the respective documentation if you want to explore options not covered in this article.
Joining a Linux system to an Active Directory domain allows you to get the best of both worlds. The process is very simple and can be scripted using Bash or automated using Ansible, especially during the system’s initial setup. If you are still managing a group of more than five systems without a directory service and a good reason, please do yourself a favor and get one set up. You can thank me later.