Join an Active Directory Domain
2015/06/07
Join this Linux host to a Windows Active Directory domain with adcli and SSSD, so that domain accounts can be resolved and can log in locally.
This tutorial needs a Windows Active Directory Domain Service reachable on your LAN.
The example below is configured for the following environment:
  Domain Server : Windows Server 2012 R2
  Domain Name   : FD3S01
  Realm         : FD3S.SRV.WORLD
  Hostname      : fd3s.srv.world
[1] Install the required packages. adcli and sssd come from EPEL, so enable that repository for this transaction.
# install from EPEL
[root@dlp ~]# yum --enablerepo=epel -y install adcli sssd authconfig pam_krb5 samba4-common
[2] Join the Active Directory domain.
Point the host's DNS at the domain controller first: adcli, Kerberos and SSSD locate the KDC and LDAP service through SRV records that only the AD DNS serves. Kerberos also requires the host clock to be within a few minutes of the domain controller, so make sure time is synchronised before joining.
[root@dlp ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# change the DNS setting to the AD server's address
DNS1=10.0.0.100
[root@dlp ~]# /etc/rc.d/init.d/network restart
# change the Authentication Provider
[root@dlp ~]# authconfig \
--enablekrb5 \
--krb5kdc=fd3s.srv.world \
--krb5adminserver=fd3s.srv.world \
--krb5realm=FD3S.SRV.WORLD \
--enablesssd \
--enablesssdauth \
--update
# make sure the Active Directory domain info can be discovered
[root@dlp ~]# adcli info FD3S.SRV.WORLD
[domain]
domain-name = fd3s.srv.world
domain-short = FD3S01
domain-forest = fd3s.srv.world
domain-controller = fd3s.fd3s.srv.world
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = fd3s.fd3s.srv.world
[computer]
computer-site = Default-First-Site-Name
# join the Active Directory Domain
[root@dlp ~]# adcli join FD3S.SRV.WORLD
Password for Administrator@FD3S.SRV.WORLD:     # AD's Administrator password
The join creates a computer account for this host in the domain and writes its Kerberos keys to /etc/krb5.keytab; that keytab is the host's credential and must stay readable by root only. The domain Administrator is used here for simplicity; any account that has been delegated the right to join computers to the domain works as well (adcli join -U <user>).
Next create the SSSD configuration. SSSD refuses to start unless this file is owned by root and mode 0600, hence the chmod at the end; (re)start sssd after writing it so the new domain section is loaded.
[root@dlp ~]# vi /etc/sssd/sssd.conf
# create new (replace the hostname in the example with your own)
[sssd]
domains = fd3s.srv.world
config_file_version = 2
services = nss, pam

[domain/fd3s.srv.world]
ad_domain = fd3s.srv.world
krb5_realm = FD3S.SRV.WORLD
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

[root@dlp ~]# chmod 600 /etc/sssd/sssd.conf
access_provider = ad rejects accounts that are disabled or expired in AD but otherwise admits every domain user; if only a group should be able to log in to this host, restrict it further with ad_access_filter. The umask=077 on pam_mkhomedir below ensures a freshly created home directory is private to its owner.
[root@dlp ~]# vi /etc/pam.d/system-auth
# add the following to the end (creates the home directory on first login if it does not exist)
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
# make sure an AD user's info can be resolved
[root@dlp ~]# id Serverworld
uid=797801106(serverworld) gid=797800513(domain users) groups=797800513(domain users)
# make sure it's possible to switch to an AD user
[root@dlp ~]# su - Serverworld
Creating directory '/home/fd3s.srv.world/serverworld'.
[serverworld@dlp ~]$    # just switched
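The id and su checks above prove that name resolution and authentication work, but not that the policy written into sssd.conf is what you intended. The script below is an added example, not part of the original tutorial, that audits an sssd.conf for the settings which decide who may log in through SSSD and which credential material stays on the host. It assumes a POSIX sh with GNU (or BSD) stat, and the config it audits in demo_audit is a constructed copy of the one from this page.

```shell
#!/bin/sh
# sssd_audit.sh -- added example, not part of the original tutorial.
# Audits an sssd.conf for the settings that decide who may log in through
# SSSD and which secrets remain on the host. Hard failures return 1; WARN
# lines are advisory. Assumes GNU or BSD stat and a POSIX sh.

# conf_get FILE KEY: value of the first "KEY = value" line in FILE, trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_sssd_conf FILE: run the checks, print one line per finding.
audit_sssd_conf() {
    f="$1"
    rc=0

    # sssd refuses to start unless the file is root-owned and mode 0600;
    # anything looser leaks the domain layout and any ldap_default_authtok.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) echo "OK   $f is mode $mode" ;;
        *)       echo "FAIL $f is mode $mode (chmod 600 $f)"; rc=1 ;;
    esac

    # No access_provider means the default, 'permit': every domain account
    # that can authenticate gets a session on this host.
    ap=$(conf_get "$f" access_provider)
    case "$ap" in
        "") echo "FAIL access_provider missing (defaults to permit)"; rc=1 ;;
        ad) echo "OK   access_provider = ad (honours disabled/expired accounts)" ;;
        *)  echo "WARN access_provider = $ap (review its rules)" ;;
    esac

    # 'ad' alone admits every enabled user; limit the host to a group with
    # ad_access_filter when it is not a general-purpose login box.
    if [ "$ap" = ad ] && [ -z "$(conf_get "$f" ad_access_filter)" ]; then
        echo "WARN no ad_access_filter: any enabled domain user may log in"
    fi

    # Offline-login conveniences leave credential material on the host:
    # cache_credentials keeps salted hashes under /var/lib/sss/db, and
    # krb5_store_password_if_offline keeps the plaintext password in the
    # kernel keyring until the KDC is reachable again.
    if [ "$(conf_get "$f" cache_credentials)" = True ]; then
        echo "WARN cache_credentials = True: hashed passwords persist on disk"
    fi
    if [ "$(conf_get "$f" krb5_store_password_if_offline)" = True ]; then
        echo "WARN krb5_store_password_if_offline = True: plaintext kept in keyring while offline"
    fi

    # Short names let a domain 'serverworld' collide with a local account of
    # the same name; nsswitch order then decides which one 'su -' picks.
    if [ "$(conf_get "$f" use_fully_qualified_names)" = False ]; then
        echo "WARN use_fully_qualified_names = False: check for local/domain name collisions"
    fi

    return "$rc"
}

# demo_audit: write a constructed copy of the tutorial's sssd.conf to a
# temp file with the tutorial's chmod 600 applied, audit it, and clean up.
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/sssd.conf" <<'EOF'
[sssd]
domains = fd3s.srv.world
config_file_version = 2
services = nss, pam

[domain/fd3s.srv.world]
ad_domain = fd3s.srv.world
krb5_realm = FD3S.SRV.WORLD
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
EOF
    chmod 600 "$d/sssd.conf"
    audit_sssd_conf "$d/sssd.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Stand-alone run audits the constructed config; on a joined host call
# audit_sssd_conf /etc/sssd/sssd.conf instead.
demo_audit
```

Run against the tutorial's configuration the audit passes (mode 0600, access_provider = ad) but emits WARN lines for the offline-credential caching and the missing ad_access_filter, which is exactly the trade-off a host administrator should make consciously rather than by default.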