@NightyKnight
Created November 18, 2019 22:01
Join Linux Client to Microsoft Active Directory
Table of Contents
1.0 PROCEDURE FOR JOINING LINUX CLIENT TO ACTIVE DIRECTORY
1.1 Assumptions
2.0 Prerequisites
2.1 Install Realm and Dependencies
3.0 Join Linux Client to Active Directory
3.1 Discover Domains on the Local Network
3.2 Join the Client to the Domain
3.3 Modify the SSSD Configuration
3.4 Set Domain User Permissions
3.5 Set Local Admin Permissions
3.6 Ubuntu: Automatically Create Home Directory
4.0 Troubleshooting
4.1 Invalidate SSS Cache
4.2 Failure When Joining the Domain
5.0 Reference
1.0 PROCEDURE FOR JOINING LINUX CLIENT TO ACTIVE DIRECTORY
1.1 Assumptions
• Basic Linux command line knowledge
• Domain Admin rights
• Local Admin rights
2.0 Prerequisites
2.1 Install Realm and Dependencies
2.1.1 RedHat or CentOS
sudo yum update
sudo yum install realmd oddjob oddjob-mkhomedir sssd adcli samba-common-tools
2.1.2 Ubuntu
sudo apt-get update
sudo apt-get install realmd oddjob oddjob-mkhomedir sssd sssd-tools adcli samba-common
3.0 Join Linux Client to Active Directory
3.1 Discover Domains on the Local Network
realm discover
Note: You will want to copy the domain-name value for the join command below.
3.2 Join the Client to the Domain
realm join ncr.dev -U yourdomainadmin --computer-ou="ou=Linux,ou=Computers" --os-name=CentOS --os-version="7.7.1908" --membership-software=adcli
Note: Update OS Name and Version to match your client for accurate records.
3.2.1 When prompted, login with your Domain Admin credentials.
3.2.2 Then you will be prompted for your local admin user credentials.
3.2.3 Verify the join was successful
realm list
Note: If the join was successful, the output contains the line “configured: kerberos-member” under the domain.
3.3 Modify the SSSD Configuration
3.3.1 Open the sssd.conf file for editing as root or via sudo.
# On Ubuntu use nano instead of vi.
# The file must stay owned by root with mode 0600, otherwise sssd refuses to start.
sudo vi /etc/sssd/sssd.conf
3.3.2 Find the following lines under the [domain/ncr.dev] section.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
3.3.3 Then change the values to the following.
use_fully_qualified_names = False
fallback_homedir = /home/%u
3.3.4 Restart the sssd service to apply changes.
sudo systemctl restart sssd
3.3.5 Verify domain connectivity by requesting user information.
id some_domain_user
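The edit in step 3.3 and the check in step 3.2.3 are easy to get wrong by hand (a key changed in the wrong section, a typo that keeps sssd from starting). The following shell helpers, an added example that is not part of the original gist, make both repeatable. They assume that `realm list` prints each realm name unindented followed by indented “key: value” lines, and that sssd.conf uses “key = value” lines under “[domain/<name>]” headers; the domain name ncr.dev is the one used in the gist, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): helpers for steps 3.2.3 and 3.3.
# Assumes the output layout of `realm list` and the INI layout of sssd.conf
# described in the lead-in. Run as root only when using --apply.
set -eu

# realm_is_member DOMAIN   (reads `realm list` output on stdin)
# Exit 0 when DOMAIN's block contains "configured: kerberos-member".
realm_is_member() {
    local domain="$1" in_block=0 line
    while IFS= read -r line; do
        case "$line" in
            "$domain") in_block=1 ;;            # start of the block we care about
            ' '*)                               # indented "key: value" line
                if [ "$in_block" -eq 1 ]; then
                    case "$line" in *configured:*kerberos-member*) return 0 ;; esac
                fi ;;
            *) in_block=0 ;;                    # another realm (or noise) begins
        esac
    done
    return 1
}

# sssd_set_option CONF SECTION KEY VALUE
# Rewrite "KEY = VALUE" inside [SECTION] only, leaving every other line and
# every other section untouched; if the key is missing from that section it
# is appended at the end of the section. The file is rewritten in place
# (cat > file) so its root-only 0600 mode is preserved.
sssd_set_option() {
    local conf="$1" section="$2" key="$3" value="$4" tmp
    tmp="$(mktemp)"
    awk -v sect="[$section]" -v key="$key" -v val="$value" '
        function emit() { if (in_sect && !done) { print key " = " val; done = 1 } }
        /^\[/   { emit(); in_sect = ($0 == sect) }     # new section header
        in_sect { k = $0; sub(/^[ \t]+/, "", k); sub(/[ \t]*=.*$/, "", k)
                  if (k == key) { emit(); next } }    # replace (or drop duplicate)
                { print }
        END     { emit() }                            # key missing: append
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# apply_unqualified_names DOMAIN: the step 3.3 edit on the live file.
apply_unqualified_names() {
    sssd_set_option /etc/sssd/sssd.conf "domain/$1" use_fully_qualified_names False
    sssd_set_option /etc/sssd/sssd.conf "domain/$1" fallback_homedir '/home/%u'
    systemctl restart sssd
}

# Usage (as root):  ./sssd-helpers.sh --apply ncr.dev
if [ "${1:-}" = "--apply" ]; then
    apply_unqualified_names "${2:?usage: $0 --apply DOMAIN}"
    realm list | realm_is_member "$2" && echo "$2: configured as kerberos-member"
fi
```

Because the rewrite is section-scoped, a host with more than one domain block keeps the other domain's fully qualified names, and re-running the script is harmless.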
3.4 Set Domain User Permissions
3.4.1 Deny all domain users by default.
realm deny --all
3.4.2 Allow the NCR-Sudoers domain group to login.
realm permit -g NCR-Sudoers
3.4.3 Allow the local user’s domain account to login.
realm permit some_domain_user
3.5 Set Local Admin Permissions
3.5.1 Grant the NCR-Sudoers group sudo rights with a drop-in file under /etc/sudoers.d/.
sudo vi /etc/sudoers.d/ncr-sudoers
# Add the following line to the newly created file.
# The file must be mode 0440; visudo -f validates the syntax before saving.
%NCR-Sudoers ALL=(ALL) ALL
3.5.2 Grant the local user's domain account sudo rights with its own drop-in file.
sudo vi /etc/sudoers.d/some_domain_user
# Add the following line to the newly created file.
some_domain_user ALL=(ALL) ALL
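Steps 3.4 and 3.5 are the two places where this procedure decides who may log in and who may become root, so they are worth auditing after the fact. The script below is an added example, not part of the original gist. It assumes that `realm deny --all` and `realm permit` write `access_provider = simple` together with `simple_allow_groups` / `simple_allow_users` into the “[domain/<name>]” section of sssd.conf (realmd's documented behaviour), and that sudo honours a file in /etc/sudoers.d only when its name contains no “.” and does not end in “~”. The sample configuration and drop-in files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): read-only audit of the login and sudo
# restrictions from steps 3.4 and 3.5. Assumptions are listed in the lead-in.
set -eu

# sssd_access_get CONF SECTION KEY: print the value of KEY inside [SECTION].
sssd_access_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/   { in_sect = ($0 == sect) }
        in_sect { n = index($0, "=")
                  if (n == 0) next
                  k = substr($0, 1, n - 1); v = substr($0, n + 1)
                  gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                  if (k == key) print v }
    ' "$1"
}

# list_has LIST NAME: exit 0 if NAME is one of the comma-separated entries.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qxF -- "$2"
}

# login_allowed CONF SECTION USER [GROUP...]
# Exit 0 only when access_provider is "simple" (realm deny --all has been
# run) and USER or one of the user's GROUPS is on an allow list. Any other
# provider, including the default "ad", is reported as not locked down.
login_allowed() {
    local conf="$1" sect="$2" user="$3" g
    shift 3
    [ "$(sssd_access_get "$conf" "$sect" access_provider)" = "simple" ] || return 1
    list_has "$(sssd_access_get "$conf" "$sect" simple_allow_users)" "$user" && return 0
    for g in "$@"; do
        list_has "$(sssd_access_get "$conf" "$sect" simple_allow_groups)" "$g" && return 0
    done
    return 1
}

# sudoers_dropin_ok FILE
# Exit 0 when sudo will actually honour FILE: name without '.' or trailing
# '~', mode 0440, and every non-comment line of the "<user|%group> ALL=(ALL) ALL"
# shape used in step 3.5 (optionally with NOPASSWD:).
sudoers_dropin_ok() {
    local f="$1" mode
    case "${f##*/}" in *.*|*~) return 1 ;; esac
    mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"   # GNU, then BSD stat
    [ "$mode" = "440" ] || return 1
    ! grep -Evq '^(#.*|[[:space:]]*|[^[:space:]]+[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL)$' "$f"
}

# audit_host DOMAIN: summarise the live files (needs root to read sssd.conf).
audit_host() {
    local f conf=/etc/sssd/sssd.conf
    echo "access_provider: $(sssd_access_get "$conf" "domain/$1" access_provider)"
    echo "allowed groups : $(sssd_access_get "$conf" "domain/$1" simple_allow_groups)"
    echo "allowed users  : $(sssd_access_get "$conf" "domain/$1" simple_allow_users)"
    for f in /etc/sudoers.d/*; do
        [ -e "$f" ] || continue
        if sudoers_dropin_ok "$f"; then echo "ok   $f"; else echo "BAD  $f"; fi
    done
}

# Usage (as root):  ./ad-access-audit.sh --audit ncr.dev
if [ "${1:-}" = "--audit" ]; then audit_host "${2:?usage: $0 --audit DOMAIN}"; fi
```

The drop-in check is a shape test, not a parser; `visudo -c -f FILE` remains the authoritative syntax check for a single sudoers file.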
3.6 Ubuntu: Automatically Create Home Directory
sudo pam-auth-update
3.6.1 Check the option to “Create Home Directory on Login”
4.0 Troubleshooting
4.1 Invalidate SSS Cache
# Invalidate a specific user's SSS cache
sss_cache -u user1
# Invalidate the whole SSS cache
sss_cache -E
4.2 Failure When Joining the Domain
4.2.1 Check that the computer doesn’t already exist on the domain.
5.0 Reference
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/ch-configuring_authentication
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-cache