
Join Linux server to Windows Active Directory Domain and Allow group of users

1) Packages to be installed

sssd, realmd, oddjob, oddjob-mkhomedir, adcli, samba-common, samba-common-tools, krb5-workstation, openldap-clients, policycoreutils-python, ntp

2) Add an entry for the domain server in the client's host file (/etc/hosts)

<ip add of AD server> <AD server FQDN> <AD node name>

3) Check the DNS client configuration file

cat /etc/resolv.conf
search <domain name>
nameserver <AD ip address>

To check the AD DNS server records, use the commands below

dig srv _kerberos._udp.ldap.<domain name>
dig srv _ldap._tcp.ldap.<domain name>

Note: realm does a DNS lookup for the _ldap and _kerberos SRV records, so the join fails if these are not resolvable from the client.

4) Check/configure NTP server sync (Kerberos rejects tickets if the clock skew to the AD server is too large)

systemctl enable ntpd.service
ntpdate <ntp server ip / fqdn>
systemctl start ntpd.service

5) To integrate the Linux server with the Windows domain

realm discover <FQDN of AD server> -v
realm join --user=<domain admin name> <FQDN of AD server>
realm list <FQDN of AD server> (OR) adcli info <domain name>

6) Pick any user on AD and check whether the same user is resolvable on the local server

id <username@domainname> (shows the user's details from Active Directory)
id <user name> (displays "no such user")

7) To avoid the above issue (short user names not resolving), add the following entry under the [sssd] section in
/etc/sssd/sssd.conf

default_domain_suffix = <domain name>

systemctl restart sssd
systemctl daemon-reload
8) Updating the authconfig

authconfig --enablesssd --enablesssdauth --update
authconfig --updateall
grep sss /etc/nsswitch.conf

9) To deny all users/groups and allow only members of a particular group to access the server

realm deny -R <domain name> -a
realm permit -R <domain name> -g <group name>@<domain name>
realm list

10) Log in to the server with AD credentials

ssh <user@domain>@<server ip>
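After steps 7 and 9 the only durable record of the access policy is /etc/sssd/sssd.conf, so it is worth checking that file rather than trusting the command history. The script below is an added example, not part of the original guide; it assumes realmd wrote the policy as access_provider = simple plus a simple_allow_groups list (the form realmd uses on RHEL/CentOS 7), and example.test, linux-admins and ops are constructed sample values.

```shell
# Added verification helper, not part of the original guide. It checks that an
# sssd.conf carries what steps 7 and 9 are meant to leave behind:
#   default_domain_suffix = <domain> (step 7); access_provider = simple, which
#   is what realm deny/permit write; <group@domain> in simple_allow_groups
#   (step 9); no simple_allow_users entry re-admitting other accounts; and a
#   file mode sssd accepts (not group/world readable). Exit 0 only if all pass.
# conf_value FILE KEY: value of KEY (last occurrence wins), empty if unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# in_csv_list "a, b ,c" b: succeeds if b is one item of the comma-separated list.
in_csv_list() {
    printf ',%s,' "$1" | tr -d ' \t' | grep -Fq ",$2,"
}

# check_sssd_access FILE GROUP@DOMAIN DOMAIN
check_sssd_access() {
    conf=$1 group=$2 domain=$3 rc=0
    [ "$(conf_value "$conf" default_domain_suffix)" = "$domain" ] ||
        { echo "FAIL: default_domain_suffix is not $domain (step 7)"; rc=1; }
    [ "$(conf_value "$conf" access_provider)" = "simple" ] ||
        { echo "FAIL: access_provider is not simple, deny-all is not in force"; rc=1; }
    in_csv_list "$(conf_value "$conf" simple_allow_groups)" "$group" ||
        { echo "FAIL: $group missing from simple_allow_groups (step 9)"; rc=1; }
    users=$(conf_value "$conf" simple_allow_users)
    [ -z "$users" ] || echo "WARN: simple_allow_users also admits: $users"
    # find -perm -040 / -004 prints the file if group / others can read it
    [ -z "$(find "$conf" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ] ||
        { echo "FAIL: $conf is group/world readable; sssd expects mode 0600"; rc=1; }
    return $rc
}
# write_sample_conf FILE: constructed sssd.conf shaped like what realmd leaves
# after steps 5, 7 and 9 (example.test is sample data, not a real domain).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.test
default_domain_suffix = example.test

[domain/example.test]
ad_domain = example.test
access_provider = simple
simple_allow_groups = linux-admins@example.test, ops@example.test
EOF
}
# Run directly: sh check_sssd_access.sh /etc/sssd/sssd.conf linux-admins@example.test example.test
[ $# -eq 3 ] && check_sssd_access "$1" "$2" "$3"
```

Run it again after every realm permit/deny change, and after step 15, since rebuilding the cache does not touch the policy but a typo in the group name silently locks everyone out.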

11) To remove a user/group from the permit list

realm permit --groups --withdraw <groupname>@<domain name>
(OR)
realm permit -x '<FQDN of AD server\username>'

12) To remove the server from the domain

realm leave --user=<domainadmin>@<domain name> <domain name>

13) Providing sudo access to AD users

vim /etc/sudoers.d/sudoers
%<ad group name>@<domain name> ALL=(ALL) ALL

14) To clear the sssd cache, use the commands below

sss_cache -E (clears the cache and refreshes all records)
sss_cache -Ed LDAP1 (clears the cache for a particular domain)
sss_cache -u <user name> (clears the cached record for a particular user)

15) Hard way to clear the cache

systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd
authconfig --updateall

16) The log file to monitor for user authentication is /var/log/secure
