How to quickly and easily add a Red Hat Enterprise Linux 6 system to Microsoft Active Directory

UPDATE: This article also works perfectly on Windows 2012 Server as well as Windows Server 2008. The process is exactly the same.

 

I've had countless people ask me over the years how to add a Linux system to Active Directory.

Here is a really quick and simple way to do it using Winbind for user lookups and Kerberos for authentication.

In this example, I will be using the following details:

Windows Domain Name:         nt.example.com
Windows Domain NetBIOS Name: NT
Domain Controller:           dc01.nt.example.com
Client Server name:          server01.nt.example.com

Setup

1. Firstly, install the necessary components.

yum install -y samba-winbind samba-winbind-clients oddjob-mkhomedir pam_krb5 krb5-workstation

 

2. Make sure oddjobd is started at boot. This applies to Red Hat Enterprise Linux 6 and other Red Hat-based operating systems.

Red Hat Enterprise Linux 5 uses pam_mkhomedir instead. pam_mkhomedir has SELinux issues at present, so oddjobd is the way to go.

chkconfig oddjobd on

 

3. Use authconfig to point the system at the relevant services for authentication.
Note: If you do not wish your users to log into your server via a shell, use --winbindtemplateshell=/sbin/nologin instead of --winbindtemplateshell=/bin/bash in the command below.

authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=NT --smbrealm=NT.EXAMPLE.COM --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=NT.EXAMPLE.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess

 

4. Just like in Windows, add your system to the domain. Here I have used the Domain Administrator account, but any account with enough rights to add a system to the domain will suffice.

[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'server' to realm 'nt.example.com'

Note: As you are now dealing with Active Directory, Kerberos makes the process time sensitive. Make sure your system clock is synchronised with one of your Domain Controllers by using it as the NTP server.

Otherwise you will end up with errors like this when you try to add the system to the domain:

[root@server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- NT
Joined 'SERVER' to realm 'nt.example.com'
[2012/07/06 17:24:04.397769,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password SERVER$@NT.EXAMPLE.COM failed: Clock skew too great
[root@server ~]#

 

5. Configure the Winbind backend
The default Winbind backend is great for single systems being added to Active Directory. However, if you are in a very large Linux estate like I usually am, you will need to change the backend to ensure that all UIDs/GIDs match across all your systems.

To do this, add the lines below to the [global] section of your Samba configuration (/etc/samba/smb.conf). The two idmap lines select the rid backend and bound its ID range; the two keytab lines tell Winbind to use the system keytab that step 7 creates. Replace "NT" with your own NetBIOS domain name.

idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file=/etc/krb5.keytab

Just so we are on the same page, my global configuration now looks like this:

workgroup = NT
realm = NT.EXAMPLE.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap config NT:backend = rid
idmap config NT:range = 10000000-19999999
kerberos method = dedicated keytab
dedicated keytab file=/etc/krb5.keytab
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false

 

6. Restart Winbind service
Once you have added your system to the domain, it is important to restart the Winbind service.

[root@server ~]# service winbind restart
Shutting down Winbind services:                            [FAILED]
Starting Winbind services:                                 [  OK  ]
[root@server ~]#

 

7. Create a Kerberos keytab to enable Single Sign On (SSO)

[root@server ~]# net ads keytab create -U Administrator
Enter Administrator's password:
[root@server ~]#

 

8. Test configuration. If you receive no output for a known username, then something is wrong.

[root@server ~]# getent passwd Administrator
administrator:*:16777216:16777216:Administrator:/home/administrator:/bin/bash
[root@server ~]#

or, if you enabled shell logins,

User@workstation:~$ ssh Administrator@server.nt.example.com
Administrator@server.nt.example.com's password: 
Your password will expire in 11 days.

Creating home directory for administrator.
[administrator@server ~]$

 

9. Optional: a home directory will not exist on the system when a new user logs in for the first time. Run the command below if you wish to have the home directory created automatically on first login.

[root@server ~]# authconfig --enablemkhomedir --update
Starting Winbind services:                                 [  OK  ]
Starting oddjobd:                                          [  OK  ]
[root@server ~]#

36 comments on “How to quickly and easily add a Red Hat Enterprise Linux 6 system to Microsoft Active Directory”

  1. Steve Sheetz August 23, 2013 17:21

    Dale, kudos on a simple, straightforward, and well written article. It had been quite a while since I joined a Linux workstation to a Windows domain without using a third party product like PowerBroker Identity Services.

    The process you articulated here worked so smoothly, I had to let you know I appreciated it!

    Cheers!

    • Dale Macartney August 23, 2013 21:16

      Hi Steve

      This is the best type of feedback I like to hear. I’m very pleased it has worked for you as expected. If you’re looking for ways to enhance this method, you can look into using access controls and granting sudo access based on Active Directory based groups.

      Thanks for the comment.

      Dale

      • Mike July 22, 2014 15:47

        Hello Dale,
        This is a great tutorial.
        I have successfully installed samba4 (4.1.9) with roaming profiles on a CentOS 6.5 (64-bit).
        A Windows 7 Enterprise (64-bit) client joins the new domain and AD user logins are authenticated and sign on without issues.
        A Linux client (CentOS 6.5, 64-bit) joins the Samba domain, and AD user authentication and login work fine, but the user's profile is created on the Linux client and not on the server.
        I would highly appreciate your assistance to resolve this issue
        Thanks

  2. hamood August 26, 2013 08:40

    Thanks for the article.
    I have a question:
    If I implement this, does this affect my current domain controller? I have only one DC and I don't want any issues with it.
    Is configuring Samba making a domain controller on Linux? If so, I don't want
    a DC in Linux; I just need Squid to work with Active Directory.
    Thanks

    • Dale Macartney August 26, 2013 11:29

      Hi Hamood

      Just to clarify for you, Samba “can” be configured as an old style Domain Controller (similar to an NT style domain); however, winbind is a separate component of the Samba project.

      In short, this article will only join a Linux system to Active Directory. It does not in any way configure itself to be a self managed Domain Controller.

      Regarding your objective, I have covered Squid integration with Active Directory here:
      https://www.dalemacartney.com/2012/07/06/squid-proxy-integration-with-active-directory-the-quick-and-simple-way/

      This article is actually a prerequisite of the above article.

      It won’t take you long to implement at all.

      Dale

  3. Marcos September 12, 2013 17:13

    Thanks for the article, it's very simple and clear. I have two questions:

    1 – With PowerBroker (Likewise) it's possible to map AD groups on sudo and also control SSH logins by user/group. How can you achieve the same with winbindd?

    2 – Say for example you have a virtualized infrastructure and work with templates. What do you think would be the best approach? Join the machines, then create the templates, renaming it every time you deploy a VM, or configure everything and join it after deployment?

    • Dale Macartney September 13, 2013 13:39

      Hi Marcos

      Believe it or not, I had a client ask me this same thing a few weeks ago. Suggestions below.

      1. Have a look at access.conf, you can set up a global configuration to only allow login by specific users/groups. I’ve written a short article here. https://www.dalemacartney.com/2013/01/12/host-based-access-control-with-red-hat-enterprise-linux-6/

      2. Cloning an already AD connected server is very messy. The VMs deployed from the template will never be able to authenticate. As an alternative, when you build your template, you could write a startup script (either init or systemd) and set it to start on boot. Once your virtualization manager has deployed the template, given it a hostname/IP/etc., it will power on. When your startup script runs, I would put your custom configuration in there. This could be joining Active Directory, setting up access to Satellite or Puppet, or whatever your requirements are.

      Once you have finished running what you need, have the last task in the script completely remove itself from the startup config. Either chkconfig the script off or even just delete the script. That way it will only ever run on the first power on. This approach is referred to as “firstboot”.

  4. leny October 30, 2013 12:09

    thanks ……

    the config works very well

  5. Sham October 31, 2013 10:45

    Thanks for the article. Can you please inform how to unjoin from MS Active Directory without Likewise Open?

    Thanks

    • Dale Macartney October 31, 2013 10:52

      Hi Sham

      If you have used this article, and would like to remove a system from Active Directory which is using Winbind, you can do the following:

      net ads leave -U domain-admin-user

      This will prompt you for the password of your domain admin account. Once this is removed, you can simply uninstall the winbind packages from your local system (yum remove winbind).

      Dale

      • Sham October 31, 2013 10:59

        Thanks a lot Dale. Was facing this issue with a FreeRADIUS cloned VM and used likewise-open. Next time will follow your suggestion.

        Thanks again

  6. Jamie December 10, 2013 00:06

    Dale,

    Thanks for the great article. Appreciate how you cover the configuration.

    One question:

    In order to get the authentication to work, do we need to modify the schema on the AD server to use “Identity Management for Unix” to supply schema attributes for the home directory, uid, gid, etc?

    Thanks for a great article…

    – Jamie

    • Dale Macartney December 13, 2013 09:52

      Hi Jamie

      No you do not need to modify your Active Directory schema at all for this method to work, nor do you need any services for UNIX installed.

      Winbind uses its own algorithm to generate unique UIDs/GIDs based on the Active Directory objects. (Step 5 shows the algorithm in use and the ID number ranges).

      You would need to use services for UNIX and extend the user attributes in Active Directory if you were to connect your systems using LDAP based methods which is not covered in this article.

      This article is a simpler alternative.

      Dale

  7. Erik December 10, 2013 15:01

    Thank you!!!

    Of all the AD setups I’ve read, yours is the only one that worked & was easy to understand

  8. Lee February 7, 2014 05:40

    This method works great for me. I’ve been using it for all the RHEL6 machines at my office. Thank you for posting it.

    I’m going to check out the HBAC method you posted above. To keep authenticated users in the domain I didn’t want to login I just added an AllowUsers line to my /etc/ssh/sshd_config file. This only permitted specific users to login over ssh.

    Two questions:

    How could I support offline authentication or cached credentials?

    I have child domains within my AD structure. I join my RHEL boxes to the root domain but sometimes I need to support child domain users authenticating. This tutorial seems to support my root domain users only. Any idea how to get that working?

    Thanks!

  9. David April 2, 2014 16:56

    I have to say it.
    Thank you.
    You cannot imagine how much time I've spent looking for a final guide to properly configure authentication to AD from Linux.
    I've stumbled on several solutions; some worked for a short period of time and some others didn't work at all.

    I really have appreciated your work.

    grazie

  10. Julia April 30, 2014 02:09

    Thanks for the info. I am actually using winbind-tdb. My smb.conf statement “winbind use default domain=yes” does not seem to work. I have defined the domain name using domainname NT, but wbinfo -g still lists it in front of all the group names. Also, if I get that to work, do I need to include the domainname in my chown and chgrp statements? (chown “NT\user” foo or just chown user foo)
    Thanks!

  11. jaany May 2, 2014 14:04

    Hi,

    Everything worked fine, but when Windows users open the Samba server, user folders are not created automatically. If they log in with SSH, user folders are created.
    Please help in this regard.

    thanks
    jaany

  12. Mustafa May 5, 2014 08:53

    Dear Dale,
    I have configured Samba on RHL 5 acting as a PDC (NT style). I can safely join a Windows client to it, but fail to log in via Linux... although I have installed Samba on the client machine, when I run net rpc join it says you have joined the domain... but when I try to log in on the client it fails.
    I have generated a machine account on the Samba PDC.
    I will be thankful for your help.

  13. jaany May 13, 2014 18:14

    Thanks for the excellent document for Samba with AD integration. Working fine.
    How do I configure SSO with Windows client systems? When a user opens the file server from a Windows system, the folder for the user needs to be created automatically.

    Please help in this regard.

    thanks in advance
    jaany

  14. Harry May 15, 2014 14:56

    First guide I’ve found that actually gets me somewhere, not quite a result but still great guide.

    I am still facing an issue though, RHEL 6.5 > Windows 2003 AD

    Followed steps and get:
    Joined ‘BFMPC20’ to realm ‘mydomain.local’
    DNS Update for bfmpc20.mydomain.local failed: ERROR_DNS_UPDATE_FAILED
    DNS update failed: NT_STATUS_UNSUCCESSFUL

    All help appreciated…

  15. Josh June 19, 2014 15:55

    Great article, Thanks! One question. Does this method update the machine account password in Active directory periodically on its own? If not do you have a recommendation on how to accomplish this?

  16. Mike July 22, 2014 15:45

    Hello Dale,
    This is a great tutorial.
    I have successfully installed samba4 (4.1.9) with roaming profiles on a CentOS 6.5 (64-bit).
    A Windows 7 Enterprise (64-bit) client joins the new domain and AD user logins are authenticated and sign on without issues.
    A Linux client (CentOS 6.5, 64-bit) joins the Samba domain, and AD user authentication and login work fine, but the user's profile is created on the Linux client and not on the server.
    I would highly appreciate your assistance to resolve this issue
    Thanks

  17. titi July 29, 2014 13:14

    I followed this tutorial and I'm blocked when joining the server to the domain; find my error below:
    Failed to join domain: failed to lookup DC info for domain ‘XXXX.xxxxx.COM’ over rpc: Logon failure

  18. Ileana July 31, 2014 17:58

    Thank you for the posting. Still not working for me 🙁
    OEL6.5 with 2008 AD. Everything is fine until the
    getent passwd command: I can see the information for each user, I can list AD groups, but I cannot ssh to the box; I always receive a permission denied.
    The only error I can see is in the Samba logs:
    lib/util_sock.c:628(open_socket_in) open_socket_in(): setsockopt: SO_REUSEPORT = true on port 445 failed with error = Protocol not available

    Thanks
    Ileana

  19. Munish November 6, 2014 16:00

    Is this still a valid configuration?

    workgroup = NT
    realm = NT.EXAMPLE.COM
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap config NT:backend = rid
    idmap config NT:range = 10000000-19999999
    kerberos method = dedicated keytab
    dedicated keytab file=/etc/krb5.keytab
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false

    I suppose
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431

    have been removed from RHEL 6.5.
    Please suggest and, if possible, let me know the alternative.

  20. Mandar November 9, 2014 05:04

    Hi Dale,
    This is a very straightforward article to integrate a RHEL system with AD. I have tested it on Red Hat Enterprise Linux 6.5 and it works absolutely fine.

    One question I am having over this topic is that, how can I add trusted domains to the configuration, so that users from those trusted domains can also be authorized access to the server?

    Thanks.

  21. Eric November 10, 2014 20:45

    I'm able to join the server to AD, and even see my username in getent, but I can't log in with the name. It just comes back with access denied. I am able to su - username and it creates my username home dir. Note that I didn't do the krb5 tab stuff. Do you think I need to? How will I know if I need to? Thanks!

  22. Farhad Jamali November 11, 2014 19:23

    Hello Dale
    Thanks for sharing such an easy way to join a Windows domain. I completed all steps as you said. I have a few questions, if you please answer.

    1) How do I UNJOIN a Linux machine from the Windows domain after doing all of the above config successfully?
    2) I want to block some users in Active Directory from logging in or SSHing to the Linux server (which is on the domain). I applied a 'LOGON TO' restriction for a certain user; that user can't log in on all Windows machines except the ones in the list, but this policy is not working for the Linux server; that user can still log on to Linux.

    Awaiting your reply
    Thank you

    Farhad Jamali

  23. Ravi November 23, 2014 05:20

    Hi, I am a beginner to Linux. I am trying to integrate AD with a Linux server. After I run the “net ads join -U administrator” I am getting an Operations error. Any tips on how I could resolve this error?

    Installed:
    krb5-workstation.x86_64 0:1.10.3-33.el6 oddjob-mkhomedir.x86_64 0:0.30-5.el6
    pam_krb5.x86_64 0:2.3.11-9.el6

    Complete!
    [root@501server ~]# chkconfig oddjobd on
    [root@501server ~]# authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=ADNETBIOS --smbrealm=research.name.org --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=research.name.org --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
    Starting Winbind services: [ OK ]
    [root@501server ~]# net ads join -U administrator
    Enter administrator’s password:
    Failed to join domain: failed to connect to AD: Operations error

  24. shahnawaz December 12, 2014 10:16

    Can anybody tell me how to remove an AD user in Linux?

  25. Nishant February 6, 2015 19:51

    Will Active Directory group policy apply to a Linux desktop? i.e. password policy, system lock policy etc.

  26. vipin.v March 26, 2015 08:46

    Hi,
    when I try these, in step 4 I got the error message:
    FAILED TO JOIN DOMAIN:FAILED TO FIND DC FOR DOMAIN XXX
    I am stuck with this error. Please help me.

  27. Abhishek Kotecha November 6, 2015 05:15

    You made my day!
    Thank you 🙂

  28. Niel Skousen April 26, 2016 15:01

    Dale, thanks for a great jumpstart article. I am a long time Linux user, but a total noob on SSO and central management. I have 20 CentOS 6.7 (stand-alone) systems to join to AD; would it be better to set up a CentOS central SSO (realm or other) or do each one individually? OBTW, after AD integration comes SmartCard from the Windows AD into the Linux world. Does that change the answer or advice?? Thanks again for sharing your experience so succinctly. Niel

  29. Sam June 22, 2016 07:13

    Hi, anyone done this on Windows Server 2003 R2?
    Thanks for the article… 🙂
