Join Linux to Active Directory Domain
In this tutorial, we will walk you through the steps to join Linux to Active Directory (AD) domain and configure authentication against the AD server. We will cover installation of necessary packages, discovery of the AD domain, joining the domain, and configuring authentication.
What is an Active Directory Domain?
An Active Directory (AD) domain is a centralized directory service for Windows-based networks. It stores information about users, computers, groups and other resources, and its domain controllers authenticate those users and computers with Kerberos and answer LDAP queries about them. A Linux host joined to the domain uses exactly those two protocols, through SSSD, to authenticate and look up domain users.
The purposes of Active Directory Domain are:
- User authentication and authorization: AD verifies the credentials of users when they log into the network, and grants access to the resources they are authorized to use.
- Centralized management: AD provides a single point of control for managing users, computers, and resources in a network.
- Group Policy management: AD allows administrators to create and enforce policies that apply to groups of users or computers.
The benefits of using Active Directory Domain are:
- Scalability: AD can manage large and complex networks with tens of thousands of users and resources.
- Integration with other Microsoft products: AD integrates with other Microsoft products, such as Exchange and SharePoint, providing a seamless and integrated management experience.
- Improved security: AD provides a centralized location for managing access to resources and enforcing security policies.
Active Directory was first introduced with Windows 2000 Server, and has evolved over the years to support new features and capabilities. It has become a staple of many large organizations, providing a robust and scalable solution for managing their IT resources.
Table of Contents
- Step 1: Install Necessary Packages
- Step 2: Discover the AD Domain
- Step 3: Join the AD Domain
- Step 4: Configure Authentication
- Step 5: Test Authentication
Step 1: Install Necessary Packages
On a Debian-based Linux machine (such as Ubuntu), install realmd and SSSD together with the helpers realmd needs to perform the join (adcli) and to create home directories for domain users on first login (oddjob-mkhomedir):
sudo apt-get install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir
On a Red Hat-based Linux machine (RHEL, CentOS Stream, Rocky, AlmaLinux or Fedora), use dnf (yum on RHEL 7). krb5-workstation adds kinit and klist, which are useful when testing:
sudo dnf install realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools krb5-workstation
Step 2: Discover the AD Domain
Before joining, confirm that the machine can locate the domain. realm discover looks up the domain's DNS SRV records and contacts a domain controller; run without an argument it tries the host's DNS search domain. Two prerequisites must already be in place: /etc/resolv.conf must point at a DNS server that serves the AD zone, and the clock must be synchronised (chrony or systemd-timesyncd), because Kerberos rejects requests from a host whose clock is more than a few minutes off the domain controllers.
realm discover example.com
The output describes the realm: its type (kerberos), whether this host is already configured for it, the client software realmd will use (sssd) and any packages still required. No output means DNS is not resolving the domain; fix that before going further.
Step 3: Join the AD Domain
Once the domain is discoverable, use realm join to join the machine. Use an AD account that has been delegated the right to create computer objects in the OU where your Linux hosts live rather than a Domain Admin such as Administrator: the credential is used once, to create the computer account and retrieve its keytab, and is not stored on the host, so there is no reason for it to carry domain-wide privileges. --computer-ou places the new computer object in that OU instead of the default Computers container.
sudo realm join --user=joinuser --computer-ou="OU=Linux Servers,DC=example,DC=com" example.com
Replace joinuser and the OU with your own values. realm prompts for the account's password, creates the computer object, writes the host's Kerberos keytab to /etc/krb5.keytab, generates /etc/sssd/sssd.conf and enables SSSD in NSS and PAM. Confirm the result with realm list, which should show the domain with configured: kerberos-member.
Step 4: Configure Authentication
realm join has already configured authentication for you: it writes /etc/sssd/sssd.conf with the AD provider, starts sssd, and enables the sss modules in NSS and PAM (through authselect on RHEL 8 and later, authconfig on RHEL 7, and pam-auth-update on Debian and Ubuntu). Do not run authconfig with --enableldap and --enableldapauth afterwards: that swaps the SSSD AD provider for plain LDAP binds and undoes the Kerberos setup realmd just created, and authconfig no longer exists on RHEL 8 and later. What usually remains is enabling automatic home-directory creation, because domain users have no local home directory yet.
On RHEL 8 and later:
sudo authselect select sssd with-mkhomedir --force
sudo systemctl enable --now oddjobd
On Debian and Ubuntu:
sudo pam-auth-update --enable mkhomedir
Then review the [domain/example.com] section of /etc/sssd/sssd.conf that realmd generated. The settings that matter for security are access_provider = ad, which makes SSSD reject disabled and expired accounts and, with ad_gpo_access_control = enforcing, apply the "Allow log on locally" and related logon-right GPOs to this host; and use_fully_qualified_names = True, which means domain users log in as user@example.com and cannot shadow a local account of the same name. After any edit, run sudo systemctl restart sssd.
Step 5: Test Authentication
Test with an ordinary domain user rather than the join account. Unless you set use_fully_qualified_names = False, the user must be given as user@example.com. Check name resolution through NSS first, then an actual login:
getent passwd aduser@example.com
id aduser@example.com
su - aduser@example.com
If getent prints nothing, SSSD is not answering lookups (check journalctl -u sssd and the logs under /var/log/sssd/); if the lookup works but su fails, the problem is in PAM or access control. By default every domain user that AD's logon-right policy allows can log in. To limit this host to one group, run sudo realm permit -g 'linux-admins@example.com', keeping in mind that realm permit switches SSSD to the simple access provider, so AD GPO logon rights are no longer evaluated on this host.
That’s it! You should now have a Linux machine that is joined to an Active Directory domain and can authenticate users against the AD server.
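The five steps above collected into one script, as an added example that is not code from the original post: it runs the preflight checks from Step 2, joins with a delegated account and a target OU as in Step 3, enables home-directory creation and audits the generated sssd.conf for the Step 4 settings, and verifies an AD user as in Step 5. The domain, the join account svc-linux-join, the OU and the user names are placeholders I have assumed, and dig (bind-utils or dnsutils) is assumed for the SRV lookups. audit_sssd_conf and conf_get need no AD at all and can be pointed at any copy of sssd.conf.

```shell
#!/bin/sh
# join-ad.sh: preflight, join and post-join checks for an AD-joined Linux host.
# Added example, not from the original post. Placeholders (assumptions): the
# domain, the delegated join account and the computer OU below.
set -eu

AD_DOMAIN="${AD_DOMAIN:-example.com}"
JOIN_USER="${JOIN_USER:-svc-linux-join}"   # delegated "create computer objects" right only, not a Domain Admin
COMPUTER_OU="${COMPUTER_OU:-OU=Linux,OU=Servers,DC=example,DC=com}"

# The Kerberos realm is the DNS domain name in upper case.
krb_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# conf_get FILE SECTION KEY: print KEY's value from [SECTION] of an INI-style sssd.conf.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# audit_sssd_conf FILE DOMAIN: pure check of the [domain/DOMAIN] section.
# Prints one line per finding; returns 1 if any finding is a hard failure.
audit_sssd_conf() {
    problems=0
    ap=$(conf_get "$1" "domain/$2" access_provider)
    case "$ap" in
        ad) ;;   # AD provider: disabled/expired accounts and GPO logon rights are honoured
        simple) echo "warn: access_provider=simple (realm permit); GPO logon rights are no longer enforced" ;;
        *) echo "fail: access_provider='$ap', expected ad"; problems=$((problems + 1)) ;;
    esac
    gpo=$(conf_get "$1" "domain/$2" ad_gpo_access_control)
    case "$gpo" in
        ""|enforcing) ;;   # unset: SSSD's own default applies; check man sssd-ad on old releases
        *) echo "fail: ad_gpo_access_control=$gpo, set it to enforcing"; problems=$((problems + 1)) ;;
    esac
    case "$(conf_get "$1" "domain/$2" use_fully_qualified_names)" in
        [Ff]alse) echo "warn: use_fully_qualified_names=False; short names can shadow local accounts" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Preflight: AD's SRV records must resolve and the clock must be in sync (Kerberos rejects
# a skew above its clockskew setting, 300 s by default). Needs dig from bind-utils/dnsutils.
preflight() {
    for srv in _kerberos._tcp _ldap._tcp; do
        dig +short SRV "$srv.$AD_DOMAIN" | grep -q . || { echo "no SRV record for $srv.$AD_DOMAIN"; return 1; }
    done
    timedatectl show -p NTPSynchronized --value | grep -qx yes || echo "warn: clock is not NTP-synchronised"
    realm discover "$AD_DOMAIN"
}

# Join once; realm reads the password from the terminal, so it never appears in ps or shell history.
join_domain() {
    if realm list --name-only | grep -qx "$AD_DOMAIN"; then
        echo "already joined to $AD_DOMAIN"; return 0
    fi
    realm join --user="$JOIN_USER" --computer-ou="$COMPUTER_OU" "$AD_DOMAIN"
}

# Post-join: create home directories on first login, then audit what realmd generated.
post_join() {
    if command -v authselect >/dev/null 2>&1; then
        authselect select sssd with-mkhomedir --force        # RHEL 8 and later
    elif command -v pam-auth-update >/dev/null 2>&1; then
        pam-auth-update --enable mkhomedir                    # Debian and Ubuntu
    fi
    systemctl enable --now oddjobd >/dev/null 2>&1 || true
    audit_sssd_conf /etc/sssd/sssd.conf "$AD_DOMAIN" || echo "fix /etc/sssd/sssd.conf before permitting logins"
}

# verify_login USER: NSS lookup via SSSD, then a Kerberos ticket straight from the KDC
# (independent of PAM, so it separates "SSSD/KDC broken" from "PAM/access control broken").
verify_login() {
    u="$1@$AD_DOMAIN"
    getent passwd "$u" >/dev/null || { echo "NSS cannot resolve $u; check journalctl -u sssd"; return 1; }
    id "$u"
    kinit "$1@$(krb_realm "$AD_DOMAIN")" && klist && kdestroy
}

case "${1-}" in
    preflight) preflight ;;
    join)      preflight && join_domain && post_join ;;
    verify)    verify_login "${2:?usage: $0 verify <ad-user>}" ;;
    audit)     audit_sssd_conf "${2:-/etc/sssd/sssd.conf}" "$AD_DOMAIN" ;;
    "")        ;;   # no arguments: only define the functions (lets the file be sourced)
    *)         echo "usage: $0 preflight|join|verify <user>|audit [sssd.conf]" >&2; exit 2 ;;
esac
```

Run it on the host as sudo ./join-ad.sh join, then sudo ./join-ad.sh verify someuser. sudo ./join-ad.sh audit /etc/sssd/sssd.conf can be re-run at any time, for example from a configuration-management check, to catch a later realm permit or a hand edit that set ad_gpo_access_control to permissive.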

Example Ansible Playbook to Join Linux to Active Directory
Here’s an example of an Ansible playbook that joins a Linux server to an Active Directory domain using realmd and SSSD:
---
- name: Join Red Hat Linux server to AD domain
  hosts: redhat_servers
  become: yes
  vars:
    ad_domain: example.com
    ad_user: administrator                  # prefer an account delegated only "create computer objects" on the target OU
    ad_password: "{{ vault_ad_password }}"  # keep the secret in Ansible Vault, never in the playbook
  tasks:
    - name: Install required packages
      package:
        name:
          - realmd
          - sssd
          - adcli
          - oddjob
          - oddjob-mkhomedir
          - samba-common-tools
        state: present

    - name: Join the AD domain
      # The password is fed to realm's standard input, not placed on the command line,
      # so it never shows up in the process list or in Ansible's logs; no_log hides the
      # task arguments as well. The keytab only exists after a successful join, so the
      # creates guard makes the task skip on hosts that are already joined.
      command: realm join --user={{ ad_user }} {{ ad_domain }}
      args:
        stdin: "{{ ad_password }}"
        creates: /etc/krb5.keytab
      register: join_result
      ignore_errors: yes
      no_log: true

    - name: Check the AD join result
      fail:
        msg: "Unable to join the AD domain, {{ join_result.stderr | default('see journalctl -u realmd') }}"
      when: join_result.rc is defined and join_result.rc != 0

    - name: Restart SSSD service
      service:
        name: sssd
        state: restarted
        enabled: yes

    - name: Validate the AD join
      # realmd enables use_fully_qualified_names, so the lookup must use user@domain.
      command: getent passwd {{ ad_user }}@{{ ad_domain }}
      register: validate_result
      ignore_errors: yes
      changed_when: false

    - name: Check the validation result
      fail:
        msg: "AD join validation failed, {{ ad_user }}@{{ ad_domain }} not found by getent"
      when: validate_result.rc != 0
In this playbook, the realmd, sssd and adcli packages (plus oddjob and oddjob-mkhomedir for home-directory creation) are installed to provide the tools for joining the Linux server to the AD domain. The realm join command performs the join; the account password is passed on the command's standard input rather than on the command line, where it would be visible in the process list and in Ansible's output, and no_log keeps the task's arguments out of the log. The creates guard skips the join on hosts that already hold a keytab, so the playbook can be re-run safely. The sssd service is then restarted to pick up the configuration realmd wrote, and the final task validates the join by resolving the join account from the password database; because realmd enables use_fully_qualified_names, the lookup must use the user@domain form.
To use this playbook, you need Ansible installed on your management host and SSH access to the Red Hat Linux server that you want to join to the Active Directory (AD) domain. Here are the steps to run the playbook:
- Copy the playbook code to a file with a .yml extension, for example join_ad_domain.yml.
- Update the ad_domain and ad_user variables for your AD environment, and put the join account's password in an Ansible Vault-encrypted variable named vault_ad_password (for example in group_vars/redhat_servers/vault.yml, created with ansible-vault create) rather than in the playbook itself.
- Run the playbook, supplying the vault password when prompted:
ansible-playbook join_ad_domain.yml --ask-vault-pass
Here’s an example output of running the playbook:
$ ansible-playbook join_ad_domain.yml --ask-vault-pass
PLAY [Join Red Hat Linux server to AD domain]
*********************************************
TASK [Gathering Facts]
**********************
ok: [redhat_server1]
TASK [Install required packages]
********************************
ok: [redhat_server1]
TASK [Join the AD domain]
**************************
changed: [redhat_server1]
TASK [Check the AD join result]
*******************************
skipping: [redhat_server1]
TASK [Restart SSSD service]
****************************
changed: [redhat_server1]
TASK [Validate the AD join]
***************************
ok: [redhat_server1]
TASK [Check the validation result]
**********************************
skipping: [redhat_server1]
PLAY RECAP
***********
redhat_server1: ok=5 changed=2 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
A service task with state: restarted always reports changed, and a join that is skipped by the creates guard on a second run shows up as skipping for that task.
For more information on configuring authentication and managing a Linux machine in an AD environment, see the Red Hat documentation on Integrating Red Hat Enterprise Linux with an Active Directory Domain.
Thanks for reading with us on how to join Linux to Active Directory!
4 responses to “5 Easy Steps to Join Linux to Active Directory using Ansible”
It’s amazing designed for me to have a web site, which is helpful for my experience.
Thanks admin
Also visit my blog – Janine
Once all the linux servers are configured to do all the login authentication via the Windows AD, how does ansible still authenticate via ssh when a playbook is being run against these hosts, please?
It’s a pity you don’t have a donate button! I’d definitely donate to this superb blog! I guess for now I’ll settle for bookmarking and adding your RSS feed to my Google account. I look forward to fresh updates and will talk about this site with my Facebook group. Chat soon!
Good post. I am going through many of these issues as well.