This article demonstrates how to join (bind) a Red Hat/CentOS or Ubuntu Linux system to an Active Directory domain, and how to have users’ home directories created automatically when they log in for the first time.
Prepare and Join Linux to a Windows Domain
Set the Hostname
Check the hostname. This is the name of the computer object that will be created in AD (under Computers by default).
hostnamectl
If need be, change the hostname to whatever is more suitable:
hostnamectl set-hostname MY-SERVER.example.local
Install Dependencies
yum install realmd
Or:
apt update; apt install realmd
Install More Dependencies
yum install oddjob oddjob-mkhomedir sssd samba-common-tools
Or (the following package names are not verified):
apt update ; apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Discover the Domain
realm discover example.local
You’ll see output similar to the following:
[root@server ~]# realm discover example.local
example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
TIP: You could run “realm list” to see if the system is already bound to a domain. But if you had to install the “realmd” package, it’s likely that the given system is not already bound to a domain.
Join the Domain
realm join -U <AD-admin-user>@EXAMPLE.LOCAL example.local
IMPORTANT: Note the case of “@EXAMPLE.LOCAL” in the sample above; the Kerberos realm name is conventionally written in upper case. This should work as written, but if you get errors at this point, try changing the case.
Once bound, you should be able to run “realm list” and see the following:
[root@server ~]# realm list
example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.local
  login-policy: allow-realm-logins
Now you can try to log into the Linux system as a domain user. You will notice that a new home directory has been created. Also pay attention to the owner user and owner group, and note that the home directory name includes the domain name.
[root@server ~]# ls -l /home/
total 8
drwx------. 2 <user>@example.local domain users@example.local 62 Sep 1 11:04 <user>@example.local
...
The home directory was created automatically on login. And if you are logging in from a Windows computer that is joined to the same domain, using the same username, you won’t be prompted for credentials.
Set Home Directories to Auto Create on Login
If user home directories are not created automatically at login, enable the mkhomedir PAM module. On Ubuntu/Debian, run the following (on Red Hat systems, realm join normally enables this itself when oddjob-mkhomedir is installed and the oddjobd service is running):
pam-auth-update --enable mkhomedir
Restrict Who Can Authenticate Against AD
Bonus: You can restrict which AD users are allowed to log in by permitting only a specific AD group:
realm permit -g <group-name>@example.local
Restrict Who Can Sudo
Bonus: If you want to restrict who can use sudo once logged into the Linux server, add the following line to the bottom of the “/etc/sudoers” file (edit it with visudo, so that a syntax error cannot lock you out). In this example, anyone in the AD group “admin_group” will be able to sudo. Keep in mind that anyone in AD can log into the Linux system, but they won’t have sudo access unless they are in the specified group. NOPASSWD lets members run sudo without re-entering their password; drop it if you want them to be prompted.
%admin_group@example.local ALL=(ALL) NOPASSWD: ALL
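To verify the post-join state shown in the “realm list” output above (the “configured” and “login-policy” fields) and to build the sudoers line for an AD group with the domain suffix spelled consistently, here is an added example in POSIX sh. It is not part of the original article: the realm output is a constructed sample, and admin_group and example.local are the article’s placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: small POSIX sh checks
# over the text of "realm list" and the sudoers line, so a saved copy of
# the output can be verified without rerunning realm on the host.

# Constructed sample of "realm list" output after a successful join, with
# the same fields the article shows (login-policy is the default).
SAMPLE_JOINED='example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.local
  login-policy: allow-realm-logins'

# Constructed sample for a host that has only discovered the domain.
SAMPLE_NOT_JOINED='example.local
  type: kerberos
  configured: no'

# Print the value of one field (configured, login-policy, ...) read from stdin.
realm_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Succeed only if the output describes a Kerberos member of the domain.
realm_is_joined() {
    [ "$(printf '%s\n' "$1" | realm_field configured)" = "kerberos-member" ]
}

# Succeed only if logins were narrowed with "realm permit"; the default
# allow-realm-logins lets every domain user log in, as the article notes.
realm_login_restricted() {
    [ "$(printf '%s\n' "$1" | realm_field login-policy)" = "allow-permitted-logins" ]
}

# Build the sudoers line for an AD group; the domain suffix must match
# login-formats. Pass "nopasswd" as the third argument to reproduce the
# article's variant; otherwise members must re-enter their password.
sudoers_group_line() {
    if [ "$3" = "nopasswd" ]; then
        printf '%%%s@%s ALL=(ALL) NOPASSWD: ALL\n' "$1" "$2"
    else
        printf '%%%s@%s ALL=(ALL) ALL\n' "$1" "$2"
    fi
}
```

On a joined host, source the file and run `realm list | realm_field login-policy` to read the live value instead of the sample.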
I have updated this to correct a few issues.
Is there a way to have one specific Active Directory user have a home directory not in /home?
According to “https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/9/html/configuring_authentication_and_authorization_in_rhel/proc_overriding-the-ldap-home-directory-attribute_assembly_sssd-client-side-view”, it would be:
sss_override user-add user-name -h new-home-directory
At least, for Redhat systems.