Monday, 27 April 2015

Add RHEL7 Server to Active Directory Domain

This tutorial is based on the following configuration:
domain name :
workgroup : MYCOMPANY
kerberos realm : MYCOMPANY.COM

Windows Server DNS Name:
Windows Server IP Address:

Linux Server DNS Name:
Linux Server IP Address:

Ensure that the DNS server on the Windows Server is properly configured.

1) Install packages
yum install krb5-workstation pam_krb5

yum install samba samba-client samba-winbind

yum install authconfig

2) Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

3) Configure the DNS resolver to use the AD server as its name server. Kerberos depends on correct resolution of host names and domains.
Edit the file '/etc/resolv.conf' and add the following entries:


4) Configure Kerberos to use the AD Kerberos realm. Edit the file '/etc/krb5.conf':

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MYCOMPANY.COM

5) Verify Kerberos operation.

[root@server3 ~]# kinit Administrator
Password for Administrator@MYCOMPANY.COM:
[root@server3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYCOMPANY.COM

Valid starting Expires Service principal
04/27/2015 00:42:19 04/27/2015 10:42:19 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
renew until 05/04/2015 00:42:10
[root@server3 ~]# kdestroy

6) Configure Samba to connect to the AD server. Edit the file '/etc/samba/smb.conf' and make the
following changes in the [global] section:

workgroup = MYCOMPANY
server string = Samba Server Version %v
netbios name = SERVER3
interfaces = lo eth0
hosts allow = 127. 192.168.122.
security = ads
passdb backend = tdbsam
realm = MYCOMPANY.COM
kerberos method = secrets and keytab
template shell = /bin/sh
winbind offline logon = true
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-19999999
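An added check, written for this page and not part of the tutorial, that parses an smb.conf like the one above and verifies the AD-member settings: security = ads, a keytab-backed kerberos method, and that the rid range for MYCOMPANY does not overlap the legacy idmap uid range (overlapping ranges let two SIDs map onto the same Unix ID). The sample configuration is constructed from the values in this tutorial.

```python
import re

# Constructed sample modelled on the smb.conf values in this tutorial (not a live config).
SAMPLE_SMB_CONF = """[global]
workgroup = MYCOMPANY
security = ads
kerberos method = secrets and keytab
idmap uid = 10000-19999
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-19999999
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys lower-cased, no spaces around ':'."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(section, {})[re.sub(r"\s*:\s*", ":", key.lower())] = value
    return conf

def check_winbind_config(text):
    """Return findings for an AD member smb.conf; an empty list means all checks passed."""
    g, findings = parse_smb_conf(text).get("global", {}), []
    rng = lambda v: tuple(sorted(int(x) for x in re.split(r"\s*-\s*", v.strip())))
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD member server")
    if "keytab" not in g.get("kerberos method", "").lower():
        findings.append("kerberos method should use the system keytab ('secrets and keytab')")
    # Legacy default range plus one range per 'idmap config <domain>' block.
    ranges = {"idmap uid": rng(g["idmap uid"])} if "idmap uid" in g else {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config ([^:]+):(backend|range)", key)
        if m and m.group(2) == "range":
            ranges["idmap config " + m.group(1)] = rng(value)
        elif m and f"idmap config {m.group(1)}:range" not in g:
            findings.append(f"idmap backend for '{m.group(1)}' has no range")
    # Ranges of different ID sources must be disjoint, or two SIDs can map to one Unix ID.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return findings
```

Run check_winbind_config on the real /etc/samba/smb.conf before step 7; the tutorial's values return no findings.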

7) Check for configuration errors

8) Configure NSS and PAM to use winbind
authconfig --enablewinbind --enablewins --enablewinbindauth --update

9) Start services
systemctl start smb
systemctl start winbind

10) Add the Linux machine to the AD domain
[root@server3 ~]# kinit Administrator

[root@server3 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYCOMPANY
Joined 'SERVER3' to dns domain ''

11) Verify AD server status

[root@server3 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------

[root@server3 ~]# net ads info
LDAP server:
LDAP server name:
Bind Path: dc=MYCOMPANY,dc=COM
LDAP port: 389
Server time: Mon, 27 Apr 2015 21:51:54 IST
KDC server:
Server time offset: 19835
