Add RHEL7 Server to Active Directory Domain

This tutorial is based on the following configuration:

domain name : mycompany.com

workgroup : MYCOMPANY

kerberos realm : MYCOMPANY.COM

Windows Server DNS Name: winserver.mycompany.com

Windows Server IP Address: 192.168.122.10

Linux Server DNS Name: server3.mycompany.com

Linux Server IP Address: 192.168.122.4

Ensure that DNS Server is properly configured on the Windows Server.

1) Install packages

yum install krb5-workstation pam_krb5

yum install samba samba-client samba-winbind

yum install authconfig

2) Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

3) Configure the DNS Service to use AD as its name server. DNS is critical for proper resolution of host names and domains for kerberos.

Edit the file '/etc/resolv.conf' and add the following entries:

search mycompany.com

nameserver 192.168.122.10

4) Configure Kerberos to use AD Kerberos realm. Edit the file '/etc/krb5.conf'.

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = true

dns_lookup_kdc = true

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

default_realm = MYCOMPANY.COM

5) Verify Kerberos operation.

[root@server3 ~]# kinit Administrator

Password for Administrator@MYCOMPANY.COM:

[root@server3 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: Administrator@MYCOMPANY.COM

Valid starting Expires Service principal

04/27/2015 00:42:19 04/27/2015 10:42:19 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM

renew until 05/04/2015 00:42:10

[root@server3 ~]# kdestroy

6) Configure Samba to connect to AD server. Edit the file '/etc/samba/smb.conf' and make the

following changes:

workgroup = MYCOMPANY

server string = Samba Server Version %v

netbios name = SERVER3

interfaces = lo eth0 192.168.122.4/24

hosts allow = 127. 192.168.122.

security = ads

passdb backend = tdbsam

realm = MYCOMPANY.COM

kerberos method = secrets and keytab

template shell = /bin/sh

winbind offline logon = true

winbind separator = +

winbind use default domain = yes

idmap uid = 10000-19999

idmap gid = 10000-19999

idmap config MYCOMPANY:backend = rid

idmap config MYCOMPANY:range = 10000000-19999999

7) Check for configuration errors

testparm

8) Configure NSS and PAM to use winbind

authconfig –enablewinbind –enablewins –enablewinbindauth --update

9) Start services

systemctl start smb

systemctl start winbind

10) Add the linux machine to the AD Domain

[root@server3 ~]# kinit Administrator

[root@server3 ~]# net ads join -U Administrator

Enter Administrator's password:

Using short domain name -- MYCOMPANY

Joined 'SERVER3' to dns domain 'mycompany.com'

10) Verify AD Server status

[root@server3 ~]# klist -k

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

3 SERVER3$@MYCOMPANY.COM

[root@server3 ~]# net ads info

LDAP server: 192.168.122.10

LDAP server name: WINSERVER.mycompany.com

Realm: MYCOMPANY.COM

Bind Path: dc=MYCOMPANY,dc=COM

LDAP port: 389

Server time: Mon, 27 Apr 2015 21:51:54 IST

KDC server: 192.168.122.10

Server time offset: 19835