Joining CentOS 7 into Active Directory domain

How to manage your CentOS 7 based machines with Active Directory account? It is very simple. Here is small tutorial. Are you interested in this thing?

Let’s go to it!

This step is optional: at the begin I recommend update all packages with command:

"yum update"

Don’t forget to add your Active Directory server as primary DNS server in your network configuration on your CentOS machine!

You must open outgoing TCP and UDP ports from your CentOS machine to Active Directory domain controller.

I Accomplished it with simple command:

iptables -A OUTPUT --dst <your-domain-controller-ip-address> -j ACCEPT

Then you must install sssd, realmd, oddjob and other necessary packages with command:

"yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools -y"

When all necessary packages were successfully installed, you must join your server into your domain with command:

"realm join –user=administrator yourdomain.tld"

Now try execute command:

"id yourdomainname@yourdomain.tld"

If everything is well, you will see anything simillar:

uid=978201108(xxxxxxxxxxxxx@xxxxxxx.xxxxx) gid=978200513(domain users@xxxxxxx.xxxxx) groups=978200513(domain users@xxxxxxx.xxxxx),978201125(linux admins@xxxxxxx.xxxxx)

Now you can use your Active Directory credentials to manage your CentOS 7 machine eg. throught SSH. You will use as username <yourdomainname@yourdomain.tld>.

But I thing, simplier is logging with username in format <yourdomainname> but how to make it happen?

You must edit file /etc/sssd/sssd.conf and replace:

"use_fully_qualified_names = true"


"use_fully_qualified_names = false"

And at the end anything little about sudo

In the Active Directory I have group called „Linux Admins“ which contains domain accounts which have permission to manage CentOS 7 machines. These people are granted to change system settings in systems throught sudo.

On server in /etc/sudoers.d/ I have file called linux-admins, which contains following:

"%linux\ admins ALL=(ALL) NOPASSWD: ALL"

If you have in group names blank spaces, you can type group names with slashes or simply type group ids:

"%#978201125    ALL=(ALL) NOPASSWD: ALL"

Now you can execute eg. command: „sudo nmtui“ without knowledge of root’s password, how simple!

And that is all!

Eine bier bitte!