Linux AD Integration (SYS 255) - Chromosom3/TechNotes GitHub Wiki
Joining a Linux System to Active Directory
In an Active Directory environment you can log on to Windows systems with both local and domain accounts, which helps with user management, permissions and security. You can get the same benefits on Linux systems by joining them to the domain, and the tool for that is realmd: it discovers the domain, creates the computer account, and writes the SSSD (or Winbind) and Kerberos configuration so that domain users can be resolved and authenticated on the Linux host.
Installing REALMD
Installing realmd is the same as installing any other package: use the distribution's package manager. On CentOS run 'sudo yum install realmd -y' and on Debian run 'sudo apt install realmd -y'. That installs realmd and its declared dependencies, but not necessarily the tools it needs at join time (sssd, adcli or samba, oddjob); realmd otherwise tries to pull those in through PackageKit when you run 'realm join', which fails on a host without PackageKit or without repository access at that moment. If you would rather install the whole set up front, run 'sudo yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd' or 'sudo apt install realmd samba samba-common oddjob oddjob-mkhomedir sssd'. Adding adcli to either list is worth it, since realmd joins with adcli by default (samba's net is the alternative membership software), and 'realm discover' lists anything still missing under required-package.
REALMD Commands
The central utility in realmd is called realm. "Most realm commands require the user to specify the action that the utility should perform, and the entity, such as a domain or user account, for which to perform the action" (Red Hat realmd documentation). There are four realm commands and two login commands: discover, join, leave, list, and permit, deny. The command names describe what each one does; see the documentation above for the details of each. An example of the join command is 'realm join -U dylan-adm domain.local'. This joins the system to the domain.local domain using the dylan-adm account (-U, or --user, names the account used for the join; it can also be written as dylan-adm@domain.local). The command then prompts for that account's password; do not pass it on the command line, where it would end up in the shell history. The join account only needs the right to create and modify computer objects in the target OU, so delegate that to a dedicated account rather than typing a Domain Admin password on the Linux host. Before joining, 'realm discover domain.local' confirms the domain can be found through DNS and lists any packages still required. Once joined, 'realm list' shows the domain's details, including configured: kerberos-member and the current login-policy.
REALMD Configuration
To edit realmd's configuration, open /etc/realmd.conf and change the values in the file. Here you can change things like the default home directory and the default user shell. The same file can also hold settings for an individual domain. The section for that domain must begin with [domain.example], where domain.example is your domain name. Domain-specific settings are read when 'realm join' runs, so they have to be in place before you join; if you have already joined, you must 'realm leave' and join again for them to take effect. Below is an example of a domain-specific configuration.
[ad.example.com]
computer-ou = OU=Linux Computers,DC=ad,DC=example,DC=com
user-principal = yes
automatic-id-mapping = no
Here computer-ou places the computer account in a dedicated OU instead of the default Computers container; the DC components must be those of the domain being joined (ad.example.com), or the join fails. user-principal = yes makes realmd set a host/ userPrincipalName on the computer account (you can also give the exact principal to use instead of yes). automatic-id-mapping = no tells SSSD to take UIDs and GIDs from the POSIX attributes (uidNumber, gidNumber) stored in AD rather than generating them from the account SIDs; with this setting, users and groups that lack those attributes will not resolve on the Linux host, so leave it at the default unless the directory actually carries them.
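The install, preflight and join steps above, collected into one helper script. This is an added example, not code from the wiki: the per-distribution package lists, the ad.example.com domain, the dylan-adm join account and the consistency check on /etc/realmd.conf are my choices, and the script only runs the install and join when invoked with --join (for example 'bash ad-join.sh --join ad.example.com dylan-adm'); without arguments it only defines its functions.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): preflight and join a Linux host to AD with realmd.
# Package lists, domain, OU and account names below are assumptions for illustration.
set -euo pipefail

# Explicit package set per distribution family, so realmd does not have to pull the
# join-time tools in through PackageKit. adcli is what 'realm join' uses to create the
# computer account by default; oddjob-mkhomedir creates home directories at first login.
pkgs_for_family() {
  case "$1" in
    rhel)   echo "realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation" ;;
    debian) echo "realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir" ;;
    *)      echo "unsupported family: $1" >&2; return 1 ;;
  esac
}

# Map ID / ID_LIKE from an os-release file (normally /etc/os-release) to rhel or debian.
family_from_osrelease() {
  local id like
  id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
  like=$(sed -n 's/^ID_LIKE=//p' "$1" | tr -d '"')
  case " $id $like " in
    *" rhel "*|*" centos "*|*" fedora "*|*" rocky "*|*" almalinux "*) echo rhel ;;
    *" debian "*|*" ubuntu "*) echo debian ;;
    *) echo "unknown distribution: id=$id like=$like" >&2; return 1 ;;
  esac
}

# DNS domain -> the DC= components every object in that domain sits under.
domain_to_base() {
  echo "DC=$(echo "$1" | sed 's/\./,DC=/g')"
}

# Preflight for /etc/realmd.conf. Per-domain settings are only read at join time, so the
# [domain] section must already exist, and computer-ou has to be inside the domain being
# joined (the join fails if the OU lives under a different DC= path). Returns non-zero
# on a problem and explains it on stderr.
check_realmd_conf() {
  local conf="$1" domain="$2" base ou
  base=$(domain_to_base "$domain" | tr 'A-Z' 'a-z')
  if ! grep -q "^\[$domain\]$" "$conf"; then
    echo "preflight: no [$domain] section in $conf; per-domain settings would be ignored" >&2
    return 1
  fi
  # Read computer-ou from that section only; the sed range ends at the next [section].
  ou=$(sed -n "/^\[$domain\]$/,/^\[/ s/^computer-ou *= *//p" "$conf")
  [ -n "$ou" ] || return 0   # no computer-ou: realmd uses the default Computers container
  case "$(echo "$ou" | tr 'A-Z' 'a-z')" in
    *"$base") return 0 ;;
    *) echo "preflight: computer-ou '$ou' is not under $base" >&2; return 1 ;;
  esac
}

# Discover, join and verify. The join account should be one delegated only the right to
# create computer objects in the target OU, not a domain admin: its password is typed on
# this host. 'realm join' prompts for it; never pass it on the command line.
join_domain() {
  local domain="$1" user="$2"
  realm discover "$domain"        # DNS/DC reachability plus any still-missing required-package
  realm join -U "$user" "$domain" # -U/--user: account used for the join
  realm list                      # expect "configured: kerberos-member"
  id "$user@$domain"              # proves SSSD resolves domain users via NSS
}

# Only act when explicitly asked, so the script can be sourced for its functions.
if [ "${1:-}" = "--join" ]; then
  domain="${2:-ad.example.com}"; user="${3:-dylan-adm}"
  case "$(family_from_osrelease /etc/os-release)" in
    rhel)   sudo yum install -y $(pkgs_for_family rhel) ;;
    debian) sudo apt install -y $(pkgs_for_family debian) ;;
  esac
  check_realmd_conf /etc/realmd.conf "$domain"
  join_domain "$domain" "$user"
fi
```

The preflight catches the two mistakes this section warns about: a [domain] section added after the join (which realmd never reads until the next join) and a computer-ou copied from another domain's example. The 'id' at the end only proves name resolution; whether that user may actually log in is decided by the login policy covered below.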
Login Permissions
By default, domain-side access control applies: 'realm list' shows login-policy: allow-realm-logins, and any account the domain itself would let log on (an enabled, non-expired user and, with recent SSSD versions, one the domain's GPO logon rights allow) can also log on to this Linux system. If you want client-side access control instead, use the login commands to state on this Linux system which AD accounts may and may not connect. For example, run 'realm deny --all' and then 'realm permit dylan-adm@domain.local'. To permit a group instead of a user, add -g, for example 'realm permit -g linux-admins@domain.local' for a group called linux-admins. Check the result with 'realm list', which then reports login-policy: allow-permitted-logins together with the permitted-logins and permitted-groups. Note that 'id' or 'getent passwd' resolving a domain user says nothing about whether that user can log in: the permit and deny lists are enforced by PAM through SSSD at login time, so confirm a policy change with an actual login such as ssh.
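The permit/deny sequence above, followed by the check a practitioner wants afterwards: reading login-policy, permitted-logins and permitted-groups back out of 'realm list' and deciding whether a given principal would be let in. This is an added example, not code from the wiki. The dylan-adm user, the linux-admins group and the sample 'realm list' output are constructed, and the realm commands themselves only run when the script is invoked with --apply; without arguments it evaluates two principals against the constructed listing.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): client-side login control with realm permit/deny,
# plus a parser for 'realm list' so the resulting policy can be checked. The user,
# group and domain names and the sample listing are constructed for illustration.
set -euo pipefail

# Apply client-side control: close the door first, then open it for named principals.
# realm permit/deny rewrite the SSSD access settings for the joined domain.
apply_client_side_policy() {
  local domain="$1" user="$2" group="$3"
  sudo realm deny --all                   # login-policy becomes deny-any-login
  sudo realm permit "$user@$domain"       # login-policy becomes allow-permitted-logins
  sudo realm permit -g "$group@$domain"   # -g: the argument is a group, not a user
  realm list
}

# Extract one field from 'realm list' output on stdin, one value per line. Handles
# both a repeated "field: value" line per value and comma-separated values on one line.
realm_field() {
  sed -n "s/^ *$1: *//p" | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# Decide whether a principal would pass the listed login-policy.
#   $1 principal, $2 'realm list' output, $3 optional comma-separated list of the
#   principal's AD groups (from 'id' on a real host). Returns 0 if permitted, 1 if not.
is_permitted() {
  local who="$1" listing="$2" groups="${3:-}" policy g
  policy=$(printf '%s\n' "$listing" | realm_field login-policy)
  case "$policy" in
    allow-realm-logins) return 0 ;;   # domain-side control: whoever AD lets log on
    deny-any-login)     return 1 ;;
    allow-permitted-logins)
      if printf '%s\n' "$listing" | realm_field permitted-logins | grep -ixF "$who" >/dev/null; then
        return 0
      fi
      while IFS= read -r g; do
        [ -n "$g" ] || continue
        if printf '%s\n' "$listing" | realm_field permitted-groups | grep -ixF "$g" >/dev/null; then
          return 0
        fi
      done <<< "$(printf '%s' "$groups" | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//')"
      return 1 ;;
    *) echo "unexpected login-policy '$policy'" >&2; return 2 ;;
  esac
}

# Constructed 'realm list' output for a host after the permit/deny commands above.
SAMPLE_LISTING='domain.local
  type: kerberos
  realm-name: DOMAIN.LOCAL
  domain-name: domain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@domain.local
  login-policy: allow-permitted-logins
  permitted-logins: dylan-adm@domain.local
  permitted-groups: linux-admins@domain.local'

if [ "${1:-}" = "--apply" ]; then
  apply_client_side_policy "${2:-domain.local}" dylan-adm linux-admins
else
  # Offline demonstration against the constructed listing.
  for p in dylan-adm@domain.local bob@domain.local; do
    if is_permitted "$p" "$SAMPLE_LISTING"; then echo "$p: permitted"; else echo "$p: denied"; fi
  done
fi
```

The parser is deliberately tolerant of both ways realm may print multi-valued fields. Keep in mind that is_permitted only reproduces the client-side list; on a real host the final answer also depends on the account being enabled in AD, and the only authoritative test remains a login attempt after the change.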