Joining Linux Host to Existing AD Domain - cfloquetprojects/homelab GitHub Wiki

Prerequisites:

  • Linux host (preferably CentOS 7 or Ubuntu 20.04) is properly networked and updated.

Install Requisite Packages:

First, some basic setup for our Debian-family (Ubuntu) systems: add the universe repositories to the sources.list file. The bionic suite shown below belongs to Ubuntu 18.04; substitute your release's codename (focal for 20.04):

Debian:

$ sudo tee -a /etc/apt/sources.list <<EOF
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
EOF

If systemd-resolved has been stopped, you may need to insert your local DNS server into /etc/resolv.conf manually (for an AD join this must be a server that resolves the domain's records, typically a domain controller), using the syntax shown below:

Debian/Fedora:

$ sudo vi /etc/resolv.conf
search example.com
nameserver <ipv4.address.of.nameserver>

Next make sure our host has all the required updates before moving forward:

Fedora:

$ sudo yum -y update
$ sudo yum -y upgrade

Debian:

$ sudo apt -y update
$ sudo apt -y upgrade

We can install all of the needed packages with the single command shown below:

Fedora:

$ sudo yum -y install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python3

Debian:

$ sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
$ sudo pam-auth-update --enable mkhomedir

Now we can join the previously created domain using realm:

Fedora:

[cfloquet@centos7 ~]# sudo realm join --user=administrator example.com
Password for administrator:

Debian:

$ sudo realm join -U Administrator example.com
Password for Administrator:

Finally, we can use realm list on either distro to show details about the joined domain.

Adding Domain Admin to Local Administrators:

If you are looking to manage your Linux host via a domain admin account, add your account to sudoers:

💣: Use the >> (append) operator, or tee -a, rather than a single > so the line is appended to the end of the file instead of overwriting /etc/sudoers! Afterwards run sudo visudo -c to confirm the file still parses; a syntax error in sudoers disables sudo for every account on the host.

$ echo "<domain_admin>@example.com ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

Consider adding the entire "Domain Admins" AD Group to be local admins with the following:

$ echo "%<YOUR_DOMAIN_HERE>\\Domain^Admins ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
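The sudoers step above is the one place a typo can lock every admin out, so here is an added example (not the wiki's own commands) that grants sudo to AD principals through a syntax-checked drop-in under /etc/sudoers.d and refuses to run unless realm reports the host as joined. It assumes realmd's default of fully qualified names (user@example.com); the domain, the administrator account and the "domain admins" group are placeholder values, and SUDOERS_DIR is a hypothetical override for dry runs.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: grant sudo to AD principals
# through a syntax-checked drop-in in /etc/sudoers.d instead of appending
# to /etc/sudoers. Assumes realmd's default of fully qualified names
# (user@example.com); domain and account names are placeholders.
set -eu

# sudoers_line <user|group> <name> <domain>
# Spaces in AD group names are escaped as "\ ", which is how sudoers
# expects them, e.g. "%domain\ admins@example.com ALL=(ALL) ALL".
sudoers_line() {
  kind="$1"; name="$2"; domain="$3"
  case "$kind" in
    user)  prefix="" ;;
    group) prefix="%" ;;
    *) echo "unknown kind: $kind" >&2; return 1 ;;
  esac
  escaped=$(printf '%s' "$name" | sed 's/ /\\ /g')
  printf '%s%s@%s ALL=(ALL) ALL\n' "$prefix" "$escaped" "$domain"
}

# install_sudoers_dropin <basename> <line>...
# Write the lines to a temp file, validate with visudo -cf, and only then
# install with mode 0440. A bad file never reaches sudoers.d, so a typo
# cannot lock every admin out of sudo. SUDOERS_DIR (hypothetical) can be
# pointed at a scratch directory for a dry run outside /etc.
install_sudoers_dropin() {
  target="${SUDOERS_DIR:-/etc/sudoers.d}/$1"; shift
  tmp=$(mktemp)
  printf '%s\n' "$@" > "$tmp"
  if ! visudo -cf "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"
    echo "sudoers syntax error, not installing $target" >&2
    return 1
  fi
  install -m 0440 "$tmp" "$target"
  rm -f "$tmp"
}

# joined_to <domain>: refuse to touch sudoers unless realm reports the join.
joined_to() {
  realm list --name-only 2>/dev/null | grep -qx "$1"
}

# Entry point; run as root after "realm join" by calling: main
main() {
  domain="example.com"
  joined_to "$domain" || { echo "host is not joined to $domain" >&2; return 1; }
  install_sudoers_dropin ad-admins \
    "$(sudoers_line user administrator "$domain")" \
    "$(sudoers_line group 'domain admins' "$domain")"
}
```

Source the file as root and call main; it needs realm and visudo on the host, and it writes nothing if the join check or the syntax check fails.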