Joining RHEL to Active Directory Domain - cfloquetprojects/homelab GitHub Wiki

Introduction:

In this lab we will be using the System Security Services Daemon (SSSD) together with realmd to connect a RHEL 7 box on our LAN to our existing Active Directory (AD) infrastructure and authenticate against it.

SSSD is often used to access user directories for authentication because of its highly configurable nature and its user caching, which allows offline logins with domain credentials. It also integrates with Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS), and is therefore Red Hat's recommended component for connecting any RHEL system to Active Directory servers (or, for that matter, any LDAP or Kerberos server).

This guide is based on an existing guide written by Red Hat, which can be found on their website along with much more in-depth documentation for a host of related functionality.

Pre-Flight Check:

It's critical that we have already configured our RHEL 7 instance to receive package updates using subscription-manager, as this will allow us to use yum to install the requisite packages.

Ensure that your Active Directory Domain Controller is functioning and online, and that an A record for the host you are attempting to join exists on your local DNS server.

Make sure you've set your Domain Controller (DC) as the primary DNS server for the RHEL instance you will be joining to the domain using a tool like nmtui.

Configuring Proper Encryption Types on DC for RHEL (pre Windows 2016):

SSSD supports the newer AES-128 and AES-256 Kerberos encryption types as well as the older (and deprecated) RC4 encryption; older DCs on some legacy installations may not support the AES types.

💡 It's my understanding from this Microsoft docs article that the deprecated RC4 encryption is no longer the default for the deployment we will be using in today's lab (Windows Server 2019), and so the next step may not be necessary for you:

We can use ksetup to configure the encryption types on our local DC. If this step is required for you, open a command prompt on your DC and add the modern encryption types, replacing domain.com and yourhost.domain.com with the FQDNs of your own domain and host:

ksetup /setenctypeattr domain.com RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
ksetup /setenctypeattr yourhost.domain.com RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96


Adjusting Firewall Rules using firewall-cmd:

Joining an Active Directory domain requires a number of ports and protocols to be open on the host system for authentication, DNS, etc. We will tighten these rules a bit using rich rules, rather than just opening our RHEL box up to everyone.

Firstly, let's escalate to our root user to complete these rule changes, and ensure that firewalld is both running and enabled to start on boot with the following commands:

We will need to add a variety of rules, all of which are covered in the Red Hat article linked above. To save time I won't cover each one individually; instead, here are the commands I used to add them.

💡 The granular "rich" rules that I set use 10.0.3.5 as the source address because that is the IP of the DC in my lab environment. Change this value to match your own DC, and also your DNS server if you change the primary DNS server after joining the domain.

# firewall-cmd --add-port=464/tcp --permanent
# firewall-cmd --add-port=464/udp --permanent
# firewall-cmd --add-port=3268/tcp --permanent
# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.3.5" port port=53 protocol=udp accept' --permanent
# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.3.5" port port=53 protocol=tcp accept' --permanent
# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.3.5" port port=389 protocol=udp accept' --permanent
# firewall-cmd --add-rich-rule='rule family=ipv4 source address="10.0.3.5" port port=389 protocol=tcp accept' --permanent
# firewall-cmd --reload

Without --permanent a rule is added only to the running firewall and is lost on the next reload or reboot; with it, the rule is written to the saved configuration only, which is why the final --reload is needed to activate it.
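As an added example (not part of the original wiki), the POSIX shell script below builds the same firewalld rules from a single DC address, applies them permanently, reloads, and checks that the DC-restricted rich rules are present in the saved configuration. The DC_IP default (the page's lab value 10.0.3.5), the function names valid_ipv4, dc_rule, apply_rules and verify_rules, and the way the rule set is grouped are assumptions taken from the commands above. firewalld prints rich rules with every value quoted, so quotes are stripped before comparison. Note that firewalld filters inbound traffic: these rules limit which hosts can reach the DNS and LDAP ports on the RHEL box, and do not affect the box's own outbound connections to the DC.

```shell
#!/bin/sh
# Added example, not from the original wiki page: parametrised version of the
# firewall-cmd commands above. Assumed names: DC_IP, valid_ipv4, dc_rule,
# apply_rules, verify_rules. 10.0.3.5 is the lab DC address from the page;
# override it with:  DC_IP=<your DC> ./ad-firewall.sh apply
DC_IP="${DC_IP:-10.0.3.5}"

# Ports opened to everyone on the page: kpasswd (464) and global catalog (3268).
OPEN_PORTS="464/tcp 464/udp 3268/tcp"
# Ports restricted to the DC address: DNS (53) and LDAP (389).
DC_PORTS="53/udp 53/tcp 389/udp 389/tcp"

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0-255)
# before it is spliced into a rule string.
valid_ipv4() {
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] && [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# dc_rule <ip> <port> <tcp|udp>: the rich rule text used on the page.
dc_rule() {
    printf 'rule family=ipv4 source address="%s" port port=%s protocol=%s accept\n' "$1" "$2" "$3"
}

# Write every rule to the saved configuration, then load it into the running
# firewall. Refuses to run with a malformed DC_IP.
apply_rules() {
    valid_ipv4 "$DC_IP" || { echo "refusing to apply rules: DC_IP='$DC_IP' is not an IPv4 address" >&2; return 1; }
    for p in $OPEN_PORTS; do
        firewall-cmd --permanent --add-port="$p"
    done
    for spec in $DC_PORTS; do
        firewall-cmd --permanent --add-rich-rule="$(dc_rule "$DC_IP" "${spec%/*}" "${spec#*/}")"
    done
    firewall-cmd --reload   # activate the saved (--permanent) configuration
}

# Check that every DC-restricted rule is present in the rich-rule listing read
# from stdin (normally: firewall-cmd --permanent --list-rich-rules).
# firewalld prints every value quoted, e.g. port port="53", so quotes are
# stripped from both sides before comparing. Returns 1 on the first missing rule.
verify_rules() {
    listing=$(tr -d '"')
    for spec in $DC_PORTS; do
        want=$(dc_rule "$DC_IP" "${spec%/*}" "${spec#*/}" | tr -d '"')
        case "$listing" in
            *"$want"*) ;;
            *) echo "missing rich rule: $want" >&2; return 1 ;;
        esac
    done
}

# ./ad-firewall.sh          -> print the rich rules that would be added
# ./ad-firewall.sh apply    -> add the rules permanently and reload
# ./ad-firewall.sh verify   -> confirm the saved configuration has them
case "${1:-show}" in
    apply)  apply_rules ;;
    verify) firewall-cmd --permanent --list-rich-rules | verify_rules && echo "all DC rich rules present" ;;
    *)      for spec in $DC_PORTS; do dc_rule "$DC_IP" "${spec%/*}" "${spec#*/}"; done ;;
esac
```

Run it with no argument first to review the generated rules, then with apply as root; verify reads the permanent configuration rather than the runtime one, so it catches rules that were added without --permanent.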

Installing Requisite Packages and Joining Domain:

Now that our firewall rules are configured, install all of the packages required for LDAP authentication using SSSD and realmd:

# yum -y install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation

Test your connection to the domain you'd like to join by using the realm discover <domain> command:

# realm discover domain.com

Join the existing domain using realm, in combination with the --user flag, to set the domain admin account we will use for authentication.

# realm join --user=cfloquet-adm domain.com
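After the join it is worth confirming what realm actually configured before handing the box over. The POSIX shell script below is an added example, not part of the original wiki: it parses realm list output for the domain's stanza and checks that the domain shows configured: kerberos-member with client-software: sssd, reporting the login-policy as well so the operator can see who the join allows to log in. The function names realm_field and check_join, and the sample realm list output (constructed here for the page's placeholder domain.com), are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: confirm that 'realm join'
# left the host configured as a Kerberos member using SSSD by parsing
# 'realm list' output. Assumed names: realm_field, check_join.
# The sample below is constructed in the format 'realm list' prints for a
# joined domain; domain.com is the placeholder domain used on the page.
SAMPLE_REALM_LIST=$(cat <<'EOF'
domain.com
  type: kerberos
  realm-name: DOMAIN.COM
  domain-name: domain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@domain.com
  login-policy: allow-realm-logins
EOF
)

# realm_field <domain> <key>: print the first value of <key> in the stanza
# for <domain> from 'realm list' output read on stdin. Stanzas start with an
# unindented domain line; their fields are indented "key: value" lines.
realm_field() {
    awk -v dom="$1" -v key="$2" '
        NF > 0 && substr($0, 1, 1) != " " { cur = $0; next }
        cur == dom && $1 == (key ":")      { print $2; exit }
    '
}

# check_join <domain>: return 0 only if the domain is configured as a
# kerberos-member with SSSD as the client software; report the login policy.
check_join() {
    out=$(cat)
    configured=$(printf '%s\n' "$out" | realm_field "$1" configured)
    client=$(printf '%s\n' "$out" | realm_field "$1" client-software)
    policy=$(printf '%s\n' "$out" | realm_field "$1" login-policy)
    if [ "$configured" != kerberos-member ]; then
        echo "$1: not joined (configured=${configured:-absent})" >&2
        return 1
    fi
    if [ "$client" != sssd ]; then
        echo "$1: client-software is ${client:-unset}, expected sssd" >&2
        return 1
    fi
    echo "$1: joined as kerberos-member via sssd, login-policy=${policy:-unset}"
}

# Run against the real host when realm is installed, otherwise against the sample.
if command -v realm >/dev/null 2>&1; then
    realm list | check_join "${DOMAIN:-domain.com}" || echo "inspect 'realm list' output before continuing" >&2
else
    printf '%s\n' "$SAMPLE_REALM_LIST" | check_join domain.com
fi
```

On a joined host run it as DOMAIN=your.domain ./check-join.sh; a non-zero exit means realm list does not show the domain as a kerberos-member backed by sssd, which is the state the rest of this guide assumes.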
