Joining a Linux server to a Windows AD

If you want to connect your Linux server to a Windows Active Directory you can use SSSD, which is fairly easy to set up.

First make sure the following ports are open on the firewall between the Linux server and the domain controller:

Service     Port        Protocol
DNS         53          UDP / TCP
LDAP        389         UDP / TCP
LDAP        636         UDP / TCP
Kerberos    88          UDP / TCP
Kerberos    445, 646    UDP / TCP
LDAP GC     3268        TCP
NTP         123         UDP

Install SSSD and the needed components (for Debian/Ubuntu use APT, for RHEL use YUM). The example below uses APT.

# apt install sssd sssd-client oddjob oddjob-mkhomedir samba-common-tools

Edit the config /etc/sssd/sssd.conf. In this config I use SERVER-01.meer-web.nl as the Linux host and AD-01.MEER-WEB.NL as the Active Directory domain controller. Note that I only allow members of the ‘wheel’ group to log in; adjust this to your own group(s). Make sure the file is readable by root only (mode 0600), otherwise SSSD refuses to start.

[sssd]
services=nss,pam,pac
domains=meer-web.nl
default_domain_suffix=meer-web.nl

[pam]
# days a user may keep logging in with cached credentials while the AD is unreachable
offline_credentials_expiration=2

[domain/meer-web.nl]
id_provider=ad
auth_provider=ad
# 'simple' access control: only the simple_allow_* lists below decide who may log in
access_provider=simple
chpass_provider=ad
cache_credentials=true
use_fully_qualified_names=false
ad_hostname=server-01.meer-web.nl
ad_server=ad-01.meer-web.nl
override_homedir=/home/%u
ldap_id_mapping=true
ldap_schema=ad
dyndns_update=false
dyndns_update_ptr=false
# GPO logon rights are only evaluated with access_provider=ad, so they play no role here
ad_gpo_access_control=disabled
ldap_sasl_authid=server-01$@meer-web.nl
simple_allow_groups=wheel
ignore_group_members=true
ldap_purge_cache_timeout=43200
subdomain_inherit=ignore_group_members,ldap_purge_cache_timeout

Now fire up SSSD by enabling and starting the service:

# systemctl enable sssd
# systemctl start sssd

Now join your domain using realm:

# realm join -v meer-web.nl -U meerwebuser
[Enter the password:]

SSSD should now have joined your AD; you can check the status using realm:

# realm list

Now go ahead and SSH in using your domain account!
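As an added check that is not part of the original post: the script below parses an sssd.conf like the one above (a constructed copy of this guide's settings is embedded) and reports the settings that decide who may log in, so a domain section that accidentally admits every AD user stands out before you open SSH to the domain.

```python
import configparser

# Constructed copy of the guide's sssd.conf (domain and settings as in the post).
GUIDE_CONF = """
[sssd]
services=nss,pam,pac
domains=meer-web.nl
[pam]
offline_credentials_expiration=2
[domain/meer-web.nl]
id_provider=ad
auth_provider=ad
access_provider=simple
cache_credentials=true
ad_gpo_access_control=disabled
simple_allow_groups=wheel
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Leading indentation is stripped first, because
    configparser would otherwise read indented keys as continuation lines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def audit_access_control(cp, domain):
    """Return (severity, message) findings about who this domain lets log in."""
    sect = cp[f"domain/{domain}"]
    findings = []
    provider = sect.get("access_provider", "permit")  # SSSD's default is permit
    if provider == "permit":
        findings.append(("error", "access_provider=permit: every AD user may log in"))
    elif provider == "simple":
        if not (sect.get("simple_allow_users") or sect.get("simple_allow_groups")):
            findings.append(("error", "simple provider without simple_allow_*: nobody is filtered"))
        findings.append(("info", "simple provider: GPO logon rights are not evaluated; "
                                 "simple_allow_groups must name AD groups, local groups are ignored"))
    elif provider == "ad" and sect.get("ad_gpo_access_control") == "disabled":
        findings.append(("warn", "ad_gpo_access_control=disabled: GPO logon rights are ignored"))
    if sect.getboolean("cache_credentials", fallback=False):
        # Default expiry of 0 means cached logins never expire while offline.
        days = cp["pam"].get("offline_credentials_expiration", "0") if cp.has_section("pam") else "0"
        if days == "0":
            findings.append(("warn", "cache_credentials=true with no offline_credentials_expiration"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_access_control(parse_sssd_conf(GUIDE_CONF), "meer-web.nl"):
        print(f"[{severity}] {msg}")
```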
