Join CentOS 6 to Active Directory Domain

Posted on October 1, 2013 at 4:03 pm

Joining CentOS 6 or Red Hat Enterprise Linux 6 to an Active Directory domain is relatively simple. While Active Directory is proprietary software developed by Microsoft, it is fairly ubiquitous in medium and large environments, so integrating Linux and Windows services is very common today. DNS has to be working properly before you start: you should be able to resolve your AD domain name (for example, mydomain.com) using DNS.

First, we need to install winbind.  This is the Samba service that integrates users, passwords, and other important functions with Active Directory.

yum install samba-winbind

That command should install any and all dependencies necessary. The next step is to install the software needed for initializing Kerberos tickets. While not strictly necessary to join the domain initially (I believe), it makes troubleshooting a little easier.

yum install krb5-workstation

After those two packages are installed, you can run authconfig-tui to automatically set up PAM and the other important config files. See the screenshots below for example settings.

authconfig-tui

The above selections are appropriate.  Use fingerprint reader is not needed unless your workstation has a fingerprint reader.

[Screenshot: authconfig-tui Winbind settings]

This stage is very important. Security model should be set to ADS. Domain should be the name of the domain without the top-level domain: if your domain looks like my.domain.com, put "MY" in this field. Domain controllers are the FQDNs of each domain controller you wish your system to use; unlike Windows, CentOS and RHEL 6 do not discover them automatically, so list each one, separated by a space. ADS realm should be the full name of your domain in ALL CAPS. Template shell can be whichever you choose: if you want domain users to be able to log in by default, select one of the shells; if you want to disable SSH/local login by default, select /sbin/nologin.

Next, select Join Domain and enter your Domain Admin username and password in the boxes provided. Enter just the username; do not enter any domain information here.
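As an added example (not code from the original post), the script below checks a Samba [global] section against the settings just described (ADS security model, short domain name, upper-case realm, explicitly listed domain controllers) and checks clock skew against the 300-second Kerberos default behind the "Clock skew too great" error raised in the comments below. The smb.conf contents, domain names and host names are constructed for the example.

```shell
#!/bin/sh
# Preflight checks for the winbind/ADS settings described above (example code, not from the post).
# Sample [global] section in the shape authconfig-tui writes; constructed for this example.
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
   workgroup = MY
   security = ads
   realm = MY.DOMAIN.COM
   password server = dc1.my.domain.com dc2.my.domain.com
   template shell = /sbin/nologin
   winbind use default domain = false
EOF
)

# smb_get CONTENT KEY: print the trimmed value of KEY from the [global] section.
smb_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        /^\[/ { insec = ($0 == "[global]"); next }
        insec {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }'
}

# check_ads_config CONTENT: return 0 when the section matches the settings the post
# calls for; otherwise print each problem and return 1.
check_ads_config() {
    conf=$1; rc=0
    [ "$(smb_get "$conf" security)" = "ads" ] || { echo "security model must be ads"; rc=1; }
    realm=$(smb_get "$conf" realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "ADS realm must be the full domain name in ALL CAPS"; rc=1; }
    case "$(smb_get "$conf" workgroup)" in
        ""|*.*) echo "domain must be the short name, without the top-level domain"; rc=1 ;;
    esac
    [ -n "$(smb_get "$conf" 'password server')" ] \
        || { echo "list at least one domain controller FQDN; RHEL/CentOS 6 does not discover them"; rc=1; }
    return $rc
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH: MIT Kerberos tolerates 300 s of skew by default;
# beyond that the join fails with "Clock skew too great" (see the comments below).
# Feed it `date +%s` from the workstation and the equivalent from a domain controller.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le 300 ]
}
check_ads_config "$SAMPLE_SMB_CONF" && echo "smb.conf [global] settings match the post"
```

To run it against a real system, replace SAMPLE_SMB_CONF with `$(cat /etc/samba/smb.conf)` after authconfig-tui has written the file.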


9 Comments

  • Eddie G.

    04/12/2013

    Thank you SO much for this! This is concise, straightforward, and to-the-point, JUST the way I sometimes NEED directions to be! I've looked up instructions for this elsewhere, and it seems there's a lot of confusion on some of the steps, but you've described them in a way that I was able to replicate flawlessly! I have now joined three CentOS boxes to the company's Windows AD! (and in the process look like a "hero"! LOL) Thanks so much dude!!

    • Mike

      04/12/2013

      Eddie, you’re welcome, I’m glad the article helped you!

  • Chris

    22/03/2014

    I followed these steps and received the following message:
    kerberos_kinit_password CENTOS$@CORUSCANT.LOCAL failed: Clock skew too great
    No DNS domain configured for centos. Unable to perform DNS Update.
    DNS update failed!
    Starting Winbind services:
    You have new mail in /var/mail/root

    Does this indicate a failure to join the domain? How can we correct this?

    • Mike

      28/03/2014

      It does not indicate a failure to join the domain. It means that CentOS could not automatically update DNS on the network with the server’s host name. This is normal in my experience, and creating a DNS entry is faster than me trying to find a fix (if it exists). :)

    • Paul

      14/04/2014

      Hey Chris,
      I hope you figured this out but in case not or for the next person w/ this issue:
      “failed: Clock skew too great”
      Ideally, you need to use one of your domain controllers as an NTP server, so that your CentOS machine's time and the AD servers' time are in sync. AD is very picky about the clock matching on objects trying to join it.

  • Chaman Rathee

    14/05/2014

    Hi Mike,

    Please help.

    The error is:
    root@localhost ~]# authconfig-tui
    [/usr/bin/net join -w ESSELSHYAM -S ESSERVER.ESSELSHYAM.NET -U chamanr.sw]
    Enter chamanr.sw’s password:
    Using short domain name — ESSELSHYAM
    Joined ‘LOCALHOST’ to dns domain ‘esselshyam.net’
    No DNS domain configured for localhost. Unable to perform DNS Update.
    DNS update failed!
    Starting Winbind services: [ OK ]

    • Mike

      14/05/2014

      Everything looks good. The “Unable to perform DNS Update” is typical. Just add your DNS entry to AD manually.

  • Praveen Upadhyay

    24/05/2014

    I have samba4 configured on CentOS 6.4. Now I want to install the CentOS 6.4 desktop version on my client PC. How do I add my client PC (CentOS 6.4) to the samba4 domain environment?

    • Mike

      27/05/2014

      I’m sorry, I have not used samba4 as a PDC yet.
