Joining Linux (RHEL) to Active Directory
All new RHEL machines should use Active Directory for authentication and, potentially, authorization. This document outlines the process by which an RHEL 7 or 8 machine can be added to UConn's Active Directory if the user has the necessary permissions.
Install packages.
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Set the hostname so that it ends with "grove.ad.uconn.edu".
hostnamectl set-hostname somethingunique.grove.ad.uconn.edu

If on RHEL 8, re-enable some deprecated crypto versions AD still uses. This lowers the system-wide crypto policy for every service on the host, not only the AD client.
update-crypto-policies --set LEGACY

Join the realm. You can find the distinguished name of the OU by going into Active Directory Users and Computers, finding the destination OU, and viewing its attributes under Properties.
realm join grove.ad.uconn.edu --user your_admin_account --computer-ou=OU=Distinguished,OU=Name,DC=grove,DC=ad,DC=uconn,DC=edu
Modify the domain section of /etc/sssd/sssd.conf.
use_fully_qualified_names = False
fallback_homedir = /home/%u

Add to the domain section of /etc/sssd/sssd.conf.
# This is used to improve group member lookup speed if a user is a member of a large number of groups.
ignore_group_members = true

Deny login for all.
realm deny --all

Give login access to groups or users.
realm permit -g your_group
realm permit your_user

Give sudo access to groups by adding to the sudoers file (edit it with visudo, which checks the syntax before saving).
%UCONN\\your_group ALL=(ALL) ALL
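As an added check after the last step (example code, not part of this page or of realmd/sssd), the script below reads an sssd.conf, confirms the domain section carries the settings from the steps above, and confirms that login is restricted to realm permit lists rather than open to the whole domain. The sample file and its your_group/your_user names are constructed, and the script assumes realmd's default behaviour of writing access_provider = simple with simple_allow_users/simple_allow_groups.

```shell
#!/bin/sh
# Audit of the sssd.conf domain section the steps above produce. Assumes the realmd defaults:
# `realm permit` writes access_provider = simple plus simple_allow_users/simple_allow_groups.
# Print the value of KEY from the first [domain/...] section of an sssd.conf file.
sssd_domain_get() {  # usage: sssd_domain_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//); next }
        in_dom && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Return 0 when FILE matches the end state of this procedure, 1 otherwise (one line per finding).
audit_sssd_conf() {  # usage: audit_sssd_conf FILE
    f=$1; rc=0
    [ "$(sssd_domain_get "$f" use_fully_qualified_names | tr 'A-Z' 'a-z')" = "false" ] \
        || { echo "use_fully_qualified_names is not False"; rc=1; }
    [ -n "$(sssd_domain_get "$f" fallback_homedir)" ] || { echo "fallback_homedir is not set"; rc=1; }
    [ "$(sssd_domain_get "$f" ignore_group_members | tr 'A-Z' 'a-z')" = "true" ] \
        || { echo "ignore_group_members is not true"; rc=1; }
    ap=$(sssd_domain_get "$f" access_provider)
    if [ "$ap" != "simple" ]; then
        # Without the simple access provider the realm deny/permit lists are not enforced.
        echo "access_provider is '${ap:-unset}': realm permit/deny rules not in effect"; rc=1
    elif [ -z "$(sssd_domain_get "$f" simple_allow_users)$(sssd_domain_get "$f" simple_allow_groups)" ]; then
        echo "no simple_allow_* entries: every login is denied"; rc=1
    fi
    return $rc
}

# Constructed sample (not copied from a real host) in the state the steps above leave it.
write_sample_conf() {  # usage: write_sample_conf FILE
    cat > "$1" <<'EOF'
[sssd]
domains = grove.ad.uconn.edu
[domain/grove.ad.uconn.edu]
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = true
access_provider = simple
simple_allow_groups = your_group
simple_allow_users = your_user
EOF
}

sample=$(mktemp); write_sample_conf "$sample"
audit_sssd_conf "$sample" && echo "sssd.conf matches the expected end state"
rm -f "$sample"
```

On a joined host, call audit_sssd_conf /etc/sssd/sssd.conf instead of the constructed sample.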