A customer recently asked that all of their (mostly) RHEL servers be integrated with their AD forest, so that every user accessing these systems could be controlled centrally, as a security enhancement.

So, to join a Red Hat system to Active Directory, we start by assuming that the server is already fully patched and that the user who will perform the domain join has sudo rights.

Next, install the packages below:

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

This results in adding 5 packages (or a few more) along with sssd’s dependencies.

On completion, execute the command below to join the system to the appropriate AD domain:

# realm join --user=domainuserwithjoinrights yourdomain.com

There is no confirmation of a successful join, so it is advised to verify that the join succeeded by executing the commands below:

# realm list
# systemctl status sssd

Then you can log in with a valid AD user account. The system creates the account’s home directory (via oddjob-mkhomedir) on the first successful login.

You can now manage this system from the Active Directory console (a corresponding computer object was already created during the join).

Extra care should be given to any GPO expected to apply to this computer object, as you may see warnings similar to the one below:

[Message from syslogd at Jun 11 12:22:01 …
sssd[be[yourdomain.com]:Group Policy Container with DN [cn={CD5BE783-3D11-4FDB-9807-B904FE79AD44},cn=policies,cn=system,DC=domain,DC=domain] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See ‘man ad_gpo_ignore_unreadable for details.’
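As an added post-join check (example code, not part of the original post), the script below verifies from `realm list` output that the host really is an sssd-backed Kerberos member of the domain, and pulls the GUID of every GPO that sssd reports as unreadable out of the journal so an AD admin can review that GPO's ACL before anyone reaches for ad_gpo_ignore_unreadable. The domain name, the realm output and the log line are constructed samples.

```shell
#!/bin/bash
# Added example: post-join checks for an AD-joined RHEL host. Not from the original
# post; DOMAIN, SAMPLE_REALM and SAMPLE_LOG are constructed placeholders.
DOMAIN="${DOMAIN:-yourdomain.com}"

# Succeeds only if `realm list` output shows DOMAIN joined as a Kerberos member
# with sssd as client software, i.e. what a successful `realm join` leaves behind.
realm_joined() {
    local out="$1" dom
    dom=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$out" | grep -qiE "^ *domain-name: *${dom}$" || return 1
    printf '%s\n' "$out" | grep -qE  "^ *configured: *kerberos-member$" || return 1
    printf '%s\n' "$out" | grep -qE  "^ *client-software: *sssd$"
}

# Reads sssd journal text on stdin and prints the GUID of every Group Policy
# Container reported as unreadable, one per line, so the GPO's ACL can be fixed
# (or ad_gpo_ignore_unreadable set knowingly, instead of silently losing policy).
unreadable_gpos() {
    grep -o 'Group Policy Container with DN \[cn={[^}]*}' \
        | sed 's/.*cn={//; s/}$//' | sort -u
}

# Constructed sample of `realm list` output after a successful join.
SAMPLE_REALM="yourdomain.com
  type: kerberos
  realm-name: YOURDOMAIN.COM
  domain-name: yourdomain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@yourdomain.com
  login-policy: allow-realm-logins"

# Constructed sample journal line carrying the GPO warning quoted in the post.
SAMPLE_LOG="sssd[be[yourdomain.com]]: Group Policy Container with DN [cn={CD5BE783-3D11-4FDB-9807-B904FE79AD44},cn=policies,cn=system,DC=domain,DC=domain] is unreadable or has unreadable or missing attributes."

# Live mode: run the same checks against the real host (requires realmd and sssd).
if [ "${1:-}" = "--live" ]; then
    realm_joined "$(realm list)" && echo "joined to $DOMAIN" || echo "NOT joined to $DOMAIN"
    systemctl is-active --quiet sssd && echo "sssd active" || echo "sssd NOT active"
    journalctl -u sssd --no-pager 2>/dev/null | unreadable_gpos | sed 's/^/unreadable GPO: /'
fi
```

Run it with `--live` on the joined host; without that flag it only defines the checks and the samples.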

Last modified: October 14, 2022
