Join CentOS 6 to Active Directory Domain

Posted on October 1, 2013 at 4:03 pm

Joining CentOS 6 or Red Hat Enterprise Linux 6 to an Active Directory domain is relatively simple.  While Active Directory is proprietary software developed by Microsoft, it is fairly ubiquitous in medium and large environments, so integrating Linux and Windows services is very common.  DNS has to be working properly before you start: you should be able to resolve mydomain.com using DNS.

First, we need to install winbind.  This is the Samba service that integrates user lookups, password authentication, and other important functions with Active Directory.

yum install samba-winbind

That command should install all the dependencies necessary.  The next step is to install the software needed for obtaining Kerberos tickets.  While not strictly necessary to join the domain initially (I believe), it makes troubleshooting a little easier.

yum install krb5-workstation

After those two packages are installed, you can run authconfig-tui to set up PAM and the other important config files automatically.  See the screenshots below for example settings.

[Screenshot: authconfig-tui, authentication configuration screen]

The above selections are appropriate.  "Use fingerprint reader" is not needed unless your workstation has a fingerprint reader.

[Screenshot: authconfig-tui, Winbind settings screen]

This stage is very important.  Security model should be set to ADS.  Domain should be the short name of the domain, without the top-level domain: if your domain looks like my.domain.com, then you should put "MY" in this field.  Domain controllers are the FQDNs of each domain controller you wish your system to use.  Unlike Windows, CentOS and RHEL 6 do not discover these automatically, so list them here, separating each domain controller with a space.  ADS realm should be the full name of your domain in ALL CAPS.  Template shell can be whichever you choose: if you want domain users to be able to log in by default, select one of the shells; if you want to disable SSH and local login by default, select /sbin/nologin.

Next, select Join Domain and enter your Domain Admin username and password in the boxes provided.  Enter just the username; do not enter any domain information here.
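As an added, constructed example (not part of the original post): the same settings the two authconfig-tui screens ask for, applied non-interactively with authconfig, preceded by checks for the three things the comments below report tripping over (a hostname still set to localhost, DNS resolution, and clock skew against the domain controller). It assumes a CentOS/RHEL 6 box with the host and ntpdate commands installed, takes the AD domain, the DC list, the template shell and the join account as arguments, and uses Kerberos' default 5-minute skew tolerance as the limit; all of those are my assumptions, not the author's.

```shell
#!/bin/sh
# Constructed example: derive the authconfig-tui field values from the AD domain,
# check the pitfalls seen in the comments, then join. Nothing runs unless the
# script is invoked as:  sh join-ad.sh --run my.domain.com "dc1.my.domain.com dc2.my.domain.com" /bin/bash Administrator

# "Domain" field: first label of the FQDN, upper-cased. my.domain.com -> MY
workgroup_from_fqdn() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# "ADS realm" field: the whole domain in ALL CAPS. my.domain.com -> MY.DOMAIN.COM
realm_from_fqdn() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The machine account and DNS record use this name; localhost.localdomain is not usable.
hostname_ok() {
    case "$1" in
        ""|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Kerberos rejects tickets when clocks differ by more than 300 s (assumed default).
skew_ok() {
    awk -v s="$1" 'BEGIN { if (s < 0) s = -s; exit !(s <= 300) }'
}

# Equivalent of the authconfig-tui Winbind screen, returned as a string for review.
build_authconfig_cmd() {
    printf 'authconfig --enablewinbind --enablewinbindauth --smbsecurity=ads'
    printf ' --smbworkgroup=%s --smbrealm=%s' "$(workgroup_from_fqdn "$1")" "$(realm_from_fqdn "$1")"
    printf ' --smbservers="%s" --winbindtemplateshell=%s --update\n' "$2" "$3"
}

if [ "${1:-}" = "--run" ]; then
    set -e
    domain=$2; servers=$3; shell=$4; admin=$5
    hostname_ok "$(hostname -f)" || { echo "set a real FQDN hostname first, not localhost" >&2; exit 1; }
    host "$domain" >/dev/null || { echo "cannot resolve $domain via DNS" >&2; exit 1; }
    dc1=${servers%% *}   # query the first DC's clock without adjusting ours
    offset=$(ntpdate -q "$dc1" | awk '{for(i=1;i<NF;i++) if($i=="offset"){o=$(i+1); gsub(/,/,"",o)}} END{print o+0}')
    skew_ok "$offset" || { echo "clock skew ${offset}s against $dc1; fix NTP before joining" >&2; exit 1; }
    yum -y install samba-winbind krb5-workstation
    eval "$(build_authconfig_cmd "$domain" "$servers" "$shell")"
    net ads join -U "$admin"            # prompts for the join account's password
    service winbind restart
    wbinfo -t && wbinfo -u | head -n 5  # trust secret valid, and domain users are visible
fi
```

If wbinfo -u lists users but logins still fail, check the template shell chosen above before looking anywhere else.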


  • Eddie G.

    Thank you SO much for this!…this is concise, straightforward, and to-the-point! JUST the way I sometimes NEED directions to be! I’ve looked up instructions for this elsewhere, and it seems there’s a lot of confusion on some of the steps…but you’ve described them in a way that I was able to replicate flawlessly!…I have now joined three CentOS boxes to the company’s Windows AD! (and in the process look like a “hero”!..LOL) Thanks so much dude!!

    • http://www.zipref.com Mike

      Eddie, you’re welcome, I’m glad the article helped you!

  • Chris

    I followed these steps and received the following message:
    kerberos_kinit_password CENTOS$@CORUSCANT.LOCAL failed: Clock skew too great
    No DNS domain configured for centos. Unable to perform DNS Update.
    DNS update failed!
    Starting Winbind services:
    You have new mail in /var/mail/root

    Does this indicate a failure to join the domain? How can we correct this?

    • http://www.zipref.com Mike

      It does not indicate a failure to join the domain. It means that CentOS could not automatically update DNS on the network with the server’s host name. This is normal in my experience, and creating a DNS entry is faster than me trying to find a fix (if it exists). :)

    • Paul

      Hey Chris,
      I hope you figured this out but in case not or for the next person w/ this issue:
      “failed: Clock skew too great”
      You need to ideally use 1 of your domain controllers as an NTP server. So that your centOS machine’s time and the AD servers are in sync. AD is very picky about the clock matching on objects trying to join it.

  • Chaman Rathee

    Hi Mike……

    pl help

    Error is :-
    root@localhost ~]# authconfig-tui
    [/usr/bin/net join -w ESSELSHYAM -S ESSERVER.ESSELSHYAM.NET -U chamanr.sw]
    Enter chamanr.sw’s password:
    Using short domain name — ESSELSHYAM
    Joined ‘LOCALHOST’ to dns domain ‘esselshyam.net’
    No DNS domain configured for localhost. Unable to perform DNS Update.
    DNS update failed!
    Starting Winbind services: [ OK ]

    • http://www.zipref.com Mike

      Everything looks good. The “Unable to perform DNS Update” is typical. Just add your DNS entry to AD manually.

      • Hashem Shoaib

        You must change your CentOS hostname from localhost.localdomain to pc.example.com; by default CentOS takes localhost.localdomain as the host name for the PC.

        I hope this works for you.

  • Praveen Upadhyay

    I have samba4 configured in CentOS 6.4. Now I want to install the CentOS desktop version 6.4 on my client PC. How do I add my client PC (CentOS 6.4) to the samba4 domain environment?

    • http://www.zipref.com Mike

      I’m sorry, I have not used samba4 as a PDC yet.

  • M Umar

    I have followed these steps; the domain is joined but Linux can’t authenticate Windows domain users. What is the reason?

  • nakul panwar

    Hi Mike,

    My Linux machine joined the domain but when I try to login using the AD credentials it says access denied.
    I got the below message when tried to join the domain:

    [/usr/bin/net join -w TESTLABAD -S WIN-FHN35C72197.TESTLABAD.COM -U Administrator]
    Enter Administrator’s password:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
    Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
    ADS join did not work, falling back to RPC…
    Enter Administrator’s password:

    Joined domain TESTLABAD.
    Starting Winbind services: [ OK ]
    [root@ansibleserver ~]# date

    Regards
    Nakul
