How to Join a Linux Server to an Active Directory Domain

In this guide, we introduce Active Directory, explain how it works and what it offers, and then show how to join a Linux server to an Active Directory domain using realmd and SSSD.

As organizations grow, so does the need to manage network resources centrally. Active Directory is Microsoft's answer: a directory service shipped with Windows Server that lets administrators manage user accounts, group policies, and network resources from one place. Centralizing authentication and authorization makes it simpler to decide who may access what, which helps protect the organization's resources.

Let’s start the article How to Join a Linux Server to an Active Directory Domain.

What is Active Directory Domain?

Active Directory was introduced by Microsoft as the directory service for Windows-based networks. It keeps a database of user accounts, computers, groups, and other resources, and provides the authentication, lookup, and policy services built on top of that database.

  • Based on users' roles and responsibilities, it lets administrators monitor and control access to these resources.
  • Active Directory is a client-server system: the domain controllers are the authoritative repository for user and resource data.
  • Users sign in to their PCs and other devices with their domain credentials, which a domain controller verifies.
  • Administrators manage accounts and access rights centrally instead of on each device.

Benefits of Active Directory Domain

Organizations using Active Directory Domain gain access to several advantages. Let’s look at some of the advantages:

Single Sign On

Active Directory supports Single Sign-On (SSO): users log in once and can then reach every resource they are entitled to without re-entering credentials. This reduces password fatigue and improves productivity.

Integration with other Microsoft services

Active Directory is the identity backbone for the rest of the Microsoft ecosystem. Windows clients, file and print services, Exchange, SQL Server, and many third-party applications authenticate and authorize against it, and it can be synchronized with Microsoft's cloud identity services, so a single set of accounts and groups serves the whole environment.

Simplified Management of Resources

Active Directory gives administrators one place to manage resources such as users, computers, printers, and network shares. Managing them centrally takes less time and effort and keeps configuration consistent across the organization.

Multi factor Authentication

Multi-factor authentication adds a second layer of security by requiring more than one proof of identity, such as a password together with a security token. Active Directory supports smart-card (certificate-based) logon natively, and other second factors through integrations such as AD FS or third-party providers.

Delegation of Administration

With Active Directory Domain, administrators assign administrative responsibilities to specific users or groups. In turn, other teams can handle their resources more skilfully, which lessens the workload of the central IT team.

How does Active Directory Domain work?

Active Directory is built on domain trees: one or more domains arranged in a hierarchy. Within a domain, organizational units (OUs) let administrators group resources and apply policies to particular sets of users or computers; each domain can contain many OUs.

  • When a user logs in to a device, the device sends the user's credentials to a domain controller for verification.
  • If the credentials are valid, the domain controller (acting as the Kerberos Key Distribution Center) issues the device a ticket-granting ticket; the device then uses it to obtain service tickets for individual network resources without re-sending the password.

How to Join a Linux Server to an Active Directory Domain

In this section, we explain how to join a Linux server to Active Directory Domain.

Prerequisites

  • A Windows server with an Active Directory domain controller installed and configured.
  • The password of a domain account that is allowed to join computers to the domain (the examples below use the domain administrator).
  • The Linux server can reach the domain controller over the network and use it as its DNS server.
  • The Linux server's clock is synchronized with the domain; Kerberos rejects tickets when clocks differ by more than five minutes.

Setting Up a System Hostname

First, give your Linux server a fully qualified hostname inside your domain. Set it with the following command.

				
					hostnamectl set-hostname ubuntu.exampledomain.com
				
			

After setting the hostname, verify it with the following command.

				
					hostnamectl
				
			

The output lists the new static hostname.

Once you are done, proceed to the next step.

Install Required Packages on Linux

Several packages are needed to join the server to an Active Directory domain: realmd to discover and join the domain, SSSD (with its NSS and PAM modules) to resolve and authenticate domain users, adcli and the Samba tools for the join itself, and oddjob-mkhomedir to create home directories. Install them all with the following command.

				
					apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
				
			

After installing the packages, point the server's DNS resolver at your Active Directory DNS server. realmd locates domain controllers through the SRV records that Active Directory publishes in DNS, so this step is required. On Ubuntu, /etc/resolv.conf is generated by systemd-resolved and hand edits are overwritten; on such systems set the DNS server with resolvectl or in your netplan configuration instead. Where /etc/resolv.conf is a plain file, edit it directly.

				
					nano /etc/resolv.conf
				
			

Add your domain controller's IP address as the nameserver, as shown below.

				
					nameserver your-windows-server-ip
				
			

Save and close the file when you are done.

Join a Linux Server to Active Directory Domain

Before joining to Active Directory Domain, see help information of the realm command with the following command.

				
					realm join --help
				
			

The output lists all available options.

Next, discover your Active Directory Domain with the following command.

				
					realm discover exampledomain.com
				
			

If DNS is working, the output shows the domain, its Kerberos realm name, the server software (active-directory), and the client software (sssd) that realmd will configure. If the domain is not found, fix DNS before continuing.

Finally, run the following command to join a Linux server to Active Directory Domain.

				
					realm join -U administrator exampledomain.com
				
			

You are prompted for the password of the account named with -U; realmd uses it to create the computer object in the domain and to fetch the host keytab. By default, any domain user may join a limited number of computers, but in production prefer a dedicated join account that has been delegated only the right to create computer objects in the target OU, rather than the domain administrator. On success the command returns without output.

To verify your domain, run the following command.

				
					realm list
				
			

realm list prints the domain information, including the login format that domain users must use on this server.

				
					exampledomain.com
type: kerberos
realm-name: EXAMPLEDOMAIN.COM
domain-name: exampledomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@exampledomain.com
login-policy: allow-realm-logins
				
			

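The whole procedure above as one script, with the checks a practitioner would run before and after the join. This is an added example, not code from the original article. The domain exampledomain.com, the short hostname ubuntu, the domain controller address 192.0.2.10 and the join account administrator are assumed placeholders; the password is taken from the JOIN_PASSWORD environment variable so it never appears on the command line.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-flight checks and
# an unattended join for the procedure above. Every name and address here
# is an assumed placeholder; replace them before running. The check
# functions run unprivileged; the join itself runs as root:
#   JOIN_PASSWORD='...' sudo -E sh join-ad.sh --join
set -u

AD_DOMAIN="exampledomain.com"   # assumed, from the article's example
HOST_SHORT="ubuntu"             # assumed
AD_DNS_IP="192.0.2.10"          # assumed (documentation address range)
JOIN_USER="administrator"       # assumed; prefer an account delegated only
                                # the right to create computer objects

# Succeeds when HOST is a fully qualified name inside DOMAIN, e.g.
# ubuntu.exampledomain.com inside exampledomain.com.
fqdn_in_domain() {
    host="$1"; domain="$2"
    stem="${host%".${domain}"}"
    [ "$stem" != "$host" ] && [ -n "$stem" ]
}

# The Kerberos realm AD uses is the DNS domain name in upper case.
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The host principal that a successful join writes into /etc/krb5.keytab.
host_principal() {
    printf 'host/%s.%s@%s' "$1" "$2" "$(realm_for_domain "$2")"
}

# AD publishes its domain controllers as DNS SRV records; if the resolver
# cannot see them, realm discover and realm join cannot find a DC either.
check_ad_dns() {
    for rec in _ldap._tcp.dc._msdcs _kerberos._tcp; do
        if [ -z "$(dig +short SRV "${rec}.$1")" ]; then
            echo "no SRV record for ${rec}.$1" >&2
            return 1
        fi
    done
}

do_join() {
    : "${JOIN_PASSWORD:?set JOIN_PASSWORD in the environment, not on the command line}"
    fqdn="${HOST_SHORT}.${AD_DOMAIN}"
    fqdn_in_domain "$fqdn" "$AD_DOMAIN" || { echo "hostname $fqdn is not inside $AD_DOMAIN" >&2; return 1; }
    hostnamectl set-hostname "$fqdn"

    # On Ubuntu /etc/resolv.conf is generated by systemd-resolved and hand
    # edits are overwritten; point the resolver at the DC through resolvectl
    # when it exists and fall back to writing the file otherwise.
    if command -v resolvectl >/dev/null 2>&1; then
        iface="$(ip -o route get "$AD_DNS_IP" | sed -n 's/.* dev \([^ ]*\).*/\1/p')"
        resolvectl dns "$iface" "$AD_DNS_IP"
        resolvectl domain "$iface" "$AD_DOMAIN"
    else
        printf 'nameserver %s\nsearch %s\n' "$AD_DNS_IP" "$AD_DOMAIN" > /etc/resolv.conf
    fi
    check_ad_dns "$AD_DOMAIN" || return 1

    # Kerberos rejects tickets when clocks differ by more than five minutes.
    timedatectl set-ntp true

    apt-get -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli \
        samba-common-bin oddjob oddjob-mkhomedir packagekit

    realm discover "$AD_DOMAIN" || return 1
    # --unattended makes realm read the password from stdin instead of a tty.
    printf '%s' "$JOIN_PASSWORD" | realm join --unattended -U "$JOIN_USER" "$AD_DOMAIN" || return 1

    # Create home directories on first login: the article's pam_mkhomedir
    # profile, written if missing and enabled without the interactive dialog.
    if [ ! -f /usr/share/pam-configs/mkhomedir ]; then
        printf 'Name: activate mkhomedir\nDefault: yes\nPriority: 900\nSession-Type: Additional\nSession:\n\trequired\tpam_mkhomedir.so umask=0022 skel=/etc/skel\n' \
            > /usr/share/pam-configs/mkhomedir
    fi
    pam-auth-update --enable mkhomedir

    # Verify the join: the keytab must hold the host principal, sssd must be
    # running, and its configuration must not be readable by other users.
    klist -k /etc/krb5.keytab | grep -q "$(host_principal "$HOST_SHORT" "$AD_DOMAIN")" || return 1
    systemctl is-active --quiet sssd || return 1
    [ "$(stat -c %a /etc/sssd/sssd.conf)" = "600" ] || return 1
    realm list
}

if [ "${1:-}" = "--join" ]; then
    do_join
fi
```

The DNS check runs before anything is installed because a missing `_ldap._tcp.dc._msdcs` record is the most common reason `realm discover` finds nothing. The keytab check at the end is the quickest way to confirm that the machine account really exists in the domain: without the `host/` principal, domain users can still be looked up but cannot authenticate.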
Login to Active Directory Domain from Linux

On Red Hat based systems, realmd enables automatic creation of the user's home directory at first login. On Ubuntu and Debian based systems, you need to enable this yourself; otherwise a domain user's first login succeeds but lands in a missing home directory.

Enable this by editing the /usr/share/pam-configs/mkhomedir file.

				
					nano /usr/share/pam-configs/mkhomedir
				
			

The file should contain the following profile (create it with this content if it does not exist).

				
					Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel

				
			

Save and close the file then update the file with the following command.

				
					pam-auth-update
				
			

In the dialog that appears, the mkhomedir profile is already selected; press Enter to apply the changes. Then restart the sssd service so that it picks up the new configuration.

				
					systemctl restart sssd
				
			

Also verify the status of sssd service with the following command.

				
					systemctl status sssd
				
			

Now log out of your Linux server and log in again as a domain user, using the login format that realm list reported (for example administrator@exampledomain.com).

After the successful authentication, verify the UID of the administrator user using the following command.

				
					id administrator
				
			

The output shows the UID and the group memberships that SSSD maps from the domain; the large numeric IDs are generated by SSSD from the account's SID.

				
					uid=1023418957(administrator@exampledomain.com) gid=1024561257(domain users@exampledomain.com) groups=1024561257(domain users@exampledomain.com)
				
			

Control Domain User Access

You can also control and limit which domain users may log in using the realm command line tool; realmd writes these rules into SSSD's access control configuration. If you want to allow only the user hitesh to log in over SSH and on the console, run the following command.

				
					realm permit hitesh@exampledomain.com
				
			

To grant access to every member of the sysadmins group, run the following command.

				
					realm permit -g sysadmins@exampledomain.com
				
			

If you want to permit all users, run the following command.

				
					realm permit --all
				
			

To deny all domain users, run the following command. A sensible policy is to start with realm deny --all and then permit only the users and groups that need a login on this server.

				
					realm deny --all
				
			

You can also grant sudo privileges to domain users so that they can perform administrative tasks. Do this by creating a file in /etc/sudoers.d rather than editing /etc/sudoers itself.

				
					nano /etc/sudoers.d/domain_admins
				
			

Add the following lines to grant sudo privileges to the user hitesh and to the group group1. Use the fully qualified names that realm list reported, and backslash-escape any spaces in a group name (for example %domain\ admins@exampledomain.com).

				
					hitesh@exampledomain.com ALL=(ALL) ALL
%group1@exampledomain.com ALL=(ALL) ALL
				
			

Save and close the file when you are finished.
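The access policy and sudoers steps above as one script, added here as an example that is not part of the original article. It assumes the domain exampledomain.com, the user hitesh and the groups sysadmins and group1 from the text; the sudoers fragment is checked with visudo before it is installed, since a syntax error in /etc/sudoers.d can lock every administrator out of sudo.

```shell
#!/bin/sh
# Added example, not code from the original article: apply a login
# allow-list with realm and install a least-privilege sudoers fragment for
# domain principals. Names are assumed placeholders from the article.
# Run as root:  sudo sh domain-access.sh --apply
set -u

AD_DOMAIN="exampledomain.com"                  # assumed
SUDOERS_FILE="/etc/sudoers.d/domain_admins"    # path used in the article

# A domain user in sudoers form: hitesh -> hitesh@exampledomain.com
sudoers_user() {
    printf '%s@%s' "$1" "$2"
}

# A domain group in sudoers form. Spaces in AD group names must be
# backslash-escaped: "domain admins" -> %domain\ admins@exampledomain.com
sudoers_group() {
    printf '%%%s@%s' "$(printf '%s' "$1" | sed 's/ /\\ /g')" "$2"
}

# One sudoers rule. $1 is a principal from the helpers above, $2 the
# command list it may run as root (ALL for unrestricted access).
sudoers_line() {
    printf '%s ALL=(root) %s\n' "$1" "$2"
}

# Read a fragment on stdin, validate it with visudo, then install it with
# the 0440 root:root permissions sudo requires. Never write to the live
# path first: a broken fragment disables sudo for everyone.
install_sudoers() {
    tmp="$(mktemp)"
    cat > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$1"
        rm -f "$tmp"
    else
        echo "refusing to install invalid sudoers fragment" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Start closed, then permit only the user and group from the article.
apply_access_policy() {
    realm deny --all
    realm permit "hitesh@${AD_DOMAIN}"
    realm permit -g "sysadmins@${AD_DOMAIN}"
    # realm list now reports login-policy: allow-permitted-logins together
    # with the permitted users and groups.
    realm list | grep -E 'login-policy|permitted-'
}

# hitesh keeps the article's unrestricted rule; group1 is limited to the
# commands it actually needs, which is the form to prefer in practice.
write_domain_sudoers() {
    {
        sudoers_line "$(sudoers_user hitesh "$AD_DOMAIN")" 'ALL'
        sudoers_line "$(sudoers_group group1 "$AD_DOMAIN")" \
            '/usr/bin/systemctl restart sssd, /usr/bin/journalctl -u sssd'
    } | install_sudoers "$SUDOERS_FILE"
    # Show what sudo will actually grant the user after the change.
    sudo -l -U "$(sudoers_user hitesh "$AD_DOMAIN")"
}

if [ "${1:-}" = "--apply" ]; then
    apply_access_policy && write_domain_sudoers
fi
```

`realm permit` and `realm deny` only decide who may log in; sudo rights come solely from the sudoers fragment, so a user removed from the allow-list keeps no residual root access once they can no longer log in, and a user added to group1 gets only the two listed commands.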

Thank you for reading How to Join a Linux Server to an Active Directory Domain.

How to Join a Linux Server to an Active Directory Domain Conclusion

In this post, we joined a Linux server to an Active Directory domain using realmd and SSSD, enabled home directory creation, and restricted which domain users may log in and use sudo. Domain users can now log in to the Linux server while their accounts are managed centrally in the directory.

Finally, Active Directory Domain enables efficient management and security of an organization’s IT infrastructure. It provides a central location for user accounts, computers, and other resources and allows administrators to control who has access to what based on the users’ roles and responsibilities. Lastly, Active Directory Domain is an essential component of every company’s IT architecture because of its centralized management, access control, security features, scalability, and group policy.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
