
Joining an Oracle Linux Client to an Active Directory Domain

Joseph Holsten
Solutions Architect

I've managed Linux user accounts more ways than I can remember, and the best technique I've found is to use a little Windows. Active Directory can manage a handful of computers, users, and groups just as easily as it can manage thousands. And it's easy to set up.

Before You Begin

You need to have already set up an Active Directory service and launched the instance running Oracle Linux that you want to join to the domain. If you have yet to build your Active Directory service, the Creating Your Windows Active Directory Domain Servers in Oracle Cloud Infrastructure white paper has details to build it quickly and resiliently on Oracle Cloud Infrastructure.

On this instance, collect the following information:

Variable         What is it?                                                          Example
ip-address       Instance IP address                                                  10.0.0.14
hostname         Instance short hostname                                              unicorn-painter-998
domain           Instance domain name (and Active Directory realm)                    lilwoods.us
fqdn             Instance fully qualified domain name (for the preceding IP address)  unicorn-painter-998.lilwoods.us
dns-ip-address   Active Directory IP address                                          10.0.0.13
join-user        Active Directory user with permission to join the domain             mia427
admin-group      Active Directory group to be granted sudo access                     Unicorn-Admins

Process

  1. All the following commands require superuser, so escalate privileges to root:

    sudo -i
    
  2. Edit the /etc/resolv.conf file to use the Active Directory IP address ({dns-ip-address}) as its nameserver, removing any other nameserver records. Change the line from its default (nameserver 169.254.169.254) to:

    nameserver {dns-ip-address}

    Example (the Active Directory IP address from the table, not the instance's own address):

    nameserver 10.0.0.13
  3. Ensure that the /etc/hosts file has a record with the instance's ip-address, fqdn, and hostname by editing the top line of the file as follows:

    {ip-address} {fqdn} {hostname}
    

    Note: Oracle Cloud Infrastructure instances default to an FQDN and hostname that are generated from the instance name that is provided when the instance is created. Ensure that no other records exist for the instance's ip-address in the file.

    Example:

    10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998
    
  4. Install realmd, the tool used here to connect to Active Directory, together with the optional dependencies used alongside it (the SSSD identity service, the Kerberos client tools and libraries, and the Samba tools used during the join):

    yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools
  5. Discover the Active Directory realm (which is also the DNS domain):

    realm discover {domain}
    

    Example:

    realm discover lilwoods.us
    
  6. Join the Active Directory realm:

    realm join --verbose {domain} -U {join-user}
    

    Example:

    realm join --verbose lilwoods.us -U mia427@lilwoods.us
    

    Enter your admin password when prompted.

    When the Linux server is successfully joined to the managed domain, the following message is displayed:

    Successfully enrolled machine in realm
    
  7. Allow members of the {admin-group} group to have sudo permission by editing the sudoers file:

    visudo
    

    Navigate halfway down the file to the wheel group entry, and below it append an entry for the Active Directory group (prefixed with % because it is a group, and with the realm written in upper case as in the example). Add a comment describing the entry for future reference.

    # Allow users in the {admin-group} group to run all commands
    %{REALM}\\{admin-group} ALL=(ALL) ALL

    Example:

    # Allow users in the Unicorn-Admins group to run all commands
    %LILWOODS.US\\Unicorn-Admins ALL=(ALL) ALL
    
  8. Allow password authentication in the SSH service to accept credentials from Active Directory by editing the /etc/ssh/sshd_config file. Change PasswordAuthentication no to PasswordAuthentication yes.

  9. Restart sshd to apply configuration changes:

    systemctl restart sshd
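
    As an added example (not part of the original post), the following POSIX shell script checks the outcome of steps 2, 3 and 7 against the values from the table: exactly one nameserver pointing at the Active Directory address, exactly one /etc/hosts record for the instance address, and the sudoers entry for the admin group. The function names and the constructed sample files in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for steps 2, 3
# and 7 above. File paths are passed in so the checks can run against copies
# or constructed samples; parameter names follow the table of variables.

# check_resolv FILE DNS_IP: pass only if FILE has exactly one nameserver line and it is DNS_IP
check_resolv() {
    file=$1; ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    count=$(grep -c '^nameserver[[:space:]]' "$file" || true)
    [ "$count" -eq 1 ] || return 1
    grep -q "^nameserver[[:space:]]\{1,\}${ip_re}[[:space:]]*$" "$file"
}

# check_hosts FILE IP FQDN HOSTNAME: pass only if exactly one record exists for IP, mapping it to FQDN then HOSTNAME
check_hosts() {
    file=$1; ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    fqdn_re=$(printf '%s' "$3" | sed 's/\./\\./g'); host=$4
    count=$(grep -c "^${ip_re}[[:space:]]" "$file" || true)
    [ "$count" -eq 1 ] || return 1
    grep -q "^${ip_re}[[:space:]]\{1,\}${fqdn_re}[[:space:]]\{1,\}${host}[[:space:]]*$" "$file"
}

# sudoers_line DOMAIN GROUP: print the step 7 entry, with the realm upper-cased as in the example
sudoers_line() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$realm" "$2"
}

# Demo against constructed sample files (values taken from the table above).
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 10.0.0.13\n' > "$dir/resolv.conf"
    printf '10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998\n127.0.0.1 localhost\n' > "$dir/hosts"
    check_resolv "$dir/resolv.conf" 10.0.0.13 && echo "resolv.conf ok"
    check_hosts "$dir/hosts" 10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998 && echo "hosts ok"
    sudoers_line lilwoods.us Unicorn-Admins
    rm -rf "$dir"
}
demo
```

    Run it on the real files with check_resolv /etc/resolv.conf 10.0.0.13 and check_hosts /etc/hosts 10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998, substituting your own values from the table.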
    

And you're done! Your instance now has the following attributes:

  • Registered in Active Directory
  • Enabled SSH login access for users within Active Directory
  • Will generate home directory skeletons on new login
  • Enabled sudo access for users belonging to a group in Active Directory
  • Enabled Kerberos authentication from this instance
