I’ve managed Linux user accounts more ways than I can remember, and the best technique I’ve found is to use a little Windows. Active Directory can manage a handful of computers, users, and groups just as easily as it can manage thousands. And it’s easy to set up.
Before You Begin
You need to have already set up an Active Directory service and launched the instance running Oracle Linux that you want to join to the domain. If you have yet to build your Active Directory service, the Creating Your Windows Active Directory Domain Servers in Oracle Cloud Infrastructure white paper has details to build it quickly and resiliently on Oracle Cloud Infrastructure.
On this instance, collect the following information:
| Variable | What is it? | Example |
|---|---|---|
| ip-address | Instance IP address | 10.0.0.14 |
| hostname | Instance short hostname | unicorn-painter-998 |
| domain | Instance domain name (and Active Directory realm) | lilwoods.us |
| fqdn | Instance fully qualified domain name (for the preceding IP address) | unicorn-painter-998.lilwoods.us |
| dns-ip-address | Active Directory IP address | 10.0.0.13 |
| join-user | Active Directory user with permission to join the domain | mia427 |
| admin-group | Active Directory group to be granted sudo access | Unicorn-Admins |
Process
1. All the following commands require superuser, so escalate privileges to root:

   ```
   sudo -i
   ```

2. Edit the /etc/resolv.conf file to use the Active Directory IP address as its nameserver, removing any other nameserver records. Change the line from its default (`nameserver 169.254.169.254`) to:

   ```
   nameserver {dns-ip-address}
   ```

   Example:

   ```
   nameserver 10.0.0.13
   ```

3. Ensure that the /etc/hosts file has a record with the instance's ip-address, fqdn, and hostname by editing the top line of the file as follows:

   ```
   {ip-address} {fqdn} {hostname}
   ```

   Note: Oracle Cloud Infrastructure instances default to an FQDN and hostname that are generated from the instance name provided when the instance is created. Ensure that no other records exist for the instance's ip-address in the file.

   Example:

   ```
   10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998
   ```

4. Install the following packages: realmd, the tool we'll be using to connect to Active Directory, and the optional dependencies we will use with it:

   ```
   yum -y install realmd sssd krb5-workstation krb5-libs samba-common-tools
   ```

5. Discover the Active Directory realm (which is also the DNS domain):

   ```
   realm discover {domain}
   ```

   Example:

   ```
   realm discover lilwoods.us
   ```

6. Join the Active Directory realm:

   ```
   realm join --verbose {domain} -U {join-user}
   ```

   Example:

   ```
   realm join --verbose lilwoods.us -U mia427@lilwoods.us
   ```

   Enter the join-user's password when prompted. When the Linux server is successfully joined to the managed domain, the following message is displayed:

   ```
   Successfully enrolled machine in realm
   ```

7. Allow members of the admin-group to have sudo permission by editing the sudoers file:

   ```
   visudo
   ```

   Navigate halfway down the file to the wheel group entry, and below it append the Active Directory group to the sudoers configuration, with a comment for future reference. The group name is prefixed with `%`, and the backslash between realm and group is doubled because sudoers treats a single backslash as an escape character:

   ```
   # Allow users in the admin group to run all commands
   %{REALM}\\{admin-group} ALL=(ALL) ALL
   ```

   Example:

   ```
   # Allow users in the Unicorn-Admins group to run all commands
   %LILWOODS.US\\Unicorn-Admins ALL=(ALL) ALL
   ```

8. Allow password authentication in the SSH service to accept credentials from Active Directory by editing the /etc/ssh/sshd_config file. Change `PasswordAuthentication no` to `PasswordAuthentication yes`.

9. Restart sshd to apply configuration changes:

   ```
   systemctl restart sshd
   ```
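As an added example that is not part of the original post, the script below performs static pre-flight checks on the four files the steps above edit, using the table's values, so that a typo in resolv.conf, /etc/hosts, sudoers or sshd_config is caught before `realm join` and before sshd is restarted. The `check_*` function names are mine; each takes the file to inspect as its first argument, so it can be pointed at the live /etc files or at staged copies, and the sample files at the bottom are constructed from the table.

```shell
#!/bin/sh
# Added example (not from the original post): static pre-flight checks for the
# files edited in the steps above. Run them before `realm join` and before
# `systemctl restart sshd`, so a typo in sudoers or sshd_config cannot lock
# you out. Each check takes the file to inspect plus the expected values from
# the table, exits 0 on success and prints nothing.

# Exactly one nameserver line, and it must be the AD DNS server.
check_resolv() {  # $1=file  $2=dns-ip-address
    [ "$(grep -E '^nameserver[[:space:]]' "$1" | awk '{print $2}')" = "$2" ]
}

# ip-address occurs on one line only, mapping to "fqdn hostname" in that order.
check_hosts() {  # $1=file  $2=ip-address  $3=fqdn  $4=hostname
    [ "$(grep -c -E "^$2[[:space:]]" "$1")" -eq 1 ] &&
        grep -q -E "^$2[[:space:]]+$3[[:space:]]+$4([[:space:]]|$)" "$1"
}

# The AD group rule needs the % group prefix, and sudoers requires the
# backslash in REALM\group to be doubled, so the file holds a literal "\\".
check_sudoers() {  # $1=file  $2=realm (upper case)  $3=admin-group
    grep -q -F "%$2\\\\$3 ALL=(ALL) ALL" "$1"
}

# sshd honours only the first PasswordAuthentication directive it reads.
check_sshd() {  # $1=file
    first=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" |
        head -n 1 | awk '{print tolower($2)}')
    [ "$first" = "yes" ]
}

# Stand-alone demo on constructed copies using the table's example values.
demo_dir=$(mktemp -d)
printf 'nameserver 10.0.0.13\n' > "$demo_dir/resolv.conf"
printf '10.0.0.14 unicorn-painter-998.lilwoods.us unicorn-painter-998\n' \
    > "$demo_dir/hosts"
printf '%%LILWOODS.US\\\\Unicorn-Admins ALL=(ALL) ALL\n' > "$demo_dir/sudoers"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config"

check_resolv "$demo_dir/resolv.conf" 10.0.0.13 && echo "resolv.conf: OK"
check_hosts "$demo_dir/hosts" 10.0.0.14 unicorn-painter-998.lilwoods.us \
    unicorn-painter-998 && echo "hosts: OK"
check_sudoers "$demo_dir/sudoers" LILWOODS.US Unicorn-Admins && echo "sudoers: OK"
check_sshd "$demo_dir/sshd_config" && echo "sshd_config: OK"
rm -rf "$demo_dir"
```

sudoers matches groups by the name NSS resolves, so after the join compare the entry with the group names `id mia427@lilwoods.us` reports on the host.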
And you’re done! Your instance now has the following attributes:
- Registered in Active Directory
- Enabled SSH login access for users within Active Directory
- Will generate home directory skeletons on new login
- Enabled sudo access for users belonging to a group in Active Directory
- Enabled Kerberos authentication from this instance
