Introduction
Joining an Active Directory (AD) domain in Fedora 40 involves configuring the system to authenticate and manage resources using Microsoft's Active Directory services. This integration enables centralized management of users, groups, and policies, ensuring a seamless and secure working environment.
Overview
What
Joining an Active Directory (AD) domain in Fedora 40 involves configuring the system to authenticate and manage resources using Microsoft's Active Directory services. This enables centralized management of users, groups, and policies.
Who
This guide is intended for system administrators, IT professionals, and organizations that need to integrate Fedora 40 systems into an existing Active Directory domain environment for centralized management and authentication.
Where
You can join an Active Directory domain on any machine running Fedora 40, whether it's a server, desktop, or virtual machine, to enable domain-based authentication and management.
When
Join an Active Directory domain when you need to integrate Fedora 40 systems into an existing AD environment for centralized management of user accounts, access control, and policies.
Why
Joining an Active Directory domain in Fedora 40 has several pros and cons:
| Pros | Cons |
|---|---|
How
Follow these steps to join an Active Directory domain in Fedora 40:

| Step | Action |
|---|---|
| Step 1 | Ensure the system's hostname is set correctly. |
| Step 2 | Install the required packages: sudo dnf install realmd samba samba-common oddjob oddjob-mkhomedir sssd |
| Step 3 | Discover the AD domain: sudo realm discover [domain] |
| Step 4 | Join the AD domain: sudo realm join --user=[administrator] [domain] |
| Step 5 | Configure SSSD for domain users: edit /etc/sssd/sssd.conf if necessary. |
| Step 6 | Start and enable the SSSD service: sudo systemctl start sssd && sudo systemctl enable sssd |
| Step 7 | Verify domain membership and domain user login. |
Consequences
Joining an Active Directory domain can have several consequences:
| Positive | Negative |
|---|---|
Conclusion
Joining an Active Directory domain in Fedora 40 is essential for organizations that need centralized management of users and resources. While it offers significant advantages in terms of security, policy enforcement, and ease of management, it also requires careful configuration and maintenance to ensure smooth operation and minimize potential issues.
Join a Windows Active Directory domain with realmd. This example is based on the following environment:

Domain Server : Windows Server 2022
Domain Name : bizantum.lab
Hostname : fd3s.bizantum.lab
NetBIOS Name : FD3S01
Realm : BIZANTUM.LAB

Step [1] Install the required packages.
[root@bizantum ~]# dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools
Step [2] Join the Windows Active Directory domain.
# change the DNS setting so the client resolves names through the AD server
[root@bizantum ~]# nmcli connection modify enp1s0 ipv4.dns 10.0.0.100
[root@bizantum ~]# nmcli connection up enp1s0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
# discover the Active Directory domain
[root@bizantum ~]# realm discover BIZANTUM.LAB
bizantum.lab
type: kerberos
realm-name: BIZANTUM.LAB
domain-name: bizantum.lab
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-common
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd-ad
required-package: adcli
required-package: samba-common-tools
# join the Active Directory domain
[root@bizantum ~]# realm join BIZANTUM.LAB
Password for Administrator: # AD Administrator password
# verify that AD user information can be retrieved
[root@bizantum ~]# id Serverworld@bizantum.lab
uid=214001103(add@bizantum.lab) gid=214000513(domain users@bizantum.lab) groups=214000513(domain users@bizantum.lab),214001104(esx admins@bizantum.lab),214000572(denied rodc password replication group@bizantum.lab),214000512(domain admins@bizantum.lab)
# verify that login as an AD user works
[root@bizantum ~]# exit
logout
Fedora Linux 40 (Server Edition)
Kernel 6.8.8-300.fc40.x86_64 on an x86_64 (ttyS0)
Web console: https://dlp.bizantum.lab:9090/ or https://10.0.0.30:9090/
dlp login: Serverworld@bizantum.lab
Password:
Creating home directory for Serverworld@bizantum.lab.
[add@bizantum.lab@dlp ~]$ # logged in
Step [3] If you'd like to omit the domain name for AD users, configure as follows.
[root@bizantum ~]# vi /etc/sssd/sssd.conf
# line 16 : change
use_fully_qualified_names = False
[root@bizantum ~]# systemctl restart sssd
[root@bizantum ~]# id Administrator
uid=214000500(administrator) gid=214000513(domain users) groups=214000513(domain users),214001104(esx admins),214000572(denied rodc password replication group),214000512(domain admins),214000518(schema admins),214000520(group policy creator owners),214000519(enterprise admins)
Step [4] By default, AD users' UIDs/GIDs are assigned automatically by SSSD's ID mapping. If you'd like to assign fixed UIDs/GIDs instead, configure as follows. First add UNIX attributes to the AD accounts (this can also be done with PowerShell on the CUI). This example assumes the AD accounts already have [uidNumber/gidNumber] attributes set. Next, change the SSSD settings.
[root@bizantum ~]# vi /etc/sssd/sssd.conf
# line 17 : change
ldap_id_mapping = False
# add to last line
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
# clear cache and restart sssd
[root@bizantum ~]# rm -f /var/lib/sss/db/*
[root@bizantum ~]# systemctl restart sssd
[root@bizantum ~]# id Serverworld
uid=2000(add) gid=100(users) groups=100(users)
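After the Step 3 and Step 4 edits, the resulting /etc/sssd/sssd.conf decides who can log in and which POSIX IDs they get, so it is worth checking before moving on. The script below is an added example written for this article (not part of the original post, and not a realmd or sssd tool): it reads the [domain/...] section of an sssd.conf, confirms id_provider = ad, flags an access_provider of permit (sssd's default when the key is absent, which lets every resolvable AD user log in), and notes the consequences of use_fully_qualified_names = False and ldap_id_mapping = False. The two embedded configs are constructed samples modelled on a realmd-generated file for the tutorial's bizantum.lab domain; the function names (sssd_get, audit_sssd_conf, write_conf) are the example's own.

```shell
#!/bin/sh
# Audit sssd.conf after "realm join" and the Step 3/4 edits. Added example for
# this article, not from the original post or from realmd/sssd; the sample
# configs below are constructed to resemble a realmd-generated file.

# sssd_get FILE KEY : print KEY's value from the first [domain/...] section.
# Keys match case-insensitively; comments (#, ;) and whitespace are ignored.
sssd_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
        in_domain && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# lc STRING : lower-case helper (sssd booleans are commonly written True/False).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sssd_conf FILE : print one finding per line; return the number of
# WARN findings (0 means nothing security-relevant was flagged).
audit_sssd_conf() {
    conf=$1
    warns=0

    # realmd writes id_provider = ad; anything else was not produced by realm join.
    if [ "$(sssd_get "$conf" id_provider)" != "ad" ]; then
        echo "WARN: id_provider is not 'ad'"
        warns=$((warns + 1))
    fi

    # sssd's default access_provider is 'permit', which lets every resolvable AD
    # user log in. realmd sets 'ad' (honours AD account restrictions); 'realm permit'
    # narrows further.
    ap=$(lc "$(sssd_get "$conf" access_provider)")
    case "$ap" in
        ad|simple) ;;
        ""|permit)
            echo "WARN: access_provider is '${ap:-unset (defaults to permit)}'; every AD user may log in"
            warns=$((warns + 1)) ;;
        *) echo "INFO: access_provider is '$ap'; verify it enforces the intended policy" ;;
    esac

    # Step 3: short names. With nsswitch 'passwd: files sss' a local account of
    # the same name shadows the AD account, so keep local and AD names disjoint.
    if [ "$(lc "$(sssd_get "$conf" use_fully_qualified_names)")" = "false" ]; then
        echo "INFO: use_fully_qualified_names = False; local accounts shadow same-named AD users"
    fi

    # Step 4: POSIX IDs come from AD instead of SID mapping. Accounts lacking
    # uidNumber/gidNumber stop resolving, and AD-assigned IDs must not collide
    # with local ones in /etc/passwd and /etc/group.
    if [ "$(lc "$(sssd_get "$conf" ldap_id_mapping)")" = "false" ]; then
        uid_attr=$(sssd_get "$conf" ldap_user_uid_number)
        gid_attr=$(sssd_get "$conf" ldap_user_gid_number)
        echo "INFO: ldap_id_mapping = False; UID from '${uid_attr:-uidNumber (sssd default)}', GID from '${gid_attr:-gidNumber (sssd default)}'"
        echo "INFO: AD accounts without these attributes will not resolve; check the ID range against local accounts"
    fi
    return "$warns"
}

# Constructed sample: the keys realmd writes, plus the Step 3 and Step 4 edits.
SAMPLE_TUTORIAL_CONF='[sssd]
domains = bizantum.lab
config_file_version = 2
services = nss, pam

[domain/bizantum.lab]
id_provider = ad
ad_domain = bizantum.lab
krb5_realm = BIZANTUM.LAB
fallback_homedir = /home/%u@%d
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
'
# Constructed sample of a hand-edited file that quietly opens logins to everyone.
SAMPLE_WEAK_CONF='[domain/bizantum.lab]
id_provider = ad
ad_domain = bizantum.lab
access_provider = permit
'

# write_conf STRING : write a config to a private temp file and print its path.
write_conf() { f=$(mktemp) && printf '%s' "$1" > "$f" && echo "$f"; }

# Stand-alone run: audit both samples and report the warning count.
for sample in "$SAMPLE_TUTORIAL_CONF" "$SAMPLE_WEAK_CONF"; do
    f=$(write_conf "$sample")
    audit_sssd_conf "$f" || echo "   -> $? warning(s)"
    rm -f "$f"
done
```

On a joined host, run `audit_sssd_conf /etc/sssd/sssd.conf` as root (the file is mode 0600 and sssd refuses to start if it is more permissive); the return value is the number of WARN lines, so the check can gate a configuration-management run. After the Step 4 change, also confirm with `id` that every account that must log in actually carries uidNumber/gidNumber, because accounts without them simply stop resolving rather than failing loudly.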