Linux – Join host to AD domain
A heads-up before you start: replace every instance of 'example.com' in this guide with your own domain.
Install Required Packages
RHEL Family
sudo yum install sssd realmd adcli oddjob oddjob-mkhomedir PackageKit
Debian Family
sudo apt install sssd realmd adcli sssd-tools libnss-sss libpam-sss policykit-1 packagekit
Join to the Domain
sudo realm join -v -U ADusername example.com
Copy the following template to /etc/sssd/sssd.conf and amend it accordingly. The file must be owned by root with mode 0600, otherwise sssd refuses to start:
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = example.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = disabled
Set Default Domain Suffix
This will allow logins without having to present the domain part of usernames. Edit /etc/sssd/sssd.conf and add the following line to the [sssd] section:
default_domain_suffix = example.com
Prevent GPO Permissions From Causing Login Errors
The template above already contains this line; if you wrote your own sssd.conf, add it to the [domain/example.com] section. It makes SSSD skip group policy containers the host account cannot read instead of denying the login:
ad_gpo_ignore_unreadable = True
Disable GPO Access Control
This line is in the template as well; otherwise add it to the [domain/example.com] section of /etc/sssd/sssd.conf. Be aware that with this setting SSSD no longer enforces the "Allow/Deny log on" rights from group policy, so every domain account that can authenticate can log in to the host unless you restrict it some other way (for example with an ad_access_filter):
ad_gpo_access_control = disabled
Grant sudo Privileges to AD Groups
NOTE: replace ADgroupname with the AD group that should get sudo. Whether the "@example.com" suffix is needed depends on use_fully_qualified_names in sssd.conf: with the template's False the group resolves under its short name and the suffix must be removed; with True it must stay. Set the file to mode 0440 and check it with visudo before relying on it.
echo '%ADgroupname@example.com ALL=(ALL:ALL) ALL' | sudo tee /etc/sudoers.d/linuxadmins
Red Hat/CentOS/Oracle
Edit the /etc/pam.d/system-auth file and make sure that optional is changed to required on the line below. pam_oddjob_mkhomedir.so creates home directories through the oddjobd service, which must be enabled and running:
session required pam_oddjob_mkhomedir.so
NOTE: keep the same column alignment as the other rules in the file.
Debian/Ubuntu
Edit or create the /etc/pam.d/common-session file and make sure that the following line is present. pam-auth-update regenerates the managed block of this file, so keep the line outside that block:
session optional pam_mkhomedir.so
NOTE: keep the same column alignment as the other rules in the file.
Restart the sssd Service
The sssd service needs to be restarted in order for domain logins to work:
sudo systemctl restart sssd
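As an added example that is not part of the original guide, the shell script below ties the steps above together: it renders the sssd.conf template (with default_domain_suffix folded in) and the sudoers rule from a domain name, writes them with the file modes sssd and sudo require, and checks the result. It writes into a scratch directory rather than /etc so it can be run and inspected first; the group name linuxadmins and the use of GNU stat are my assumptions, not the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide: render the guide's sssd.conf
# and sudoers drop-in from a domain name, write them with the modes sssd and
# sudo insist on, and check the result. Everything goes into a scratch
# directory, not /etc, so it can be run and read safely first.
# Assumptions of mine: the AD group is "linuxadmins" and the host has
# GNU coreutils (stat -c), as the RHEL and Debian families in the guide do.
set -eu

# Kerberos realm = DNS domain in upper case (example.com -> EXAMPLE.COM).
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The guide's sssd.conf for a domain, with default_domain_suffix folded in.
render_sssd_conf() {
    domain="$1"
    cat <<EOF
[sssd]
domains = $domain
config_file_version = 2
services = nss, pam
default_domain_suffix = $domain

[domain/$domain]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = $(realm_of "$domain")
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = $domain
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = disabled
EOF
}

# sudoers rule for an AD group. NSS hands sudo the short name when
# use_fully_qualified_names = False (the template), so the "@domain" suffix
# must go; with True the group only exists as group@domain.
sudoers_group_rule() {
    group="$1" domain="$2" fqn="$3"
    if [ "$fqn" = "True" ]; then
        printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$group" "$domain"
    else
        printf '%%%s ALL=(ALL:ALL) ALL\n' "$group"
    fi
}

# Write stdin to a file that is never world-readable, then set the final
# mode: sssd refuses to start on a readable sssd.conf, and sudo rejects
# drop-ins that are not 0440.
write_private_file() {
    path="$1" mode="$2"
    (umask 077 && cat > "$path")
    chmod "$mode" "$path"
}

# True when the permission bits of FILE are exactly OCTAL (e.g. 600).
has_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

workdir=$(mktemp -d)
render_sssd_conf example.com | write_private_file "$workdir/sssd.conf" 0600
sudoers_group_rule linuxadmins example.com False \
    | write_private_file "$workdir/linuxadmins" 0440
if has_mode "$workdir/sssd.conf" 600 && has_mode "$workdir/linuxadmins" 440; then
    echo "rendered into $workdir; sssd.conf goes to /etc/sssd/, linuxadmins to /etc/sudoers.d/"
else
    echo "unexpected file modes in $workdir" >&2
    exit 1
fi
```

After copying the rendered files into place, check the drop-in with sudo visudo -cf /etc/sudoers.d/linuxadmins, confirm the join with realm list, and resolve a domain user with id ADusername before you log out of your local account.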