Joining a RHEL VM to an Active Directory Domain

Let’s face it folks, Linux rules the datacenter, but Microsoft Windows has a place and purpose in an enterprise environment, and the piece that matters here is Microsoft Active Directory. Of course, joining a Windows system to an AD domain is standard operating procedure, but I’ve seen people get a little hesitant at the thought of joining a Linux system.

My advice is to join all systems to an AD domain, if possible and when it makes sense. It makes managing system access much less complicated. You won’t need to manage any local accounts other than local root or other admin users, and everyone else can log on with AD credentials, which is almost always ideal, particularly as people come and go (vendors, other admins, etc.; you’re cleaning up those local accounts, right?).

I also want to highlight something that I most enjoy about this, and I smile every single time – NO REBOOT. How about that? Just join and walk away (ok, maybe move your shiny new computer object to a new OU in ADUC and then walk away).

There are many ways to get to the same outcome. This guide outlines one of the simplest methods for configuring a Red Hat Enterprise Linux (RHEL) virtual machine running on VMware and joining it to an Active Directory domain using realmd.

1. Post-Installation Configuration

Before joining the domain, ensure the system is up to date and the necessary packages—including VMware tools and AD CLI tools—are installed.

Bash

# Update system and reboot to apply changes
sudo dnf update
sudo reboot

# Install required packages
sudo dnf install open-vm-tools realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

# Discover the domain
sudo realm discover example.local

2. Domain Join

Once the domain is discovered, use an administrative account to join the system to the realm.

Bash

sudo realm join example.local -U adminusername

3. Confirming Domain Join

Verify that the join was successful by listing the realm details and checking a domain user ID.

  • Check Realm Status: realm list
  • Verify User: id adminusername@example.local

4. Enable Use of Non-FQDN Name (Optional)

If you prefer to log in with just a username instead of user@example.local, follow these steps to disable fully qualified names.

  1. Edit the SSSD config: sudo nano /etc/sssd/sssd.conf
  2. Modify the following line:
    • Change: use_fully_qualified_names = True
    • To: use_fully_qualified_names = False
  3. Verify the change: cat /etc/sssd/sssd.conf
  4. Apply the changes: sudo systemctl restart sssd
  5. Test short name: id adminusername
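The edit in step 4 is a one-line change, but doing it by hand in nano is easy to get wrong on a fleet and leaves no check that the value actually changed. The script below is an added example, not part of the original post: it rewrites use_fully_qualified_names in a given sssd.conf, keeps a .bak copy, restores the 0600 mode that sssd requires on its config file, and prints the resulting value so it can be verified. The sample sssd.conf it writes for the demo is constructed to look like what realm join generates on RHEL; the domain example.local is taken from this guide.

```shell
#!/bin/sh
# Added example, not from the original post: scripted, repeatable version of
# the step-4 edit to use_fully_qualified_names, with a check afterwards.
# The sample config written by write_sample_conf is constructed.
set -eu

# Print the current value of use_fully_qualified_names (empty if unset).
get_fqn() {
    sed -n 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Set use_fully_qualified_names to True or False in the given sssd.conf.
# Keeps a .bak copy, rewrites the existing line if there is one, otherwise
# adds the key under each [domain/...] section, and restores mode 0600,
# which sssd requires on its config file. Prints the resulting value.
set_fqn() {
    file="$1"; value="$2"
    case "$value" in
        True|False) ;;
        *) echo "set_fqn: value must be True or False, got '$value'" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak"
    tmp="$file.tmp.$$"
    if grep -q '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$file"; then
        awk -v val="$value" '
            /^[[:space:]]*use_fully_qualified_names[[:space:]]*=/ { print "use_fully_qualified_names = " val; next }
            { print }' "$file" > "$tmp"
    else
        awk -v val="$value" '
            { print }
            /^\[domain\// { print "use_fully_qualified_names = " val }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
    chmod 600 "$file"
    get_fqn "$file"
}

# Constructed sample in the shape realm join writes on RHEL (assumption).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.local
config_file_version = 2
services = nss, pam

[domain/example.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
    chmod 600 "$1"
}

# Stand-alone demo against a temporary copy, never the live file.
demo() {
    dir="$(mktemp -d)"
    write_sample_conf "$dir/sssd.conf"
    echo "before: $(get_fqn "$dir/sssd.conf")"
    echo "after:  $(set_fqn "$dir/sssd.conf" False)"
    rm -rf "$dir"
}

if [ $# -eq 2 ]; then
    set_fqn "$1" "$2"       # e.g. sudo sh fqn.sh /etc/sssd/sssd.conf False
else
    demo
fi
```

Run it with no arguments to see the demo on a throwaway copy; on a joined host, run it as root with the real path and the value, then restart sssd as in step 4 and test with id adminusername. The value printed by set_fqn is what you would otherwise confirm with the cat in step 3 of this section.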

5. Realm Configuration (Optional)

If you want to block all domain users from logging on to the system and only allow members of specific AD groups, use the following commands:

Bash

# Block every domain user, then allow only members of GroupName
sudo realm deny --all
sudo realm permit -g GroupName
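Both the join check in step 3 and the access restriction above are confirmed by reading realm list, so it helps to have the check written down rather than eyeballed. The script below is an added example, not part of the original post: it parses saved realm list output and passes only when the host shows configured: kerberos-member, the login policy is allow-permitted-logins (meaning the catch-all realm login from a fresh join is gone), and the expected group is in permitted-groups. The two sample outputs are constructed in the key: value format that realm list prints; example.local comes from this guide, and LinuxAdmins and DBAdmins are assumed group names.

```shell
#!/bin/sh
# Added example, not from the original post: checks run over the text that
# `realm list` prints, to confirm the join (step 3) and that the deny-all /
# permit-group policy from step 5 took effect. The sample outputs are
# constructed; example.local, LinuxAdmins and DBAdmins are assumed names.
set -eu

# Print the value of one "key: value" field from saved realm list output.
realm_field() {   # $1 = file holding the output, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 only when the host is a kerberos member, the login policy is
# allow-permitted-logins (no catch-all realm login), and $2 is listed in
# permitted-groups. Each failed condition is reported on stdout.
check_login_policy() {   # $1 = file holding the output, $2 = AD group
    out="$1"; group="$2"; rc=0
    conf="$(realm_field "$out" configured)"
    if [ "$conf" != "kerberos-member" ]; then
        echo "not joined (configured: '$conf')"; rc=1
    fi
    policy="$(realm_field "$out" login-policy)"
    if [ "$policy" != "allow-permitted-logins" ]; then
        echo "login-policy is '$policy', expected allow-permitted-logins"; rc=1
    fi
    if ! realm_field "$out" permitted-groups | tr ',' '\n' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx -- "$group"; then
        echo "group '$group' is not in permitted-groups"; rc=1
    fi
    return "$rc"
}

# Constructed sample outputs: $2 = before (fresh join) or after (step 5).
write_sample_realm() {
    {
        echo "example.local"
        echo "  type: kerberos"
        echo "  realm-name: EXAMPLE.LOCAL"
        echo "  domain-name: example.local"
        echo "  configured: kerberos-member"
        echo "  server-software: active-directory"
        echo "  client-software: sssd"
        echo "  login-formats: %U@example.local"
        if [ "$2" = "after" ]; then
            echo "  login-policy: allow-permitted-logins"
            echo "  permitted-groups: LinuxAdmins, DBAdmins"
        else
            echo "  login-policy: allow-realm-logins"
        fi
    } > "$1"
}

# On a joined host: realm list > /tmp/realm.txt; check_login_policy /tmp/realm.txt LinuxAdmins
demo() {
    dir="$(mktemp -d)"
    write_sample_realm "$dir/before.txt" before
    write_sample_realm "$dir/after.txt" after
    echo "fresh join:"; check_login_policy "$dir/before.txt" LinuxAdmins || true
    echo "after realm deny --all and realm permit -g LinuxAdmins:"
    check_login_policy "$dir/after.txt" LinuxAdmins && echo "ok"
    rm -rf "$dir"
}
demo
```

A fresh join reports allow-realm-logins, which means every domain account can log on; the check fails on that output on purpose, and passes only once the policy has been narrowed to the permitted groups. When realm permit -g is used, realmd also switches access_provider in sssd.conf to simple and records the groups in simple_allow_groups, so the same outcome can be cross-checked there.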

6. Configure Sudo Access for Domain User

To grant administrative privileges to a domain user, add them to the local wheel group.

  • Add user to wheel: sudo usermod -aG wheel domainusername (Note: use the fully qualified name, domainusername@example.local, if you did not disable fully qualified names in step 4)
  • Check members of the wheel group: getent group wheel

Side Note: If you ever need to remove a user from the wheel group, use: sudo gpasswd -d adminusername wheel
