Joining a Red Hat Enterprise Linux 9 (RHEL 9) Server to a Windows Domain
Last Updated: March 20, 2024
Introduction –
Joining a Linux server such as Red Hat Enterprise Linux (RHEL) 9 to a Windows domain provides several benefits, including centralized user authentication and simpler resource management across your server environment. This guide shows how to perform the join entirely from the command-line interface (CLI).
Prerequisites
Before starting, ensure that you have the following:
- A RHEL 9 server with root access.
- A Windows domain that you have access to.
- Your Windows domain controller’s IP address.
- An Active Directory (AD) user with sufficient privileges to join the domain.
Ensure you’re well-prepared by consulting essential resources, such as the RHCSA/RHCE Study Guide.
Step-by-step instructions
Step 1: Update RHEL 9
Update RHEL 9 by running the following command:
sudo dnf update -y
Step 2: Install required packages
You’ll need to install the following packages:
- realmd: A system service that manages discovery and enrollment in realms (typically Kerberos realms, like Active Directory domains).
- sssd: The System Security Services Daemon (SSSD) provides access to remote and local identity and authentication resources through a common framework that can provide caching and offline support.
- oddjob: A D-Bus service that performs privileged operations for unprivileged applications; it’s used to delegate specific tasks that require higher permissions.
- oddjob-mkhomedir: An Oddjob helper that creates and sets up home directories; it is part of the Oddjob suite and is used to manage user home directories.
- adcli: A command-line tool that simplifies the task of joining a machine to an Active Directory domain by automating necessary steps.
- samba-common: This package contains files that are common between the Samba server and client packages. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain.
- samba-common-tools: This package includes files that are used by both the Samba server and client packages; these tools allow Linux to communicate with Windows systems and vice versa.
- krb5-workstation: This package contains Kerberos 5 programs that are necessary for workstations (i.e., client machines) to authenticate to Kerberos 5 realms; it provides the utilities for Kerberos authentication.
- openldap-clients: This package includes LDAP (Lightweight Directory Access Protocol) utilities. LDAP is a software protocol for enabling the location of organizations, individuals, and resources such as files and devices in a network. These utilities can interact with LDAP servers and perform operations like search, add, delete, and modify.
You can install these using the dnf package manager as follows:
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients
Step 3: Set the hostname of the RHEL server
Now we need to set the hostname of the server. This should be the server’s fully qualified domain name (FQDN). In the example below, replace webserver.rctech.internal with the FQDN of your server.
sudo hostnamectl set-hostname webserver.rctech.internal
Step 4: Update the IPv4 Configuration
Now we need to ensure that our RHEL server can communicate properly with the domain controller. To do this, we will update the IPv4 configuration of our network connection using nmcli. We will specifically set the DNS server IP to that of our domain controller. This ensures that our RHEL server can correctly resolve the domain controller and any other necessary domain resources.
Here are the commands to execute:
# List all network connections
nmcli con show
# Replace <connection> with your connection name or UUID and <dns-server-ip> with the IP of your DNS server
sudo nmcli con mod <connection> ipv4.dns <dns-server-ip>
sudo nmcli con mod <connection> ipv4.method auto
sudo nmcli con mod <connection> ipv4.ignore-auto-dns no
# Bring the connection down and up to apply changes
sudo nmcli con down <connection>
sudo nmcli con up <connection>
# Verify the changes
nmcli con show <connection>
After running these commands, your RHEL server should be properly configured to communicate with the domain controller. Be sure to replace <connection> with the name or UUID of your connection, and replace <dns-server-ip> with the IP address of your DNS server or domain controller.
Step 5: Discover your domain
Next, discover the domain you want to join using the realm command. Replace rctech.internal with your domain.
sudo realm discover rctech.internal
You should receive output that looks similar to this:
rctech.internal
type: kerberos
realm-name: rctech.internal
domain-name: rctech.internal
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Step 6: Join the domain
Now, join your RHEL 9 server to the domain with realm join. Replace rctech.internal with your domain, and <domain-administrator-username> with the AD user that has privileges to join machines to the domain. You will be prompted for that user’s password.
sudo realm join -v -U <domain-administrator-username> rctech.internal
Step 7: Enable login for domain users
Initially, domain users are not permitted to log into the server. To amend this, you must execute the following command, substituting <[email protected]> with the respective Active Directory username and domain you wish to authorize for login access.
sudo realm permit <[email protected]>
Ensure you include the domain after the username, and remember to replace the placeholder with your actual Active Directory username.
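After Steps 6 and 7, the state of the join and of the login policy can be read from realm list. The script below is an added example, not part of the original guide: it parses realm list output and fails unless the host is a Kerberos member and logins are restricted to explicitly permitted accounts (the login-policy reported after realm permit <user>) rather than every user in the domain (the policy reported after realm permit --all). The realm name, account name and both output samples are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: audit `realm list` output after joining and permitting users.
# Sample output below is constructed; realm/account names are placeholders.

# Print the value of one "key: value" field from realm list output (first match).
realm_field() {
    # $1 = field name, stdin = realm list output
    awk -v key="$1:" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 when joined and only listed logins are allowed; nonzero otherwise.
check_realm_join() {
    local output="$1"
    local configured policy permitted
    configured=$(printf '%s\n' "$output" | realm_field configured)
    policy=$(printf '%s\n' "$output" | realm_field login-policy)
    permitted=$(printf '%s\n' "$output" | realm_field permitted-logins)
    [ "$configured" = "kerberos-member" ] || {
        echo "not joined (configured: ${configured:-none})"; return 1; }
    if [ "$policy" != "allow-permitted-logins" ]; then
        echo "login-policy '$policy' lets every domain user in; run: realm permit <user>"
        return 2
    fi
    [ -n "$permitted" ] || { echo "no permitted logins listed"; return 3; }
    echo "joined; permitted logins: $permitted"
    return 0
}

# Constructed sample: successful join followed by `realm permit user1@rctech.internal`.
SAMPLE_JOINED='rctech.internal
  type: kerberos
  realm-name: RCTECH.INTERNAL
  domain-name: rctech.internal
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@rctech.internal
  login-policy: allow-permitted-logins
  permitted-logins: user1@rctech.internal
  permitted-groups: '

# Constructed sample: `realm permit --all` was used, so every domain user may log in.
SAMPLE_OPEN='rctech.internal
  type: kerberos
  configured: kerberos-member
  login-policy: allow-realm-logins'

if check_realm_join "$SAMPLE_JOINED"; then echo "sample 1: OK"; fi
if check_realm_join "$SAMPLE_OPEN"; then :; else echo "sample 2: rejected"; fi
```

On a real host, run `realm list | { read -r -d '' out; check_realm_join "$out"; }` or feed the output through the function in the same way to audit the live configuration.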
Step 8: Login with a domain user
If your RHEL server is joined to a domain (like an Active Directory domain) and you want to log in using a domain user, you typically do so in the following format:
ssh <[email protected]@hostname.internal>
After running this command, you’ll be prompted for the user’s password.
Remember, the ability to use domain credentials on a RHEL server depends on correct configuration of services like sssd or realmd, as well as the server being properly joined to the domain. This also assumes that the domain user has been granted the necessary permissions to log in to the RHEL server.
Removing a Linux / RHEL machine from a Windows domain
If you ever need to remove your Linux machine from a Windows domain, you can use the realm utility with the leave command and the --remove option. This not only disconnects your machine from the domain but also deletes the machine’s computer account from that domain. Always remember that this action changes the interaction between your machine and the network resources. Here’s the command in bash:
sudo realm leave --remove
Customizing the Command Line Prompt
You might notice that your username includes the domain, for example: @[email protected]. This is determined by the PS1 (Prompt String 1) environment variable in the bash shell. You can change this prompt to just display your username by modifying the PS1 variable.
To make this change only for your current session, you can run:
export PS1="\u@\h$ "
This sets the prompt to your username, an @ sign, the short hostname and a “$ ”. For example, if your username is user1 and the host is webserver, your prompt will look like: user1@webserver$
If you want to make this change permanent for your user, you need to add the export line to your ~/.bashrc or ~/.bash_profile file:
echo 'export PS1="\u@\h$ "' >> ~/.bashrc
This will append the export command to your ~/.bashrc file, so it gets executed every time you start a new bash session.
After adding the line to your ~/.bashrc or ~/.bash_profile, you’ll need to source the file to apply the changes immediately to your current session:
source ~/.bashrc
This command will take effect immediately but will not affect other terminals that are already open. For those, you’ll need to close and reopen them, or source the ~/.bashrc or ~/.bash_profile file in each terminal.
Please note: be careful when modifying these files, as errors can cause problems with your shell. Always make a backup before changing them.
Conclusion
You’ve successfully joined a RHEL 9 server to a Windows domain through the CLI. This should streamline user management and enhance the security and efficiency of your server environment.
CLI command summary
Below is a summary of all commands used in this guide. To further enhance your command-line skills, check out The Linux Command Line.
# Update RHEL 9
sudo dnf update -y
# Install required packages
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients
# Set hostname
sudo hostnamectl set-hostname webserver.rctech.internal
# Update IPv4 configuration
# Remember to replace <connection> with your connection name or UUID and <dns-server-ip> with the IP of your DNS server
nmcli con show
sudo nmcli con mod <connection> ipv4.dns <dns-server-ip>
sudo nmcli con mod <connection> ipv4.method auto
sudo nmcli con mod <connection> ipv4.ignore-auto-dns no
sudo nmcli con down <connection>
sudo nmcli con up <connection>
nmcli con show <connection>
# Discover domain
sudo realm discover rctech.internal
# Join domain
# Replace <domain-administrator-username> with your domain administrator username
sudo realm join -v -U <domain-administrator-username> rctech.internal
# Permit domain users
# Replace <[email protected]> with the Active Directory username you wish to permit
sudo realm permit <[email protected]>
# Use SSH to connect to the domain-joined RHEL host
# Replace <[email protected]> with the Active Directory username you permitted above, and hostname.internal with your server's FQDN
ssh <[email protected]@hostname.internal>
# Customize the bash prompt to show only the username, save this customization to .bashrc, and apply changes to the current session
export PS1="\u@\h$ "
echo 'export PS1="\u@\h$ "' >> ~/.bashrc
source ~/.bashrc