Wednesday, January 20, 2021

Join CentOS7 system into Windows Domain


That’s a good question. Why? Because it lets us authenticate users centrally who already have Windows Active Directory accounts. This comes in handy because we no longer need to provision a local CentOS account every time a new user needs server access. Think of a company with thousands of users who want server access for system administration: setting up each account locally would be a pain in the neck, and the problem only gets worse as the server count grows over time. Having your Linux systems authenticate against Windows Active Directory is therefore one of the obvious solutions.

Getting Started

This tutorial is based on the following configuration:

  • domain name : osradar.com
  • workgroup : OSRADAR
  • Kerberos realm : OSRADAR.COM
  • Windows AD IP address:
  • Windows AD DNS name: windows-ad.osradar.com
  • a valid user called “winaduser01” already exists in Windows AD.

01. Install packages

# yum install krb5-workstation pam_krb5 samba samba-client samba-winbind authconfig


02. Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

03. To have working DNS resolution, point all Linux client systems at the Windows AD DNS server; this is essential for Kerberos to work. Optionally, you can also use /etc/hosts if required, adding an entry that maps the AD server's IP address (not given in this tutorial, shown here as a placeholder) to its DNS name:

# vim /etc/hosts
<WINDOWS_AD_IP>   windows-ad.osradar.com

04. Configure Kerberos to use AD Kerberos realm.

# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = OSRADAR.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# the AD domain controller values were left blank in the original; fill them in
# (with dns_lookup_kdc = true the KDC can also be located via DNS SRV records)
OSRADAR.COM = {
  kdc =
  admin_server =
}


05. Verify Kerberos operation (assuming the user winaduser01 exists in the Windows AD)

# kinit winaduser01
Password for winaduser01@OSRADAR.COM:

(This obtains a Kerberos ticket for that user on our Linux client system)

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winaduser01@OSRADAR.COM
Valid starting Expires Service principal
04/27/2019 00:42:19 04/27/2019 10:42:19 krbtgt/OSRADAR.COM@OSRADAR.COM
renew until 05/04/2019 00:42:10

(To list whether we now hold a valid Kerberos ticket)

# kdestroy

(Optionally, if you want to remove the existing Kerberos ticket)


06. Configure Samba to connect to AD server.

# vi /etc/samba/smb.conf

[global]
workgroup = OSRADAR
security = ads
idmap config * : range = 16777216-33554431
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true

server string = Samba Server Version %v
netbios name = MYLINUXPC1
interfaces = lo ens9
hosts allow = 127. 172.17.0.
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# the per-domain idmap entries must name the joined workgroup (OSRADAR, not an
# unrelated MYCOMPANY) and use an ascending range that does not overlap the
# '*' range above; the original had an inverted range (10000000-1999999)
idmap config OSRADAR:backend = rid
idmap config OSRADAR:range = 10000000-16777215


07. Check for configuration errors if present.

# testparm
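testparm checks the syntax of smb.conf, but not whether the idmap ranges are consistent with each other or with the workgroup. The following Python checker is an added example, not part of this tutorial or of Samba: it reads the [global] section (constructed here from the tutorial's own values, including its original inverted range and MYCOMPANY name) and flags inverted ranges, overlapping ranges, and a joined domain that has no range of its own.

```python
import re
from configparser import ConfigParser

# Constructed sample mirroring the tutorial's smb.conf, keeping its two idmap
# problems: an inverted range and a domain name that is not the workgroup.
SAMPLE_SMB_CONF = """\
[global]
workgroup = OSRADAR
idmap config * : range = 16777216-33554431
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-1999999
"""

RANGE_KEY = re.compile(r"idmap config\s*(\S+?)\s*:\s*range", re.IGNORECASE)

def parse_global(text):
    """Return (workgroup, {domain: (low, high)}) from the [global] section."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep domain names exactly as written
    cp.read_string(text)
    g = cp["global"]
    ranges = {}
    for key, value in g.items():
        m = RANGE_KEY.fullmatch(key.strip())
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return g.get("workgroup", "").strip(), ranges

def check_idmap(text):
    """List idmap problems winbind would trip over; an empty list means sane."""
    wg, ranges = parse_global(text)
    findings = []
    for dom, (low, high) in ranges.items():
        if low >= high:
            findings.append(f"{dom}: range {low}-{high} is inverted (low >= high)")
    # overlapping ranges let two different SIDs map to the same UID/GID
    valid = {d: r for d, r in ranges.items() if r[0] < r[1]}
    doms = sorted(valid)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = valid[a], valid[b]
            if al <= bh and bl <= ah:
                findings.append(f"{a} and {b}: ranges overlap")
    # without its own entry the joined domain silently uses the '*' backend
    if wg and wg.upper() not in {d.upper() for d in ranges}:
        findings.append(f"workgroup {wg} has no idmap range; its users fall to the '*' backend")
    return findings

if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE_SMB_CONF) or ["no idmap problems found"]))
```

Run against the sample it reports the inverted MYCOMPANY range and the missing OSRADAR entry; with the domain renamed to OSRADAR and the range set to 10000000-16777215 it reports nothing, while 10000000-19999999 is flagged as overlapping the '*' range.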


08. Configure NSS and PAM to use winbind for system authentication

# authconfig --enablewinbind --enablewins --enablewinbindauth --update


09. Service Restarts

# systemctl restart smb
# systemctl restart winbind


10. Let's add our Linux client machine to the Windows AD domain

# kinit winaduser01
# net ads join -U winaduser01
Enter winaduser's password:
Joined 'MYLINUXPC1' to dns domain 'OSRADAR.COM'


Congratulations. If you see the above message, it confirms that your Linux system is correctly joined to Windows. Now you can authenticate any user who has a valid account in Windows Active Directory.

Optionally, if you want to leave the joined domain:

# net ads leave -U winaduser01


“I hope this has been informative for you..”
