Old 08-14-2014, 01:27 PM   #1
griffey
Member
 
Registered: Jan 2004
Location: East Central Illinois
Distribution: RHEL 4/5/6 and Fedora
Posts: 89

Rep: Reputation: 15
RHEL 7, realmd, and joining Active Directory -- can't log into server


Good afternoon folks.

I'm trying to join a RHEL 7 server to our campus active directory so that users on campus can log-in using their active directory credentials instead of having to use a local account password. (And it will create a home directory for them if one doesn't exist, etc., etc.)

So far I have successfully installed RHEL 7 in a VM, networked it, and have installed realmd, oddjob, oddjob-mkhomedir, sssd, adcli, and samba-common.

# realm discover ad.school.edu
correctly shows AD information for our campus.

I created the Active Directory object correctly that corresponds with the name of my server (using Active Directory Users and Computers).

I joined the active directory by doing:
# realm join -U myaccount ad.school.edu
(asks for password)
Just returns a prompt -- which means it joined correctly.

# realm list
ad.school.edu
type: kerberos
realm-name: AD.SCHOOL.EDU
domain-name: ad.school.edu
configured: kerberos-member
server-software: active-directory
client-software: sssd
(lists required packages, that I listed above, that have been installed)
login-formats: %U@ad.school.edu
login-policy: allow-realm-logins

All that said, I cannot log into the machine using AD credentials.

Even if I try to login as "myaccount@ad.school.edu" my AD password is rejected.

I've searched through a bunch of Google results and have looked through gobs of man pages with no luck.

My desired end result is to not have to append "@ad.school.edu" to the login information, but first I need to make sure I can log-in one way or another using AD.

And funny that one has to craft their "realm"-related Google searches carefully or most of the results will be related to Game of Thrones.

If anyone has any suggestions, I'd most certainly appreciate them.

Thanks in advance!

Mike
 
Old 08-19-2014, 09:49 AM   #2
Stvrosky
LQ Newbie
 
Registered: Aug 2014
Location: Chile
Distribution: RHEL 6.5 x86_64
Posts: 15

Rep: Reputation: Disabled
Quote:
Originally Posted by griffey
Hi:

Maybe this will help you https://access.redhat.com/documentat...ide/index.html
 
Old 05-11-2015, 10:17 AM   #3
jeffrosquad
Member
 
Registered: Jan 2012
Posts: 33

Rep: Reputation: Disabled
Resolved?

Did you resolve this issue? I am having the same exact problem.
 
Old 05-11-2015, 10:38 AM   #4
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
I did it for RH6 this way:
Authenticate Linux (RedHat 6) within Active Directory (AD) domain using SSSD
 
Old 05-21-2015, 08:24 AM   #5
btarrh
LQ Newbie
 
Registered: May 2015
Posts: 1

Rep: Reputation: Disabled
I had a similar issue with RHEL 7 and Active Directory integration until I contacted Red Hat support. I used realmd to join the domain, but then I was unable to id users or log in. Here is the output of my working sssd.conf that now allows me to log in via my AD credentials. Maybe this will help. I added/changed the following lines with comments.

[sssd]
domains = domain.university.edu
config_file_version = 2
services = nss, pam, pac, ssh <--- Added ssh

[domain/domain.university.edu]
enumerate = false
debug_level = 9
ad_domain = domain.university.edu
krb5_realm = DOMAIN.UNIVERSITY.EDU
realmd_tags = manages-system joined-with-samba
cache_credentials = true
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False <--- This shortened my login from user@domain.university.edu to just user.
fallback_homedir = /home/%u <--- Changed from /home/%d/%u
access_provider = ad
ldap_idmap_range_min = 1000 <--- This will depend on your range
ldap_idmap_range_size = 2000000 <--- This will depend on your range
ldap_idmap_autorid_compat = True <--- This was to shorten our uid's
ldap_idmap_default_domain_sid = S-0-0-00-0000000000-0000000000-0000000000 <--- you can find this in group policy user properties (objectSID)
 
Old 05-22-2015, 09:38 AM   #6
chilinski
LQ Newbie
 
Registered: Nov 2003
Posts: 6

Rep: Reputation: 1
I have done this on Solaris, RH6.5 and RH7. There are lots of places that will get you. I use ldap_id_mapping=False and use the Unix attributes in AD because my users were local before adding in AD. One of the gotchas is PAM. The PAM config files for password and system auth have minimum and maximum user ids. So a person with a unix UID of 900 on the AD system won't be able to log in because the default requires the UID be greater than 1000. I turn off Use Fully Qualified Names because I don't want to require people to log in as user@example.com. I want them to just use user. Running realm join also rewrites nsswitch.conf, so you may need to make changes there.

One more thing. By default, sssd comes with ldap_id_mapping=True. If you decide you want that to be false, sssd will probably not restart. This may have been fixed by now, but there's a problem with the database file. If you change to False, stop sssd and delete the ldb files in /var/lib/sss/db/, then restart sssd.
 
Old 01-02-2016, 04:16 AM   #7
shaana2khan
Member
 
Registered: Nov 2012
Posts: 46

Rep: Reputation: Disabled
Hi,

I was also getting the same error again and again, and it was like I thought I could not do it; then I found a solution. Please also try this one.

2. # vi /etc/ssh/sshd_config

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

To make these changes take effect, we now need to restart the SSHD daemon.

3. # systemctl restart sshd

It works for me.
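The replies in posts #5, #6 and #7 each blame a different file for the failed logins (sssd.conf's qualified-name and ID-mapping settings, the pam_succeed_if UID floor in system-auth, and the GSSAPI/UsePAM keywords in sshd_config). The script below is an added example written for this thread, not code from any of the posters or from Red Hat: it checks all three files for those gotchas in one pass. The sssd.conf, system-auth and sshd_config texts, and the AD_USERS table, are constructed samples modelled on RHEL 7 defaults; the sssd defaults quoted in comments follow sssd-ad(5), and the function names are this example's own.

```python
"""Offline lint for the AD-login gotchas raised in this thread (added example, not the
posters' or Red Hat's code). It reads an sssd.conf, a PAM system-auth and an sshd_config
as text and reports the settings the replies above blame for failed or awkward logins.
Defaults noted in comments follow sssd-ad(5) and pam_succeed_if(8); inputs are constructed."""
import configparser
import re

# Constructed sssd.conf: roughly what realmd writes, with the edits from post #5.
SSSD_CONF = """\
[sssd]
domains = domain.university.edu
services = nss, pam
[domain/domain.university.edu]
ad_domain = domain.university.edu
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
ldap_idmap_range_min = 1000
ldap_idmap_range_size = 2000000
"""

# Constructed excerpt of RHEL 7's /etc/pam.d/system-auth: pam_sss is only reached
# for UIDs at or above the pam_succeed_if threshold (the gotcha in post #6).
SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Constructed sshd_config fragment with the GSSAPI option from post #7 still off.
SSHD_CONFIG = """\
GSSAPIAuthentication no
UsePAM yes
"""

# Constructed AD accounts with the UIDs `id` would report for them.
AD_USERS = {"alice": 1500, "bob": 900}


def lint_sssd_conf(text, uid_threshold=None):
    """Findings for an sssd.conf; an empty list means none of the known gotchas apply."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for dom in [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]:
        sec = f"domain/{dom}"
        if cp.getboolean(sec, "use_fully_qualified_names", fallback=False):
            findings.append(f"[{sec}] use_fully_qualified_names=True: log in as user@{dom}, not user")
        if "%d" in cp.get(sec, "fallback_homedir", fallback="/home/%u"):
            findings.append(f"[{sec}] fallback_homedir uses %d: home directories land under /home/{dom}/")
        if cp.getboolean(sec, "ldap_id_mapping", fallback=True):  # True is the id_provider=ad default
            lo = cp.getint(sec, "ldap_idmap_range_min", fallback=200000)  # sssd default
            if uid_threshold is not None and lo < uid_threshold:
                findings.append(f"[{sec}] ldap_idmap_range_min={lo} is below the PAM UID threshold "
                                f"{uid_threshold}: some mapped users will be denied")
        else:
            findings.append(f"[{sec}] ldap_id_mapping=False: accounts need POSIX uidNumber/gidNumber in "
                            "AD; after changing this, stop sssd and clear /var/lib/sss/db/*.ldb")
    return findings

def pam_uid_threshold(pam_text):
    """Lowest UID the pam_succeed_if line lets through to pam_sss, or None if absent."""
    m = re.search(r"pam_succeed_if\.so\s+uid\s*>=\s*(\d+)", pam_text)
    return int(m.group(1)) if m else None

def lint_uids(users, threshold):
    """Accounts whose UID sits under the PAM threshold and therefore never reach pam_sss."""
    if threshold is None:
        return []
    return [f"user {name} has UID {uid} < {threshold}: pam_succeed_if skips pam_sss, login denied"
            for name, uid in sorted(users.items()) if uid < threshold]

def lint_sshd_config(text):
    """sshd_config keywords that decide whether AD credentials can be used over SSH."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if opts.get("usepam", "no") != "yes":  # upstream default is no; RHEL ships UsePAM yes
        findings.append("sshd: UsePAM is not yes, so pam_sss is never consulted for SSH logins")
    if opts.get("gssapiauthentication", "no") != "yes":
        findings.append("sshd: GSSAPIAuthentication is off: Kerberos-ticket SSO over SSH is disabled "
                        "(password logins still go through PAM)")
    return findings

def lint_all(sssd_text, pam_text, sshd_text, users):
    """All checks in one pass; feed it the real files once the samples make sense."""
    threshold = pam_uid_threshold(pam_text)
    return (lint_sssd_conf(sssd_text, threshold) + lint_uids(users, threshold)
            + lint_sshd_config(sshd_text))


if __name__ == "__main__":
    for finding in lint_all(SSSD_CONF, SYSTEM_AUTH, SSHD_CONFIG, AD_USERS):
        print("-", finding)
```

Run as-is it reports two findings on the constructed input: bob's UID 900 falls under the 1000 floor that pam_succeed_if enforces before pam_sss (post #6's case), and GSSAPIAuthentication is still off (post #7's change). The sssd section passes because the sample already carries post #5's edits; flip use_fully_qualified_names back to True, or ldap_id_mapping to False, and the corresponding finding appears. To check a live host, read /etc/sssd/sssd.conf, /etc/pam.d/system-auth and /etc/ssh/sshd_config as root and pass their contents, plus a dict of usernames to the UIDs `id` reports, to lint_all().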
 