Integrating CentOS 7 with Active Directory

This guide builds largely on the Ubuntu Active Directory tutorial, so if something’s not clear, please make sure to check that one, too.

Here’s the script which you can run on your CentOS hosts. Make sure to replace all AD.FOOBAR.COM occurrences with your actual domain. Also, this script uses AD\Administrator; if that doesn’t suit your environment, please change that, too.


# Joins a CentOS 7 host to an Active Directory domain: installs the
# Samba/SSSD/Kerberos client packages, writes krb5.conf, smb.conf and
# sssd.conf, points chrony at the domain, switches NSS/PAM to SSSD and
# finally runs `net ads join` with a freshly obtained Kerberos ticket.
#
# Usage: run as root on the target host after replacing every
#        AD.FOOBAR.COM / DC1 / DC2 / Administrator value with your own.
#
# Required environment:
#   HOME_ROOT - directory that will hold the AD users' home directories.
#               It is never assigned in this script, so export it before
#               running; otherwise mkdir is called with no operand and
#               `set -e` aborts the script at that point.
#
# NOTE(review): as rendered on this page none of the `cat << EOF`
# here-documents has its closing `EOF` line, the chrony here-document body
# is empty, and the `[...]` section headers of krb5.conf, smb.conf and
# sssd.conf do not appear in the listing. Restore them before running;
# as-is, bash treats everything after the first `cat << EOF` as the body
# of /etc/krb5.conf.
#
# Only -e is set (no -u, no pipefail): an unset variable expands to ""
# silently instead of failing.
set -e

# Samba client (for `net ads join`), SSSD's AD backend, MIT Kerberos client
# tools and oddjob-mkhomedir for on-demand home directory creation.
echo 'Installing required packages'
yum -y install samba-client samba-common-tools sssd-ad krb5-workstation oddjob-mkhomedir

# HOME_ROOT comes from the environment (see header). The expansions are
# unquoted, so a path containing whitespace would be word-split; quote them
# as "${HOME_ROOT}" if you adapt this. restorecon re-applies the SELinux
# label so home directories created under it inherit the right context.
echo 'Preparing home dir'
mkdir ${HOME_ROOT}
chown root.root ${HOME_ROOT}
chmod 0755 ${HOME_ROOT}
restorecon -rv ${HOME_ROOT}

# Appended unconditionally: every re-run adds another duplicate
# `sudoers:` line to nsswitch.conf. Only the sudoers map is handled here;
# the passwd/group maps are switched to sss by authconfig further down.
echo 'Configuring NSS'
echo 'sudoers: files sss' >> /etc/nsswitch.conf

# Overwrites /etc/krb5.conf with no backup (smb.conf below is backed up
# first). The libdefaults written here enable forwardable and proxiable
# tickets; a forwardable TGT can be reused from any host it is forwarded
# to, so keep that only if credential delegation is actually required.
echo 'Configuring Kerberos'
cat << EOF > /etc/krb5.conf
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

    default_realm = AD.FOOBAR.COM

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        plain = {
            something = something-else
    fcc-mit-ticketflags = true

        kdc = DC1.AD.FOOBAR.COM
        kdc = DC2.AD.FOOBAR.COM
        admin_server = DC1.AD.FOOBAR.COM

    krb4_convert = true
    krb4_get_tickets = false

# Comments out every existing `server` line (backup kept as
# chrony.conf.orig) and appends the domain time sources. The appended
# body is empty on this page; Kerberos rejects requests when the clock
# drifts beyond the KDC's allowed skew, so the DCs must be reachable
# as time sources here.
echo 'Configuring Chrony'
sed -i.orig 's/^server/#server/g' /etc/chrony.conf

cat << EOF >> /etc/chrony.conf

# Backup, then overwrite. The body is the Ubuntu guide's template (note the
# "Ubuntu" server string and the Debian-style panic-action path, which may
# not exist on CentOS). `map to guest` and `usershare allow guests` permit
# anonymous share access; they are not needed for a plain domain join and
# can be dropped on a host that only authenticates against AD.
echo 'Configuring Samba'
cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
cat << EOF > /etc/samba/smb.conf
   workgroup = AD
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = AD.FOOBAR.COM
   security = ads

   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

# sssd.conf is written here and locked down to root:root 0600 below (SSSD
# refuses a config that other users can read). `cache_credentials = True`
# stores password hashes locally so users can log in while the DCs are
# unreachable; decide whether offline credential caching is acceptable
# for this host. Home dirs follow override_homedir, i.e. /home/<domain>/<user>.
echo 'Configuring SSSD'
cat << EOF > /etc/sssd/sssd.conf
services = nss, pam, sudo
config_file_version = 2
domains = AD.FOOBAR.COM

id_provider = ad
access_provider = ad
cache_credentials = True
override_homedir = /home/%d/%u
default_shell = /bin/bash

# sudo is redundant here: yum/mkdir/restorecon above already require the
# script to run as root.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

# Enables sssd in nsswitch and the PAM stack, plus pam_oddjob_mkhomedir so
# AD users get a home directory at first login.
echo 'Configuring PAM'
authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall

# Apply the chrony change before kinit so the clock is in sync with the
# KDC when the ticket is requested.
echo 'Restarting Chronyd'
systemctl restart chronyd.service

# Interactive: kinit prompts for the Administrator password, so this step
# cannot run unattended. A dedicated account that only has the right to
# join computers to the domain is preferable to the domain administrator.
# `net ads join -k` authenticates with the ticket just obtained rather than
# a password on the command line (which would be visible in ps/history).
echo 'Obtaining Kerberos ticket'
sudo kinit Administrator
echo 'Getting info about the obtained ticket'
sudo klist
echo 'Joining to the domain'
sudo net ads join -k

# Pick up the new sssd.conf and the keytab created by the join.
echo 'Restarting SSSD'
systemctl restart sssd.service

That’s pretty much it. You can then specify sudo rights in AD. For details, please refer to the sudo section of the Ubuntu guide.
