Overview
This post summarises how to automatically join a Red Hat Enterprise Linux 8 (RHEL8) server to your Active Directory domain during kickstart, using a keytab for a dedicated join account rather than an interactive password.
Prerequisites
A Red Hat server (server-01) that is already joined to your domain; it will be used to generate the krb5.conf and the keytab.
Create AD service account
Create an Active Directory service account. Hit up the Windows Server team for this unless this is also you 😉
Because of the way these credentials are used (the keytab will sit on a share reachable by hosts during kickstart), the service account was delegated only the right to manage computer objects in the selected OU, and nothing else. This is a security choice that you may not wish to follow.
Create an NFS share
You will need to set up an NFS server if you don't already have one, then configure an NFS share, nfsserver:/nfs_share, that is reachable by servers during kickstart.
I'll leave the security choices regarding access to this share to you. Bear in mind that the keytab it will hold is equivalent to the service account's password, so at minimum restrict the export to the network the installers run on and consider exporting it read-only.
Create a krb5.conf for your domain
The easiest way to do this is to manually join a server to your domain (use server-01 for this task) and copy the generated /etc/krb5.conf to:
nfsserver:/nfs_share/krb5.conf
Create a keytab file for the service account
On server-01, mount nfsserver:/nfs_share on /mnt, create the keytab file and write it to /mnt/adjoin.svc_krb5.keytab. ktutil will prompt for the service account's password; the resulting keytab grants the same access as that password, so keep its permissions tight (mode 0600, owned by root) on the share.
# ktutil
ktutil: add_entry -password -p [email protected] -k 0 -e aes256-cts-hmac-sha1-96
ktutil: write_kt /mnt/adjoin.svc_krb5.keytab
ktutil: quit
# klist -ekt /mnt/adjoin.svc_krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
0 12/06/19 09:56:57 [email protected] (aes256-cts-hmac-sha1-96)
Test that a valid kerberos ticket can be obtained using the keytab.
# kinit -k -t /mnt/adjoin.svc_krb5.keytab [email protected]
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
12/06/19 10:00:59 12/06/19 20:00:59 krbtgt/[email protected]
renew until 19/06/19 10:00:59
# kdestroy
Packages required
Install the following packages during kickstart. realmd performs the join through adcli and hands authentication to sssd, and %post runs chrooted into the installed system, so mount.nfs (from nfs-utils) must be present there too; the --install=/ option used later only stops realmd from trying to install packages itself, it does not install anything.
%packages
krb5-workstation
oddjob
oddjob-mkhomedir
realmd
sssd-dbus
sssd-tools
# named in realmd's package check; list them explicitly rather than relying on dependencies
adcli
sssd
# provides mount.nfs used in %post
nfs-utils
%end
Get a Kerberos ticket and join the domain
%post
# I put this code towards the end of my %post section, after any
# customisation and Foreman activation.
# Get a Kerberos ticket as the join account.
mount.nfs -o soft nfsserver:/nfs_share /mnt
rm -f /etc/krb5.conf
cp -a /mnt/krb5.conf /etc/
kinit -V -k -t /mnt/adjoin.svc_krb5.keytab [email protected]
# Join the domain and place the computer object in OU=Linux,OU=Servers,DC=example,DC=local.
# No -U is given, so realmd uses the ticket obtained above.
# '--install=/' is required for kickstart, otherwise realmd errors with:
#   realm: Couldn't join realm: Necessary packages are not installed:
#   oddjob oddjob-mkhomedir sssd adcli
realm join --verbose --os-name=RedHat --os-version=8.0 --install=/ --computer-ou="OU=Linux,OU=Servers" example.local
# Do not leave the join account's ticket cache on the new host, and unmount
# the share that holds the keytab before the installer finishes.
kdestroy
umount /mnt
%end
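The %post block above does the job, but it has no error handling: if the mount or kinit fails, realm join still runs, fails, and kickstart carries on to produce an unjoined host that nobody notices until first login. The following is an added example, not code from the original post, of the same join written fail-safe: every step is checked, the join account's ticket cache is destroyed and the share unmounted on exit even when a step fails, and the outcome is written to a status file. The share, keytab file name, realm and OU are the ones used in this post; the principal name adjoin.svc@EXAMPLE.LOCAL is an assumption (the post's actual principal is not shown) and must be replaced with your service account's principal, as must the log and status paths if you prefer others.

```shell
#!/bin/sh
# Fail-safe kickstart %post domain join (added example, not the post's code).
# Every step is checked, the join account's ticket cache is destroyed and the
# share unmounted on exit even when a step fails, and the result is written to
# a status file so an unjoined host is obvious after first boot.
# The share, keytab name, realm and OU are the post's; JOIN_PRINCIPAL is an
# assumed name and must be replaced with your service account's principal.

NFS_SHARE="${NFS_SHARE:-nfsserver:/nfs_share}"
MNT="${MNT:-/mnt}"
KEYTAB_NAME="${KEYTAB_NAME:-adjoin.svc_krb5.keytab}"
JOIN_PRINCIPAL="${JOIN_PRINCIPAL:-adjoin.svc@EXAMPLE.LOCAL}"   # assumption
REALM_NAME="${REALM_NAME:-example.local}"
COMPUTER_OU="${COMPUTER_OU:-OU=Linux,OU=Servers}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
LOG="${LOG:-/root/ad-join.log}"
STATUS_FILE="${STATUS_FILE:-/root/ad-join.status}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# EXIT trap: never leave the join account's TGT on the new host, and do not
# leave the share that holds the keytab mounted.
ad_join_cleanup() {
    kdestroy >/dev/null 2>&1 || true
    umount "$MNT" >/dev/null 2>&1 || true
}

# Mount the share read-only and confirm both files are present before use.
ad_join_prepare() {
    mount -t nfs -o soft,ro "$NFS_SHARE" "$MNT" \
        || { log "mount of $NFS_SHARE failed"; return 1; }
    [ -r "$MNT/krb5.conf" ] || { log "krb5.conf missing on share"; return 1; }
    [ -r "$MNT/$KEYTAB_NAME" ] || { log "$KEYTAB_NAME missing on share"; return 1; }
    cp -f "$MNT/krb5.conf" "$KRB5_CONF" || { log "could not install $KRB5_CONF"; return 1; }
    log "share mounted, $KRB5_CONF installed"
}

# Obtain a TGT from the keytab, then join. No -U is given, so realmd uses that
# ticket; --install=/ skips realmd's package check, which cannot run in kickstart.
ad_join_do() {
    kinit -k -t "$MNT/$KEYTAB_NAME" "$JOIN_PRINCIPAL" \
        || { log "kinit as $JOIN_PRINCIPAL failed"; return 1; }
    realm join --verbose --os-name=RedHat --os-version=8.0 --install=/ \
        --computer-ou="$COMPUTER_OU" "$REALM_NAME" >> "$LOG" 2>&1 \
        || { log "realm join $REALM_NAME failed"; return 1; }
    log "joined $REALM_NAME, computer object in $COMPUTER_OU"
}

# Runs the whole sequence; writes JOINED or FAILED to $STATUS_FILE, returns 0/1.
ad_join_main() {
    trap ad_join_cleanup EXIT
    if ad_join_prepare && ad_join_do; then
        echo JOINED > "$STATUS_FILE"
        return 0
    fi
    echo FAILED > "$STATUS_FILE"
    return 1
}

# In %post, set AD_JOIN_RUN=1 before this block (or simply call ad_join_main).
if [ "${AD_JOIN_RUN:-0}" = 1 ]; then
    ad_join_main
fi
```

Drop the block into %post and call ad_join_main (or set AD_JOIN_RUN=1 first); after the reboot, /root/ad-join.status says JOINED or FAILED and /root/ad-join.log holds realmd's verbose output, which is far easier than digging the failure out of the anaconda logs. The share is mounted read-only because nothing in %post needs to write to it, and the ticket is destroyed in the trap rather than at the end of the happy path so a failed join does not leave a usable TGT for the join account on disk.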
Post build configuration
Upon reboot the initial Puppet run deploys our custom /etc/sssd/sssd.conf and restarts sssd.service.
Checks
# sssctl domain-status example.local
# sssctl user-checks [email protected]
# getent passwd [email protected]
# id [email protected]
Hey Paul, thanks for the nice write-up. Do you have a write-up on how to join a RHEL 6.x machine to a Windows AD domain using adcli?
Thanks,
Hi Michael,
Sorry I don’t have one for you, but Red Hat support could probably help you out.