Overview

This post will summarise how to automatically join a Red Hat 8 (RHEL8) server to your domain during kickstart.

Prerequisites

A Red Hat server (server-01) that is already joined to your domain; it will be used for keytab creation.

Create AD service account

Create an Active Directory service account. Hit up the Windows Server team for this unless this is also you 😉

Because of the way I use these credentials, the service account was restricted to managing computer objects in the selected OU only. This is a security choice that you may not wish to follow.

Create an NFS share

You will need to set up an NFS server if you don’t already have one. Then configure an NFS share, nfsserver:/nfs_share, that will be accessible to servers during kickstart.

I’ll leave the security choices regarding access restrictions on this share to you. Bear in mind that the share will hold the service account keytab, so anything that can read the share can obtain a ticket as that account.

Create a krb5.conf for your domain

The easiest way to do this is to manually join a server to your domain (use server-01 for this task) and copy the generated /etc/krb5.conf to:
nfsserver:/nfs_share/krb5.conf

Create a keytab file for the service account

On server-01, mount nfsserver:/nfs_share on /mnt, then create the keytab file directly on the share as /mnt/adjoin.svc_krb5.keytab:

# ktutil
ktutil: add_entry -password -p adjoin.svc@EXAMPLE.LOCAL -k 0 -e aes256-cts-hmac-sha1-96
ktutil: write_kt /mnt/adjoin.svc_krb5.keytab
ktutil: quit

# klist -ekt /mnt/adjoin.svc_krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 12/06/19 09:56:57 adjoin.svc@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)

Test that a valid Kerberos ticket can be obtained using the keytab, then discard it:

# kinit -k -t /mnt/adjoin.svc_krb5.keytab adjoin.svc@EXAMPLE.LOCAL
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adjoin.svc@EXAMPLE.LOCAL
Valid starting     Expires            Service principal
12/06/19 10:00:59  12/06/19 20:00:59  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 19/06/19 10:00:59
# kdestroy

Packages required

Install the following packages during kickstart:

%packages
krb5-workstation
oddjob
oddjob-mkhomedir
realmd
sssd-dbus
sssd-tools
%end

Get a Kerberos ticket and join the domain

%post
# I put this code towards the end of my %post section, after any
# customisation and Foreman activation.

# get a Kerberos ticket for the join service account
mount.nfs -o soft nfsserver:/nfs_share /mnt
rm -f /etc/krb5.conf
cp -a /mnt/krb5.conf /etc/
kinit -V -k -t /mnt/adjoin.svc_krb5.keytab adjoin.svc@EXAMPLE.LOCAL

# join the domain and place the computer object in OU=Linux,OU=Servers,DC=example,DC=local
# '--install=/' is required under kickstart, otherwise realmd errors with:
# realm: Couldn't join realm: Necessary packages are not installed:
# oddjob oddjob-mkhomedir sssd adcli
realm join --verbose --os-name=RedHat --os-version=8.0 --install=/ --computer-ou="OU=Linux,OU=Servers" example.local

# drop the service account ticket and release the share so neither is left behind on the installed system
kdestroy
umount /mnt
%end
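The keytab verification from the "Create a keytab file" section and the %post join above, rewritten as an added example (this is my code, not the post's or Red Hat's) with error handling, a permission check on the keytab and cleanup that always runs. It assumes the values used in the post: the share nfsserver:/nfs_share mounted on /mnt, the adjoin.svc@EXAMPLE.LOCAL principal, the aes256-cts-hmac-sha1-96 enctype and the OU=Linux,OU=Servers computer OU, and GNU stat (the RHEL default). The file is run as "sh adjoin.sh verify" on server-01 and as "sh adjoin.sh join" from %post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values follow the
# post: the NFS share, the join principal, the enctype and the computer OU.
set -eu

NFS_SHARE="nfsserver:/nfs_share"
MNT="/mnt"
KEYTAB="$MNT/adjoin.svc_krb5.keytab"
PRINCIPAL="adjoin.svc@EXAMPLE.LOCAL"
ENCTYPE="aes256-cts-hmac-sha1-96"
REALM="example.local"
COMPUTER_OU="OU=Linux,OU=Servers"

# keytab_has_principal PRINCIPAL ENCTYPE
# Reads 'klist -ekt' output on stdin and succeeds only if an entry for exactly
# that principal with that encryption type is listed (the leading space stops
# "svc@REALM" matching "adjoin.svc@REALM").
keytab_has_principal() {
    grep -Fq " $1 ($2)"
}

# check_keytab_perms FILE
# The keytab is a long-lived credential for the join account: refuse to use
# it if anyone other than the owner can read it. Uses GNU stat (assumption).
check_keytab_perms() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keytab $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# verify_keytab: run on server-01 after ktutil has written the keytab.
# Confirms the entry is present and that the KDC actually issues a TGT for it.
verify_keytab() {
    check_keytab_perms "$KEYTAB"
    klist -ekt "$KEYTAB" | keytab_has_principal "$PRINCIPAL" "$ENCTYPE" \
        || { echo "no $ENCTYPE entry for $PRINCIPAL in $KEYTAB" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
    kdestroy   # do not leave the service account TGT cached
}

# cleanup: runs whenever join_domain exits, successfully or not, so the
# installed system keeps neither the join TGT nor the NFS mount.
cleanup() {
    kdestroy 2>/dev/null || true
    umount "$MNT" 2>/dev/null || true
}

# join_domain: the %post body from the post with the same realm arguments,
# but the share is mounted read-only and failures abort before 'realm join'.
join_domain() {
    mount.nfs -o soft,ro "$NFS_SHARE" "$MNT"
    trap cleanup EXIT
    check_keytab_perms "$KEYTAB"
    rm -f /etc/krb5.conf
    cp -a "$MNT/krb5.conf" /etc/krb5.conf
    kinit -V -k -t "$KEYTAB" "$PRINCIPAL"
    # --install=/ is required under kickstart, as explained in the post
    realm join --verbose --os-name=RedHat --os-version=8.0 --install=/ \
        --computer-ou="$COMPUTER_OU" "$REALM"
}

# Dispatch on the first argument so one file serves both hosts; with no
# argument nothing is executed and the functions can be sourced for testing.
case "${1:-}" in
    verify) verify_keytab ;;
    join)   join_domain ;;
esac
```

The permission check matters because ktutil writes the keytab with the caller's umask; running it under umask 077, or chmod 600 afterwards, keeps other clients of the share from reading the join credential. The EXIT trap means a failed realm join still removes the ticket cache and mount before kickstart continues.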

Post build configuration

Upon reboot the initial Puppet run deploys our custom /etc/sssd/sssd.conf and restarts sssd.service.

Checks

# sssctl domain-status example.local
# sssctl user-checks user1@example.local
# getent passwd user1@example.local
# id user1@example.local

By paul

2 thoughts on “Red Hat 8 Kickstart Domain Join”
  1. Hey Paul, thanks for the nice write-up. Do you have a write-up on how to join a RHEL 6.x machine to a Windows AD domain using adcli?

    Thanks,

    1. Hi Michael,

      Sorry I don’t have one for you, but Red Hat support could probably help you out.
