Use realm/adcli to join RHEL7/8/9 to AD


For RHEL 7

# yum install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation authconfig

adcli info test.com
# adcli join test.com
Password for Administrator@TEST.COM:  <---- enter the AD administrator password

The join operation creates the /etc/krb5.keytab keytab that the machine authenticates with. Run the command below to list its entries:
# klist -kte

Configure /etc/krb5.conf to use AD domain:

[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit  = 1

[realms]
TEST.COM = {
#kdc = ad1.test.com
#admin_server = ad1.test.com
}

[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM


Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth):

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

Example /etc/sssd/sssd.conf (sssd.conf does not accept trailing inline comments, so keep comments on their own lines):

# cat /etc/sssd/sssd.conf
[sssd]
domains = test.com

config_file_version = 2
services = nss, pam

[domain/test.com]
access_provider = simple
ad_domain = test.com
# permissive: GPO logon restrictions are evaluated and logged but NOT enforced; use enforcing once verified
ad_gpo_access_control = permissive
ad_server = ad1.test.com, ad2.test.com
# all AD users get a private group whose gid equals their uid
auto_private_groups = true
cache_credentials = true
default_shell = /bin/bash
# same as the local user home folder location
fallback_homedir = /home/%u
id_provider = ad
krb5_realm = TEST.COM
krb5_store_password_if_offline = true
# map uid/gid from the object SID instead of the POSIX uid/gid attributes defined in AD
ldap_id_mapping = true
ldap_schema = ad
ldap_user_ssh_public_key = sshPublicKey
realmd_tags = manages-system, joined-with-samba
simple_allow_groups = ssh users
use_fully_qualified_names = false

[nss]

[pam]

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

# id username


For RHEL 8/9

# yum install realmd sssd oddjob oddjob-mkhomedir krb5-workstation authselect-compat adcli [samba-common-tools]

#realm discover example.com
#realm list
#realm join example.com
 Password for Administrator:

#authselect select sssd with-mkhomedir with-faillock without-nullok --force
#systemctl enable sssd.service --now
#systemctl enable oddjobd.service --now

A keytab is a file containing pairs of Kerberos principals and their encrypted keys; the join writes the host keytab to /etc/krb5.keytab, which must stay readable by root only.

[root@test1 ~]# more /etc/realmd.conf
[users]
default-home = /home/%U
default-shell = /bin/bash

[service]
automatic-install = yes

[providers]
sssd = yes

[active-directory]
default-client = sssd

[test.com]
fully-qualified-names = no
automatic-id-mapping = yes


# other commands

#realm leave
#klist -k /etc/krb5.keytab
#authconfig --test

ansible.cfg Best Practice

                            

ansible.cfg holds the parameters that control how ansible and ansible-playbook behave.

The following parameters are best practice; put them in the ansible.cfg file in the same folder. Note that `host_key_checking = false` together with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` disables SSH host key verification entirely, so the controller cannot detect an impersonated host; outside a lab, pre-populate known_hosts and leave verification enabled. `remote_tmp = /tmp` also places module files in a shared world-writable directory instead of the per-user default (~/.ansible/tmp).


Reference:  

https://www.ansible.com/blog/using-ansible-to-manage-rhel-5-yesterday-today-and-tomorrow

https://docs.ansible.com/ansible/latest/reference_appendices/config.html 


[ssh_connection]
ssh_args = '-o ControlMaster=auto -o ControlPersist=60s  -o ServerAliveInterval=60 -o ServerAliveCountMax=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
retries=5
pipelining = True

[defaults]
command_warnings=False
host_key_checking = false
timeout = 60
remote_tmp = /tmp