Use realm/adcli to join RHEL7/8/9 to AD

For RHEL 7

# yum install realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation authconfig

adcli info
# adcli join
Password for Administrator@TEST.COM:  <---- Enter Admin password

The join operation creates the keytab /etc/krb5.keytab that the machine authenticates with. Run the command below to list its entries:
# klist -kte

Configure /etc/krb5.conf to use AD domain:

default_realm = TEST.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit  = 1

#kdc =
#admin_server =

[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM

Use authconfig to set up the Name Service Switch (/etc/nsswitch.conf) and the PAM stacks (/etc/pam.d/password-auth and /etc/pam.d/system-auth):

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

#cat /etc/sssd/sssd.conf
domains =

config_file_version = 2
services = nss, pam

access_provider = simple
ad_domain =
ad_gpo_access_control = permissive
ad_server =,
auto_private_groups = true   # every AD user gets a primary GID equal to its UID
cache_credentials = true
default_shell = /bin/bash
fallback_homedir = /home/%u    # same as local user home folder location
id_provider = ad
krb5_realm = TEST.COM
krb5_store_password_if_offline = true
ldap_id_mapping = true     # let SSSD map uid/gid algorithmically from the AD object SIDs instead of using the POSIX uid/gid attributes defined in AD
ldap_schema = ad
ldap_user_ssh_public_key = sshPublicKey
realmd_tags = manages-system, joined-with-samba
simple_allow_groups = ssh users
use_fully_qualified_names = false



# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

# id username

For RHEL 8/9

# yum install realmd sssd oddjob oddjob-mkhomedir krb5-workstation authselect-compat adcli [samba-common-tools]

#realm discover
#realm list
#realm join
 Password for Administrator:

#authselect select sssd with-mkhomedir with-faillock without-nullok --force
#systemctl enable sssd.service --now
#systemctl enable oddjobd.service --now

A keytab is a file containing pairs of Kerberos principals and encrypted keys. It is the machine's credential, so keep it owned by root and readable by root only.

[root@test1 ~]# more /etc/realmd.conf
default-home = /home/%U
default-shell = /bin/bash

automatic-install = yes

sssd = yes

default-client = sssd

fully-qualified-names = no
automatic-id-mapping = yes

# other commands

#realm leave
#klist -k /etc/krb5.keytab
#authconfig --test

 Ansible.cfg Best Practice


ansible.cfg holds the parameters that control how ansible and ansible-playbook behave.

The following parameters are best practice; put them in the ansible.cfg file in the same folder. Note that UserKnownHostsFile=/dev/null, StrictHostKeyChecking=no and host_key_checking = false together disable SSH host key verification, so Ansible will connect to whatever host answers at the managed node's address; that is convenient in a disposable lab, but in production keep host key checking enabled and pre-populate known_hosts instead.


ssh_args = '-o ControlMaster=auto -o ControlPersist=60s  -o ServerAliveInterval=60 -o ServerAliveCountMax=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
pipelining = True

host_key_checking = false
timeout = 60
remote_tmp = /tmp