Scope/Description
- This article will walk through the process of joining an Active Directory in Houston UI.
Prerequisites
- CentOS 7
- Houston UI
- Windows Active Directory
- Credentials for Domain User with permission to authenticate Active Directory Join
Steps
Installing packages
- Install packages needed for domain join
[root@centos7 ~]# yum install -y realmd oddjob-mkhomedir oddjob samba-winbind-clients samba-winbind samba-common-tools samba samba-winbind-krb5-locator krb5-workstation samba-client
Configuring realmd to use winbind
- Set “domain-client” to winbind instead of sssd
[root@centos7-45d ~]# sed -i 's/^\(default-client = \).*$/\1winbind/' /usr/lib64/realmd/realmd-defaults.conf
- Then restart the realmd service.
Configuring Hostname and DNS
- Set hostname to include domain name if not set already, this is done in the Overview tab of the Houston UI.
- Set DNS server to the IP of the Domain Controller if not done already. This is done in the network tab of the Houston UI
Joining the Domain
- Join Domain, refresh the page if the “Join Domain” button is greyed out
Granting SeDiskOperatorPrivilege
- Now we need to grant the SeDiskOperatorPrivilege privilege to any domain groups / users that are going to be configuring share permissions.
[root@centos-45d ~]# net rpc rights grant "45LAB\domain admins" SeDiskOperatorPrivilege -U "45LAB\bk" Enter 45LAB\bk's password: Successfully granted rights.
- You can list all users and groups who have this privilege by running:
[root@centos-45d ~]# net rpc rights list privileges SeDiskOperatorPrivilege -U "45LAB\bk" Enter 45LAB\bk's password: SeDiskOperatorPrivilege: SeDiskOperatorPrivilege: BUILTIN\Administrators 45LAB\domain admins
Verification
- We can now communicate with our Active Directory server, and assign permissions based on the users and groups from our Active Directory.
Troubleshooting
- Ensure you have configured the server hostname and DNS address correctly.
- Ensure you have configured nsswitch.conf correctly.
- If net rpc rights grant is causing issues, try using net sam rights grant instead.
Views: 682