Join CentOS 7/8 to a Windows domain using adcli

In this tutorial, you will use adcli to join a Linux client (RHEL/CentOS 7/8) to a Windows Active Directory domain. Adcli will use the system security service daemon (SSSD) to connect CentOS/RHEL 7/8 systems to the Microsoft Active Directory domain. Basically, two components are required to connect CentOS/RHEL 7/8 systems to Active Directory (AD).

SSSD interacts with the central identity and authentication source, adcli detects the available domains, and then the underlying RHEL system service (SSSD in this case) must be manually configured to connect to the domain.

Overview of integrating Linux with Windows domains using SSSD

The system security service daemon (sssd) provides a set of daemons to manage access and authentication mechanisms to remote directories. In this example, Active Directory. The sssd service provides the system with NSS (Name Service Switch) and PAM (Pluggable Authentication Mechanism) interfaces and a modular back-end system to connect to multiple different account sources and D-bus interfaces.

Identify the account on the remote Active Directory through LDAP and authenticate the AD domain through Kerberos. LDAP account search is referenced and /usr/lib64/libnss is called_ sss. so. 2 NSS module and /etc/nsswitch Conf file. Will use /lib64/security/ reference authentication.

We use SSSD to access the user directory for authentication and authorization through a common framework with a user cache to allow offline login. SSSD is the recommended component for connecting RHEL systems to one of the following types of identity servers:

  • Active Directory
  • Identity management in RHEL (IdM)
  • Any generic LDAP or Kerberos server

Overview of laboratory environment

To demonstrate this article's addition of CentOS 8 to a Windows domain controller (Active Directory), we will use a Linux server with CentOS 8 installed.

There is a Microsoft Server 2012 R2 Active Directory domain controller with an IP address of and a CentOS 8 host with an IP address of Therefore, this article needs a pre configured Windows Active Directory.

Prerequisites for adding Linux to a Windows AD domain


Before joining Linux to a Windows domain, we need to ensure that the time service and DNS service have been set up

Update /etc/resolv conf

Ensure that RHEL/CentOS client machines can resolve Active Directory servers. To do this, update /etc/resolv conf.

# cat /etc/resolv.conf

Verify domain name resolution

Verify that the client can resolve the domain name:

# nslookup


Verify the configuration of name resolution. In particular, verify DNS SRV records.

 ~]# host -t SRV has SRV record 0 100 88

 ~]# host -t SRV has SRV record 0 100 389

~]# host -t SRV has SRV record 0 100 389

Ensure support for common encryption types in AD and RHEL

By default, SSSD supports RC4, AES-128, and AES-256 Kerberos encryption types.

RC4 encryption has been deprecated and disabled by default in CentOS/RHEL 8 because it is considered less secure than the newer AES-128 and AES-256 encryption types. If you are using RHEL/CentOS 7, you can ignore this step.

Can focus on how to repair“ KDC does not support encryption type ”? Enable RC4 encryption.

For more information, see ensure support for common encryption types in AD and RHEL

Install package (RHEL/CentOS 8)

The following packages need to be installed on the CentOS/RHEL 8 client node:

# dnf -y install adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

Installation package (RHEL/CentOS 7)

The following packages need to be installed on the CentOS/RHEL 7 client node:

# yum -y install adcli sssd authconfig oddjob oddjob-mkhomedir samba-common-tools krb5-workstation

Some brief overview of these individual packages:

  • Samba common tools: this represents a shared tool between the server and the client
  • oddjob: this is a D-bus service that provides odd jobs for clients
  • Oddjob mkhomedir: it can be used together with the odd job service to create a home directory for the AD account if necessary
  • sssd: the system security service daemon can be used to transfer client authentication as needed
  • adcli: these are tools for joining and managing AD domains
  • Krb5 workstation: provides the Kerberos klist command for verifying Kerberos related configurations.

Using adcli to join Linux to a Windows domain

Discover AD domains

You can use the adcli info command, which displays discovered information about Active Directory domains or Active Directory domain controllers.

# adcli info
domain-name = GOLINUXCLOUD.COM
domain-short = GOLINUXCLOUD
domain-forest = GOLINUXCLOUD.COM
domain-controller = WIN-71HUMTROS3M.GOLINUXCLOUD.COM
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = WIN-71HUMTROS3M.GOLINUXCLOUD.COM
computer-site = Default-First-Site-Name

Join RHEL/CentOS 7/8 system to Windows AD domain

adcli join creates a computer account in the domain for the local machine and sets a keytab for the machine. It does not configure authentication services (such as sssd).

# adcli join
Password for Administrator@GOLINUXCLOUD.COM:
adcli: couldn't connect to domain: Couldn't authenticate as: Administrator@GOLINUXCLOUD.COM: KDC has no support for encryption type

What we get here is that "the KDC does not support encryption type", because the domain controller is still using RC4 encryption, which needs to be enabled on the client, as in the precondition As notified in section. This error is used to demonstrate the errors that may occur if AES encryption is not used on the domain controller.

Therefore, update the encryption policy on the client and retry the adcli join command. By default, it prompts for an administrator password, but you can specify another user using the -u <user> option:

# adcli join
Password for Administrator@GOLINUXCLOUD.COM:

You can use klist -kt to check the keytab, which should display several entries containing the client hostname in some form:

# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 CENTOS8$@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/CENTOS8@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/ (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 host/ (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 host/ (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/CENTOS8@GOLINUXCLOUD.COM (aes256-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/ (DEPRECATED:arcfour-hmac)
   2 03/05/2021 03:38:03 RestrictedKrbHost/ (aes128-cts-hmac-sha1-96)
   2 03/05/2021 03:38:03 RestrictedKrbHost/ (aes256-cts-hmac-sha1-96)

Configure Kerberos (/etc/krb5.conf)

Unlike realmd, adcli does not automatically configure SSSD and Kerberos. Therefore, you must manually configure these services to work with AD domains. After finishing the file and deleting the comments of the field, the file looks like the following screenshot:


Do not copy the entire output and paste it into your krb5 In the conf file, simply set the example COM is replaced by its own domain Com to update REALM

Configuring NSS and PAM

Name service switch (NSS) configuration file /etc/nsswitch Conf is used by various NSS libraries; One of the NSS libraries is /usr/lib64/ The NSS configuration file determines the source from which name service information can be obtained and its order from a series of categories. The information of each category is identified by a resource database name; This can be a host for name resolution and a passwd for locating user accounts in the database.

Relevant PAM modules can be configured using PAM services. They should be in /etc/pam D directory. Can be in a single file, such as /etc/pam D/login, or a command file referenced through many services (for example, /etc/pam.d/system-auth-ac).

On RHEL/CentOS 7

Use authconfig to set the name service switch (/etc/nsswitch.conf) and PAM stack (/etc/pam.d/password-auth and /etc/pam.d/system-auth)

# authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update

The above command will be displayed in /etc/nsswitch conf,/etc/pam. D / password auth and /etc/pam Modify and add necessary entries in the d/system-auth file. Next, enable and start / restart oddjobd service

# systemctl enable --now oddjobd.service

On RHEL/CentOS 8

authconfig is replaced by authselect in RHEL/CentOS 8. So we will use authselect to configure the respective PAM and NSS files we discussed in the previous section.

# authselect select sssd with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2021-03-02-12-08-32.O2GvBy
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Next, enable and start / restart oddjobd service

# systemctl enable --now oddjobd.service

If in /etc/nsswitch Check sss in conf to see all databases that depend on a specific library. The grep command can be used to isolate these entries as follows:

# grep sss /etc/nsswitch.conf
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files

The database name is explained here:

  • passwd: this specifies the user account
  • shadow: this represents password information
  • **Group:* * this specifies the group account
  • services: this indicates service name resolution
  • netgroup: this specifies the host group that can be used in access control rules
  • automount: this indicates that autofs can automatically mount directories

You can use grep again to display the configuration that sssd is used with PAM, from /etc/pam D / password auth and /etc/pam Filter sss in d/system auth file:

# grep sss /etc/pam.d/*
/etc/pam.d/password-auth:auth        sufficient                          forward_pass
/etc/pam.d/password-auth:account     [default=bad success=ok user_unknown=ignore]
/etc/pam.d/password-auth:password    sufficient                          use_authtok
/etc/pam.d/password-auth:session     optional                           
/etc/pam.d/system-auth:auth        sufficient                          forward_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore]
/etc/pam.d/system-auth:password    sufficient                          use_authtok
/etc/pam.d/system-auth:session     optional                           

You can see that the authentication module is used for all possible triggers:

  • auth: this is used during authentication
  • Account: this is used for account restrictions
  • Password: this is used for password change events
  • Session: this is used during the login session

Configure SSSD

Using realmd again automatically creates and populates the SSSD configuration file, /etc/sssd/sssd Conf, but you must manually create and update this file to use adcli. Edit /etc/sssd/sssd Conf and define a domain (if the file does not exist, you may have to create the file manually):

at /etc/sssd/sssd.conf
services = nss, pam
config_file_version = 2

id_provider = ad
override_homedir = /home/%d/%u
debug_level = 0
ldap_sasl_authid = SHORT_HOSTNAME$



Ensure that /etc/sssd/sssd Conf is owned by root:root with permissions of 600:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

# ls -l /etc/sssd/sssd.conf
-rw-------. 1 root root 208 Mar  2 17:39 /etc/sssd/sssd.conf

Enable and start / restart SSSD service

# systemctl enable sssd
# systemctl restart sssd

Check sssd Service status:

Log in as an Active Directory user on a Linux client

Try logging in to the Linux client using a Windows AD user and verify that the home directory is automatically created. But first, check whether the Linux client can obtain the user details of AD users:

# id GOLINUXCLOUD\\Administrator
uid=111800500(administrator) gid=111800513(domain users) groups=111800513(domain users),111800520(group policy creator owners),111800512(domain admins),111800572(denied rodc password replication group),111800518(schema admins),111800519(enterprise admins)

Therefore, the administrator user in AD is detected by the Linux client, so try to switch the user to administrator:

# su - GOLINUXCLOUD\\Administrator
Creating home directory for administrator.
Last login: Tue Mar  2 17:41:26 IST 2021 on pts/0
$ exit

Create / delete Active Directory Users

This command may not be one of the most useful tools because you can create users, but you cannot enable accounts or set passwords for new users. In this way, this command is not as useful as some other tools that use adcli.

Here, we create an AD user "Amit Kumar", whose user name is Amit:

# adcli create-user amit --domain=GOLINUXCLOUD.COM --display-name="Amit Kumar"
Password for Administrator@GOLINUXCLOUD.COM:

Now, if you authenticate on Microsoft AD, this user is disabled:

So you must first assign a password to this user. Right click the user, and then click reset password. Provide the password and click OK

To enable an account now, right-click the user and select enable account

You can now try logging in with this new user on the Linux client:

uid=111801121(amit) gid=111800513(domain users) groups=111800513(domain users)

# su - GOLINUXCLOUD\\amit
Creating home directory for amit.
~]$ logout

To delete the account you just created, use the following command:

# adcli delete-user amit

There are a large number of commands that can be used with adcli. For more information, you can check the man page of adcli commands


In this article, we studied how to use Active Directory as the identity store to utilize users and groups on Linux. The simplicity of this setup makes it a very useful and much needed solution for enterprises around the world.

Before setting the time and DNS, you need to do some basic work. After setting, you can use the command adcli to configure sssd to use Active Directory as the identity source.

Through RHEL system in AD domain, adcli can be used to manage this domain to some extent, and allow users to access Linux command line through console or SSH.

Posted by HiddenS3crets on Sat, 04 Jun 2022 00:19:58 +0530