In order to join AlmaLinux (or any RHEL clone) to an AD, you need to install Samba and change the default authentication. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers.
Step 1: Install prerequisites
$ apt install samba winbind libnss-winbind libpam-winbind
Step 2: Create samba config
Create a new file /etc/samba/smb.conf or change the existing one with your favourite editor (vi, Neovim, Vim, nano…) and add the following content. For an explanation of the config parameters, please see the Samba documentation.
[global]
    netbios name = <my host name here>
    realm = <my domain here, e.g. domain.local>
    workgroup = <my domain name without .local>
    security = ADS
    local master = no
    domain master = no
    allow trusted domains = no
    winbind use default domain = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind cache time = 300
    winbind offline logon = no
    idmap config * : range = 2000-9999
    idmap config * : backend = tdb
    template shell = /bin/sh
Step 3: Test config, start samba and join Ubuntu to the domain
Now let us test the Samba config and start the Samba services once by hand; starting them at boot will come later. If asked for a password, please enter the one for the specified user.
$ testparm
$ systemctl start nmbd
$ systemctl start smbd
$ systemctl start winbind
$ net ads join -U Administrator
$ systemctl restart winbind
If successful, you can check the AD’s users and groups with wbinfo:
$ wbinfo -u
$ wbinfo -g
Basically you should see all users and groups. Hurray, your box is now a domain member!
Step 4: Make the system use AD users for authentication
Next up, you need to change the authentication backend. Simply use the following command to enable home folder creation and Windows authentication:
$ pam-auth-update
Then open /etc/nsswitch.conf and change the following lines:
passwd: compat systemd winbind
group: compat systemd winbind
Now check if PAM can read users and groups:
$ getent passwd
$ getent group
You should see all users and groups now. If you have domain trusts, users from other domains are going to be listed as well.
IMPORTANT: if using pam_mkhomedir.so, Samba home directories default to /home/<MY_DOMAIN>/<AD_USER>. The <MY_DOMAIN> folder needs to be created manually first!
Step 5: Configure OpenSSH and Sudo
Ok, all great so far. Now, let’s change OpenSSH to authenticate with AD and limit login only to domain admins in this case.
Edit /etc/ssh/sshd_config and change or add the following lines:
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups "domain admins" adm root
Next, allow domain administrators to “sudo” commands (optional):
Edit /etc/sudoers and change or add the following line:
%domain\ admins ALL=(ALL) NOPASSWD: ALL
Please be aware that NOPASSWD suppresses the password prompt when executing commands with sudo. You may consider that a security risk; if so, simply remove “NOPASSWD:” from the line.
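The following audit helper is an added example, not part of the original write-up: it checks the three post-join settings from Steps 4 and 5 (winbind in nsswitch.conf, AllowGroups in sshd_config, a NOPASSWD rule in sudoers) against constructed sample files written to a temp directory, so it runs offline; on a joined host you would point the functions at the real /etc paths instead.

```shell
#!/bin/sh
# Added audit helper for the settings from Steps 4 and 5.
# The files below are CONSTRUCTED samples standing in for /etc/nsswitch.conf,
# /etc/ssh/sshd_config and /etc/sudoers so that the script runs offline.
TMP=$(mktemp -d)
printf 'passwd: compat systemd winbind\ngroup: compat systemd winbind\nshadow: compat\n' > "$TMP/nsswitch.conf"
printf 'passwd: compat systemd\ngroup: compat systemd\n' > "$TMP/nsswitch.bad"
printf 'PasswordAuthentication yes\nChallengeResponseAuthentication no\nAllowGroups "domain admins" adm root\n' > "$TMP/sshd_config"
printf 'root ALL=(ALL) ALL\n%%domain\\ admins ALL=(ALL) NOPASSWD: ALL\n' > "$TMP/sudoers"

# Step 4 check: both the passwd and the group database must list winbind,
# otherwise getent (and therefore sshd and sudo) never sees AD accounts
# even though "net ads join" succeeded.
nss_uses_winbind() {
    for db in passwd group; do
        awk -v db="$db:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                           END { exit !ok }' "$1" || return 1
    done
}

# Step 5 check: with PasswordAuthentication enabled, AllowGroups is what keeps
# every enumerated AD user from logging in over SSH; require it to be set.
sshd_restricts_groups() {
    awk 'tolower($1) == "allowgroups" && NF >= 2 { ok = 1 } END { exit !ok }' "$1"
}

# Step 5 check: returns 0 when an uncommented rule grants NOPASSWD, so the
# caller can decide whether password-less sudo is acceptable on this host.
sudoers_has_nopasswd() {
    grep -Eq '^[^#]*NOPASSWD:' "$1"
}

# Human-readable summary for a directory holding the three files.
audit_dir() {
    d="$1"
    nss_uses_winbind "$d/nsswitch.conf" && echo "nsswitch: OK (winbind in passwd and group)" \
        || echo "nsswitch: FAIL (winbind missing; getent will not list AD users)"
    sshd_restricts_groups "$d/sshd_config" && echo "sshd: OK (AllowGroups set)" \
        || echo "sshd: FAIL (no AllowGroups; every AD user may log in)"
    sudoers_has_nopasswd "$d/sudoers" && echo "sudoers: WARN (NOPASSWD rule present)" \
        || echo "sudoers: OK (password required for sudo)"
}

audit_dir "$TMP"
```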
Step 6: Start samba and winbind at boot time
Last but not least, we need to start Samba at boot time. Simply execute the following lines:
$ systemctl enable nmbd
$ systemctl enable smbd
$ systemctl enable winbind
That should be it. Now reboot and use your Ubuntu box as an AD member.