Joining CentOS 8 to an Active Directory domain

OS: CentOS 8 (CentOS Linux release 8.2.2004 (Core))
Directory service: Active Directory (samba-4.12.5)


・Is the resolver DNS pointed at the Active Directory server? (/etc/resolv.conf)
・Is there any clock difference between the Active Directory server and the server joining the domain?
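A script for the two prerequisite checks, added here as an example and not part of the original post. The helpers read a resolv.conf-style file and epoch timestamps passed as arguments so they can be exercised offline; the DC address 192.0.2.10 in the live section is a placeholder, and the 300-second limit is the MIT krb5 default clockskew.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the two
# prerequisites above. The helpers read files/arguments so they can be run
# against constructed input; the live section at the bottom is optional.

# MIT krb5 rejects requests whose timestamp is more than the default
# clockskew (300 seconds) away from the KDC's clock.
MAX_SKEW=300

# Print the nameserver addresses in a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if the file lists at least one nameserver and every one of
# them is among the DC addresses passed as the remaining arguments.
resolver_points_at_dc() {
    file=$1; shift
    [ -n "$(resolv_nameservers "$file")" ] || return 1
    for ns in $(resolv_nameservers "$file"); do
        found=0
        for dc in "$@"; do
            [ "$ns" = "$dc" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# Absolute difference, in seconds, between two epoch timestamps.
skew_seconds() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# Succeed if the skew between the two epochs is within MAX_SKEW.
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW" ]
}

# Live run: ./prejoin-check.sh --live <DC address>...   (192.0.2.10 is a
# placeholder). Export the DC's "date +%s" as DC_EPOCH to check the clock.
if [ "${1:-}" = "--live" ]; then
    shift
    [ $# -gt 0 ] || set -- 192.0.2.10
    if resolver_points_at_dc /etc/resolv.conf "$@"; then
        echo "resolver: OK"
    else
        echo "resolver: /etc/resolv.conf must list only the DC(s): $*"
    fi
    if [ -n "${DC_EPOCH:-}" ]; then
        if skew_ok "$(date +%s)" "$DC_EPOCH"; then
            echo "clock: OK"
        else
            echo "clock: skew exceeds ${MAX_SKEW}s, fix chrony/NTP before joining"
        fi
    fi
fi
```

The resolver check is strict on purpose: a secondary public nameserver in /etc/resolv.conf is enough for the SRV lookups that realmd, net and sssd perform to intermittently miss the domain, so the file should list the DC(s) only.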


# dnf install sssd realmd oddjob krb5-workstation authconfig samba-common-tools

パッケージ アーキテクチャー バージョン リポジトリー サイズ
authselect-compat x86_64 1.1-2.el8 AppStream 37 k
krb5-workstation x86_64 1.17-18.el8 BaseOS 940 k
oddjob x86_64 0.34.4-7.el8 AppStream 83 k
realmd x86_64 0.16.3-18.el8 BaseOS 233 k
samba-common-tools x86_64 4.11.2-13.el8 BaseOS 472 k
sssd x86_64 2.2.3-20.el8 BaseOS 94 k
avahi-libs x86_64 0.7-19.el8 BaseOS 62 k
bind-libs x86_64 32:9.11.13-5.el8_2 AppStream 171 k
bind-libs-lite x86_64 32:9.11.13-5.el8_2 AppStream 1.2 M
bind-license noarch 32:9.11.13-5.el8_2 AppStream 100 k
cups-libs x86_64 1:2.2.6-33.el8 BaseOS 432 k
cyrus-sasl-gssapi x86_64 2.1.27-1.el8 BaseOS 49 k
libipa_hbac x86_64 2.2.3-20.el8 BaseOS 103 k
libkadm5 x86_64 1.17-18.el8 BaseOS 185 k
libsmbclient x86_64 4.11.2-13.el8 BaseOS 146 k
libwbclient x86_64 4.11.2-13.el8 BaseOS 117 k
psmisc x86_64 23.1-4.el8 BaseOS 150 k
python3-bind noarch 32:9.11.13-5.el8_2 AppStream 148 k
python3-sssdconfig noarch 2.2.3-20.el8 BaseOS 120 k
samba-client-libs x86_64 4.11.2-13.el8 BaseOS 5.1 M
samba-common noarch 4.11.2-13.el8 BaseOS 212 k
samba-common-libs x86_64 4.11.2-13.el8 BaseOS 173 k
samba-libs x86_64 4.11.2-13.el8 BaseOS 170 k
sssd-ad x86_64 2.2.3-20.el8 BaseOS 235 k
sssd-common-pac x86_64 2.2.3-20.el8 BaseOS 165 k
sssd-ipa x86_64 2.2.3-20.el8 BaseOS 328 k
sssd-krb5 x86_64 2.2.3-20.el8 BaseOS 129 k
sssd-krb5-common x86_64 2.2.3-20.el8 BaseOS 174 k
sssd-ldap x86_64 2.2.3-20.el8 BaseOS 208 k
adcli x86_64 0.8.2-5.el8 BaseOS 108 k
bind-utils x86_64 32:9.11.13-5.el8_2 AppStream 443 k
oddjob-mkhomedir x86_64 0.34.4-7.el8 AppStream 52 k
sssd-proxy x86_64 2.2.3-20.el8 BaseOS 129 k

インストール 33 パッケージ

ダウンロードサイズの合計: 12 M
インストール済みのサイズ: 35 M


# vi /etc/sssd/sssd.conf
[sssd]
domains = isoppe.jp
config_file_version = 2
services = nss, pam
debug_level = 0

[domain/isoppe.jp]
ad_domain = isoppe.jp
krb5_realm = ISOPPE.JP
krb5_store_password_if_offline = True
ldap_id_mapping = True
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u

# chmod 600 /etc/sssd/sssd.conf


# vi /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# default_realm = EXAMPLE.COM
default_realm = ISOPPE.JP
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }

[domain_realm]
isoppe.jp = ISOPPE.JP
.isoppe.jp = ISOPPE.JP
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
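To show why [domain_realm] carries both isoppe.jp and .isoppe.jp, here is an added example (not from the original post) that performs the host-to-realm lookup the way MIT krb5 documents it: an exact host entry first, then each parent domain with a leading dot, then default_realm. The parser and function names are my own, and the configuration it reads in the usage is a constructed copy of the lines above.

```shell
#!/bin/sh
# Added example, not part of the original post: the host-to-realm lookup
# that MIT krb5 performs with the [domain_realm] section. The parser handles
# one "key = value" per line and ignores the { } blocks of [realms], which is
# enough for the sections used here.

# Print the value of KEY in SECTION of a krb5.conf-style file (empty if absent).
krb5_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # comments
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); next }
        s == sec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Realm for HOST, in the documented order: an exact host entry first, then
# each parent domain with a leading dot (a bare "isoppe.jp" entry also stands
# in for ".isoppe.jp" when no explicit dotted entry exists), and finally
# default_realm. dns_lookup_realm is false here, so DNS is never consulted.
# Note that the bare name "isoppe.jp" itself is only matched by its own
# entry, which is why the config keeps both lines.
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    r=$(krb5_get "$conf" domain_realm "$host")
    if [ -n "$r" ]; then echo "$r"; return 0; fi
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}                                  # drop the leftmost label
        r=$(krb5_get "$conf" domain_realm ".$d")
        [ -n "$r" ] || r=$(krb5_get "$conf" domain_realm "$d")
        if [ -n "$r" ]; then echo "$r"; return 0; fi
    done
    krb5_get "$conf" libdefaults default_realm
}

# Usage against the real file: ./realm-lookup.sh HOGE.isoppe.jp
if [ -n "${1:-}" ]; then
    realm_for_host /etc/krb5.conf "$1"
fi
```

With dns_lookup_realm = false, a host that matches neither entry silently falls back to default_realm, so a service principal on a host outside isoppe.jp would be requested from the wrong realm; add the other domain to [domain_realm] rather than turning DNS realm lookup on.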


# vi /etc/samba/smb.conf
[global]
workgroup = ISOPPE
security = ads
password server = isoppe.jp
realm = ISOPPE.JP
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m


# vi /etc/hosts
127.0.0.1 HOGE.isoppe.jp HOGE localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6


# kinit administrator
Password for administrator@ISOPPE.JP: (enter the Administrator user's password)

# klist
Ticket cache: KCM:0
Default principal: administrator@ISOPPE.JP

Valid starting Expires Service principal
2020-08-11T21:32:47 2020-08-12T07:32:47 krbtgt/ISOPPE.JP@ISOPPE.JP
renew until 2020-08-18T21:32:45

The cache is reported as KCM:0 rather than the KEYRING cache named in /etc/krb5.conf because the sssd-kcm drop-in /etc/krb5.conf.d/kcm_default_ccache, pulled in by the includedir line, sets default_ccache_name = KCM: before the main file does, and the earlier value takes precedence.


# net ads join -U administrator
Enter administrator's password: (enter the Administrator user's password)
Using short domain name -- ISOPPE
Joined 'HOGE' to dns domain 'isoppe.jp'

Then confirm that Active Directory users can be looked up with the id command.

# authconfig --update --enablesssd --enablesssdauth
Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect select sssd --force
Executing: /usr/bin/systemctl enable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Executing: /usr/bin/systemctl start sssd.service

# id hoge
uid=1803601103(hoge) gid=1803600512(domain admins) groups=1803600512(domain admins),1803600572(denied rodc password replication group)


# authselect select sssd with-mkhomedir
プロファイル "sssd" が設定されました。
以下の nsswitch マップはプロファイルで上書きされます:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled
- systemctl enable oddjobd.service
- systemctl start oddjobd.service

# systemctl start oddjobd.service

# systemctl enable oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.


Creating home directory for hoge.
Last login: Tue Aug 11 21:34:12 2020 from
[hoge@HOGE ~]$
[hoge@HOGE ~]$ pwd


If sssd fails to start with status=4/NOPERMISSION, the ownership or mode of /etc/sssd/sssd.conf is wrong: sssd refuses to start unless the file is owned by root and has mode 600 (the chmod 600 step above).

# systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2020-08-11 21:18:52 JST; 5s ago
Process: 1391 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
Main PID: 1391 (code=exited, status=4)

8月 11 21:18:52 HOGE systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
8月 11 21:18:52 HOGE systemd[1]: sssd.service: Failed with result 'exit-code'.
8月 11 21:18:52 HOGE systemd[1]: Failed to start System Security Services Daemon.
8月 11 21:18:52 HOGE systemd[1]: sssd.service: Service RestartSec=100ms expired, scheduling restart.
8月 11 21:18:52 HOGE systemd[1]: sssd.service: Scheduled restart job, restart counter is at 5.
8月 11 21:18:52 HOGE systemd[1]: Stopped System Security Services Daemon.
8月 11 21:18:52 HOGE systemd[1]: sssd.service: Start request repeated too quickly.
8月 11 21:18:52 HOGE systemd[1]: sssd.service: Failed with result 'exit-code'.
8月 11 21:18:52 HOGE systemd[1]: Failed to start System Security Services Daemon.


net ads join answers "Host is not configured as a member server" when smb.conf does not set security = ads (Samba then runs with its default security = user, a standalone server); add the [global] settings shown above and rerun the join.

# net ads join -U administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
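Both failures on this page (sssd exiting with NOPERMISSION, and net ads join refusing a host that is not a member server) are configuration mistakes that can be caught before sssd is started and the join is attempted. The following preflight script is an added example, not part of the original post; it takes the configuration files as arguments so the checks can be run against copies, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a preflight check that
# catches the two failures shown above before sssd is started and the domain
# is joined. Each check takes a file path, so it can be run on copies of the
# configuration; the function names are my own.

# Value of "key = value" in an ini-style file, key compared case-insensitively,
# comment lines skipped; prints nothing if the key is absent.
conf_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# sssd exits with status 4 (NOPERMISSION in the journal above) unless
# sssd.conf is mode 600 and owned by root. Mode and owner are checked
# separately because only root can create a root-owned test file.
sssd_conf_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}
sssd_conf_owner_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
    [ "$owner" = "root" ]
}

# "net ads join" refuses with "Host is not configured as a member server"
# unless smb.conf makes the host a domain member: security = ads (the
# Kerberos setting used on this page; security = domain also counts).
smb_conf_is_member() {
    case "$(conf_get "$1" security | tr 'A-Z' 'a-z')" in
        ads|domain) return 0 ;;
        *)          return 1 ;;
    esac
}

# The realm must be spelled identically in smb.conf (realm), krb5.conf
# (default_realm) and sssd.conf (krb5_realm).
realms_consistent() {   # args: smb.conf krb5.conf sssd.conf
    smb=$(conf_get "$1" realm)
    krb=$(conf_get "$2" default_realm)
    sss=$(conf_get "$3" krb5_realm)
    [ -n "$smb" ] && [ "$smb" = "$krb" ] && [ "$krb" = "$sss" ]
}

# Run every check; report each failure and return non-zero if any failed.
preflight() {   # args: sssd.conf smb.conf krb5.conf
    rc=0
    sssd_conf_mode_ok "$1"  || { echo "FAIL: $1 must be mode 600"; rc=1; }
    sssd_conf_owner_ok "$1" || { echo "FAIL: $1 must be owned by root"; rc=1; }
    smb_conf_is_member "$2" || { echo "FAIL: $2 needs security = ads"; rc=1; }
    realms_consistent "$2" "$3" "$1" || { echo "FAIL: realm differs between $2, $3 and $1"; rc=1; }
    return $rc
}

# Live run against the real files: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    preflight /etc/sssd/sssd.conf /etc/samba/smb.conf /etc/krb5.conf && echo "preflight OK"
fi
```

Run it as root before net ads join and again before systemctl start sssd; a clean run means the two error outputs above cannot occur for these reasons, and anything that still fails is a DNS, time or credential problem rather than a local configuration one.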