How To Join CentOS Linux To An Active Directory Domain

Here we’ll show you how to add your Linux system to a Microsoft Windows Active Directory (AD) domain through the command line. This will allow us to SSH into the Linux server with user accounts in our AD domain, providing a central source of cross-platform authentication.

There are a number of ways to do this, however this is the easiest way that I’ve found to do it entirely through the command line.

In this example I am using CentOS 7 and Windows Server 2012 R2, however the version of Windows should not matter. We are assuming that our domain is already setup and configured, we’re simply joining our CentOS server to an existing domain.

Preparing CentOS

First we want to install all of the below packages in CentOS.

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

The CentOS server will need to be able to resolve the Active Directory domain in order to successfully join it. In this instance my DNS server in /etc/resolv.conf is set to one of the Active Directory servers hosting the domain that I wish to join.

[root@centos7 ~]# cat /etc/resolv.conf

Join CentOS To Windows Domain

Now that we’ve got that out of the way we can actually join the domain, this can be done with the ‘realm join’ command as shown below. You will need to specify the username of a user in the domain that has privileges to join a computer to the domain.

[root@centos7 ~]# realm join --user=administrator
Password for administrator:

Once you enter the password for your specific account, the /etc/sssd/sssd.conf and /etc/krb.conf files will be automatically configured. This is really great as editing these manually usually leads to all sorts of trivial problems when joining the domain. The /etc/krb5.keytab file is also created during this process.

If this fails, you can add -v to the end of the command for highly verbose output, which should give you more detailed information regarding the problem for further troubleshooting.

We can confirm that we’re in the realm (Linux terminology for the domain) by running the ‘realm list’ command, as shown below.

[root@centos7 ~]# realm list
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %[email protected]
  login-policy: allow-realm-logins

Once this has completed successfully, a computer object will be created in Active Directory in the default computers container as shown below.

Active Directory Users and Computers - Linux Computer Object

To keep things neat I like to move this into some other organizational unit (OU) for Linux servers rather than leaving things in the default computers container, however this doesn’t really matter for this exercise.

Now that our Linux server is a member of the Active Directory domain we can perform some tests. By default if we want to specify any users in the domain, we need to specify the domain name. For example with the ‘id’ command below, we get nothing back for ‘administrator’, however ‘[email protected]’ shows the UID for the account as well as all the groups the account is a member of in the Active Directory domain.

[root@centos7 ~]# id administrator
id: administrator: no such user

[root@centos7 ~]# id [email protected]
uid=1829600500([email protected]) gid=1829600513(domain [email protected]) groups=1829600513(domain [email protected]),1829600512(domain [email protected]),1829600572(denied rodc password replication [email protected]),1829600519(enterprise [email protected]),1829600518(schema [email protected]),1829600520(group policy creator [email protected])

We can change this behaviour by modifying the /etc/sssd/sssd.conf file, the following lines need to change from:

use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

To the below, which does not require the fully qualified domain name (FQDN) to be specified. This also modifies the user directory in /home from having the FQDN specified after the username.

use_fully_qualified_names = False
fallback_homedir = /home/%u

To apply these changes, restart sssd.

[root@centos7 ~]# systemctl restart sssd

Now we should be able to find user accounts without specifying the domain, as shown below this now works where it did not previously.

[root@centos7 ~]# id administrator
uid=1829600500(administrator) gid=1829600513(domain users) groups=1829600513(domain users),1829600512(domain admins),1829600572(denied rodc password replication group),1829600520(group policy creator owners),1829600519(enterprise admins),1829600518(schema admins)

If this is still not correctly working for you, I suggest that you take a look at flushing your sssd cache.

Configuring SSH and Sudo Access

Now that we have successfully joined our CentOS server to the domain, we can SSH in as any domain user from Active Directory with default settings.

[root@centos7 ~]# ssh user1@localhost
user1@localhost's password:
Creating home directory for user1.

We can further restrict SSH access by modifying the /etc/ssh/sshd_config file and make use of things like AllowUsers or AllowGroups to only allow certain user or groups from AD to have access. See our guide to the sshd_config file for further information. Don’t forget to restart sshd if you make any changes to this file in order to apply them.

We can also modify our sudoers configuration to allow our user account from the domain the desired level of access. I usually create an Active Directory group called something like ‘sudoers’, put my user in it, then allow this group sudo access by creating a file in /etc/sudoers.d/ which allows root access to be centrally controlled by AD.

Below is an example of this, the ‘sudoers’ group will have full root access.

[root@centos7 ~]# cat /etc/sudoers.d/sudoers
%sudoers    ALL=(ALL)       ALL

This group only exists in Active Directory, our Linux server can see that user1 is a member of the sudoers group in Active Directory, and respects this group configuration and allows user1 root privileges as per the above configuration.

Active Directory Group Permissions

The username of Test Account is ‘user1’.

With this in place, our user1 account in the Active Directory domain will now be able to use the sudo command to run commands with root privileges.

[user1@centos7 ~]$ sudo su
[sudo] password for user1:
[root@centos7 user1]#
[root@centos7 user1]# whoami

That’s all there is to it, we can now SSH to a Linux server with a user account from our Active Directory domain and even grant specific users or groups from AD specific levels of access.

Leaving The Domain

If you want to reverse the process and remove yourself from the domain, simply run the ‘realm leave’ command followed by the domain name, as shown below.

[root@centos7 ~]# realm leave

This will complete without any further user input. It will delete the computer object that was created in Active Directory, remove the keytab file, and set the sssd.conf and krb5.conf files back to default.


We have demonstrated how you can easily add your CentOS Linux system to a Microsoft Windows Active Directory domain, and then grant SSH or sudo access based on the user or group from the domain.

If you have a large number of Linux servers and an existing Windows domain you can easily use this process to add your Linux servers to the Windows domain, allowing for centralised user authentication which is far easier to manage when compared to having local user accounts spread out on every Linux server.

Leave a comment ?


  1. Thank you Jarrod for the most useful article!

  2. Might want to add this.

    yum install samba-common-tools -y

    – of you wont be able to join the domain. ( error in missing packages.)


  3. Superb ! It worked for me.

  4. Hello, very usefull information.
    On a my active directory the OS information of my Linux box is empty. Does it the same for you ? How can I solve that?
    Thanks in advanced

    • I have the same thing, I haven’t been able to find a way through SSSD to populate that field. I believe with realmd it’s possible by specifying ‘os-name’, however I was not able to get that working in my test.

      • Hello, for info, I find a way to do it using realmd :
        realm join –user=xxxx –computer-ou=OU=LinuxOS –os-name=OracleLinux –os-version=”Red Hat Enterprise Linux 7.3″
        now I am looking on how to update the os-version & os-name fields when a linux box is already into the AD

    • You can do this in AD with the Powershell command SET-ADCOMPUTER. Helpful article!

  5. Super Article, A very convenient way of integration of Linux & Windows Server. Great Job, Jarrod

  6. Does this work for:

    CentOS 6x?

    How about HP-UX?

  7. Great article, Jarrod. It worked perfectly for me, using CentOS 7.

    Just a few comments:

    – /etc/krb.conf will be /etc/krb5.conf since we’re using krb5-workstation. At first I was concerned something went wrong but then I realized is was another filename.

    – I ran into some odd issues like not all users in domain being able to login, and id command not working for all users. So a colleague suggested installing winbind and it worked like a charm. My AD domain has a trust with another domain and I’m able to login with any user from both domains after installing winbind. I recommend you add it in the packages list.

    – You can add Domain Admins group in sudoers so every sysadmin can login in the Linux server and elevate. I used this line/syntax:

    %mydomain\\domain\ admins ALL=(ALL) ALL

    Any other AD groups with spaces in the name can also be added like this, using a single dash after the word preceding the space.

    – When using domains with trust, you may want to use FQDN to specify domain/user. So I can login and put in sudoers users like [email protected] and [email protected]. Winbind is essential for this.

    Thank you very much!

  8. Hello, there is a way for AD windows account to get log in over the file explorer to a specific shared folder on the linux? eg. get log in to her own $HOME on the linux from her Windows Computer?

  9. one of the best and easiest way to join AD.

  10. Thanks for this – much appreciated.

  11. Thank you so much for the instructions. I was able to join the domain, however, Windows domain users are not able to login to Centos, id [email protected] gives error “no such user” What am I missing here?

  12. uid=1829600500([email protected]) gid=1829600513
    UID and GId was not match with Active Directory.

    How to match UID and GID with AD

    i have centos 7 and i am using realm for domain join, after domain join they are showing different UID and GID, that UID and GID was not match with AD.

  13. Many thanks Jarod for sharing this.
    Very useful.

  14. Hello Jarrod!
    I have an issue with adding linux to AD. I added machine to AD with domain admin credentials. When I run ‘realm list’ it shows me that my machine is in my domain but I cannot log in to the system by domain credencials. When I run ‘id [email protected]‘ it shows me message “no such user”. I am using winbindd in this machine too and when I run ‘wbinfo -u’ it shows me all users in my domain. I cleared cache for sssd but it wont helps. Could u help with this issue?

  15. Great article !!!
    In order to get Operating System info on Active Directory Users & Computers, on a Centos 7 machine you can create a /etc/realmd.conf file and the following data:

    os-name = Linux
    os-version = CentOS 7

    automatic-install = yes

    The problem that I am facing is that when I run:
    #getent passwd
    I do not get any AD accounts, contrary when running id , I get all the info. More over, when I run wbinfo -u, I get errors (I suppose that’s my mistake cos winbind does not work with sssd).

  16. hello, in my company we have around 100 domain controller all around the world. often when I join a server to the Active Directory Domain, the server never choose the closest DC (same subnet for example).

    Is there a way to fix one or 2 DC to contact?

  17. Hello,

    do you know how to fix sssd to contact only 1 or 2 dc instead of to contact one randomly?


  18. Is Active Directory 2016 (Domain Functional Level 2016) also supported with CentOS 6 / 7?

    Thank you for your reply

  19. Thanks Jarrod, going forward via LDAP and AD I think you have no choice plus IMHO this is a better option as it’s just like joining a Windows and Apple(still MAC is problematic) machine to the Domain.
    The Why not to go forward with LDAP
    Clarification regarding the status of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016 Technical Preview and beyond

  20. We are really looking forward for any such article as mentioned by Gab May 18, 2017 at 8:10 pm

  21. Amazing. Thank you so much for this. Exactly what I was looking for.

    A note for anyone using Hyper-V: Make sure you set up a Virtual Switch to be used by both the CentOS VM and the Windows Server VM. Set the Windows server VM’s adapter to a static IP, and CentOS 7 VM’s adapter to an IP in the same subnet. (In my case it was “Ethernet 2” and “eth1”, respectively for the adapters.) When you’ve done that, simply use the command hostname {name}@{domain controller} to set the hostname of the CentOS7 VM before running the realm join command.

  22. Hi, how can you restrict permission for an AD user in linux (Centos7), for a firebird database? (in order to deny the extraction of the complete database file, I would like to only allow the user to read/write to the database. Can you please help me?

  23. Using CentOS 7, following these instructions to the T but am having problems with giving users sudo rights.

    created computer object linux in AD
    changed hostname of computer to linux
    realm join –user=admin
    realm list shows domain info
    modified sssd.conf for home directory and fqdn
    restarted sssd
    created AD group – sudoers
    created user1 in AD
    added user1 to group sudoers
    modified /etc/sudoers.d/sudoers to contain %sudoers ALL=(ALL) ALL
    ssh user1@localhost
    sudo -i returns user not in sudoers file

    What am I missing?

  24. Hi Jarrod,

    id user1
    uid=xxxxxxxxx(ykroot) gid=xxxxxxxxxx(domain users) groups=xxxxxxxxxx(domain users)

    Doesn’t see the account is a member of the sudoers group. Tried logging off and rebooting. No luck. Any suggestions?

    • I’m not sure if rebooting clears the SSSD cache, I’d try clearing that first then seeing if the group becomes recognized.

      I’ve written about this here:

      • I’ve followed the steps to clear the cache and deleted the files in the db folder but the problem remains. Binding the system with winbind shows all group memberships where realm only lists domain users. Could there be an issue, some config that needs changing on the AD server that’s causing this?

        • Perhaps, I forget the specifics, but on the group in AD you might need to go to the Unix tab and set a GID, or something similar, I’ve done that for users before to set a UID in AD, you need to install something in server manager for those GUI options to show up in AD.

        • Which object, group or container did you grant the “read remote access information” permissions to? I’m digging around in my AD settings and can’t those permissions anywhere.

  25. Another issue while testing.

    I tried leaving with “realm leave” then joining with the same steps and got the following:

    Failed to join domain: User specified does not have administrator privileges
    ! Insufficient permissions to join the domain

    The DCs are identical vms. Just named differently for the purpose of joining, leaving then joining a new domain. I can still join the original

    Things I’ve tried:

    sss_cache -E
    clearing entries for in /var/lib/sss/…/…

    Is there the proper way to leave a domain so the system would be ready to join another?

    • Not too sure why that doesn’t work properly, I’ve always used realm leave to leave the domain then rejoining worked without any problems. It could be possible that there is some old config somewhere, so you could try reinstall all the packages fresh using yum (I think there is an option to reinstall with fresh config files rather than leaving defaults).

  26. I was able to configure AD on centOS 6 without using realm join, I did,
    1. install nss-pam-ldapd
    2. ensure nsswitch.conf entries point to files and ldap.
    3. Updated /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac
    4. updated /etc/nsclcd.conf and /etc/pam_ldap.conf files with bind user and password..
    5. Ensure certs are at /etc/openldap/cacerts
    6. restarted nscd and nslcd.

    This worked on centOS 6 but not 7.

    Can we do similar approach on 7, if so, what I am I missing ?

    • Can you please let me know the steps all you followed to Join CentOS 6.5 in Windows domain. I am having issue with CentOS 6.5 while joining to domain.

  27. I have successfully gotten centos linux joined to Simple AD in AWS, however i am now experiencing an issue with the truncating of netbios name in AD. Any assitance would be helpful and let me know if any additonal ifo is needed to help solve this.

  28. many thank,
    very useful.

  29. the final step: :)

    [root@CentOS7 ~]# vi /etc/sssd/sssd.conf
    [root@CentOS7 ~]# id test
    id: test: no such user
    [root@CentOS7 ~]# systemctl restart sssd
    [root@CentOS7 ~]# id test
    uid=1469601109(test) gid=1469600513(domain users) groups=1469600513(domain users)

    Thanks again

  30. I used VMware, Bridget network.
    it worked smoothly fine.

  31. Great guide!
    Only thing missing is winbind.
    Install it from the package manager, no need for further configuration and it’ll work.

  32. Is there an Ubuntu tut? This worked great for CentOS. Using the same DC, I tried binding Ubuntu using another tut with no success. I’m able to bind but can’t look up an AD User.

  33. its works well sir , but i created some users without password in windows AD but i couldn’t authenticate that users. Help me to authenticate user account without passwords.

  34. im not able to login with my ad user credentials , realm join is successful

    • What happens if you do ‘id username’, does it show the AD user information? Has AD been configured to support Linux?

      • i was able to join and login with ubuntu vm .
        for centos im not able to login
        id command shows all the groups of ad user
        getent passwd command is also working fine

  35. Thank you. I saw so many articles. describing editing several files, etc. this was simple and to the point.

  36. When binding to AD with sssd, are the AD accounts created with large UIDs? If so, has anyone noticed /var/log/lastlog thinking it’s a huge file when it isn’t. It’s causing backup restore issues.

    If you’ve run into this, have you found a workaround besides dumping to null?

  37. i have joined centos 7 with windows ad. facing access denied issue some time. not allways.

  38. Great artificial, Thanks Jarrod.
    ‘Domain Admins’ can login, and sudo to root. I notice that the login is cached, so no password is required. Does anyone know how to stop cached logins? I’ve read the articular but to no avail.

    • Hi,

      I’m having the same issue, seems like the passwords are cached and admins can get in without password prompts.

      Logs show the below

      Authorized to USER, krb5 principal USER@Domain (ssh_gssapi_krb5_cmdok)
      Accepted gssapi-with-mic for USER from port 60685 ssh2

      Any help would be appreciated.


  39. I’m in trouble, does anyone help me?

    Tracking Error
    Thank you

    # realm join –user=administrador -v
    * Resolving:
    * Performing LDAP DSE lookup on:
    * Successfully discovered:
    Password for administrador:
    * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
    * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.Z4QVOZ -U administrador ads join

    Failed to join domain: failed to find DC for domain NUTRICASH – {Operation Failed} The requested operation was unsuccessful.
    ! Joining the domain failed

  40. I was able to join my centos 7 vm to the child domain, however users in the parent domain are not seen.
    id [email protected] not found
    id [email protected] found
    How can I allow access to the parent domain users?

    • Hmm I assume there is some sort of trust between the domains themselves and that all works fine Windows side? Honestly not too sure, perhaps need to add secondary domain to sssd.conf etc?

  41. Muthukumaran Kannan

    Hello, My linux machine joined with the Windows AD successfully but I am not able to list the AD users in linux machine either way without domain name and with domain name. Please assist me someone on this.

    [root@linux-vm-01 ~]# realm join –user=administrator
    realm: Already joined to this domain
    [root@linux-vm-01 ~]#
    [root@linux-vm-01 ~]# id [email protected]
    id: [email protected]: no such user
    [root@linux-vm-01 ~]#
    [root@linux-vm-01 ~]# id administrator
    id: administrator: no such user
    [root@linux-vm-01 ~]#

    • In Active Directory:

      create security group “group-a”
      add computer object to security group “group-a”
      open user properties
      go to security tab
      under group or usernames
      add “group-a”
      under permissions for domain read, with “group-a” selected,
      check the box for “read remote access”

      Ask any Windows sysadmin and they’ll say it’s a linux prob. Took a long time to figure this one out but these are the changes needed to fix most (maybe all, haven’t run into anything new) issues binding linux to AD.

      Hope this helps.

  42. There is firewall between linux server and windows domain controller. May I know what ports needs to be opened on the firewall?

  43. Thank you for the post

  44. Hi Jarrod! Thanks for the post…it works perfectly!

    Have you had any experience installing samba, and getting it to authenticate with AD? On the same server I just enabled AD authentication on I’m installing Samba, and it seems like samba is not authenticating against AD (or for some reason my shared folder is not working right).

    I used these instructions:

    Samba is started correctly, allowing access from my workstation to the share, but I can’t authenticate. I see all users and groups, and the domain as well as log in via ssh to the server with AD users.

  45. hi Jarrod,

    thanks for the tutorial.
    anybody know why my “realm list” lists two entries for the same domain? it says client-software: winbind and then client-software: sssd
    i only used sssd to join my rhel to active directory and “service windbind status” returns inactive.

  46. After successfully join the domain to AD and Centos is showing in Active directory.
    Error while login with adminstrator getting this
    realm join –user=administrator myfujitsulab
    realm: specify one realm to join

  47. I followed the instructions without issue. The problem I am facing is I can no longer login as root. Is it possible to belong to domain and still be able to login as root?

    • Yeah that should still work fine, what do the logs say when you attempt to log in as root? I can’t remember, but I think in some sssd/pam file there is some configuration which lets you specify local user accounts should be checked prior to searching the domain.

  48. I was able to connect to the Active Directory without any issues. I see my cent box in my computers list on my AD. However, when I try
    id administrator
    id [email protected]
    id administrator@myad
    id administrator@myad_ipaddress

    I get back no such user.
    everything appears good when I check realm list.

    Where to look?

  49. very good site thanks
    science tech health

  50. I can join fine and the user I joined with can id fine. But I cannot login with AD credentials and no /home/ directories are created. Do I need to create these separately?

  51. No everything should be done automaticcally. Did you implement oddjob* package? Then you must check and setup
    /etc/sssd/sssd.conf file.

  52. Hi,
    Nice write up.
    AUser access to Linux server is restricted at linux server through AllowUsers or AllowGroups in the sshd_config file.

    Our requirement is to restrict to linux server through Active Directory roles and groups rather than at linux end. is it possible.

  53. Hi. We have performed the task. But I login it I have this message:

    /home/username/.bash_profile: Permission denied

    Because of that username cannot create files

  54. we have mix setup as like windows 10 & Ubuntu client, we want disable USB pen drive to all both client, when we apply gpo in ad , windows client not access USB pen drive & Ubuntu client still access USB pen drive
    can we apply group policy on Linux base system?

  55. A great post, thank you very much. To add, it would be nice to configure the NTP client. The idea is that the NTP client synchronizes time with the domain controller (DC). Here is an interesting guide to check:

  56. thanks for sharing

  57. My request is as below.

    1) Only my IT Team OU should able to login Linux Servers.
    2) Only ” simple allow users” should login the server remaining all should be blocked.

    Premnath Bangar.

  58. is it possible to join and be member of 2 AD domains at the same time? I can manually configure krb5.conf and be able to connect to both DCs but if I recall correctly in past I could join one or another but could not be a member of both domains. These 2 domains are in 2 different forests and there is bi-directional trust between them.

  59. Clifton Dozier

    hi all. is it possible to have the kickstart file prompt for AD username? I’ve found a way to put the AD admin in the kickstart and it prompts for the password during post of the server build. But I want it to be able to ask for both username/password.

  60. I did this (on Rocky 8):

    dnf -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
    realm join mydomain.local -U Administrator
    systemctl restart sssd

    ‘realm list’, and ‘id [email protected]‘ both come back fine, but when I then try to login, I get:

    login as: [email protected]
    [email protected]@g000100.mydomain.local’s password:

    And it fails. How can I fix this? Thanks

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>