Chapter 28. Integrating RHEL systems directly with AD using RHEL System Roles
With the ad_integration System Role, you can automate a direct integration of a RHEL system with Active Directory (AD) using Red Hat Ansible Automation Platform.
This chapter covers the following topics:
- 28.1. The ad_integration System Role
- 28.2. Variables for the ad_integration RHEL System Role
- 28.3. Connecting a RHEL system directly to AD using the ad_integration System Role
- 28.4. Additional resources
28.1. The ad_integration System Role
Using the ad_integration System Role, you can directly connect a RHEL system to Active Directory (AD).
The role uses the following components:
- SSSD to interact with the central identity and authentication source
- realmd to detect available AD domains and configure the underlying RHEL system services, in this case SSSD, to connect to the selected AD domain
The ad_integration role is for deployments using direct AD integration without an Identity Management (IdM) environment. For IdM environments, use the ansible-freeipa roles.
28.2. Variables for the ad_integration RHEL System Role
The ad_integration RHEL System Role uses the following parameters:
Role Variable | Description |
---|---|
ad_integration_realm | Active Directory realm, or domain name to join. |
ad_integration_password | The password of the user used to authenticate with when joining the machine to the realm. Do not use plain text. Instead, use Ansible Vault to encrypt the value. |
ad_integration_manage_crypto_policies | If true, the ad_integration role uses the crypto_policies System Role to manage the system-wide crypto policy as needed. Default: false |
ad_integration_allow_rc4_crypto | If true, the ad_integration role sets the crypto policy to allow RC4 encryption. Providing this variable automatically sets ad_integration_manage_crypto_policies to true. Default: false |
ad_integration_timesync_source | Hostname or IP address of the time source to synchronize the system clock with. Providing this variable automatically sets ad_integration_manage_timesync to true. |
Additional resources
- The /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file.
28.3. Connecting a RHEL system directly to AD using the ad_integration System Role
You can use the ad_integration System Role to configure a direct integration between a RHEL system and an AD domain by running an Ansible playbook.
Starting with RHEL 8, RHEL no longer supports RC4 encryption by default. If it is not possible to enable AES in the AD domain, you must enable the AD-SUPPORT crypto policy and allow RC4 encryption in the playbook.
Time between the RHEL server and AD must be synchronized. You can ensure this by using the timesync System Role in the playbook.
In this example, the RHEL system joins the domain.example.com AD domain, using the AD Administrator user and the password for this user stored in the Ansible vault. The playbook also sets the AD-SUPPORT crypto policy and allows RC4 encryption. To ensure time synchronization between the RHEL system and AD, the playbook sets the adserver.domain.example.com server as the timesync source.
Prerequisites
- Access and permissions to one or more managed nodes.
- Access and permissions to a control node.
- On the control node:
  - Red Hat Ansible Engine is installed.
  - The rhel-system-roles package is installed.
  - An inventory file which lists the managed nodes.
- The following ports on the AD domain controllers are open and accessible from the RHEL server:

Table 28.1. Ports Required for Direct Integration of Linux Systems into AD Using the ad_integration System Role

Source Port | Destination Port | Protocol | Service |
---|---|---|---|
1024:65535 | 53 | UDP and TCP | DNS |
1024:65535 | 389 | UDP and TCP | LDAP |
1024:65535 | 636 | TCP | LDAPS |
1024:65535 | 88 | UDP and TCP | Kerberos |
1024:65535 | 464 | UDP and TCP | Kerberos change/set password (kadmin) |
1024:65535 | 3268 | TCP | LDAP Global Catalog |
1024:65535 | 3269 | TCP | LDAP Global Catalog SSL/TLS |
1024:65535 | 123 | UDP | NTP/Chrony (Optional) |
1024:65535 | 323 | UDP | NTP/Chrony (Optional) |
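A pre-flight check for the port prerequisite above, added here as an example and not part of the Red Hat documentation or of the ad_integration role: it probes every TCP-reachable port from Table 28.1 against one domain controller before the playbook runs, reports the UDP-only entries as unverifiable, and returns non-zero if any mandatory port is closed. The `probe` parameter is injectable so the logic can be exercised without network access; the default host name is the page's adserver.domain.example.com.

```python
"""Pre-flight check: confirm the AD domain controller ports required by the
ad_integration role (Table 28.1) accept TCP connections from this RHEL host."""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# (destination port, protocol, service) copied from Table 28.1.
REQUIRED_PORTS: List[Tuple[int, str, str]] = [
    (53, "UDP and TCP", "DNS"),
    (389, "UDP and TCP", "LDAP"),
    (636, "TCP", "LDAPS"),
    (88, "UDP and TCP", "Kerberos"),
    (464, "UDP and TCP", "Kerberos change/set password (kadmin)"),
    (3268, "TCP", "LDAP Global Catalog"),
    (3269, "TCP", "LDAP Global Catalog SSL/TLS"),
    (123, "UDP", "NTP/Chrony (Optional)"),
    (323, "UDP", "NTP/Chrony (Optional)"),
]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str,
                   probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[str]]:
    """Sort Table 28.1 into open / closed / skipped for one domain controller.
    UDP-only rows (the optional NTP ports) cannot be verified with connect()
    and are reported as skipped rather than silently passed."""
    report: Dict[str, List[str]] = {"open": [], "closed": [], "skipped": []}
    for port, proto, service in REQUIRED_PORTS:
        if "TCP" not in proto:
            report["skipped"].append(f"{port}/udp {service}")
            continue
        bucket = "open" if probe(host, port) else "closed"
        report[bucket].append(f"{port}/tcp {service}")
    return report


def ready_to_join(report: Dict[str, List[str]]) -> bool:
    """True only when every mandatory TCP port answered."""
    return not report["closed"]


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "adserver.domain.example.com"
    result = check_dc_ports(dc)
    for state in ("open", "closed", "skipped"):
        for entry in result[state]:
            print(f"{state:7} {entry}")
    sys.exit(0 if ready_to_join(result) else 1)
```

Run it on the RHEL server as `python3 ad_preflight.py adserver.domain.example.com` (file name assumed) before step 1 of the procedure; a closed LDAPS or Kerberos port explains a failed realm join far faster than the role's own error output.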
Procedure
1. Create a new ad_integration.yml file with the following content:

```yaml
---
- hosts: all
  vars:
    ad_integration_realm: "domain.example.com"
    # Placeholder: paste the output of ansible-vault encrypt_string here.
    ad_integration_password: !vault |
      vault encrypted password
    ad_integration_manage_crypto_policies: true
    ad_integration_allow_rc4_crypto: true
    ad_integration_timesync_source: "adserver.domain.example.com"
  roles:
    - linux-system-roles.ad_integration
---
```

2. Optional: Verify playbook syntax.

```
# ansible-playbook --syntax-check ad_integration.yml -i inventory_file
```

3. Run the playbook on your inventory file:

```
# ansible-playbook -i inventory_file /path/to/file/ad_integration.yml
```
Verification
- Display the details of an AD user, such as the administrator user:

```
$ getent passwd administrator@ad.example.com
administrator@ad.example.com:*:1450400500:1450400513:Administrator:/home/administrator@ad.example.com:/bin/bash
```
28.4. Additional resources
- The /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file.
- man ansible-playbook(1)