Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 28. Integrating RHEL systems directly with AD using RHEL System Roles

With the ad_integration System Role, you can automate a direct integration of a RHEL system with Active Directory (AD) using Red Hat Ansible Automation Platform.

This chapter covers the following topics:

28.1. The ad_integration System Role
Copiar o link

Using the ad_integration System Role, you can directly connect a RHEL system to Active Directory (AD).

The role uses the following components:

  • SSSD to interact with the central identity and authentication source
  • realmd to detect available AD domains and configure the underlying RHEL system services, in this case SSSD, to connect to the selected AD domain
Note

The ad_integration role is for deployments using direct AD integration without an Identity Management (IdM) environment. For IdM environments, use the ansible-freeipa roles.

28.2. Variables for the ad_integration RHEL System Role
Copiar o link

The ad_integration RHEL System Role uses the following parameters:

Expand
Role VariableDescription

ad_integration_realm

Active Directory realm, or domain name to join.

ad_integration_password

The password of the user used to authenticate with when joining the machine to the realm. Do not use plain text. Instead, use Ansible Vault to encrypt the value.

ad_integration_manage_crypto_policies

If true, the ad_integration role will use fedora.linux_system_roles.crypto_policies as needed.

Default: false

ad_integration_allow_rc4_crypto

If true, the ad_integration role will set the crypto policy to allow RC4 encryption.

Providing this variable automatically sets ad_integration_manage_crypto_policies to true.

Default: false

ad_integration_timesync_source

Hostname or IP address of time source to synchronize the system clock with. Providing this variable automatically sets ad_integration_manage_timesync to true.

28.3. Connecting a RHEL system directly to AD using the ad_integration System Role
Copiar o link

You can use the ad_integration System Role to configure a direct integration between a RHEL system and an AD domain by running an Ansible playbook.

Note

Starting with RHEL8, RHEL no longer supports RC4 encryption by default. If it is not possible to enable AES in the AD domain, you must enable the AD-SUPPORT crypto policy and allow RC4 encryption in the playbook.

Important

Time between the RHEL server and AD must be synchronized. You can ensure this by using the timesync System Role in the playbook.

In this example, the RHEL system joins the domain.example.com AD domain, using the AD Administrator user and the password for this user stored in the Ansible vault. The playbook also sets the AD-SUPPORT crypto policy and allows RC4 encryption. To ensure time synchronization between the RHEL system and AD, the playbook sets the adserver.domain.example.com server as the timesync source.

Prerequisites

  • Access and permissions to one or more managed nodes.

  • Access and permissions to a control node.

    On the control node:

    • Red Hat Ansible Engine is installed.
    • The rhel-system-roles package is installed.
    • An inventory file which lists the managed nodes.

  • The following ports on the AD domain controllers are open and accessible from the RHEL server:

    Expand
    Table 28.1. Ports Required for Direct Integration of Linux Systems into AD Using the ad_integration System Role
    Source PortDestination PortProtocolService

    1024:65535

    53

    UDP and TCP

    DNS

    1024:65535

    389

    UDP and TCP

    LDAP

    1024:65535

    636

    TCP

    LDAPS

    1024:65535

    88

    UDP and TCP

    Kerberos

    1024:65535

    464

    UDP and TCP

    Kerberos change/set password (kadmin)

    1024:65535

    3268

    TCP

    LDAP Global Catalog

    1024:65535

    3269

    TCP

    LDAP Global Catalog SSL/TLS

    1024:65535

    123

    UDP

    NTP/Chrony (Optional)

    1024:65535

    323

    UDP

    NTP/Chrony (Optional)

Procedure

  1. Create a new ad_integration.yml file with the following content: 

    ---
- hosts: all
  vars:
    ad_integration_realm: "domain.example.com"
    ad_integration_password: !vault | vault encrypted password
    ad_integration_manage_crypto_policies: true
    ad_integration_allow_rc4_crypto: true
    ad_integration_timesync_source: "adserver.domain.example.com"
  roles:
    - linux-system-roles.ad_integration
---
    Copy to Clipboard Toggle word wrap

  2. Optional: Verify playbook syntax. 

    # ansible-playbook --syntax-check ad_integration.yml -i inventory_file
    Copy to Clipboard Toggle word wrap

  3. Run the playbook on your inventory file: 

    # ansible-playbook -i inventory_file /path/to/file/ad_integration.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Display an AD user details, such as the administrator user: 

    getent passwd administrator@ad.example.com
administrator@ad.example.com:*:1450400500:1450400513:Administrator:/home/administrator@ad.example.com:/bin/bash
    Copy to Clipboard Toggle word wrap

28.4. Additional resources
Copiar o link

  • The /usr/share/ansible/roles/rhel-system-roles.ad_integration/README.md file.
  • man ansible-playbook(1)
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat