How to create domain server

hi there,

As I am new to Linux and trying different things, I'm wondering how in Linux we can create a domain server and how, just like in Windows, you can join computers to that domain. I'm currently using Rocky, CentOS 7 and Ubuntu. I'm just curious and want to test creating a domain server and joining computers to that domain.

Also, is it possible, for example, if my domain server is Rocky Linux, to join my CentOS 7 and Ubuntu machines to that Rocky Linux domain? And can Windows machines be joined to that domain as well?

What you’re looking for is FreeIPA. Highly recommend it. It’s installable on a Rocky Linux system by running:

dnf install ipa-server
ipa-server-install

For clients:

# centos 7
yum install ipa-client
# rocky linux, centos stream, rhel 8 and up
dnf install ipa-client

# ubuntu
apt-get install freeipa-client

# all
ipa-client-install

There are numerous guides out there on how to set it up with examples.

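As an added example (not from the post above or from the FreeIPA project), here are the same install and join steps as a non-interactive script with a post-join check, which is what you want once you do this on more than one client. The realm EXAMPLE.TEST, the DNS domain example.test and the server name ipa.example.test are assumed values; the options used are the documented ipa-server-install / ipa-client-install flags. Passwords are read from the environment so they do not land in shell history.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive FreeIPA
# server install and client join, plus a check that the join worked.
# Assumed (hypothetical) values: realm EXAMPLE.TEST, DNS domain
# example.test, server ipa.example.test. Run as root on the target host.
# Set RUN=echo to print the commands instead of executing them.

# Client package command for a distro, from ID and VERSION_ID in /etc/os-release.
ipa_client_pkg_cmd() {
    distro_id="$1"; distro_ver="$2"
    case "$distro_id" in
        centos)
            case "$distro_ver" in
                7*) echo "yum install -y ipa-client" ;;
                *)  echo "dnf install -y ipa-client" ;;   # CentOS Stream 8+
            esac ;;
        rocky|rhel|almalinux) echo "dnf install -y ipa-client" ;;
        ubuntu|debian)        echo "apt-get install -y freeipa-client" ;;
        *) echo "unsupported distro: $distro_id" >&2; return 1 ;;
    esac
}

# Unattended server install. --setup-dns makes the server publish the SRV
# records that ipa-client-install uses to discover the realm.
ipa_server_install() {
    realm="$1"; domain="$2"; host="$3"
    ${RUN:-} ipa-server-install --unattended \
        --realm="$realm" --domain="$domain" --hostname="$host" \
        --setup-dns --no-forwarders \
        --ds-password="$DS_PASSWORD" --admin-password="$ADMIN_PASSWORD"
}

# Unattended client join, enrolling with the admin principal.
ipa_client_join() {
    domain="$1"; realm="$2"; server="$3"
    ${RUN:-} ipa-client-install --unattended \
        --domain="$domain" --realm="$realm" --server="$server" \
        --mkhomedir --principal=admin --password="$ADMIN_PASSWORD"
}

# Post-join check: the host keytab must obtain a ticket, SSSD must resolve
# IPA users, and the host must be registered on the server.
ipa_join_check() {
    fqdn="$1"
    ${RUN:-} kinit -kt /etc/krb5.keytab "host/$fqdn" || return 1
    ${RUN:-} getent passwd admin >/dev/null || return 1
    ${RUN:-} ipa host-show "$fqdn" >/dev/null
}

case "${1:-}" in
    server)
        ${RUN:-} dnf install -y ipa-server
        ipa_server_install EXAMPLE.TEST example.test ipa.example.test
        ;;
    join)
        . /etc/os-release                      # provides ID and VERSION_ID
        ${RUN:-} $(ipa_client_pkg_cmd "$ID" "$VERSION_ID") || exit 1
        ipa_client_join example.test EXAMPLE.TEST ipa.example.test || exit 1
        ipa_join_check "$(hostname -f)"
        ;;
esac
```

Run it as `sh ipa-setup.sh server` on the Rocky host (with DS_PASSWORD and ADMIN_PASSWORD exported), then `sh ipa-setup.sh join` on each CentOS 7 or Ubuntu client; `RUN=echo` shows what would be executed. This covers the Linux part of the question only: a Windows machine does not join an IPA realm directly, which is why the later replies point at trusts (FreeIPA's ipa-adtrust-install sets up a trust with an existing AD domain).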

The OP asked how to create a domain; FreeIPA isn't a domain. Using their own terminology, 'FreeIPA is an integrated security information management solution'.

The problem with creating an AD domain on RHEL-based distros comes from Red Hat deciding to push their inferior product (my opinion) and not to provide the functionality built into Samba that can provision it as an Active Directory Domain Controller.

This leaves you with four options:
A) Use FreeIPA, but it isn't a DC.
B) Build Samba with the required code (hint: if you do this, do not use MIT; it is experimental).
C) Find ready built Samba RPMs that can be provisioned as an AD DC.
D) Probably the most controversial on here, use Debian.
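The Samba AD DC route from options B to D, as an added example that is not from the post above or from the Samba project: provision the domain and then run the checks that tell you whether Linux and Windows clients will be able to find it. It assumes a Samba build with AD DC support (Ubuntu's samba package, as the thread says; the stock Rocky/RHEL build will not provision a DC) and the assumed values realm EXAMPLE.TEST and NetBIOS domain EXAMPLE. The flags are the documented samba-tool options; the `host` checks need the distro's DNS utilities package.

```shell
#!/bin/sh
# Added example, not from the original post: provisions a Samba AD DC and
# checks that the new domain answers. Assumes a Samba build with AD DC
# support (e.g. Ubuntu's samba package). Assumed (hypothetical) values:
# realm EXAMPLE.TEST, NetBIOS domain EXAMPLE. Run as root on the DC.
# Set RUN=echo to print the commands instead of executing them.

# The realm is an upper-case DNS name; the NetBIOS domain is one label of
# at most 15 characters. Wrong names are the usual reason a provision or a
# later Windows join fails, so check them before touching the system.
samba_check_names() {
    realm="$1"; netbios="$2"
    case "$realm" in
        *.*) ;;
        *) echo "realm must be a DNS name: $realm" >&2; return 1 ;;
    esac
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "realm must be upper case: $realm" >&2; return 1; }
    case "$netbios" in
        *.*|*' '*) echo "NetBIOS name must not contain dots or spaces: $netbios" >&2; return 1 ;;
    esac
    [ "${#netbios}" -le 15 ] \
        || { echo "NetBIOS name longer than 15 characters: $netbios" >&2; return 1; }
}

# Provision with Samba's internal DNS and KDC. --use-rfc2307 stores POSIX
# uid/gid attributes in AD so Linux members can map users without a
# separate LDAP directory.
samba_provision() {
    realm="$1"; netbios="$2"
    samba_check_names "$realm" "$netbios" || return 1
    ${RUN:-} samba-tool domain provision --use-rfc2307 \
        --realm="$realm" --domain="$netbios" --server-role=dc \
        --dns-backend=SAMBA_INTERNAL --adminpass="$ADMIN_PASSWORD"
}

# Post-provision checks: the SRV records clients use to locate LDAP and
# Kerberos, the functional level the thread talks about, and an anonymous
# share listing to confirm the DC's file service is up.
samba_dc_check() {
    dns=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ${RUN:-} host -t SRV "_ldap._tcp.$dns" || return 1
    ${RUN:-} host -t SRV "_kerberos._udp.$dns" || return 1
    ${RUN:-} samba-tool domain level show || return 1
    ${RUN:-} smbclient -L localhost -U% >/dev/null
}

case "${1:-}" in
    provision)
        # Provisioning expects no smb.conf left over from the file-server role.
        [ -f /etc/samba/smb.conf ] && ${RUN:-} mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
        samba_provision EXAMPLE.TEST EXAMPLE || exit 1
        # Use the KDC config the provision wrote and run the DC service
        # instead of the stand-alone smbd/nmbd/winbind units.
        ${RUN:-} cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
        ${RUN:-} systemctl disable --now smbd nmbd winbind
        ${RUN:-} systemctl unmask samba-ad-dc
        ${RUN:-} systemctl enable --now samba-ad-dc
        samba_dc_check EXAMPLE.TEST
        ;;
esac
```

Run `ADMIN_PASSWORD=... sh samba-dc.sh provision` on the Ubuntu host (or `RUN=echo` first to see the commands). Point every client's DNS at the DC before joining: once a Windows machine can resolve the `_ldap._tcp` SRV record it joins through the normal System Properties dialog, and Linux members join with `realm join` (realmd/SSSD) or `net ads join`.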

What is a “domain”? Particularly, in “rocky, centos, and ubuntu” environment?

Rocky and CentOS (and by default, RHEL) do not have a domain, not unless you count a NIS domain, and they are dead. Ubuntu, on the other hand, does provide Samba packages that can be provisioned as an Active Directory Domain, just like Windows; perhaps it doesn't have all the bells and whistles that Microsoft AD has (yet), but it is being used in some pretty large setups.

I've renamed the topic. The topic title "how to create a domain" was misleading, when the main body text clearly mentioned:

The title of the topic clearly reflects this now that I've changed it.

That does not answer what a domain is. For example, rockylinux.org is a (DNS) domain, but such a domain is not a domain? "Microsoft Active Directory" isn't really an answer either. IMHO, it is like saying that "domain" is an expletive.

Is a domain perhaps a centrally managed group of computers? Say, authentication with Kerberos, account info in a "directory" like LDAP, the network defined via DHCP and DNS, time synced (to keep Kerberos happy), and "group policies", i.e. system config, pushed to every system via a configuration management "tower".

I don't have FreeIPA, because it is made from such components and I already have the components, but FreeIPA definitely sounds like a "system that joins computers to such a collective". Yes, if I were starting from scratch, I'd use FreeIPA today.

OK, yes, a domain is a centrally managed group of computers, with generally one place to control them (I say "generally" because there is at least one directory server that has multiple controllers and replicates changes from one controller to all other controllers).

The OP asked about creating a domain and then joining various distro machines to it, so this, to me, sounds like some form of directory server. The OP then went on to mention joining Windows machines to the domain; this instantly ruled out FreeIPA: you cannot join a Windows machine to FreeIPA, you have to use trusts. NIS is dead (or as good as), so this just leaves Samba running as an Active Directory server.

You are correct, the last OP question is whether Windows machines can join the domain.

Rather than Rocky, I would suggest looking into Zentyal Linux. It is based on Debian or Ubuntu. It offers something like an AD alternative. It is a modular system, so you can also add other functions. The free Community version is not officially supported (for help you need to use the forums), but there is also a paid-for version where you are entitled to help.

The "AD alternative" that Zentyal provides is just Samba AD. Zentyal provides a lot more on top, but the point is that it uses Samba as its AD. Samba AD will likely have schema and/or functional levels that still lag behind Microsoft's AD. This may or may not be a problem in some environments, especially where Windows is used/required.

Yes, Samba AD is lagging behind Microsoft when it comes to the schema and functional level (the latter relies on the former), but there is a lot of work going on to get these raised, and it looks like this will come to fruition fairly soon.
There are a few other distros that are Samba AD at their core, such as Univention UCS and razdc, but they are usually a few versions behind the Samba head.

Do you really need to ask this question? Without being pedantic, obviously from the question the OP asked and the wording involved, he was referring to a Microsoft Windows AD domain, which by common definition provides a Microsoft-approved method of centrally managing computers and users (Active Directory Users and Computers), roles (users) and functions (AD forest support for policies, and add-on components such as Exchange, etc.).

Craig
