Debian 13 trixie
Join in Active Directory Domain (2025/08/12)

 

Join in Windows Active Directory Domain with Realmd.

This tutorial requires a Windows Active Directory Domain Service reachable on your local network.
This example shows how to configure a Debian host for the environment below.

Domain Server : Windows Server 2025
Domain Name : srv.world
Hostname : fd3s.srv.world (10.0.0.100)
NetBIOS Name : FD3S01
Realm : SRV.WORLD

[1] Install some required packages.
root@dlp:~#
apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
[2] Join in Windows Active Directory Domain.
# point DNS at the AD domain controller (realm discover and the join rely on the SRV records AD publishes)
# if resolv.conf is managed by NetworkManager or systemd-resolved, set the nameserver there instead so it is not overwritten

root@dlp:~#
vi /etc/resolv.conf
nameserver 10.0.0.100

# discover Active Directory domain

root@dlp:~#
realm discover SRV.WORLD

srv.world
  type: kerberos
  realm-name: SRV.WORLD
  domain-name: srv.world
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

# join in Active Directory domain

root@dlp:~#
realm join SRV.WORLD --membership-software=samba

Password for Administrator:  
# AD Administrator password (the join runs as Administrator by default; to follow least privilege, run realm join -U <account> with a delegated account that is only allowed to create computer objects)
# verify that AD user information can be resolved through NSS

root@dlp:~#
id Serverworld@srv.world

uid=1587001103(serverworld@srv.world) gid=1587000513(domain users@srv.world) groups=1587000513(domain users@srv.world),1587000572(denied rodc password replication group@srv.world),1587000512(domain admins@srv.world)

# change settings if needed

root@dlp:~#
vi /etc/pam.d/common-session
# add to the last line if needed (create the home directory automatically at first login)

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

# verify that an AD user can log in

root@dlp:~#
exit
logout

Debian GNU/Linux 13 dlp.srv.world ttyS0

dlp login: serverworld@srv.world
Password:
Linux dlp.srv.world 6.12.38+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.38-1 (2025-07-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/serverworld'.
serverworld@srv.world@dlp:~$     # logged in
[3] If you'd like to omit the domain name for AD users, configure as follows. Do this only when the host resolves a single domain; with several domains or trusts, short names can collide, so keep fully qualified names there.
root@dlp:~#
vi /etc/sssd/sssd.conf
# line 16 : change

use_fully_qualified_names = False
root@dlp:~#
systemctl restart sssd

root@dlp:~#
id Administrator

uid=1587000500(administrator) gid=1587000513(domain users) groups=1587000513(domain users),1587000572(denied rodc password replication group),1587000512(domain admins),1587000518(schema admins),1587000520(group policy creator owners),1587000519(enterprise admins)
[4]

AD user UIDs/GIDs are assigned by SSSD's ID mapping (derived from each object's SID, so they are not controlled by anything set in AD). If you'd like to assign fixed UID/GID values instead, configure as follows.

Add UNIX attributes to AD accounts first, refer to here.
This example assumes the AD accounts already have the [uidNumber/gidNumber] attributes.

Next, change SSSD settings.
root@dlp:~#
vi /etc/sssd/sssd.conf
# line 17 : change

ldap_id_mapping = False

# add to last line

ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
# clear the SSSD cache (cached entries keep the old mapped IDs; this also drops cached credentials for offline login) and restart sssd

root@dlp:~#
rm -f /var/lib/sss/db/*

root@dlp:~#
systemctl restart sssd
root@dlp:~#
id serverworld

uid=2000(serverworld) gid=100(users) groups=100(users)
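Steps [3] and [4] both edit the [domain/srv.world] section of /etc/sssd/sssd.conf by hand. The script below is an added example, not part of this tutorial or of SSSD, that makes the same two changes programmatically and guards the two ways the manual edit goes wrong: sssd refuses to start if sssd.conf is readable by anyone but root, so the file is rewritten atomically with mode 0600; and turning ldap_id_mapping off without naming the uidNumber/gidNumber attributes leaves every AD user unresolvable once the cache is flushed, so that combination is rejected before anything is written. The sample configuration embedded in the script is constructed to resemble what realmd writes after the join above; the function names and the demo() scratch-directory run are this example's own.

```python
"""Apply the sssd.conf changes from steps [3] and [4] without leaving a
config that sssd will refuse to load.  Added example; the sample config
is constructed and the helper names are this example's own."""
import configparser
import io
import os
import stat
import tempfile

SSSD_CONF = "/etc/sssd/sssd.conf"   # Debian's path; demo() uses a scratch copy instead

# Constructed sample in the shape realmd writes after `realm join SRV.WORLD`.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = srv.world
config_file_version = 2
services = nss, pam

[domain/srv.world]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SRV.WORLD
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = srv.world
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
"""


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # %u/%d are sssd templates, not interpolation
    cp.optionxform = str                                # sssd option names are case-sensitive
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def set_short_names(cp, domain):
    """Step [3]: allow `id Administrator` instead of `id Administrator@srv.world`."""
    cp[domain]["use_fully_qualified_names"] = "False"


def set_posix_ids(cp, domain, uid_attr="uidNumber", gid_attr="gidNumber"):
    """Step [4]: take UID/GID from AD's RFC2307 attributes instead of SID-based mapping."""
    cp[domain]["ldap_id_mapping"] = "False"
    cp[domain]["ldap_user_uid_number"] = uid_attr
    cp[domain]["ldap_user_gid_number"] = gid_attr


def validate(cp):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    if not domain_sections(cp):
        problems.append("no [domain/...] section")
    for dom in domain_sections(cp):
        sec = cp[dom]
        if sec.get("ldap_id_mapping", "True").strip().lower() == "false":
            for key in ("ldap_user_uid_number", "ldap_user_gid_number"):
                if not sec.get(key, "").strip():
                    problems.append(f"{dom}: ldap_id_mapping = False but {key} is unset")
    return problems


def write_conf(cp, path):
    """Atomic replace with mode 0600; sssd refuses a config readable by others."""
    buf = io.StringIO()
    cp.write(buf)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".sssd.conf.")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(buf.getvalue())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def permissions_ok(path):
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def apply_changes(path, domain, short_names=True, posix_ids=False):
    """Read, edit, validate and rewrite sssd.conf; returns the final domain section."""
    with open(path) as f:
        cp = parse_conf(f.read())
    if short_names:
        set_short_names(cp, domain)
    if posix_ids:
        set_posix_ids(cp, domain)
    problems = validate(cp)
    if problems:
        raise ValueError("; ".join(problems))
    write_conf(cp, path)
    return dict(cp[domain])


def demo():
    """Run both steps against the constructed sample in a scratch directory."""
    path = os.path.join(tempfile.mkdtemp(), "sssd.conf")
    with open(path, "w") as f:
        f.write(SAMPLE_SSSD_CONF)
    after = apply_changes(path, "domain/srv.world", short_names=True, posix_ids=True)
    # A half-done step [4] (mapping off, attribute names missing) must be rejected.
    broken = parse_conf(SAMPLE_SSSD_CONF)
    broken["domain/srv.world"]["ldap_id_mapping"] = "False"
    return {"after": after, "mode_ok": permissions_ok(path), "broken_problems": validate(broken)}


if __name__ == "__main__":
    print(demo())
```

Running the script against the real file is `apply_changes(SSSD_CONF, "domain/srv.world", posix_ids=True)` as root, followed by the cache flush and `systemctl restart sssd` from step [4]; the "line 16 / line 17" references in the text depend on the realmd version that wrote the file, which is why the script looks options up by name rather than by line.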