SUSE Support

Here When You Need Us

Join AD using realmd on SUSE Linux Enterprise Server 15

This document (000021263) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 15 SP6
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP6
SUSE Linux Enterprise Desktop 15 SP5
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP5
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP4

Situation

Join AD via command line using realmd.

Resolution

Prerequisites:

- Make sure your SLES/SLED instance is up to date.
- Configure NTP (chronyd) to use the same configuration as the Active Directory server environment. Many authentication errors can occur if the client is not able to communicate with the Active Directory server due to time differences. ( Time synchronization with NTP - https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-ntp.html
- Either disable NSCD or configure it not to cache the same information as SSSD. Having multiple caches for the same information can cause conflicts and issues.
- Ensure that the server is using the Active Directory servers as its DNS nameservers, or the same DNS servers that the Active Directory server is using. If this is not configured correctly, or if any required Active Directory DNS records are missing, the client may not be able to find and use the Active Directory server. ( check DNS resolution using the command nslookup <domain_controller_hostname>)
- Open all required Active Directory and Kerberos ports through the network and firewalls.
- Configure the system FQDN. The command hostname -f should return the FQDN. ( YaST network > Hostname/DNS tab > Static Hostname)
 

Join using realmd:

1. Install realmd and all the required packages on the system:

# zypper in realmd adcli sssd sssd-tools sssd-ad samba-client

2. Run the following command to discover the Active Directory domain:

# realm discover <domain-name>

3. Run the following command to join the Linux system to the Active Directory domain:

# realm join <domain-name> -U <domain-admin-user>

When prompted, enter the credentials for a user account in the Active Directory domain with the privilege to join computers to the domain. Once the join process is complete, the system will be a member of the Active Directory domain.

4. Run the following command to verify that the system has been successfully joined to the AD domain:

# realm list
5. Verify the status of the SSSD service:
# systemctl status sssd
 

Example:

1. Join the domain example.com:

# realm join example.com -U administrator -v

 

Use -v/--verbose flag at the end of the command for verbose diagnostics.

With the realm command, if the domain name is also used along with the username (username@EXAMPLE.COM), that must be defined uppercase. The realm command, in fact, expects a Kerberos domain which must be always written in capital letters. For example: 

# realm join example.com -U administrator@EXAMPLE.COM -v

Output:

Password for Administrator:
...
...
* Successfully enrolled machine in realm


2. Check the domain details:

# realm list

Output:

example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-formats: %U@example.com
  login-policy: allow-realm-logins


3.  Verify SSSD status:

# systemctl status sssd

Output:
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-11-05 13:22:32 UTC; 3min 49s ago
 Main PID: 479 (sssd)
    Tasks: 4
   CGroup: /system.slice/sssd.service
           ├─479 /usr/sbin/sssd -i --logger=files
           ├─505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
           ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Additional Information

If you want SSSD to not require fully qualified domain names (FQDNs) when authenticating users, change:

use_fully_qualified_names = False

... in /etc/sssd/sssd.conf.

This can be useful in environments where users have short usernames, or where there are multiple domains with the same name.

When use_fully_qualified_names = False is set, SSSD will try to authenticate users using the short username. If the authentication is unsuccessful, SSSD will then try to authenticate the user using the FQDN.

 

Removing the system from the AD domain:

To remove the system from the domain run the following command:
# realm leave <domain-name> -U '<domain-admin-user>'

Man pages:
realm - Manage enrolment in realms
https://manpages.opensuse.org/Tumbleweed/realmd/realm.8.en.html

sssd.conf
https://manpages.opensuse.org/Tumbleweed/sssd/sssd.conf.5.en.html

sssd-ad
https://manpages.opensuse.org/Tumbleweed/sssd-ad/sssd-ad.5.en.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021263
  • Creation Date: 02-Nov-2023
  • Modified Date:12-Nov-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.