Join AD using realmd on SUSE Linux Enterprise Server 15
This document (000021263) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4
Situation
Resolution
Prerequisites:
- Make sure your SLES/SLED instance is up to date.
- Configure NTP (chronyd) to use the same configuration as the Active Directory server environment. Many authentication errors can occur if the client is not able to communicate with the Active Directory server due to time differences. (Time synchronization with NTP - https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-ntp.html)
- Either disable NSCD or configure it not to cache the same information as SSSD. Having multiple caches for the same information can cause conflicts and issues.
- Ensure that the server is using the Active Directory servers as its DNS nameservers, or the same DNS servers that the Active Directory server is using. If this is not configured correctly, or if any required Active Directory DNS records are missing, the client may not be able to find and use the Active Directory server. (Check DNS resolution using the command nslookup <domain_controller_hostname>.)
- Open all required Active Directory and Kerberos ports through the network and firewalls.
- Configure the system FQDN. The command hostname -f should return the FQDN. (YaST network > Hostname/DNS tab > Static Hostname)
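The prerequisites above can be checked in one pass before running realm join. The following pre-flight script is an added example and is not part of this TID or of SUSE's own tooling. It assumes bash (for the /dev/tcp port probe), chronyd as the time source, and that the domain controller's FQDN is passed as the first argument; the port list is the well-known set of AD/Kerberos service ports (DNS, Kerberos, LDAP, SMB, kpasswd, LDAPS, global catalog), and which of them an environment strictly needs depends on the site.

```shell
#!/bin/bash
# Pre-join checks for a SLES host about to run "realm join".
# Added example, not part of the SUSE TID. Assumes bash, chronyd and that
# the domain controller FQDN is given as the first argument.
#
# Usage: ./ad_preflight.sh dc1.example.com

# Returns 0 when the name looks fully qualified: contains a dot and does not
# start or end with one. Pure function, so it can be tested offline.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        .*|*.) return 1 ;;
    esac
    return 0
}

# Well-known AD/Kerberos ports: DNS, Kerberos, LDAP, SMB, kpasswd, LDAPS, GC.
AD_PORTS="53 88 389 445 464 636 3268"

# Prints "open" or "closed" for host:port using bash's /dev/tcp (no nc needed).
tcp_port_state() {
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

report() { printf '%-5s %s\n' "$1" "$2"; }

run_checks() {
    dc="$1"

    # 1. hostname -f must return an FQDN (YaST > Hostname/DNS > Static Hostname).
    fqdn=$(hostname -f 2>/dev/null)
    if is_fqdn "$fqdn"; then report PASS "hostname -f = $fqdn"
    else report FAIL "hostname -f returned '$fqdn', not an FQDN"; fi

    # 2. Clock must be synchronised; Kerberos rejects tickets with large skew.
    if command -v chronyc >/dev/null; then
        if chronyc tracking 2>/dev/null | grep -q '^Leap status *: Normal'; then
            report PASS "chronyd synchronised (leap status Normal)"
        else
            report FAIL "chronyd not synchronised (see chronyc sources)"
        fi
    else
        report SKIP "chronyc not installed"
    fi

    # 3. The DC must resolve through the nameservers the host is using.
    if getent hosts "$dc" >/dev/null; then report PASS "DNS resolves $dc"
    else report FAIL "DNS cannot resolve $dc"; fi

    # 4. Required ports must be reachable through the network and firewalls.
    for p in $AD_PORTS; do
        if [ "$(tcp_port_state "$dc" "$p")" = open ]; then report PASS "$dc:$p reachable"
        else report FAIL "$dc:$p not reachable"; fi
    done
}

# Live checks only run when a DC hostname is given, so the functions above
# can be sourced from another script without side effects.
if [ $# -ge 1 ]; then
    run_checks "$1"
else
    echo "usage: $0 <domain-controller-fqdn>" >&2
fi
```

A FAIL on the port or DNS checks is the usual cause of realm discover returning nothing, and a FAIL on the chronyd check is the usual cause of "clock skew too great" errors during the join.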
Join using realmd:
1. Install realmd and all the required packages on the system:
# zypper in realmd adcli sssd sssd-tools sssd-ad samba-client
2. Run the following command to discover the Active Directory domain:
# realm discover <domain-name>
3. Run the following command to join the Linux system to the Active Directory domain:
# realm join <domain-name> -U <domain-admin-user>
When prompted, enter the credentials for a user account in the Active Directory domain with the privilege to join computers to the domain. Once the join process is complete, the system will be a member of the Active Directory domain.
4. Run the following command to verify that the system has been successfully joined to the AD domain:
# realm list
# systemctl status sssd
Example:
1. Join the domain example.com:
# realm join example.com -U administrator -v
Use the -v/--verbose flag at the end of the command for verbose diagnostics.
If the user name is given together with the domain (username@EXAMPLE.COM), the domain part must be written in uppercase: the realm command expects a Kerberos realm name, which is always written in capital letters. For example:
# realm join example.com -U administrator@EXAMPLE.COM -v
Output:
Password for Administrator:
...
 * Successfully enrolled machine in realm
2. Check the domain details:
# realm list
Output:
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-formats: %U@example.com
  login-policy: allow-realm-logins
3. Verify SSSD status:
# systemctl status sssd
Output:
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-11-05 13:22:32 UTC; 3min 49s ago
 Main PID: 479 (sssd)
    Tasks: 4
   CGroup: /system.slice/sssd.service
           ├─479 /usr/sbin/sssd -i --logger=files
           ├─505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
           ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
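The verification in steps 2 and 3 can be scripted so that a host reports its join state in one run. The script below is an added example, not part of this TID or of realmd/SSSD. It parses realm list output for the fields shown above (configured, client-software, server-software, required-package), checks that each required package is installed and that sssd.service is active, and optionally resolves an AD user with id(1). When realm is not installed it falls back to a constructed sample built from the realm list output shown in this TID, so the parser can be exercised offline.

```shell
#!/bin/bash
# Post-join verification for a SLES host. Added example, not part of the
# SUSE TID. Assumes realm/sssd are installed on the host being checked; an
# AD user name may be passed as the first argument for an id(1) lookup.
#
# Usage: ./ad_verify.sh [ad-user]

# Constructed sample in the format printed by "realm list" (taken from the
# TID's example output), used only when realm(8) is not on the machine.
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-formats: %U@example.com
  login-policy: allow-realm-logins'

# Prints the first value of "<key>: <value>" from realm list text on stdin.
realm_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Prints every required-package value, one per line.
realm_required_packages() {
    printf '%s\n' "$1" | awk '$1 == "required-package:" { print $2 }'
}

# Returns 0 when the text describes a kerberos-member of an AD realm using
# SSSD as the client; prints the reason on stdout otherwise.
check_realm() {
    text="$1"
    configured=$(printf '%s\n' "$text" | realm_field configured)
    client=$(printf '%s\n' "$text" | realm_field client-software)
    server=$(printf '%s\n' "$text" | realm_field server-software)
    realm_name=$(printf '%s\n' "$text" | realm_field realm-name)
    [ "$configured" = kerberos-member ] || { echo "not configured as kerberos-member (got '$configured')"; return 1; }
    [ "$client" = sssd ] || { echo "client-software is '$client', expected sssd"; return 1; }
    [ "$server" = active-directory ] || { echo "server-software is '$server', expected active-directory"; return 1; }
    echo "ok: member of realm $realm_name via sssd"
}

run_verify() {
    if command -v realm >/dev/null; then
        text=$(realm list)
    else
        echo "realm not installed; checking the constructed sample only" >&2
        text="$SAMPLE_REALM_LIST"
    fi
    [ -n "$text" ] || { echo "FAIL: realm list is empty, host is not joined"; return 1; }
    check_realm "$text" || return 1

    # Every package realmd lists as required should be present.
    for pkg in $(realm_required_packages "$text"); do
        if rpm -q "$pkg" >/dev/null 2>&1; then echo "PASS: $pkg installed"
        else echo "FAIL: $pkg missing"; fi
    done

    # The daemon itself must be running (equivalent to systemctl status sssd).
    if command -v systemctl >/dev/null && systemctl is-active --quiet sssd; then
        echo "PASS: sssd.service active"
    else
        echo "FAIL: sssd.service not active (run systemctl status sssd)"
    fi

    # A successful id lookup proves NSS and the SSSD backend reach the DC.
    if [ -n "$1" ]; then
        if id "$1" >/dev/null 2>&1; then echo "PASS: id $1 resolved through SSSD"
        else echo "FAIL: id $1 failed (check login-formats, e.g. user@example.com)"; fi
    fi
}

run_verify "$1"
```

The id lookup is the most telling check: realm list and an active sssd.service only show that the join was recorded, while a resolved AD user shows that the SSSD backend can actually talk to the domain controller with the configured login format.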
Additional Information
To let users log in with short usernames, set the following in /etc/sssd/sssd.conf:
use_fully_qualified_names = False
This can be useful in environments where users have short usernames, or where there are multiple domains with the same name.
When use_fully_qualified_names = False is set, SSSD first tries to authenticate the user with the short username. If that authentication is unsuccessful, SSSD then tries with the fully qualified username.
Removing the system from the AD domain:
To remove the system from the domain, run the following command:
# realm leave <domain-name> -U '<domain-admin-user>'
Man pages:
realm - Manage enrolment in realms
https://manpages.opensuse.org/Tumbleweed/realmd/realm.8.en.html
sssd.conf
https://manpages.opensuse.org/Tumbleweed/sssd/sssd.conf.5.en.html
sssd-ad
https://manpages.opensuse.org/Tumbleweed/sssd-ad/sssd-ad.5.en.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021263
- Creation Date: 02-Nov-2023
- Modified Date: 12-Nov-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com