Join AD using realmd on SUSE Linux Enterprise Server 15
This document (000021263) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4
Prerequisites:- Make sure your SLES/SLED instance is up to date.
- Configure NTP (
chronyd) to use the same configuration as the Active Directory server environment. Many authentication errors can occur if the client is not able to communicate with the Active Directory server due to time differences. ( Time synchronization with NTP - https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-ntp.html )
- Either disable NSCD or configure it not to cache the same information as SSSD. Having multiple caches for the same information can cause conflicts and issues.
- Ensure that the server is using the Active Directory servers as its DNS nameservers, or the same DNS servers that the Active Directory server is using. If this is not configured correctly, or if any required Active Directory DNS records are missing, the client may not be able to find and use the Active Directory server. ( check DNS resolution using the command
- Open all required Active Directory and Kerberos ports through the network and firewalls.
- Configure the system FQDN. The command hostname -f should return the FQDN. ( YaST network > Hostname/DNS tab > Static Hostname)
Join using realmd:1. Install realmd and all the required packages on the system:
# zypper in realmd adcli sssd sssd-tools sssd-ad samba-client2. Run the following command to discover the Active Directory domain:
# realm discover <domain-name>3. Run the following command to join the Linux system to the Active Directory domain:
# realm join <domain-name> -U '<domain-admin-user>'When prompted, enter the credentials for a user account in the Active Directory domain with the privilege to join computers to the domain. Once the join process is complete, the system will be a member of the Active Directory domain.
4. Run the following command to verify that the system has been successfully joined to the AD domain:
# realm list
# systemctl status sssd
1. Join the domain example.com:
# realm join example.com -v
Use -v/--verbose flag at the end of the command for verbose diagnostics.
Password for Administrator: ... ... * Successfully enrolled machine in realm
2. Check the domain details:
# realm list
example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: adcli required-package: samba-client login-formats: %U@example.com login-policy: allow-realm-logins
3. Verify SSSD status:
# systemctl status sssd
sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2023-11-05 13:22:32 UTC; 3min 49s ago Main PID: 479 (sssd) Tasks: 4 CGroup: /system.slice/sssd.service ├─479 /usr/sbin/sssd -i --logger=files ├─505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
use_fully_qualified_names = False
... in /etc/sssd/sssd.conf.
This can be useful in environments where users have short usernames, or where there are multiple domains with the same name.
When use_fully_qualified_names = False is set, SSSD will try to authenticate users using the short username. If the authentication is unsuccessful, SSSD will then try to authenticate the user using the FQDN.
Removing the system from the AD domain:To remove the system from the domain run the following command:
# realm leave <domain-name> -U '<domain-admin-user>'
realm - Manage enrolment in realms
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021263
- Creation Date: 02-Nov-2023
- Modified Date:15-Nov-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com