Join AD using realmd on SUSE Linux Enterprise Server 15

This document (000021263) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Desktop 15 SP5
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4


Join AD via command line using realmd.



- Make sure your SLES/SLED instance is up to date.
- Configure NTP (chronyd) to use the same configuration as the Active Directory server environment. Many authentication errors can occur if the client is not able to communicate with the Active Directory server due to time differences. (See: Time synchronization with NTP.)
- Either disable NSCD or configure it not to cache the same information as SSSD. Having multiple caches for the same information can cause conflicts and issues.
- Ensure that the server is using the Active Directory servers as its DNS nameservers, or the same DNS servers that the Active Directory server is using. If this is not configured correctly, or if any required Active Directory DNS records are missing, the client may not be able to find and use the Active Directory server. (Check DNS resolution using the command nslookup <domain_controller_hostname>.)
- Open all required Active Directory and Kerberos ports through the network and firewalls.
- Configure the system FQDN. The command hostname -f should return the FQDN. (YaST network > Hostname/DNS tab > Static Hostname)

Join using realmd:

1. Install realmd and all the required packages on the system:
# zypper in realmd adcli sssd sssd-tools sssd-ad samba-client
2. Run the following command to discover the Active Directory domain:
# realm discover <domain-name>
3. Run the following command to join the Linux system to the Active Directory domain:
# realm join <domain-name> -U '<domain-admin-user>'
When prompted, enter the credentials for a user account in the Active Directory domain with the privilege to join computers to the domain. Once the join process is complete, the system will be a member of the Active Directory domain.

4. Run the following command to verify that the system has been successfully joined to the AD domain:
# realm list
5. Verify the status of the SSSD service:
# systemctl status sssd


1. Join the domain

# realm join -v

Use -v/--verbose flag at the end of the command for verbose diagnostics.


Password for Administrator:
* Successfully enrolled machine in realm

2. Check the domain details:

# realm list

  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-policy: allow-realm-logins

3. Verify SSSD status:

# systemctl status sssd

sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-11-05 13:22:32 UTC; 3min 49s ago
 Main PID: 479 (sssd)
    Tasks: 4
   CGroup: /system.slice/sssd.service
           ├─479 /usr/sbin/sssd -i --logger=files
           ├─505 /usr/lib/sssd/sssd_be --domain --uid 0 --gid 0 --logger=files
           ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
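
The checks above can be scripted. The following is an added example, not part of the original SUSE article: it parses realm list output and reports whether the host is a kerberos-member using SSSD, and whether the login policy admits all realm accounts. The function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE article): audit `realm list` after a join.
# SAMPLE_REALM_LIST is constructed, modelled on the output shown above.
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-policy: allow-realm-logins'

# realm_field TEXT KEY: print the first value of "KEY: value" found in TEXT.
realm_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# audit_realm_join TEXT: return 0 = joined with a restricted login policy,
# 1 = not joined through SSSD, 2 = joined but all realm accounts may log in.
audit_realm_join() {
    rj_configured=$(realm_field "$1" configured)
    rj_client=$(realm_field "$1" client-software)
    rj_policy=$(realm_field "$1" login-policy)

    if [ "$rj_configured" != "kerberos-member" ]; then
        echo "FAIL: configured='${rj_configured:-<missing>}', expected kerberos-member"
        return 1
    fi
    if [ "$rj_client" != "sssd" ]; then
        echo "FAIL: client-software='${rj_client:-<missing>}', expected sssd"
        return 1
    fi
    if [ "$rj_policy" = "allow-realm-logins" ]; then
        echo "WARN: login-policy=allow-realm-logins, all realm accounts may log in"
        return 2
    fi
    echo "OK: joined, login-policy=$rj_policy"
    return 0
}

# On a joined host, pass the live output: audit_realm_join "$(realm list)"
audit_realm_join "$SAMPLE_REALM_LIST" || echo "audit exit status: $?"
```

The login policy reported here is changed with realm permit and realm deny; see the realm man page.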

Additional Information

If you want SSSD to not require fully qualified domain names (FQDNs) when authenticating users, change:

use_fully_qualified_names = False

... in /etc/sssd/sssd.conf.

This can be useful in environments where users have short usernames, or where there are multiple domains with the same name.

When use_fully_qualified_names = False is set, SSSD will try to authenticate users using the short username. If the authentication is unsuccessful, SSSD will then try to authenticate the user using the FQDN.


Removing the system from the AD domain:

To remove the system from the domain run the following command:
# realm leave <domain-name> -U '<domain-admin-user>'

Man pages:
realm - Manage enrolment in realms




This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021263
  • Creation Date: 02-Nov-2023
  • Modified Date: 15-Nov-2023
  • SUSE Linux Enterprise Server
