Join Active Directory using realmd on SUSE Linux Enterprise Server 15
This document (000021263) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
Situation
Resolution
Prerequisites:
- Make sure your SLES/SLED instance is up to date.
- Configure NTP (chronyd) to use the same time source as the Active Directory environment. Accurate time synchronization is critical for Kerberos: a KDC rejects requests whose timestamp differs from its own clock by more than the configured clock skew (5 minutes by default), so a client whose clock has drifted fails authentication even though it can reach the domain controller. Use a central NTP time server for this purpose; this can also be the NTP service running on your Active Directory domain controller. ( Synchronizing Time Using NTP/NTS - https://documentation.suse.com/smart/network/html/ntp-time-synchronization/index.html)
- Either disable nscd or configure it not to cache the databases SSSD already caches (passwd, group, netgroup). Two caches for the same data go stale independently and produce inconsistent lookups.
- The file /etc/resolv.conf must list the IP addresses of your AD DNS servers, or of DNS servers that forward to them (yast2 lan > Hostname/DNS tab > Modify DNS Configuration). Active Directory publishes its domain controllers as DNS SRV records (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>); realm discover and SSSD rely on these records, so a client that cannot resolve them cannot find a domain controller. Check resolution with nslookup <domain_controller_hostname> and nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>.
- Open the required Active Directory and Kerberos ports between the client and the domain controllers. This typically includes Kerberos 88 and 464 (kpasswd, used when the computer account password is set) on TCP and UDP, LDAP 389 (636 only if LDAPS is used), Global Catalog 3268 (queried by SSSD's AD provider by default), DNS 53 on TCP and UDP, and SMB 445 if SSSD's GPO-based access control (ad_gpo_access_control) is enabled.
- Configure the system FQDN so that hostname -f returns it (yast2 lan > Hostname/DNS tab > Static Hostname). Keep the short host name to 15 characters or fewer: the computer account name in AD is limited to the 15-character NetBIOS length, and a longer name is truncated when the account is created.
- Have credentials for an Active Directory account that is allowed to create computer objects in the target OU. This does not need to be a Domain Administrator: an account with the delegated "Create Computer objects" right on that OU is sufficient and is the least-privilege choice.
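The prerequisites above can be checked from the client before the join is attempted. The following preflight script is an added example for this article, not a SUSE tool: it assumes chronyd, the host command (bind-utils) and nc (netcat) are installed, and the domain name is passed as its first argument. The helpers take constructed input so they can be exercised without a domain; the live checks only run when a domain name is given.

```shell
#!/bin/sh
# ad-preflight.sh: check the prerequisites listed above before running realm join.
# Added example for this article, not a SUSE tool. The helpers take their input
# as arguments or stdin so they can be exercised with constructed data; the live
# checks at the bottom run only when a domain name is given on the command line.

MAX_SKEW=300   # Kerberos clock-skew default (5 min): larger offsets fail authentication

# Kerberos realm names are case-sensitive; AD realms are the upper-cased DNS domain.
kerberos_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# hostname -f must return a dotted name inside the domain (compared case-insensitively).
fqdn_in_domain() {   # fqdn_in_domain <fqdn> <domain>
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$h" in
        *".$d") return 0 ;;     # at least one host label followed by .domain
        *)      return 1 ;;
    esac
}

# Parse the "System time" line of `chronyc tracking` into a signed offset in seconds
# (negative = clock behind NTP). Constructed input line, for reference:
#   System time     : 0.000123456 seconds slow of NTP time
chrony_offset() {
    awk -F: '/^System time/ { split($2, f, " "); off = f[1] + 0
                              if (f[3] == "slow") off = -off
                              print off; exit }'
}

skew_ok() {   # skew_ok <offset seconds>; exit 0 when inside the Kerberos tolerance
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off < max) }'
}

# nscd caching passwd/group/netgroup next to SSSD means two caches for the same
# data; print any of those databases still enabled in a nscd.conf read from stdin.
nscd_conflicts() {
    awk '$1 == "enable-cache" && $3 == "yes" && ($2 == "passwd" || $2 == "group" || $2 == "netgroup") { print $2 }'
}

# TCP ports to test on each DC. Beyond the article's list: 3268 (Global Catalog, used
# by SSSD's AD provider by default) and 445 (SMB, only for SSSD GPO access control).
AD_PORTS="53 88 389 464 636 3268 445"

run_checks() {   # run_checks <domain>
    domain=$1
    echo "Kerberos realm: $(kerberos_realm "$domain")"

    fqdn=$(hostname -f)
    if fqdn_in_domain "$fqdn" "$domain"; then echo "PASS hostname -f = $fqdn"
    else echo "FAIL hostname -f = '$fqdn' is not an FQDN inside $domain"; fi

    off=$(chronyc tracking 2>/dev/null | chrony_offset)
    if [ -n "$off" ] && skew_ok "$off"; then echo "PASS clock offset ${off}s"
    else echo "FAIL clock offset '${off:-unknown}' (is chronyd running and synchronized?)"; fi

    # AD publishes its domain controllers as SRV records; realm discover depends on them.
    dcs=$(host -t SRV "_ldap._tcp.dc._msdcs.$domain" 2>/dev/null |
          awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }')
    if [ -n "$dcs" ]; then echo "PASS DC SRV records: $(printf '%s' "$dcs" | tr '\n' ' ')"
    else echo "FAIL no _ldap._tcp.dc._msdcs.$domain SRV record (is DNS pointing at AD?)"; fi

    conflicts=""
    if [ -r /etc/nscd.conf ]; then conflicts=$(nscd_conflicts < /etc/nscd.conf); fi
    if [ -z "$conflicts" ]; then echo "PASS nscd does not cache SSSD databases"
    else echo "WARN nscd still caches: $(printf '%s' "$conflicts" | tr '\n' ' ')"; fi

    for dc in $dcs; do
        for port in $AD_PORTS; do
            if nc -z -w 3 "$dc" "$port" 2>/dev/null; then echo "PASS $dc:$port"
            else echo "WARN $dc:$port unreachable over TCP (firewall?)"; fi
        done
    done
}

if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Run it as sh ad-preflight.sh example.com. A FAIL on the clock or SRV checks should be fixed before realm join is attempted; a WARN on 445 or 636 is harmless unless GPO access control or LDAPS is in use.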
Join using realmd:
1. Install realmd and all the required packages on the system:
# zypper in realmd adcli sssd sssd-tools sssd-ad samba-client
2. Run the following command to discover the Active Directory domain:
# realm discover <domain-name>
3. Run the following command to join the Linux system to the Active Directory domain:
# realm join <domain-name> -U <domain-admin-user>
When prompted, enter the password of an Active Directory account that is allowed to join computers to the domain. realmd creates the computer account, stores its keys in /etc/krb5.keytab, writes /etc/sssd/sssd.conf and starts sssd. Once the join completes, the system is a member of the Active Directory domain.
4. Run the following command to verify that the system has been successfully joined to the AD domain:
# realm list
# systemctl status sssd
Example:
1. Join the domain example.com:
# realm join example.com -U administrator -v
Add the -v/--verbose flag for verbose diagnostics.
If the user is given as a Kerberos principal (username@EXAMPLE.COM), the realm part must be written in upper case. Kerberos realm names are case-sensitive, and an Active Directory realm is the upper-cased DNS domain name. For example:
# realm join example.com -U administrator@EXAMPLE.COM -v
Output:
Password for Administrator:
...
...
 * Successfully enrolled machine in realm
2. Check the domain details:
# realm list
Output:
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-formats: %U@example.com
  login-policy: allow-realm-logins
3. Verify SSSD status:
# systemctl status sssd
Output:
sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-11-05 13:22:32 UTC; 3min 49s ago
   Main PID: 479 (sssd)
      Tasks: 4
     CGroup: /system.slice/sssd.service
             ├─479 /usr/sbin/sssd -i --logger=files
             ├─505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
             ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
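realm list and systemctl status sssd confirm the local configuration, but not that the computer account actually works against the KDC. The script below is an added example for this article, not a SUSE script: it performs the join with a delegated account and a target OU, then verifies the machine keytab with kinit -k and the SSSD backend with sssctl. The domain example.com, the join account "joiner" (assumed to hold only the delegated "Create Computer objects" right) and the OU OU=Linux,DC=example,DC=com are assumed names.

```shell
#!/bin/sh
# ad-join.sh: join with realm and then verify the result, including the machine
# account keytab that SSSD uses. Added example for this article, not a SUSE script.
# Assumed names: domain example.com, join account "joiner" holding only the delegated
# "Create Computer objects" right, and target OU OU=Linux,DC=example,DC=com.
set -eu

# Kerberos realm = upper-cased DNS domain.
realm_of() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# adcli names the computer account after the short host name, upper-cased and cut
# to the 15-character NetBIOS limit; the keytab principal is then NAME$@REALM.
machine_principal() {   # machine_principal <short hostname> <realm>
    printf '%s$@%s\n' "$(printf '%s' "$1" | cut -c1-15 | tr '[:lower:]' '[:upper:]')" "$2"
}

join_domain() {   # join_domain <domain> <join user> <computer OU>
    realm discover -v "$1"
    # --computer-ou puts the object in the delegated OU instead of CN=Computers;
    # --os-name/--os-version fill the operatingSystem attributes for inventory.
    realm join -v --user="$2" --computer-ou="$3" \
        --os-name="$(. /etc/os-release && printf '%s' "$NAME")" \
        --os-version="$(. /etc/os-release && printf '%s' "$VERSION_ID")" \
        "$1"
}

verify_join() {   # verify_join <domain> <AD user to resolve>
    realm=$(realm_of "$1")
    princ=$(machine_principal "$(hostname -s)" "$realm")
    realm list | grep -qF "realm-name: $realm"
    # The keytab adcli wrote must hold the machine principal, and a kinit -k with it
    # proves the computer account password is accepted by the KDC.
    klist -k /etc/krb5.keytab | grep -qF "$princ"
    kinit -k -c /tmp/ad-verify.cc "$princ" && kdestroy -c /tmp/ad-verify.cc
    sssctl domain-status "$1"          # sssd-tools: online state and the DC in use
    getent passwd "$2@$1"              # identity resolution through SSSD
    echo "join verified: $princ"
}

case "${1:-}" in
    join)   join_domain "${2:-example.com}" "${3:-joiner}" "${4:-OU=Linux,DC=example,DC=com}" ;;
    verify) verify_join "${2:-example.com}" "${3:-joiner}" ;;
esac
```

Run sh ad-join.sh join example.com joiner "OU=Linux,DC=example,DC=com" and then sh ad-join.sh verify example.com joiner. A failing kinit -k after a successful realm join usually means clock skew or a stale computer account from an earlier join with the same name.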
Additional Information
If you do not want users to have to log in with fully qualified names (user@example.com), set:
use_fully_qualified_names = False
... in the [domain/<domain-name>] section of /etc/sssd/sssd.conf (realmd sets it to True when it joins), then clear the cache with sss_cache -E and restart sssd.
This is useful on a host that is joined to a single domain. With several domains a short username is ambiguous, so keep the option at True there.
When use_fully_qualified_names = False is set, SSSD resolves a bare username in that domain; fully qualified names such as user@example.com continue to work as well.
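Editing sssd.conf by hand is error-prone: the option must land in the domain section, not in [sssd], and SSSD refuses to start if the file is left world-readable. The following script is an added example for this article, not a SUSE tool. It sets the option in the right section with an awk helper, keeps the file mode, validates the result with sssctl config-check and then verifies that both name forms resolve. It assumes the realmd-generated configuration with a [domain/example.com] section and an AD user "alice".

```shell
#!/bin/sh
# sssd-short-names.sh: set use_fully_qualified_names = False for one domain in
# /etc/sssd/sssd.conf and reload SSSD. Added example for this article, not a
# SUSE tool. Assumes the realmd-generated config with a [domain/<domain>] section.

SSSD_CONF=/etc/sssd/sssd.conf

# Pure helper: ini text on stdin, same text on stdout with KEY = VALUE set under
# [SECTION] (replaced in place if present, appended to the section otherwise,
# section created if missing). Other sections are never touched.
set_ini_option() {   # set_ini_option <section> <key> <value>
    awk -v sec="$1" -v key="$2" -v val="$3" '
        function emit_pending() { if (in_sec && !done) { print key " = " val; done = 1 } }
        /^[ \t]*\[/ {                       # section header: close the previous section
            emit_pending()
            h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h)
            in_sec = (h == "[" sec "]")
            if (in_sec) seen = 1
        }
        { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k) }   # key part of "key = value"
        in_sec && k == key { if (!done) { print key " = " val; done = 1 }; next }
        { print }
        END {
            if (!seen) { print ""; print "[" sec "]"; in_sec = 1 }
            emit_pending()
        }'
}

apply_option() {   # apply_option <section> <key> <value>
    tmp=$(mktemp "$SSSD_CONF.XXXXXX")
    set_ini_option "$1" "$2" "$3" < "$SSSD_CONF" > "$tmp"
    # SSSD refuses to start unless sssd.conf is owned by root (or sssd) and not
    # readable by others, so fix ownership and mode before the file goes into place.
    chown root:root "$tmp" && chmod 0600 "$tmp"
    cp -p "$SSSD_CONF" "$SSSD_CONF.bak"
    mv "$tmp" "$SSSD_CONF"
    sssctl config-check            # syntax and permission check before touching the daemon
    sss_cache -E                   # drop entries cached under the old name format
    systemctl restart sssd
}

# Usage: sh sssd-short-names.sh example.com alice
if [ $# -eq 2 ]; then
    apply_option "domain/$1" use_fully_qualified_names False
    getent passwd "$2" && getent passwd "$2@$1"   # both forms resolve once the option is False
fi
```

The awk helper is the part worth reusing: it is idempotent, so running the script twice leaves a single use_fully_qualified_names line, and it never rewrites keys outside the named section.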
Removing the system from the AD domain:
To remove the system from the domain run the following command:
# realm leave <domain-name> -U '<domain-admin-user>'
Without credentials realm leave only removes the local configuration (sssd.conf and the keytab entries); with an account given in -U realmd can also remove the computer account from Active Directory. See the leave options in realm(8).
For more complex configurations when joining an Active Directory Domain use adcli and follow the procedure described in this KB article:
Manually join AD on SUSE Linux Enterprise Server 12 or 15 without Yast usage
Man pages:
realm - Manage enrollment in realms
https://manpages.opensuse.org/Tumbleweed/realmd/realm.8.en.html
realmd.conf - Tweak behavior of realmd
https://manpages.opensuse.org/Tumbleweed/realmd/realmd.conf.5.en.html
sssd.conf
https://manpages.opensuse.org/Tumbleweed/sssd/sssd.conf.5.en.html
sssd-ad
https://manpages.opensuse.org/Tumbleweed/sssd-ad/sssd-ad.5.en.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021263
- Creation Date: 02-Nov-2023
- Modified Date:12-Feb-2025
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com