Join Ubuntu 18.04 to Active Directory

At work, we are building a data ingress environment for analytical purposes. The setup will include both Windows and Linux based machines for managing the infrastructure and data processing. One of my tasks (next to the usual security hardening) was to investigate how we could add the Linux based nodes to the Windows Active Directory domain for simplified management. It turns out that there are a couple of ways of accomplishing that task. It's not as straightforward as it is with Windows, but once you have the right tools and know which files to edit it's really not that hard. With this post I want to share my experiences and show you step by step how to add a Linux based host to a Windows Active Directory domain.

System Security Services Daemon

I've tried a couple of options/packages for joining a Linux machine into a Windows based Active Directory domain, but in the end, for me, using the System Security Services Daemon (SSSD) was the most effective way to accomplish the task at hand. SSSD sits between the local NSS/PAM stack and the directory: it looks up users and groups, authenticates them against the domain's Kerberos KDC, caches the results for offline use and enforces access control, so you don't have to wire up nsswitch.conf and the PAM stack by hand (although knowing which files it touches is very useful when troubleshooting). The other benefit I discovered is that it's available on all major distributions, like Red Hat or Ubuntu, so what I describe here will be useful in many situations. Let's dive in.


My setup is straightforward. A single Domain Controller, named DC01, in the “” domain. Next to the DC role it also hosts the DNS role. The client computer is an Ubuntu 18.04 machine, named “Ubuntu18”, and is configured to use the DNS server on DC01; this matters, because realm discovery and KDC lookup depend on the SRV records that AD publishes in its own DNS zone. I've checked connectivity to DC01 with a simple ICMP ping and name resolution with nslookup. Both work as expected.


First thing we need to do is install the appropriate packages. This post focuses on Ubuntu 18.04, but it's almost the same on other distributions; the package names below are the apt ones, and on RPM based distributions a few differ (krb5-workstation instead of krb5-user, samba-common-tools instead of samba-common-bin). Open up a terminal, gain root privileges and install these packages:

  • realmd
  • sssd
  • sssd-tools
  • libnss-sss
  • libpam-sss
  • krb5-user
  • adcli
  • samba-common-bin


apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin

During the installation of “krb5-user” you'll be prompted for the default Kerberos realm. Fill in your domain name in capital letters: realm names are case-sensitive, and for AD the realm is the DNS domain name in upper case. See my example below.


If for some reason this pop-up does not appear (that happened to me once) or you want to change it afterwards, edit the file “/etc/krb5.conf”. The realm goes into “default_realm” in the [libdefaults] section, and I always add these two entries to the same section:

  • dns_lookup_realm = true
  • dns_lookup_kdc = true

With dns_lookup_kdc the client locates the KDCs through the _kerberos._udp.<realm> SRV records that Active Directory publishes in its DNS zone, so no static [realms] section listing the domain controllers is needed and a new DC is picked up automatically. dns_lookup_realm maps host names to realms via _kerberos TXT records, which AD does not publish by default, so keep default_realm set as well.

More info about configuration options can be found here:

Timing is everything

Kerberos authentication relies heavily on the correct time being set at both ends: the KDC rejects requests whose timestamp is more than 5 minutes (the AD default) off its own clock, so the two entities trying to authenticate must stay within that window. On Ubuntu 18.04, systemd-timesyncd is responsible for time synchronisation. First we need to point the client to a reliable time source. Usually this is the DC, which is also where the domain's Windows clients get their time from, but any source the DC itself is synchronised to will do. Edit “/etc/systemd/timesyncd.conf” and set the NTP= entry to that source, as displayed in the example:



Use these steps to enable synchronisation and check it:

  • timedatectl set-ntp true (enable NTP synchronisation through timesyncd)
  • systemctl restart systemd-timesyncd.service (restart the service so it picks up the new server and queries it straight away)
  • timedatectl status (check the result: you want to see “System clock synchronized: yes” and “systemd-timesyncd.service active: yes”)

Note that timedatectl has no force-sync command; “--adjust-system-clock” is an option of its set-local-rtc subcommand, not a way to trigger a sync. After a short while the clock will be in sync; “systemctl status systemd-timesyncd” shows which server it synchronised to.
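The script below is an added example and not part of the original post. It ties the two previous steps together: it writes the minimal krb5.conf described above (DNS-based KDC lookup, upper-case realm), checks that file, and measures the clock skew against the DC before you try a kinit or a join. The realm and DC names are placeholders; it assumes GNU date and ldapsearch from the ldap-utils package, and it reads the DC's clock from the currentTime attribute of the LDAP rootDSE, which AD serves without a bind.

```shell
#!/bin/sh
# ad-preflight-time.sh: added example, not from the original post.
# Writes a minimal krb5.conf and checks clock skew against the DC.
# Assumptions: REALM/DC names are placeholders; GNU date; ldapsearch
# (package ldap-utils) for reading the DC's clock.

# Render a minimal krb5.conf for REALM into FILE. With dns_lookup_kdc the
# KDCs are found through the _kerberos._udp.<realm> SRV records that AD
# publishes, so no static [realms] block is required.
render_krb5_conf() {
    realm=$1
    file=$2
    cat >"$file" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = true
    dns_lookup_kdc = true
EOF
}

# Return 0 when FILE enables both DNS lookups and default_realm is upper
# case (realm names are case-sensitive; AD realms are the DNS name in
# capitals, which is what the krb5-user prompt asks for).
krb5_conf_ok() {
    f=$1
    grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$f" || return 1
    grep -Eq '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*true' "$f" || return 1
    r=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# Convert an AD generalized-time string (e.g. 20180710120000.0Z, always
# UTC) into a Unix epoch.
ad_time_to_epoch() {
    t=$1
    y=$(printf '%s' "$t" | cut -c1-4)
    mo=$(printf '%s' "$t" | cut -c5-6)
    d=$(printf '%s' "$t" | cut -c7-8)
    hh=$(printf '%s' "$t" | cut -c9-10)
    mm=$(printf '%s' "$t" | cut -c11-12)
    ss=$(printf '%s' "$t" | cut -c13-14)
    date -u -d "$y-$mo-$d $hh:$mm:$ss" +%s
}

# Read the DC's clock from the LDAP rootDSE; AD allows this without binding.
dc_epoch() {
    ad_time_to_epoch "$(ldapsearch -LLL -x -H "ldap://$1" -s base -b '' currentTime \
        | sed -n 's/^currentTime: //p')"
}

# Kerberos rejects requests whose timestamp differs from the KDC's clock by
# more than the clock-skew limit, 5 minutes (300 s) on AD by default.
skew_ok() {
    d=$(($1 - $2))
    [ "$d" -lt 0 ] && d=$((-d))
    [ "$d" -le 300 ]
}

check_dc_skew() {
    remote=$(dc_epoch "$1") || return 2
    now=$(date -u +%s)
    if skew_ok "$now" "$remote"; then
        echo "clock skew against $1 is within 5 minutes"
    else
        echo "clock skew against $1 exceeds 5 minutes; fix NTP before joining" >&2
        return 1
    fi
}

# Usage (as root):
#   AD_REALM=CORP.EXAMPLE.COM AD_DC=dc01.corp.example.com sh ad-preflight-time.sh
if [ -n "${AD_REALM:-}" ] && [ -n "${AD_DC:-}" ]; then
    render_krb5_conf "$AD_REALM" /etc/krb5.conf
    krb5_conf_ok /etc/krb5.conf && echo "/etc/krb5.conf OK"
    check_dc_skew "$AD_DC"
fi
```

Run it with both variables set and it overwrites /etc/krb5.conf, so back up an existing file first; without the variables it only defines the functions, which you can source from an interactive shell. Reading the DC's time over LDAP rather than NTP has the advantage that it checks the clock Kerberos will actually compare against.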

Configure realmd

realmd discovers Kerberos realms like Active Directory and joins the host to them. It consists of the “realm” command-line tool and a D-Bus service. The configuration is stored in the “realmd.conf” file in the “/etc/” directory and is grouped into sections.

The configuration that I found useful is the following:

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Workstation
os-version = 18.04

[service]
automatic-install = no

[corp.bitsofwater.com]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes

The first three section names are fixed; the last section is named after the realm being joined (here the same domain as in the join command further down) and its settings apply to that realm only. automatic-id-mapping = no tells SSSD to take UIDs and GIDs from the POSIX attributes (uidNumber/gidNumber) in AD; if your accounts don't have those, set it to yes so SSSD derives IDs from the SIDs instead, which is the same switch as ldap_id_mapping in sssd.conf. fully-qualified-names = yes means domain users are named user@domain on the system, and user-principal = yes makes the join set a userPrincipalName on the computer account.

Information about the various options of the realmd.conf file can be found here:

Auto create home folders

Before we join the domain the system needs to be told to auto-create users' home folders. By default this is not enabled for domain accounts, so it must be turned on first. This is easily done with the “pam-auth-update” tool: run that command with root privileges and tick the box “Create home directory on login”. This adds the pam_mkhomedir module to the session stack, so the directory is created from /etc/skel the first time a user logs in.


The changes are saved to the file “/etc/pam.d/common-session“.

Testing Directory Access

Now that I have installed all the packages and configured the appropriate settings, I'm ready to test the setup. Ubuntu has a few very useful tools to see if realm discovery and Kerberos authentication succeed. Use the following commands to test it out:

Discover the domain

realm discover

Get a Kerberos ticket for the user Admin

kinit Admin

Display the Kerberos ticket

klist

Destroy the ticket

kdestroy

kinit prints nothing on success; klist should then show a krbtgt/REALM@REALM entry for the user. The reason I destroy the ticket first is that it will otherwise be used during the domain join that I'll show you next.
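The script below is an added example, not part of the original post, covering the name-resolution side of this test. It checks that the host's FQDN does not sit on the 127.0.1.1 line Ubuntu's installer writes to /etc/hosts (a wrong hosts line is a common cause of joins failing with the wrong Kerberos service principal), lists the Kerberos and LDAP SRV records realm discovery depends on, and verifies that every address of the DC, IPv4 and IPv6 alike, has reverse DNS pointing back at the DC, which is relevant to the IPv6 problem noted in the update at the end of this post. Host, domain and DC names are placeholders; dig (dnsutils) and getent are assumed to be installed.

```shell
#!/bin/sh
# ad-preflight-names.sh: added example, not from the original post.
# Checks the name-resolution prerequisites of a realm join: the host's FQDN
# must not map to a loopback address in /etc/hosts, the AD SRV records must
# be discoverable, and the DC's addresses should have matching reverse DNS.
# Assumptions: dig (dnsutils) and getent are available; names are placeholders.

# Return 0 (a problem) when NAME is listed on a 127.x.x.x or ::1 line of
# HOSTSFILE. Ubuntu installs put "127.0.1.1 <hostname>" there, and a host
# whose own name resolves to loopback is a frequent cause of join failures.
fqdn_on_loopback() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { sub(/#.*/, "") }
        ($1 ~ /^127\./ || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == n) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Parse "dig +short SRV" output (priority weight port target) on stdin into
# target:port lines, trailing dot removed.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Print the KDC and LDAP SRV targets AD publishes for DOMAIN. An empty
# result means the client is not using the AD DNS zone.
ad_srv_targets() {
    for rec in "_kerberos._udp.$1" "_ldap._tcp.dc._msdcs.$1"; do
        printf '%s -> ' "$rec"
        dig +short SRV "$rec" | parse_srv | paste -sd ' ' -
    done
}

# For each address of DC, check that reverse DNS maps back to the same name.
# MIT Kerberos canonicalises service host names through reverse lookup by
# default (rdns = true), so a missing or wrong PTR makes it ask for an SPN
# the KDC does not know.
dc_reverse_ok() {
    dc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    rc=0
    for ip in $(getent ahosts "$dc" | awk '{ print $1 }' | sort -u); do
        rev=$(dig +short -x "$ip" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
        if [ "$rev" != "$dc" ]; then
            echo "reverse DNS for $ip is '$rev', expected $dc" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: AD_DOMAIN=corp.example.com AD_DC=dc01.corp.example.com sh ad-preflight-names.sh
if [ -n "${AD_DOMAIN:-}" ]; then
    fqdn=$(hostname -f)
    case $fqdn in
        *.$AD_DOMAIN) echo "FQDN $fqdn is in $AD_DOMAIN" ;;
        *) echo "FQDN '$fqdn' is not under $AD_DOMAIN; fix hostnamectl and /etc/hosts" >&2 ;;
    esac
    if fqdn_on_loopback /etc/hosts "$fqdn"; then
        echo "$fqdn is mapped to a loopback address in /etc/hosts; use the NIC address instead" >&2
    fi
    ad_srv_targets "$AD_DOMAIN"
    if [ -n "${AD_DC:-}" ]; then dc_reverse_ok "$AD_DC"; fi
fi
```

The fix for the hosts-file finding is to replace the 127.0.1.1 line with the interface address followed by the FQDN and then the short name, and to make sure “hostname -f” returns the FQDN. Fixing the PTR records on the AD DNS server is preferable to setting rdns = false in krb5.conf, which only hides the symptom.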

Joining the domain

Now that Kerberos is successfully tested, I am ready to join the domain. The tool I'll be using, “realm”, was installed with the realmd package. Use the following command:

realm join --verbose --user=admin --computer-ou=OU=Linux,DC=corp,DC=bitsofwater,DC=com

In the example above I've turned on verbose output, told the command that I will be using the user named “Admin” to join the domain, and put the created object into the “Linux” organizational unit in the “” domain. Hit enter and you'll be prompted for the password; enter it and the domain join is executed. If all goes well it ends with “Successfully enrolled machine in realm”. Easy, right!? Two things worth knowing: the join account does not need to be a Domain Admin, only the right to create computer objects in that OU (delegate “Create Computer objects” on the OU to a dedicated join account and use that instead), and the join stores the computer account's Kerberos keys in /etc/krb5.keytab. That keytab is the machine's credential to the domain and must stay readable by root only.


Checking the domain, a new object is created in the organizational unit.


If you want to change any configuration setting at a later stage, edit the SSSD configuration at “/etc/sssd/sssd.conf” (it must stay owned by root with mode 0600 or SSSD refuses to start) and restart SSSD afterwards with “systemctl restart sssd”. The only thing I changed is the entry “ldap_id_mapping”, which I set to “True” because I don't have the POSIX attributes (uidNumber/gidNumber) set in Active Directory; without it I could not log in, because SSSD can't translate the users to Unix IDs. This is the same switch as automatic-id-mapping in realmd.conf, so setting that to yes before the join saves the edit. Decide on ID mapping before the first domain user logs in: switching it later changes every domain user's UID and leaves their existing files owned by the old IDs.

Login Screen

For domain users to be able to log in on Ubuntu 16.04 the login screen needed to be reconfigured. Normally it only lists the local users, without the possibility for other, domain based users to log in. This capability was enabled by editing the Unity greeter configuration located at “/usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf” and adding the line:


On Ubuntu 18.04 there's no need to change the login screen anymore. Simply selecting “Not Listed?” on the GDM screen gives you a username/password prompt. Enter the username with the domain suffix (user@domain), or without it if you configure a default domain suffix as described in the update at the end of this post.


And that's it! Log in with a domain account: the user is authenticated against Active Directory and a local home folder is automatically created for the user.

I hope that you will find this information useful.

10-07-2018: Update after user feedback

Make sure that your Active Directory DNS is prepared for IPv6, as Ubuntu 18.04 combined with Windows Server 2016 seems to prefer IPv6 under certain circumstances. A user and I both got the error message “Couldn't join realm: Insufficient permissions to join the domain”. It's a misleading message: it turned out to be missing IPv6 information in AD DNS. The solution was to fix DNS (or, failing that, disable IPv6 on the client).

In my example above I used the domain suffix during login. At that time I didn't know that there was an option to select a default domain so that you only have to enter the user name. Edit the [sssd] section in “/etc/sssd/sssd.conf” to include “default_domain_suffix” set to your domain, and restart SSSD afterwards.
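Added example (not from the original post) for editing sssd.conf as described under “Joining the domain” and in this update: a small in-place editor that sets a key inside a given section, used to flip ldap_id_mapping and to add default_domain_suffix, followed by the permission check SSSD insists on, a syntax check with sssctl and a restart. The domain name is a placeholder, and sssctl is assumed to come from the sssd-tools package installed earlier.

```shell
#!/bin/sh
# sssd-conf-edit.sh: added example, not from the original post.
# Changes a key inside a section of /etc/sssd/sssd.conf in place, checks the
# permissions sssd insists on, validates and restarts. Assumptions: the
# domain name is a placeholder; sssctl comes from sssd-tools (sssd 1.16).

# Set "KEY = VALUE" inside [SECTION] of an INI-style FILE: replace the key if
# the section already has it, append it to the section otherwise, and create
# the section at the end of the file if it does not exist. The file is
# rewritten through cat so its owner and mode are preserved.
set_ini_option() {
    file=$1 section=$2 key=$3 value=$4
    ini_tmp=$(mktemp) || return 1
    awk -v s="[$section]" -v k="$key" -v v="$value" '
        # emit the key if the section ends without it, then any held blanks
        function flush() {
            if (insec && !done) { print k " = " v; done = 1 }
            printf "%s", held; held = ""
        }
        /^[[:space:]]*\[/ {                 # section header
            flush()
            line = $0; gsub(/[[:space:]]/, "", line)
            insec = (line == s); if (insec) seen = 1
            print; next
        }
        insec && /^[[:space:]]*$/ { held = held $0 "\n"; next }
        insec && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            printf "%s", held; held = ""
            if (!done) { print k " = " v; done = 1 }   # duplicates are dropped
            next
        }
        { printf "%s", held; held = ""; print }
        END { flush(); if (!seen) { print ""; print s; print k " = " v } }
    ' "$file" >"$ini_tmp" && cat "$ini_tmp" >"$file"
    rc=$?
    rm -f "$ini_tmp"
    return $rc
}

# sssd refuses to start unless sssd.conf is mode 0600; keep it owned by
# root as well, since it can hold an LDAP bind password.
sssd_conf_mode_ok() {
    [ "$(stat -c '%a' "$1")" = 600 ]
}

# Apply the two changes from the post, then validate and restart. Changing
# ldap_id_mapping after users have logged in changes their UIDs, so do this
# before the first domain login or be prepared to chown home directories.
apply_sssd_changes() {
    domain=$1
    conf=/etc/sssd/sssd.conf
    set_ini_option "$conf" "domain/$domain" ldap_id_mapping True
    set_ini_option "$conf" sssd default_domain_suffix "$domain"
    chown root:root "$conf" && chmod 600 "$conf"
    sssd_conf_mode_ok "$conf" || return 1
    sssctl config-check || return 1          # syntax and permission checks
    systemctl restart sssd && sss_cache -E   # drop entries cached with the old settings
}

# Usage (as root): AD_DOMAIN=corp.example.com sh sssd-conf-edit.sh
if [ -n "${AD_DOMAIN:-}" ]; then
    apply_sssd_changes "$AD_DOMAIN"
fi
```

The section for the joined realm is named “domain/<realm>”, matching the entry in the “domains =” line of the [sssd] section, so the same helper can be used for any of the per-domain settings quoted in the comments below (fallback_homedir, access_provider, ad_gpo_access_control). Because the awk program rewrites the whole file, keep a copy of sssd.conf before the first run.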




88 thoughts on “Join Ubuntu 18.04 to Active Directory”

  1. I’ve tried these instructions just now using Ubuntu 18.04 in a Virtualbox VM, and I cannot authenticate. I have a computer object registered on my domain controller, but when I try to authenticate with su or even rebooting into the login prompt, nothing works. I’ve had this exact same problem with every other guide I follow.


  2. Hi Sarah,

    Thanks for your feedback! Is there any other error message that you got? Anything in the logs? I had that same problem also, just didn't understand it at first. Messed around a lot with the config.

    Where does it go wrong:
    realm join
    or interactive logon

    Let’s see if we can solve it.


    1. I have figured out the rest but the interactive logon doesn't work, regardless of the account attempted. I just get an error “Sorry that didn't work. Please try again.” All usernames and passwords are correct. No logs that provide any insight either.

      Kinit works. my domain is in the realm list. Cannot logon with AD user account though.

      What do you need from me to dissect this?


      1. I’ve been gathering information and did some testing with creating a sudoers object in AD. You will need to do a schema update though. I’m planning a new blog post on the subject. Seems to be more efficient to do centralized sudo users management.


  3. This problem on Ubuntu has bugged me for weeks:

    All the packages were installed fine. Realm discover went fine. Kinit, klist, kdestroy all went fine. But when I try realm join, after I entered password for the domain admin, I got this error message:

    ! Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    adcli: couldn’t connect to domain: Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    ! Insufficient permissions to join the domain
    realm: Couldn’t join realm: Insufficient permissions to join the domain

    At the same time, if I try the same thing from a CentOS box, then everything works just fine.

    In the case of the Ubuntu box, the error from the AD side is: eRR-S-PRINCIPAL-UNKNOWN (7). As it turned out, the Kerberos request that resulted in such an error is a TGS-REQ request.

    I compared the requests sent from an Ubuntu box and a CentOS box. In CentOS's case, it's kRB5-NT-SRV-HST ldap/, which worked perfectly. Whereas in Ubuntu's case, the principal name for the service is: kRB5-NT-SRV-HST ldap/localhost, which inevitably results in an unknown principal name error.

    Here are the version of software I’m using:
    ii realmd 0.16.3-1 amd64 DBus service for configuring kerberos and other online identities
    ii adcli 0.8.2-1 amd64 Tool for performing actions on an Active Directory domain
    ii sssd 1.16.1-1ubuntu1 amd64 System Security Services Daemon — metapackage
    ii sssd-ad 1.16.1-1ubuntu1 amd64 System Security Services Daemon — Active Directory back end
    ii sssd-ad-common 1.16.1-1ubuntu1 amd64 System Security Services Daemon — PAC responder
    ii sssd-common 1.16.1-1ubuntu1 amd64 System Security Services Daemon — common files
    ii sssd-dbus 1.16.1-1ubuntu1 amd64 System Security Services Daemon — D-Bus responder
    ii sssd-ipa 1.16.1-1ubuntu1 amd64 System Security Services Daemon — IPA back end
    ii sssd-krb5 1.16.1-1ubuntu1 amd64 System Security Services Daemon — Kerberos back end
    ii sssd-krb5-common 1.16.1-1ubuntu1 amd64 System Security Services Daemon — Kerberos helpers
    ii sssd-ldap 1.16.1-1ubuntu1 amd64 System Security Services Daemon — LDAP back end
    ii sssd-proxy 1.16.1-1ubuntu1 amd64 System Security Services Daemon — proxy back end
    ii sssd-tools 1.16.1-1ubuntu1 amd64 System Security Services Daemon — tools

    Dear Sir, can you spot whether there is a version difference with what you are using? Or maybe you can point me in a different direction for troubleshooting? Thanks!


    1. Hi,

      What I can make out from the logs is that your account does not have the user rights to join the domain. “! Insufficient permissions to join the domain”. Could you give it a try with a domain admin or equivalent account?


    2. Ubuntu sets up the /etc/hosts file a little differently to CentOS and I think this is where your problem might be. Try removing the line from your hosts file for the and ensure you have a line using the NIC IP address for your system with the FQDN and hostname of your server, e.g.

      # Comment this out
      # server

      # Add this server


      1. That's a very good remark. I experienced somewhat the same when I started cloning my VMs. Renamed my machine using “hostnamectl set-hostname “. Actually had some issues joining the domain as well. Turned out that the hosts file still contained the former name of the computer.


    3. Small update. I started to experience the exact same thing after I had upgraded my Windows server to 2016. After a few hours of troubleshooting I noticed that a ping dc01 would return an IPv6 address instead of IPv4. For simplicity sake I added the dc01 fqdn in the hosts file on a IPv4 address and it worked!

      Hope this helps anyone.


    4. Hey, I had this same error; for me at least it was an issue with reverse DNS being incorrect. You can either fix reverse DNS or add rdns=false to krb5.conf. I suggest fixing reverse DNS; the krb5.conf change is just a workaround.


  4. Here’s a fun gotcha that took me a while to figure out: if you already *have* a local user with the same name as the username on your domain, you’ll need to rename that user account, otherwise (at least in 18.04) creating the domain user’s home directory will fail. Even though the new one is in /home//user and the old one was at /home/. No idea why.


    1. Hi Jason,

      I've just tested it on my setup and that worked as expected. Had both a superuser in AD and locally. Have you checked your sssd.conf file to include fallback_homedir = /home/%d/%u? The %d will create a directory that represents your domain, creating a home directory inside with the username.


      1. The fallback dir is definitely not colliding with the existing one – as far as I can tell (and nothing in the logs was really illuminating), it falls over simply because the usernames are the same. Once I used usermod to rename my old user, this all worked perfectly.


  5. I have one sort-of superficial question though: how can we populate the user information for the local account for the domain user? For example, at the moment instead of my full name, my entry on the login screen and in Gnome’s menu is simply the capitalised version of my domain username. Do you know of a way to change that?


    1. That I would have to guess. Take my user “John Doe” for example with the sAMAccountname “john”. In my setup the gnome menu on the top right of the screen shows “John Doe” instead of his login name. My best bet would be that the displayName attribute from the user account in AD is used here. Hope it helps.


      1. Hmm, my “displayName” is , – my Gnome menu definitely doesn’t display that. Do you know which part of this (sssd, realmd, pam) would be responsible for populating that?


  6. To answer my last question, it looks like SSSD, specifically the “sss_useradd” command. But there’s no way to configure displayed user name.


  7. Hi Michael,

    I've just followed your tutorial and it works partially. I have a domain on a Zentyal Server; I did everything and everything works except the login.

    I can't log in from Ubuntu using the %u@domain. Do you have any idea?


      1. Kinit works fine, I can order a ticket for the user I want to login.


        domains =
        config_file_version = 2
        services = nss, pam

        ad_domain =
        krb5_realm = CHARLOTTESCHOOL.UK
        realmd_tags = manages-system joined-with-adcli
        cache_credentials = True
        id_provider = ad
        krb5_store_password_if_offline = True
        default_shell = /bin/bash
        ldap_id_mapping = True
        use_fully_qualified_names = True
        fallback_homedir = /home/%d/%u
        access_provider = ad


  8. One more tip: you need to update apparmor’s home directories list. Do sudo dpkg-reconfigure apparmor and enter /home/ Not doing this makes snap apps fail with ‘cannot create user data directory’ as per bug #1620771.


  9. Thanks to everyone here for being so helpful. Starting a week ago maybe, it seems there was a change made to something that broke SSSD AD support. I can sudo -s -u %USER% and become that AD user with no issues after joining, but trying to log into a session in the first place as that user just says “system error.” There are no hints to speak of in /var/log/auth.log or anything in the SSSD logs beyond reiterating “system error.” Does anyone have any ideas what might be happening here?


  10. Great article, after 2 days I came to this manual and solved my issue, and now I am able to log in with the domain user, thanks Michael.
    I have now one question: I am able to do RDP with XRDP with the regular admin user but can't do RDP login with domain users, do you know why? Or how can I solve it? I am using Ubuntu 18.04.



  11. Michael – thank you for the guide. I was even able to add the Domain Admins group to the ‘sudoers’ list so they could effectively be admins of the Ubuntu server. I added `”%domain admins” ALL=(ALL) ALL` to `/etc/sudoers` and then added “sudo” to the `/etc/sssd/sssd.conf` file; i.e. `services = nss, pam, sudo`.

    My goal now is to create a share on the Ubuntu box that the domain admins can access from windows. I would greatly appreciate any guidance you can give to help me accomplish this.


  12. Hi Derek,

    Thanks for the feedback. Always appreciate people taking the time to write back to me. Did you see my guide on centrally managing SUDO users? It’s listed here:

    As for creating a samba share that should be really straightforward. Look here:

    Hope it helps!


    1. Thanks for the prompt response, Michael.

      I did see your ‘sudo/AD’ guide and may try that in my local environment; but there would likely be too much red-tape involved to implement that in a client environment.

      I will check out your link for the samba share, thanks again!


  13. Very nice manual and works really well. Big hug for this, been digging around in the web a lot and nearly was going to let Ubuntu down in favor of Windows …

    Just one addition for special case:
    If you have an AD domain with a .local ending, then you need to change something to make it work with avahi on Ubuntu 18.04 (FQDN resolution for the local domain will not work otherwise). Credits to, I have removed [NOTFOUND=return] in /etc/nsswitch.conf and then it worked out fine.


  14. Hey Michael,

    Great article!

    I am having a similar problem as Al-Qalifah. I can join the domain but I cannot get a user to authenticate when adding an account. The message I receive is “Failed to register account: No user with the name found.” Our domain users are not under the Users OU but rather the Employees OU. I'm assuming that is the problem. I cannot find anything else in the logs that hints at a solution.



    1. Okay I did the realm register. Now able to almost sign in with an AD account, but now it looks like it tries to log in then just circles back to the login screen where it has now created a second user listed. Still can’t get in. Any thoughts?


  15. Hi
    Very good guide.. many tx..

    Am sorry.. please help. Been scratching around for days…

    AD is server 2016. Ubuntu 18.04

    realm/sssd is making all the right noises. Joined the domain fine. Can id my AD user.
    Can su - username. No probs.

    But I cannot log in. After I type in my username it says Access Denied, but lets me put in my password, with another Access Denied.

    I get the feeling it is a PAM error.

    I ran pam-auth-update to allow the creation of home directories..

    Whilst waiting for some wisdom 🙂 Will try the home directory ignore switch?

    Here is my sssd.conf… and below that a slab of a level 9 sssd_pam.log file.. See the error messages?


    domains = orange.schools.internal
    config_file_version = 2
    services = nss, pam
    default_domain_suffix = ORANGE.SCHOOLS.INTERNAL

    ad_domain = orange.schools.internal
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    ad_gpo_access_control = permissive


    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pd_set_primary_name] (0x0400): User’s primary name is E2052982@orange.schools.internal
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [e2052982] added to PAM initgroup cache
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: ORANGE.SCHOOLS.INTERNAL
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): user: E2052982@orange.schools.internal
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost:
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2262
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: e2052982
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x55712484e940
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x55712484e940
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x5571248399e0
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][ORANGE.SCHOOLS.INTERNAL]
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_callback”: 0x55712487d490
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_timeout”: 0x55712495be40
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Running timer event 0x55712487d490 “ltdb_callback”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x55712495be40 “ltdb_timeout”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x55712487d490 “ltdb_callback”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_callback”: 0x5571248508e0
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_timeout”: 0x55712495be40
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Running timer event 0x5571248508e0 “ltdb_callback”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x55712495be40 “ltdb_timeout”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x5571248508e0 “ltdb_callback”
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_callback”: 0x55712487d490
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Added timed event “ltdb_timeout”: 0x55712495be40
    (Wed Nov 28 15:31:48 2018) [sssd[pam]] [ldb] (0x4000): Running timer event 0x55712487d490 “ltdb_callback”


  16. I am getting the following error after the kerberos step

    Failed to join the domain
    realm: Couldn’t join realm: Failed to join the domain


  17. Hi! Thanks for your guide, that is very detailed!!
    I have joined my Ubuntu 18.04 to MS 2016 AD successfully!!
    But now I have some problems…

    I want my ubuntu to be a NFS client (NFS server is a NAS) with krb5 authentication
    So I need keytab generated by KDC (MS 2016 AD)
    I found that “net ads keytab create” can get keytab remotely
    but it said I should use order “net ads join” at first….
    the problem is that when I enter the command, it always shows

    Host is not configured as a member server.
    Invalid configuration. Exiting….
    Failed to join domain: This operation is only allowed for the PDC of the domain.

    What should I do? And what's the difference between “realm join” and “net ads join”???


  18. Hi,
    I've tried till now at least 10 different guides to join an Active Directory with Ubuntu Server but I failed every time. Most of your guide worked pretty well. But trying to join the Active Directory domain failed with the following error:

    root@ubuntu-server-1804:~# realm join --verbose --user=Systemadmin --computer-ou=Linux,DC=admin-zahn,DC=local admin-zahn.local
    * Resolving: _ldap._tcp.admin-zahn.local
    * Performing LDAP DSE lookup on:
    * Performing LDAP DSE lookup on:
    * Successfully discovered: admin-zahn.local
    Password for Systemadmin:
    * Unconditionally checking packages
    * Resolving required packages
    ! PackageKit not available: The name org.freedesktop.PackageKit was not provided by any .service files
    ! Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli
    realm: Couldn't join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli

    Do you know what I’m doing wrong?



      1. But when I try to install these dependencies, it says that they are already installed

        root@ubuntu-server-1804:~# apt-get install sssd-tools sssd libnss-sss libpam-sss adcli
        Reading package lists... Done
        Building dependency tree.
        Reading state information... Done
        libnss-sss is already the newest version (1.16.1-1ubuntu1).
        libpam-sss is already the newest version (1.16.1-1ubuntu1).
        sssd is already the newest version (1.16.1-1ubuntu1).
        sssd-tools is already the newest version (1.16.1-1ubuntu1).
        adcli is already the newest version (0.8.2-1).
        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

        Do I have to configure something I maybe forgot?


    1. Not sure if you solved this, but I ran into the same problem. My issue was that PackageKit wasn't installed, which is apparently what realm uses to validate that the necessary packages are available. Just run the following command:

      apt-get install realmd packagekit


  19. First, thank you for creating this tutorial. As someone raised in a Windows environment and new to Linux, this was very helpful to begin configuring a hybrid environment. Following the steps listed above, I was able to successfully join an Ubuntu Server (not workstation) to my domain, and was able to su successfully.

    The only thing I can’t figure out at this point is how to allow domain users to log into the server via SSH. I believe it’s a PAM issue, but haven’t been able to identify the correct files or settings that need updated to allow for SSH login.

    The /var/log/auth.log reports the following when attempting to login using domain credentials:

    pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=jason@mydomain.local
    pam_sss(sshd:account): Access denied for user jason@mydomain.local: 6 (Permission denied)
    Failed password for jason@mydomain.local from port 53156 ssh2

    I’ve sifted through conflicting information through various google searches and have attempted to update various files such as sshd_conf and access_conf with no success. Ideally, I would like both domain users and locally defined users to have access to login to the server via SSH.

    Do you (or anyone else monitoring this thread) have thoughts on what PAM settings need updated/defined to allow the domain users access via SSH?

    Thank you!


  20. Hey, I have an error:

    root@a-lab-ubuntuserver-001:/home/elias# realm join -v -U lab.admin2 Azubi-Lab.local
    * Resolving: _ldap._tcp.azubi-lab.local
    * Performing LDAP DSE lookup on:
    * Successfully discovered: Azubi-Lab.local
    Password for lab.admin2:
    * Unconditionally checking packages
    * Resolving required packages
    ! PackageKit not available: The name org.freedesktop.PackageKit was not provided by any .service files
    ! Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli
    realm: Couldn’t join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli

    I tried to install these packages but they are already installed.


  21. Hello Michael and thank you for such a good article.

    In my environment sometimes it takes too long to authenticate or, even, sometimes logon only works after 3-4 attempts.

    I'm thinking whether this could be caused by a wrong configuration of the /etc/hosts file?
    I found that everywhere it is mentioned as the part 127.0.1.1 | mymachine,
    so should this be changed to add the domain controller's IP address and set its FQDN and short name accordingly instead?
    Basically I don't understand exactly what this hosts file is doing, when there are options available in resolved.conf and settings could be set in Network Manager as well.
    Does this work for setting the default DNS maybe?


    1. Hi,

      Thanks for the feedback. Yes it could be that the default dns is part of the issue you’re facing. What I found is that, for example .local domains are also a thing that is trouble in the linux world. Ever since writing this article I’ve moved back to Windows. For the most part I’ve come to the conclusion that Linux can play a big part in a home situation, but for Enterprise desktops, not so much….. But that’s just one guys opinion 🙂


  22. Hey Pal,

    Thanks for the guide for 18.04. It works like a charm except for one hitch. I can switch user to the AD account and I can SSH remotely to the machine. But I can’t use the graphical logon screen.

    I have entered the correct username and password. It seems to log me in and immediately after returns me to the logon screen.

    When I look in the auth.log I can see this behaviour too, but not what's causing it. Have you any ideas on how to solve this issue?

    Thank you for your time.


  23. Henk, try investigating the .profile configuration of the user; at the end you could find some trash descriptions generated by the system. Just delete these repeating strings which come after the basic descriptions and you should be fine to log in again. But do a backup first 🙂


  24. Thank you so much! I’ve tried this multiple times, but this is the guide that worked.

    However, when I log in, my terminal prompt looks like:$

    Is this expected, and is there a workaround so that the system believes the username is just “jdoe” instead of “”? I also had to su using the full domain name, I couldn’t use the short name (jdoe).



  25. I followed your tutorial to the letter and even copied your commands. “Kdestroy” should be made lower case. That got me in trouble 🙂


  26. Hi, I'm having the same problem as Marshall from Oct 2018. I've managed to join my workstation to the domain, but I'm unable to log in as an AD user. Could you help me?


  27. I wish I could do more for you. Since I published this article I haven’t played much with Linux and moved back to Windows. For me it was always like trial and error with these kind of messages. If you do find the solution, feel free to post it here and potentially help others.


  28. Hi – I have just set up my Kubuntu machine to join my Nethserver Samba 4 AD. Everything worked pretty well, except the realm join command I used needed a different computer-ou. I used CN=Computers,DC=domain,DC=name

    I did set this up before, then hosed my client and reinstalled. The server is pretty much a default setup – I don’t recall having to set anything else up on the server – certainly did not make a note of it, which I probably would have done.

    So cheers for the instructions. And thanks for answering all these questions 🙂


  29. Great set of instructions! The only issue I had was during the 1st login (UI): it said it was creating the home directory, the screen went black for a couple of seconds and then I was back at the login screen. Tried again, black screen and back to login. Logged back in as a local user and checked; the new home directory exists, so I tried logging in from a virtual desktop and was successful. Tried from the UI and it is working now as well.

