Active Directory Domain Join
This guide assumes you have an existing Active Directory domain and are running a Debian-based distribution.
Install required packages
Confirm domain discovery via DNS
If discovery succeeds, you should see output similar to the following:
* Resolving: _ldap._tcp.ad1.example.com
* Performing LDAP DSE lookup on: 10.51.0.5
* Successfully discovered: ad1.example.com
ad1.example.com
type: kerberos
realm-name: AD1.EXAMPLE.COM
domain-name: ad1.example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
Join device to domain
Note
adcli is used for the domain join to work around issues with Server 2025 Domain Controllers; see https://gitlab.freedesktop.org/realmd/adcli/-/issues/40 for details.
Configure SSSD
If the domain join succeeded, create a default SSSD configuration file at /etc/sssd/sssd.conf and chmod 600 the file once it is configured; SSSD will not start with a more permissive sssd.conf, and the file may hold sensitive settings.
[sssd]
domains = ad1.example.com
config_file_version = 2
services = nss, pam
[domain/ad1.example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD1.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad1.example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
Restart the SSSD service for configuration settings to be applied.
Allow user home directory creation
This causes a home directory to be created automatically for any AD user at first logon.
Testing setup
Fetch AD User information
$ getent passwd john@ad1.example.com
john@ad1.example.com:*:1725801106:1725800513:John Smith:/home/john@ad1.example.com:/bin/bash
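The whole procedure above as one script, added here as an example; it is not part of the original guide. The domain, realm, package list and sssd.conf contents are taken from the guide's own output and configuration. The join account name, the exact realm discover, adcli join and pam-auth-update invocations, and the use of systemctl are assumptions, since this copy of the guide does not show those commands.

```sh
#!/bin/sh
# Added example, not from the original guide: the Debian AD join procedure as one
# script. Domain, realm, packages and sssd.conf values come from the guide; the join
# account, the realm/adcli/pam-auth-update invocations and systemctl are assumptions.
set -eu

AD_DOMAIN="ad1.example.com"
AD_REALM="AD1.EXAMPLE.COM"
SSSD_CONF="/etc/sssd/sssd.conf"
JOIN_USER="${JOIN_USER:-Administrator}"   # assumption: an AD account allowed to join computers

# The packages listed as "required-package" by realm discover, plus realmd itself.
install_packages() {
    apt-get install -y realmd sssd-tools sssd libnss-sss libpam-sss adcli samba-common-bin
}

# Confirm the domain's SRV records resolve before attempting the join.
discover_domain() {
    realm discover "$1"
}

# Join with adcli directly (see the guide's note on Server 2025 domain controllers).
# adcli prompts for the join account's password on the terminal.
join_domain() {
    adcli join --verbose --domain "$1" --login-user "$JOIN_USER"
}

# Emit the guide's default sssd.conf for the given domain ($1) and realm ($2) on stdout.
render_sssd_conf() {
    cat <<EOF
[sssd]
domains = $1
config_file_version = 2
services = nss, pam

[domain/$1]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = $2
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = $1
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
}

# Write the configuration so it is never readable by other users, even briefly:
# umask 077 creates the file as 0600, and the explicit chmod covers a pre-existing file.
write_sssd_conf() {
    path="$1"
    ( umask 077; render_sssd_conf "$2" "$3" > "$path" )
    chmod 600 "$path"
}

# Succeeds only if the file has exactly mode 0600 (SSSD refuses looser permissions).
sssd_conf_mode_ok() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600 -print)" ]
}

# Verify NSS can resolve an AD account; output should match the getent line in the guide.
test_lookup() {
    getent passwd "$1@$AD_DOMAIN"
}

# Run the full procedure only when asked explicitly, so the functions can be reviewed
# or sourced without touching the system:  sudo sh ad-join.sh --run
if [ "${1:-}" = "--run" ]; then
    install_packages
    discover_domain "$AD_DOMAIN"
    join_domain "$AD_DOMAIN"
    write_sssd_conf "$SSSD_CONF" "$AD_DOMAIN" "$AD_REALM"
    sssd_conf_mode_ok "$SSSD_CONF"
    pam-auth-update --enable mkhomedir      # home directory created on first logon
    systemctl restart sssd
    test_lookup john
fi
```

Running the script without --run only defines the functions, which lets you generate and inspect the rendered sssd.conf (for example with render_sssd_conf ad1.example.com AD1.EXAMPLE.COM) before touching a live system.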