From Fedora Project Wiki

Revision as of 06:17, 9 May 2013 by Stefw (talk | contribs) (Update requirements and troubleshooting)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Join the current machine to an Active Directory domain using sssd as an AD client, without entering administrative credentials.


  1. Make sure you have the required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. You need a domain administrator account.
  4. Your machine must have a configured host name. Do not proceed if you host name is localhost or similar.
    $ hostname
    Make note of the host name.
  5. Remove the following packages, they should be installed by realmd as necessary.
    $ sudo yum remove sssd samba-client
  6. Precreate the computer account in the domain, and reset its password. You can either do:
    • You can use the Active Directory Users and Computers tool on Windows Server to do this. Open the directory, right click on Computers and choose New > Computer from the menu that pops up. Fill in the name, the same as your local machine. Once the computer is created, go into Computers right click on it and Reset Account.
    • You can also use the adcli tool to create a reset computer account:
      $ adcli preset --user=AdminUser --verbose --domain hostname
      Make sure the hostname is the same as the one returned above

How to test

  1. Perform the join command. Use the --user=xxx argument to specify your domain account name.
    $ realm join
    You will be not prompted for a password for the account.
    You will be prompted for Policy Kit authorization.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your Active Directory domain is.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-membership line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer.
    $ getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your hosts keytab.
    sudo klist -k
    You should see several lines, with your host name. For example 2 HOSTNAME$@AD.EXAMPLE.COM
  4. Check that you can use your keytab with kerberos
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  5. You should not be able to use the automatic join again. To verify this, leave the domain using realm leave and then try the above How to test actions again. It should prompt for an administrative password this time.


Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --verbose