From Fedora Project Wiki
Join the current machine to an Active Directory domain using sssd as an AD client, without entering administrative credentials.
- You need the following software:
- control-center 126.96.36.199 or later
- realmd 0.14.0 or later
- Verify that your Active Directory domain access works, or set a domain up.
- You need a domain user account, an administrator account, or both. If you have both, enter the user account as the user you're going to add below.
- Your machine must have a configured host name. Do not proceed if your host name is
- Remove the following packages; realmd installs them again as necessary.
$ yum remove sssd samba-client adcli
- Make sure you are not joined to a domain. Use realm list to check, and realm leave to leave.
How to test
- Start gnome-control-center from a terminal.
- Choose the Users panel.
- Click the Unlock button.
- You should get a Policy Kit authorization prompt.
- Click the add [+] button in the lower left.
- Choose the Enterprise login pane.
- Enter an invalid domain, invalid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the domain.
- Enter the valid domain, invalid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the user.
- Enter the valid domain, valid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the password.
- Enter the right password.
- Click on Add
- If you use a non-administrative user, you may be prompted for administrative credentials. Whether this prompt appears is hard to reproduce reliably; it depends on how Active Directory handles the join.
- The user should now be listed in the User Accounts panel of the GNOME Control Center.
- Check that the domain is now configured:
$ realm list
- Make sure the domain is listed.
- Make sure you have a configured: kerberos-membership line in the output.
- Make note of the login-formats line for the next command.
- Check that you can resolve domain accounts on the local computer:
$ getent passwd 'AD\User'
- Make sure to use the quotes around the user name; otherwise the shell interprets the backslash.
- You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory and a shell.
- Use the login-formats you saw above to build the remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
- Check that you have an appropriate entry in your host's keytab:
$ sudo klist -k
- You should see several lines with your host name, including a principal of the form HOSTNAME$@AD.EXAMPLE.COM.
- Check that you can use your keytab with Kerberos:
$ sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
- Make sure to use quotes around the argument, because of the $ in the principal. Make sure the host name and realm are capitalized.
- Use the principal from the output of the klist command above: the capitalized one that looks like HOSTNAME$@AD.EXAMPLE.COM.
- There should be no output from this command when it succeeds.
- The user should show up here:
$ realm list
- Look at the
- You should also see
You can see verbose output in the terminal that you started gnome-control-center from.
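The command-line checks above (realm list, building the login name from login-formats, getent, klist -k and kinit -k) collected into one script. This is an added example and is not part of the wiki page, realmd or sssd. The sample realm list output, the host name client1 and the realm AD.EXAMPLE.COM are constructed for the example; live_check runs the real commands and is only meant to be called explicitly on a joined machine.

```shell
#!/bin/sh
# Added helper for the verification steps of this test case. Not part of
# realmd, sssd or the Fedora wiki page. The sample `realm list` output, the
# host name client1 and the realm AD.EXAMPLE.COM are constructed for the example.

# Constructed sample of `realm list` output after a successful sssd join.
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-membership
  server-software: active-directory
  client-software: sssd
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins'

# Print the value(s) of one "  field: value" line from `realm list` output.
# Usage: realm_field FIELD "$output"
realm_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: //p"
}

# Succeed only if the output carries the "configured: kerberos-membership"
# line, i.e. the machine is actually joined (the check the test case asks for).
is_joined() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*configured: kerberos-membership$'
}

# Build the remote user name from a login-formats template by replacing %U.
# Handles both the "%U@ad.example.com" and the "AD\%U" style of template.
build_login_name() {
    printf '%s\n' "$1" | sed "s/%U/$2/g"
}

# Build the host principal for `kinit -k`: HOSTNAME$@REALM, both upper case,
# which is how the computer account appears in the keytab written at join time.
host_principal() {
    host=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$host" "$realm"
}

# Run the real checks on this machine for the domain user named in $1.
# Only meaningful on a joined client; not called automatically so the
# script stays runnable offline.
live_check() {
    out=$(realm list) || return 1
    is_joined "$out" || { echo "not joined: no 'configured: kerberos-membership' line" >&2; return 1; }
    fmt=$(realm_field login-formats "$out" | head -n 1)
    realm=$(realm_field realm-name "$out" | head -n 1)
    user=$(build_login_name "$fmt" "$1")
    # Quoted, so a backslash in the name is not eaten by the shell.
    getent passwd "$user" || { echo "cannot resolve $user" >&2; return 1; }
    princ=$(host_principal "$(hostname -s)" "$realm")
    # -F: the '$' in the principal must match literally, not as a regex anchor.
    sudo klist -k | grep -qF "$princ" || { echo "$princ not in keytab" >&2; return 1; }
    # Prints nothing and exits 0 when the keytab works, as the test case expects.
    sudo kinit -k "$princ"
}

# Offline demonstration against the constructed sample.
demo() {
    is_joined "$SAMPLE_REALM_LIST" || return 1
    fmt=$(realm_field login-formats "$SAMPLE_REALM_LIST")
    realm=$(realm_field realm-name "$SAMPLE_REALM_LIST")
    echo "login name:     $(build_login_name "$fmt" User)"
    echo "host principal: $(host_principal client1 "$realm")"
}

demo
```

On a joined machine, source the script and call live_check with the domain user you added in the Users panel; it stops at the first failing step and names it, which maps directly onto the checklist above.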