For this tutorial I will be walking through how to use a tool called Realmd to connect an Ubuntu Server or Ubuntu Desktop system to a Windows Active Directory Domain.

In the past I wrote an article talking about how to use Powerbroker Identity Services to do the same thing, but the scope of the article was limited to the server version of Ubuntu only. Furthermore, it has since been my experience that PBIS is an unreliable solution at best.

Part of the confusion I have had on this issue in the last two years has been in thinking that there are only one or maybe two ways to make an Ubuntu Desktop/Server OS connect to a Microsoft Active Directory domain and they both used the same underlying stuff. In fact there are more like 10 different ways to do it all using a mix and match of different technologies.

Finally, I don’t like proprietary stuff. PBIS, while having a free version, was still proprietary. Today we will be using a suite of tools called SSSD. SSSD was created by Red Hat and it’s open source. Furthermore we will be using RealmD, which is a “wrapper” of sorts for SSSD that makes it easier to set up and configure. That’s the short of it. Let’s get started.

My Setup:
Windows Domain Controller (2012R2) w/ DNS:
Computer Name:
IP Address: (static)
DNS Server:
Domain Admin Account Name: Administrator
Second Domain Admin Account: jdoe
Security Group: linuxadmins – jdoe belongs to this group
Domain User Account: nbeam
Security Group: linuxusers – nbeam belongs to this group

As a side note about the internal domain name I am using… read this: How To Choose A Sensible Local Domain Name – There are really good reasons not to use a “fake” TLD or to use what are honestly often traditional Microsoft conventions like .local – I ran into a world of headache with Ubuntu using a .local TLD when I tried to do this the first time through! If your company has already standardized on .local I will be writing something separate about how to handle it because Ubuntu Desktop has some issues with it and for good reason…

An Ubuntu Desktop running 14.04 with Unity:
Computer Name: nix01
IP Address: (static/manual)
DNS Server:
Search Domains:
Local Account Name: tester
Tester is also in the “Sudo” Group

The Goal
Be able to log in with the jdoe and/or Administrator domain accounts on Ubuntu and have sudo rights. Be able to log in with the nbeam domain account and have regular user rights. Deny all domain users that aren’t in specifically permitted security groups from logging in.

Install Packages
On the Ubuntu box, logged in as “tester” and elevated with “sudo su”:

apt-get update
apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli packagekit vim -y

You will get prompted to enter your domain during the above install, I entered “LOC.KILOROOT.COM” (note, ALL CAPS)

Next you will need to get a kerberos ticket from the domain controller. You do this with the kinit command and a username of one of the already existing domain users. I will use “jdoe” as he is also a domain admin.

kinit -V jdoe

It will prompt for that user’s domain password, enter it. You should get the response back “Authenticated to Kerberos v5”

If that checks out then the next step is to do the domain join!

realm --verbose join -U jdoe

You will be prompted for jdoe’s domain password, enter it. Then you should get a message back along the lines of:


That’s fine. We are going to fix this by putting some config lines in our SSSD configuration file. I think this is a failing overall of Realmd which otherwise makes this much easier.

echo 'ad_hostname =' >> /etc/sssd/sssd.conf
echo 'dyndns_update = True' >> /etc/sssd/sssd.conf
service sssd restart

The first line authoritatively sets your machine’s FQDN. Other tutorials I came across had me screwing with the /etc/hosts files but I think due to the way Ubuntu/Debian handles hosts that not everything quite translates…

The second setting enables Dynamic DNS updates to run under certain conditions, specifically when SSSD restarts, hence we restart it. If you have aging/scavenging enabled on your Domain Controller’s DNS server you may want to drop a script in /etc/cron.daily/ to just restart the SSSD service on a daily basis which will initiate a DNS update. If you hop on your domain controller and look in DNS, you should see an entry for your Ubuntu machine.

That all sounds quick and easy above but it took a lot of digging to figure out…

Then the pertinent part of the rest of the message that follows after the above:

Joined 'NIX01' to dns domain ''

Followed by yet another DNS error “ERROR_DNS_GSS_ERROR” and then finally a note about the SSSD service starting and “successfully enrolled machine in the realm.”

You can now check to make sure your machine is truly joined by running realm list:

realm list

Which should return a bunch of info about the domain you are now joined to. To further check domain functionality, let’s make sure we can view the groups that users belong to…

Returns this:

uid=270401105([email protected]) gid=270400513(domain [email protected]) groups=270400513(domain [email protected]),270401110([email protected])

And for good measure…

Returns this:

uid=270401106([email protected]) gid=270400513(domain [email protected]) groups=270400513(domain [email protected]),270400572(denied rodc password replication [email protected]),270400512(domain [email protected]),270401104([email protected])

As you can see, the groups are correct for both users.

As a side note, if you change group memberships on your domain controller midway through but “id [email protected]” is still not showing the updated groups, then use the command “sss_cache --users” to clear the cached user records and then try again. That should tell Ubuntu to fetch their user info fresh from the DC.

Great, so we are now domain joined but we aren’t quite ready to authenticate with domain accounts into our machine yet…

Specify Which Groups Have Access
By default, SSSD and RealmD allow all domain users the right to login. If you want to disable that functionality, change the default to deny all.

realm deny -R -a

Next we want to allow the following groups the right to login: Domain Admins, LinuxAdmins, LinuxUsers

realm permit -R -g Domain\ Admins LinuxAdmins LinuxUsers
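A way to confirm that the deny-all-then-permit policy above actually took effect, written here as an added example and not part of the original post: it reads `realm list` output (the field layout matches the listing a reader posted in the comments) and fails if the login policy is not allow-permitted-logins or if any group outside the expected set is permitted. The function names, EXPECTED_GROUPS and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the login policy that `realm list` reports.
# Function names and EXPECTED_GROUPS are illustrative, not part of realmd.

# Groups this tutorial permits. Compared case-insensitively.
EXPECTED_GROUPS="Domain Admins,LinuxAdmins,LinuxUsers"

# Constructed sample listings in the layout `realm list` prints.
SAMPLE_GOOD='example.test
  type: kerberos
  realm-name: EXAMPLE.TEST
  configured: kerberos-member
  login-policy: allow-permitted-logins
  permitted-groups: Domain Admins, LinuxAdmins, LinuxUsers'

SAMPLE_BROAD='example.test
  type: kerberos
  realm-name: EXAMPLE.TEST
  login-policy: allow-permitted-logins
  permitted-groups: Domain Admins, Users'

SAMPLE_OPEN='example.test
  type: kerberos
  realm-name: EXAMPLE.TEST
  login-policy: allow-realm-logins'

# Print the value of the first "name: value" line found on stdin.
# If several realms are listed, only the first one is inspected.
realm_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" | head -n 1
}

# Turn "A, B,C" into one trimmed, lower-cased entry per line.
normalise_list() {
    printf '%s\n' "$1" | tr ',' '\n' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Read `realm list` output on stdin.
# Returns 0 = policy as intended, 1 = not restricted to permitted logins,
#         2 = a group outside EXPECTED_GROUPS may log in.
audit_login_policy() {
    text=$(cat)
    policy=$(printf '%s\n' "$text" | realm_field login-policy)
    if [ "$policy" != "allow-permitted-logins" ]; then
        echo "FAIL: login-policy is '${policy:-missing}', expected allow-permitted-logins"
        return 1
    fi
    permitted=$(normalise_list "$(printf '%s\n' "$text" | realm_field permitted-groups)")
    expected=$(normalise_list "$EXPECTED_GROUPS")
    # Keep only permitted groups that are not a whole-line match in the expected set.
    extra=$(printf '%s\n' "$permitted" | grep -vxF -e "$expected" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/FAIL: unexpected permitted group: /'
        return 2
    fi
    echo "OK: login restricted to expected groups"
    return 0
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_GOOD" "$SAMPLE_BROAD" "$SAMPLE_OPEN"; do
    printf '%s\n' "$sample" | audit_login_policy || true
done
```

On a joined machine, pipe the real listing in with `realm list | audit_login_policy`.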

Specify Which Groups Have Sudo Privileges
Use visudo to modify the /etc/sudoers file and specify which groups have sudo privileges.


Add the following lines to the bottom of the file:

%domain\ [email protected] ALL=(ALL:ALL) ALL
%[email protected] ALL=(ALL:ALL) ALL

Make Sure Each New Domain User That Logs In Gets a Home Directory (REQUIRED FOR UBUNTU DESKTOP)

echo 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' >> /etc/pam.d/common-session

First Test of Truth – SSH Login with Domain Credentials
You can skip this if you don’t plan on using SSH. If you are running the server version of Ubuntu then SSH is probably already installed, if not (i.e. you are running Ubuntu Desktop) then you can install it with “apt-get install openssh-server”.

Now it is time for the first test of domain authentication. Open up an SSH session to your server and try to login with your domain credentials. The USERNAME format should be:

I tried with my nbeam account first, which should NOT have sudoer permissions. It worked and I was not able to elevate. I then tested with the jdoe account and could login and elevate and the same with the administrator account. I finally added one more dummy account in Active Directory with no group memberships and attempted to login and got denied. So all is working correctly.

Enabling Desktop Authentication
Finally, we need to enable a few more things to get authentication into the GUI desktop working. This is for Unity, which by default doesn’t allow you to “free-form” enter a username but rather only lets you select from a list of users. To change that…

echo 'greeter-show-manual-login=true' >> /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
echo 'greeter-hide-users=true' >> /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
echo 'allow-guest=false' >> /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

The second item hides all of the users who have logged in previously from the selection list, which is generally a requirement for most businesses. The third disables guest account access via the GUI.

Reboot the system, then you can log in to Unity with [email protected] and you should get a desktop!


I really like the combination of RealmD with SSSD. I feel like I have a lot more control and understanding vs. PBIS but that also might just be having a few more years under my belt compared to my first attempt. However I get the feeling that SSSD is a much better package and with Red Hat behind it I would imagine it will continue to get updated over time.

That all being said, the above was a bit heavy as far as the amount of work required so I plan on scripting the majority of it and I will provide my results as an update on this post at a later time. I think it should be quite easy to script almost all of this out.

In the meantime, this is a full-fledged working solution from what I can tell! So enjoy!


RealmD & SSSD:



DNS Resolving and .local:

Pure SSSD Setup?

35 comments on: Add Ubuntu 14.04 Server or Desktop to Microsoft Active Directory Domain – Login to Unity with Windows Domain Credentials

  1. Pingback: Add Ubuntu 14.04 LTS Server to a Windows Active Directory Domain – Fullest Integration « KiloRoot

  2. Kevin

    What kind of problems were you having with PBIS? I found your article a long time ago and have been using it for a while now. The only thing I noticed was after a reboot it took a little while for login to start working (minute or so).

    Thanks for the great articles!

    • nbeam

      Namely – Domain Authentication stopped working for almost all of my Ubuntu servers. 🙂 That was the problem. IMHO a primary requirement of an authentication system is that it should work with minimal admin intervention. Time will only really tell if SSSD and RealmD meet this requirement and perhaps I will end up writing a third article about some other method in a year or two’s time. That being said, I “feel” a lot better about SSSD and RealmD because SSSD is actively developed by Redhat and it is part of the Ubuntu repositories (I can apt-get it) which means it is (hopefully) going to stay more up-to-date with less manual intervention. Furthermore, I don’t have to go to some third-party site, register, give them my personal contact info (so they can market to me) to download it. Something I always hated with PBIS (and other proprietary software). As a point of clarification, my understanding of RealmD is that it is essentially a tool-kit for easing configuration and management of SSSD but isn’t actively running and doing stuff for authentication.

      Cheers 🙂 – I am happy to write the articles. It is like an easy dumping ground for all the stuff in my head (and my browser lol). One of my favorite experiences is closing the 10 or 20 (or 40 or 50…) Chrome Tabs I have open (from research) after I finish an article. (My system has 12 GB of RAM and anywhere from 4 to 9 GB is typically taken up by just Chrome I think on any given day) This blog helps me out immensely (I reference articles from my own blog almost daily) and I hope it does the same for others.

      • Kevin

        Thank you for letting me know. I haven’t come across the auth issues yet… I do like that you can apt-get it and that it is open. I hope to give this a try soon.

        I think as a sysadmin you are required to have three browsers with as many tabs open as possible! 😉

  3. Nick

    have a .local domain that is already established but would like to authenticate to Linux machines using Active Directory… When I try to run the kinit -v command against a domain admin account I get the following error: “kinit: Credentials cache file ‘/tmp/krb5cc_0’ not found while validating credentials”

    I can successfully run kinit administrator and it will prompt for a password and let me authenticate, I’m assuming caching the credentials.. Then I tried running kinit -v again I get this error: “kinit: KDC can’t fulfill requested option while validating credentials”

    Haven’t tried going through the rest of your guide yet.. as I assume the “-v” option is important…

    Any help for us “.local” domain admins? 🙂


    • nbeam

      I setup on a test domain and setup so I could get the bloody article finished because, I, like you, am also often working with .local domains in the professional space. 🙂

      Okay so I haven’t gotten any articles written regarding fixing all the issues that occur when using .local however I did go ahead and reference all the pages for my research on the issue in the “references” section below. Click on “references” at the bottom of the post to expand, then look at the links under “DNS Resolving and .local” and that should give you a place to start.

      My guess is this is less of an issue with the server version of ubuntu because the Avahi daemon is not in use (at least, when I run, avahi-daemon --check, I get “Avahi-daemon” is not installed). Long story short, Ubuntu (and many many many other platforms) use .local as a sort of “windows workgroup” type setup. So let’s say you have a bunch of ubuntu desktop boxes on the same local network/subnet. I believe the AVAHI daemon runs and provides a sort of piecemeal DNS so that I can talk to ubuntu-desktop-200 at by its hostname from ubuntu-desktop-100 at by, for example, ping ubuntu-desktop-200.local.

      Windows does the same/similar with workgroups (I think, I don’t use them very often) in that windows machines on the same subnet can all be contacted by name (using WINS I think).

      That is my very unscientific and under-researched understanding of what is going on.

      The short answer is that you can hack the setup and change it so that avahi uses a different domain other than .local –or– you can just remove it altogether. I think my preference would be to just remove it. However I am not sure if that is the only component expecting to use the .local so I can’t give much advice beyond this general explanation.

      I think the third link in that section “smallbusiness.chron” is the one that shed the most light on the issue for me.

      I hope this is of some help 🙂

      • Nick

        Other contributing factors, I’m running this Ubuntu 14.04 (desktop version) on a VM through Hyper-V. I don’t know if that changes anything that would affect domain name resolution, however I do believe the problems stem from the fact that /etc/resolv.conf and hostname -i both return results like, also local files that have to do with name resolution refer to the nameservers…

        So I may try going through these steps again using the Ubuntu Server version and see if I’m still hitting the same roadblocks. I did find a way to input manually defined nameservers ahead of the which may have an effect. I’ll post back when I have the time to run through this again.. and when Ubuntu server 14.04 finally finishes downloading…


      • nbeam

        See my comment to In Sung Cho regarding the thing. It is an oddity unique to Debian and its variants but is there with reason. Kind regards, and good luck.

  4. In Sung Cho

    Thank you very much for detailed information.

    I followed your steps in Ubuntu 14.04 and got it to work up-to the step below.
    “id [email protected]

    When I run the query the above with our id and domain, I get “no such user” error.

    Do you happen to know what could cause this? (Joined AD and DNS seems to be working.)

    • nbeam

      First the basics I guess:
      What is your DNS resolver set to on your ubuntu machine? It must be set to the domain controller’s IP address, and ONLY the Domain Controller’s IP address. Do not use like or for a secondary. This is a good rule for purely windows networks as well by the way. You should always be running all DNS queries through a DC, otherwise you end up with sporadic authentication problems (which will make an admin tear his hair out slowly over the course of several days…). At least, that has been my experience but all my hair grew back.

      If that is set, the next thing I would ensure is that you can ping your DC and that you don’t have any firewalls in-between. So as a temporary measure, disable IPtables (if in use) on the ubuntu host, disable Windows Firewall (if in use) on your Windows DC, and finally set up rules on any intervening hardware firewalls allowing all traffic to pass through.

      Then try again, if it works, then you have a firewall issue somewhere you need to resolve (probably just a port that needs to be open). I have an article on which ports need to be open for Windows AD stuff:

      If your firewall isn’t the issue, and your DNS is set properly, and it sounds like you were able to do a domain join, you can try running: realm list

      on your ubuntu machine and tell us what comes back… That was the step right before the step you listed in your post. If that is running correctly then my next guess would be it is something with your active directory setup (i.e. your user is off in some OU that for whatever reason isn’t being picked up) –or– perhaps your username isn’t what you think it is? I have seen this happen where, for whatever reason, a user’s email differs from their username and that can cause some confusion.

      Anyhow, I am stabbing a bit in the dark and I hope this is somewhat helpful. Please come back and tell us if you figure it out and what the problem/fix was.

      Cheers and good luck!

      • In Sung Cho

        Thanks very much for detailed information.

        I was reviewing the SSSD log file and found that I was getting “object uid is too long to map” error. so I defined ldap_idmap_range_max in sssd.conf.

        After this – it’s working now.

        Thank you very much for all your support!!!!!!

      • nbeam

        That’s excellent!! Thank you for the update, I am sure this will help other folks running into similar issues! I appreciate you taking the time to report back.

    • nbeam

      Another note on the DNS setup, do not edit /etc/resolv.conf directly on an Ubuntu desktop. Use the GUI stuff to make the modifications. Ubuntu Desktop uses network-manager with GUI to handle networking which differs from the Server version. This has tripped me up on countless occasions. Also do not edit the IP addresses in /etc/hosts directly unless you want to find yourself a bit confused. Debian/Ubuntu introduced a bug work around that interposes a address bound to the loopback interface and this is somehow linked/routed/whatever to whichever real IP address is tied to your server. More on that here:

      There are honestly a slew of “quirks” I have run into when moving from the pure “server” version of Ubuntu to the Desktop version. Just be aware that while the two distributions are largely similar, there are some key differences.

  5. Arnoldas Moisejukas

    We had issues with PBIS and SAMBA, so the other options were winbind and sssd,
    we set up sssd using the guide you provided and we can’t login
    the realm list and id are displaying everything correct, we added the rights for domain admins group in visudo and realm
    but we can’t login, we get access denied, I even blocked the user several times, have you any idea how to troubleshoot this problem?

    • nbeam

      What logs on the system have you looked at? Start with /var/log/auth.log and work your way around. I believe sssd also generates a log.

      • Arnold

        the problem was that when setting up the packages I did not get the kerberos configuration message, so I assumed that it filled everything in, but the part that was missing was:
        [realms] = {
        kdc =
        kdc =
        admin_server =
        now everything works perfectly!

      • nbeam

        Awesome. I don’t remember having to manually configure SSSD with the KDC information. I was thinking RealmD autopopulated that for me. I am glad you found the source of your trouble, I am curious what led up to it though. Thanks for reporting back!

  6. Sean

    Hi I’m currently having an issue with the “Specify Which Groups Have Access” section when I run “realm deny -R -a” or “realm permit -R -g Domain\ Admins LinuxAdmins LinuxUsers” I get the following error message “realm: Couldn’t find a matching realm” and can’t seem to get past this. Any help is appreciated.

    • nbeam

      Does “realm list” give you anything back? You should get a tidy bit of info back from that command.

  7. Phillip Ankerson

    Great article. Any idea if this will work for ProxMox boxes? I want to add a cluster of them to an AD domain…

    • nbeam

      I have an “idea” that it might work :), but I haven’t tested it. I am loathe to make heavy modifications to my proxmox host machines. I have a lab environment though and it might be fun to play with.

      That being said, Proxmox is based on Debian. So as long as the packages are available in the debian repos I think you would have a pretty good shot. I haven’t tested it though.

      Have you built a cluster with Proxmox yet? I have built one but I found it to be a tad on the flaky side. When you start clustering it adds all kinds of stuff to the proxmox deployment. I would strongly suggest deploying in dev/test/lab first (if you haven’t already).

      That being said, when I built my cluster I was toying around with CEPH for distributed shared storage. I wanted to see what “cheap” hyper-converged infrastructure looked like. I also didn’t have a proper shared storage infrastructure. I essentially had some free NFS software running on a windows desktop to present a network share for some of the shared storage.

      Oh, I also did clustering across two public servers (in different countries) using TINC to create a private vpn network between them. That was an interesting setup. However when I went to back one of the devices out of the cluster all hell broke loose. All that to say, if/when you are ready to cluster be very sure you want to cluster because there is no (easy) way to go back short of rebuilding the host.

      One other word of caution of sorts. What is the end of your domain name? If you are using “.local” you may run into issues. A lot of MS AD “legacy” networks were set up with internal “.local” domains because Microsoft used to use “contoso.local” in a lot of their documentation as an example. The short answer is that linux and domains that end in “.local” don’t always play nicely together. Debian and Ubuntu particularly have issues.

      • Phillip

        It’s a hosted box ( I believe) with four VMs so I assume it is solid. But we will see.

  8. Jimmy Griffin


    Within the sssd.conf file, does anyone know what the syntax should be to allow me to switch between different shells?


    [email protected]:~$ chsh -s /bin/zsh Password: chsh: user ‘example’ does not exist in /etc/passwd

    Great article and reference guide!

  9. ztagre

    This process worked perfectly for me on my Ubuntu 16.04 Server system! I am running a Windows Server 2008 R2 AD domain with two domain controllers and two DNS servers (DNS servers also on the Windows DC boxes…). The Ubuntu box joined this domain without a hitch, and user authentication works perfectly as described…

    My question is: How do I go about getting my Samba shares to work again? I’m pretty sure that the “standard” default smb.conf file will no longer be valid in this configuration (or am I wrong here?). Anyhow, If nothing needs to change, and the original file DOES work, then why can’t I share any folders from my Ubuntu box? I know how to do this when this machine is NOT joined to the AD domain, so I don’t need any help along those lines…

    I really NEED to access those shares, or this process will not work for me!

    Any help would be very much appreciated!


  10. perwez

    Thanks for the post, I have set up everything as per suggestion but while I am trying to login on my desktop through [email protected] it displays the message invalid password and the user is not able to login, please suggest what to do.

    i am using windows server 2012 for AD
    and ubuntu 14.04 for client


    • Balaji Mohan

      @Perwez. Did you manage to resolve the issue? If yes, can you share the resolution please. I’m running into the same issue

  11. Steven Steiner

    Just found your article, followed it to the tee, until the setup for the GUI (running on server). Using a .local domain and it works wonderfully!! 🙂

    Tried many other methods, yours just worked and did what I wanted it to.

    Thank you!

  12. Biso

    I followed the instructions but I am not able to login via ssh.
    I added to domain, getent passwd works, kinit username works, but not the login.

    On the pam log I found:
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 3143
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b150:3:[email protected]]
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [][3][1][name=bisontim]
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b150:3:[email protected]]
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider – DP error code: 1 errno: 11 error message: Offline
    (Thu Oct 20 08:20:07 2016) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider
    Error: 1, 11, Offline

    What could I check?

    Thanks a lot.
    Best regards

    • Biso

      I solved it.
      It was an authorization problem : ubuntu host can reach only one Domain Controller, so I solved it with parameter:
      subdomains_provider = none and using parameter:
      krb5_server and ad_server

      But now, I would like to login with username = [email protected]
      that is the userprincipalname of ad.

      But my domain is, how can I map it ?

  13. Balaji Mohan


    Thank you very much for such a wonderful article !

    I followed your article step by step – No error message. It worked only once for me, now whenever I complete the steps and restart the machine to login with Domain Admin or User account it gives me “Password Invalid”

    here is my realm list
    type: kerberos
    realm-name: xyz.COM
    configured: kerberos-member
    server-software: active-directory
    client-software: sssd
    required-package: sssd-tools
    required-package: sssd
    required-package: libnss-sss
    required-package: libpam-sss
    required-package: adcli
    required-package: samba-common-bin
    login-formats: %[email protected]
    login-policy: allow-permitted-logins
    permitted-groups: Domain Admins, Users

    Please help

    • Wonder

      edit etc/krb5.conf with the following

      [realms] = {
      kdc =
      admin_server =

  14. Vance Ayres

    This is just a preliminary post to see if I can get some help with a problem. After setting this up everything worked fine until I was required to change the user’s password. I can still login locally with the old password but of course I have no access due to the wrong password on the server. I can provide whatever information you need. What do you think?

  15. Vance Ayres

    I forgot to mention that I tried the sss_cache tool as well as deleting all files from the /var/lib/sss/db folder to no avail.

  16. Vance Ayres

    I’m not sure this is the best solution for this problem but what I ended up doing was restoring a backup of the computer before I started trying different solutions & then used “realm leave” to disjoin from the domain & then after a restart I used “realm join” to rejoin to the domain. Everything seems to be fine now. It seems kind of drastic though to have to go to these measures. Has anyone got a better solution?

  17. Vini

    Hey guys,

    When I type the command;

    echo ‘ad_hostname =’ >> /etc/sssd/sssd.conf

    It’s coming up…Permission denied.

    Any idea how to fix it?

