Join Ubuntu Workstation to a Windows Domain

Here is my guide on how to Join Ubuntu Workstation to a Windows Domain using SSSD and Realmd. There are a few different methods out there, but from what I have tested and researched, SSSD with Realmd is the most up to date and easiest way to get the desired result at the time of writing. I have included links to all of the relevant documentation that I used while researching and putting this guide together.

I just want to say off the bat that I'm no Linux expert. I've only recently started to dabble with Linux. I wanted to see if this could be done, so I tried it out in my test lab. I created this guide for myself so that I could use it again later when I no doubt forget how I originally did it. I couldn't really find an up to date, step by step guide to joining an Ubuntu workstation to a Windows domain that was easy to follow for beginners, so I'm putting this up on my site in the hope that it may help someone else. If you see any glaringly obvious mistakes, or if there is a better way of doing something, let me know in the comments. This isn't really Ubuntu specific, as a lot of the steps in this guide have been adapted from the Redhat and Fedora documentation. If you are following this guide, I'd say try it out in a test environment first to make sure it does everything that you need.

So in my test lab I went through and tested a few different methods of joining an Ubuntu 16.04 computer to a Windows domain. The methods I tried were:

  • Winbind
  • SSSD
  • RealmD & SSSD

As I said earlier, I found that for a new Linux user the RealmD & SSSD method was the easiest and most effective way to Join Ubuntu Workstation to a Windows Domain. Your mileage may vary.

I’ll split this guide up in to separate sections.

  1. Configuring the hosts file.
  2. Setting up the resolv.conf file.
  3. Setting up NTP.
  4. Installing the required packages.
  5. Configuring the Realmd.conf file.
  6. Fixing a bug with the packagekit package.
  7. Joining the Active Directory Domain.
  8. Configuring the SSSD.conf file.
  9. Locking down which Domain Users can login.
  10. Granting Sudo access.
  11. Configuring home directories.
  12. Configuring LightDM.
  13. Final Thoughts & Failures
  14. Links

1. Configuring the hosts file

To update the hosts file, edit /etc/hosts. On my workstation the fully qualified domain name wasn't in the hosts file by default, so I had to add it. Note: coming from Windows I had never seen a second loopback address, which is what Ubuntu maps the hostname to by default, used as a loopback address. Seems legit though.

In this example the hostname of the workstation I want to join to the domain is ubutest01.

Set the loopback entry to your new hostname in the following format, with the fully qualified name first and the short name after it (the first name on the line is what hostname -f returns, and the join needs the FQDN there): the loopback address, then ubutest01.<your domain>, then ubutest01.

[Screenshot: Ubuntu 16.04 hosts file edit]

Reboot the system for the changes to take effect.

To test that the name has changed, run the hostname command; hostname -f should now return the fully qualified name.

[Screenshot: hostname command]

2. Setting up the resolv.conf file

Make sure your Ubuntu computer can talk to your DNS servers. By default resolv.conf points at the local dnsmasq resolver that NetworkManager runs, and looks like the following:

[Screenshot: default resolv.conf]

To have it list the DNS servers you are actually using, comment out the dns=dnsmasq line in /etc/NetworkManager/NetworkManager.conf.

[Screenshot: dns=dnsmasq line commented out]

Then restart the network-manager service.

If you have set the DNS servers via the GUI, you should now see them in /etc/resolv.conf.

[Screenshot: resolv.conf showing the DNS servers]

Check that you can resolve the SRV records for the domain (the _ldap._tcp and _kerberos._tcp records, which realmd and SSSD use to locate the domain controllers) with dig or host before going on. If they don't resolve, the discovery and the join will fail.

3. Setting up NTP

It's important to synchronize time with your Domain Controllers so Kerberos works correctly: by default a KDC rejects requests from a client whose clock is more than five minutes out. Install the ntp package.

[Screenshot: install ntp on Ubuntu 16.04]

Edit /etc/ntp.conf.

Comment out the Ubuntu pool servers and put your own DCs in there, one line per DC, for example:

server <your-dc> iburst prefer

Replace <your-dc> with the DC's hostname or IP address; prefer marks the server ntpd should favour when several are usable.

[Screenshot: edit ntp.conf on Ubuntu 16.04]

Restart the ntp service.

Then check that it's working with ntpq -p; the peer marked with an asterisk is the one the clock is synchronised to.

[Screenshot: ntpq command on Ubuntu 16.04]

During this process I found this little tip: ntpstat is a handy tool to make sure you're syncing correctly. Install it, then run it; it reports whether the clock is synchronised and to which server. Should be syncing like a boss.

[Screenshot: ntpstat command]
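The three things above (hosts file, SRV records, clock skew) are what most often break a join, and the script below runs them together before you get to realm join. It is an added example and not part of the original post: it checks that /etc/hosts lists the FQDN first on a loopback line, that the _ldap._tcp.dc._msdcs and _kerberos._tcp SRV records for the domain resolve (and prints them in the order a client would try them), and that the offset ntpq reports against the selected peer is inside the Kerberos five-minute limit. The domain is passed as an argument because the post never names its lab domain, and dig comes from the dnsutils package; the parsing functions take their input from files or stdin so they can be exercised without a domain.

```shell
#!/bin/sh
# Pre-join checks for steps 1 to 3 (hosts file, AD SRV records, clock skew).
# Added example, not part of the original post. Takes the AD domain as an
# argument; live checks need dig (package dnsutils) and ntpq (package ntp).

# MIT Kerberos refuses tickets when client and KDC clocks differ by more than
# this many seconds (the krb5 default "clockskew" is 300).
MAX_SKEW=300

# check_hosts FILE FQDN
# Succeeds only if FILE maps a 127.x loopback address to FQDN as the first
# name on the line; that is what makes `hostname -f` return the FQDN.
check_hosts() {
    awk -v fqdn="$2" '
        $1 ~ /^127\./ && $2 == fqdn { ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# srv_targets  (reads `dig +short SRV ...` output on stdin)
# Each input line is "priority weight port target."; prints "target port"
# lines with the lowest priority first and, within a priority, the highest
# weight first, i.e. the order a client should try the domain controllers.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, -$2, $4, $3 }' |
        sort -n -k1,1 -k2,2 |
        awk '{ print $3, $4 }'
}

# skew_ok OFFSET_SECONDS  (may be negative or fractional)
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; if (off < max) exit 0; exit 1 }'
}

# preflight DOMAIN - runs the live checks and prints whatever would block a join
preflight() {
    domain=$1
    rc=0
    fqdn=$(hostname -f)
    check_hosts /etc/hosts "$fqdn" ||
        { echo "hosts: $fqdn is not the first name on a loopback line in /etc/hosts"; rc=1; }

    # realmd and sssd locate the DCs and KDCs through these two SRV records
    for rec in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        n=$(dig +short SRV "$rec" | srv_targets | wc -l | tr -d ' ')
        [ "$n" -gt 0 ] || { echo "dns: no SRV answer for $rec"; rc=1; }
    done

    # ntpq -pn marks the selected peer with '*'; its offset (column 9) is in ms
    off_ms=$(ntpq -pn 2>/dev/null | awk '/^\*/ { print $9 }')
    if [ -z "$off_ms" ]; then
        echo "ntp: no selected peer yet, wait for ntpd to sync"; rc=1
    elif ! skew_ok "$(awk -v ms="$off_ms" 'BEGIN { print ms / 1000 }')"; then
        echo "ntp: clock offset ${off_ms}ms exceeds the ${MAX_SKEW}s Kerberos limit"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "preflight OK for $domain"
    return "$rc"
}

# usage: sh preflight.sh --run your.domain
if [ "${1:-}" = "--run" ]; then
    preflight "${2:?domain required}"
fi
```

Run it as sh preflight.sh --run your.domain after step 3; a non-zero exit with one of the messages above tells you which of the three steps to go back to.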

4. Installing the required packages.

Install the necessary packages (realmd, sssd and their supporting packages):

[Screenshot: install Realmd and SSSD]

If the package setup asks for the default Kerberos realm, enter the domain name in CAPITALS: Kerberos realm names are case sensitive, and an AD realm is the DNS domain name in upper case.

[Screenshot: Kerberos realm prompt]

5. Configuring the Realmd.conf file

Make the following changes to /etc/realmd.conf before using realmd to join the domain. They make domain users' home directories /home/user rather than the default /home/domain/user, and let users log in with the bare account name. You might want the defaults; I do not. If you want to read more about these options you can do that here.

Note: if your domain users are not going to use fully qualified names, you may run into issues if a local Linux user has the same account name as an Active Directory account. Which one wins is decided by the order of the sources in /etc/nsswitch.conf (files normally comes before sss, so the local account shadows the domain one); check with getent passwd after the join, and avoid creating local accounts that share a name with a domain account.

The settings belong in the following sections of realmd.conf; the last two are per-realm options and go in a section named after your domain (shown here as [your.domain]):

[service]
automatic-install = yes

[users]
default-home = /home/%u
default-shell = /bin/bash

[active-directory]
os-name = Ubuntu Linux
os-version = 16.04

[your.domain]
user-principal = yes
fully-qualified-names = no

[Screenshot: edit realmd.conf]

6. Fix a bug with the Packagekit package.

There is a bug with the packagekit package in Ubuntu 16.04; without this workaround the join hangs. The workaround is to bring the system up to date (sudo apt update followed by sudo apt upgrade) before attempting the join.

Note: I had to do this when I originally wrote this guide in May 2016. It may have been fixed by the time you read this; I've left it in just in case.

[Screenshot: sudo apt upgrade]

7. Join Ubuntu Workstation to a Windows Domain.

Now it's time to join the domain. First check that realm can discover the domain you will be joining (realm discover followed by your domain name); it should report the domain type, the realm name and the packages it needs.

[Screenshot: realm discover]

Obtain a Kerberos ticket with kinit for the domain user that has the privilege to join machines to the domain. This does not need to be a domain admin: an account that has been delegated the right to create computer objects in the target OU is enough, and is a better choice than typing a privileged account's password on a workstation.

[Screenshot: kinit command]

Now you can join the domain with realm join.

[Screenshot: join Active Directory with realm and SSSD]

For a quick test that it has worked, look up a domain user with the id command:

[Screenshot: id command]

The output lists all the domain groups that the domain user Craig belongs to. It's worked, HUZZAH!

OK, now that’s done. Lets tweak!

8. Configuring the SSSD.conf file.

I'd like to enable dynamic DNS and some other features that I couldn't set via realmd.conf. Now that the join has written /etc/sssd/sssd.conf, we can tweak those settings there. I've added the following to the [domain/your.domain] section that realmd created. Check the spelling of each option carefully: SSSD ignores option names it does not recognise rather than rejecting them, so a typo silently does nothing.

auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Restart sssd afterwards for the changes to take effect. The file must stay mode 0600 and owned by root, or sssd will refuse to start.

[Screenshot: sssd.conf file edit]

You can find a full list of options to tweak in the sssd.conf and sssd-ad man pages.
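Because the SSSD 1.13 series that ships with Ubuntu 16.04 ignores option names it does not know instead of rejecting them, a misspelt key (dyndsn_refresh_interval for dyndns_refresh_interval, say) never takes effect and never logs an error, and sssd also refuses to start if sssd.conf is not mode 0600 and owned by root. The script below, an added example and not part of the original post, checks both after you have edited the file: it parses each [domain/...] section, requires an id_provider, and flags any option that is not on its whitelist. The whitelist is the set of options realmd writes on join plus the ones added above (the dyndns_iface entry is my addition); extend it from the man pages as you adopt more options.

```shell
#!/bin/sh
# Lint /etc/sssd/sssd.conf after the step 8 edits. Added example, not part of
# the original post. SSSD 1.13 (Ubuntu 16.04) silently ignores option names it
# does not recognise, so a typo never errors and never takes effect; sssd also
# refuses to start unless the file is mode 0600 and owned by root.

# Options realmd writes into the [domain/...] section on join, plus the ones
# the post adds (and dyndns_iface, an assumption). Extend this list from
# sssd-ad(5) / sssd.conf(5); anything not listed is reported as a probable typo.
KNOWN_DOMAIN_KEYS="ad_domain krb5_realm realmd_tags cache_credentials \
id_provider auth_provider chpass_provider access_provider ldap_schema \
krb5_store_password_if_offline default_shell ldap_id_mapping \
use_fully_qualified_names fallback_homedir simple_allow_groups \
simple_allow_users dyndns_update dyndns_refresh_interval dyndns_update_ptr \
dyndns_ttl dyndns_iface"

# check_sssd_perms FILE - mode 0600 and owned by root, or sssd will not start
check_sssd_perms() {
    perms=$(stat -c '%a:%U' "$1") || return 1
    case $perms in
        600:root) return 0 ;;
        *) echo "error: $1 is mode:owner $perms, sssd needs 600:root"; return 1 ;;
    esac
}

# check_sssd_keys FILE - every [domain/...] section must have id_provider and
# may only use option names from KNOWN_DOMAIN_KEYS
check_sssd_keys() {
    awk -v known=" $KNOWN_DOMAIN_KEYS " '
        function close_section() {
            if (section ~ /^domain\// && !has_id) {
                print "error: [" section "] has no id_provider"; bad = 1
            }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # section header
            close_section()
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            section = $0; has_id = 0
            next
        }
        section ~ /^domain\// {
            key = $0
            sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            if (key == "id_provider") has_id = 1
            if (index(known, " " key " ") == 0) {
                print "warning: [" section "] unknown option " key " (typo?)"; bad = 1
            }
        }
        END { close_section(); if (bad) exit 1; exit 0 }' "$1"
}

# lint_sssd_conf FILE - run both checks; exit status is non-zero on any finding
lint_sssd_conf() {
    ok=0
    check_sssd_perms "$1" || ok=1
    check_sssd_keys "$1" || ok=1
    return "$ok"
}

# usage: sudo sh sssd-lint.sh --check [/etc/sssd/sssd.conf]
if [ "${1:-}" = "--check" ]; then
    lint_sssd_conf "${2:-/etc/sssd/sssd.conf}"
fi
```

Run sudo sh sssd-lint.sh --check before restarting sssd; a warning line names the section and the unknown option, which is far quicker to spot than noticing weeks later that the DNS records were never refreshed.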

9. Locking down which Domain Users can login.

Now, let's restrict which domain users can log in. After the join, every domain user is allowed to log in to the workstation.

I want only users in one specific group, plus the domain admins, to be able to log in. realm deny --all blocks everyone first; realm permit -g followed by a group name then allows each group you choose. Note that realm permit rewrites the access settings in sssd.conf (it switches access_provider to simple and records the group in simple_allow_groups), replacing the access_provider = ad line from step 8, so check the file afterwards and confirm with an account outside the allowed groups that it really is refused.

[Screenshot: realm deny command]

10. Granting Sudo Access.

Now let's grant some sudo access. Edit the sudoers file with visudo (or, better, add a file under /etc/sudoers.d with mode 0440) and add a rule for the AD group that should be able to use sudo. Because fully-qualified-names is set to no, the group is referenced by its plain AD name, prefixed with % like any group, and spaces in the name have to be escaped with a backslash. Keep that group small: anyone in it is root on the workstation.

[Screenshot: edit sudoers]

11. Configuring home directories.

Let's set up the home directory for domain users logging in. The pam_mkhomedir module creates it on first login.

Add to the bottom of the PAM session stack (on Ubuntu that is /etc/pam.d/common-session):

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

A umask of 0022 makes each new home directory readable by every other user on the machine; use umask=0077 if home directories should be private.

[Screenshot: PAM edit]

12. Configure Lightdm

The last thing I want to do is edit the LightDM configuration so that the greeter shows a manual login box, which is what lets me type a domain user's name at the login prompt (by default the greeter only lists local users). The setting is greeter-show-manual-login=true in the seat section of a file under /etc/lightdm/lightdm.conf.d/.

[Screenshot: LightDM edit]
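Steps 10 to 12 are all small edits to local files, and the script below makes them repeatably. It is an added example, not the post's own commands: it writes a sudoers drop-in for an AD group (spaces escaped, mode 0440, syntax-checked with visudo -cf before it is left in place, because a malformed sudoers file locks every admin out), appends the pam_mkhomedir line only if it is not already there, and drops in the LightDM manual-login setting. Every function takes a root directory, so you can dry-run into a scratch tree and inspect the result before applying it to / with sudo. The group name, the file names under sudoers.d and lightdm.conf.d, and the default umask of 0077 (tighter than the post's 0022) are my choices, not the post's; step 9 is left out because it goes through realm, not a file edit.

```shell
#!/bin/sh
# Post-join local configuration for steps 10 to 12 (sudo rule for an AD group,
# pam_mkhomedir, LightDM manual login). Added example, not the original post's
# edits. Every function takes a root directory so the result can be inspected
# in a scratch tree before it is applied to / with sudo.

# sudoers_group_rule GROUP - one sudoers line for an AD group. With
# fully-qualified-names = no the group is its plain AD name; sudoers requires
# spaces in that name to be escaped ("Domain Admins" -> Domain\ Admins).
sudoers_group_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# install_sudoers_rule ROOT GROUP - drop-in under /etc/sudoers.d, mode 0440,
# syntax-checked with visudo -cf before it is left in place. Prints the path.
install_sudoers_rule() {
    dest=${1%/}; group=$2
    dir="$dest/etc/sudoers.d"
    mkdir -p "$dir"
    # sudo skips files in sudoers.d whose names contain '.' or end in '~'
    file="$dir/ad-$(printf '%s' "$group" | tr -c 'A-Za-z0-9_-' '_')"
    sudoers_group_rule "$group" > "$file"
    chmod 0440 "$file"
    # visudo -c also checks ownership, so only run it when we are root (i.e. when
    # really installing); a bad rule here would lock every admin out of sudo
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null ||
            { rm -f "$file"; echo "sudoers syntax error, rule not installed" >&2; return 1; }
    fi
    echo "$file"
}

# enable_mkhomedir ROOT [UMASK] - append the pam_mkhomedir line once (idempotent).
# The default umask 0077 keeps new home directories private; the post used 0022,
# which makes them readable by every other user on the machine.
enable_mkhomedir() {
    f="${1%/}/etc/pam.d/common-session"
    mkdir -p "$(dirname "$f")"
    grep -qs 'pam_mkhomedir\.so' "$f" && return 0
    printf 'session required pam_mkhomedir.so skel=/etc/skel/ umask=%s\n' "${2:-0077}" >> "$f"
}

# enable_lightdm_manual_login ROOT - let the greeter accept a typed username,
# which is how a domain user who has never logged in here can sign in.
enable_lightdm_manual_login() {
    d="${1%/}/etc/lightdm/lightdm.conf.d"
    mkdir -p "$d"
    # lightdm on 16.04 reads [Seat:*]; older releases only know [SeatDefaults]
    printf '[Seat:*]\ngreeter-show-manual-login=true\n' > "$d/50-ad-manual-login.conf"
}

# usage: sudo sh post-join.sh --apply 'Linux Admins'
if [ "${1:-}" = "--apply" ]; then
    install_sudoers_rule / "${2:?AD group name required}"
    enable_mkhomedir /
    enable_lightdm_manual_login /
fi
```

To preview, run the functions against a scratch directory (for example sh -c '. ./post-join.sh; install_sudoers_rule /tmp/preview "Linux Admins"') and read the generated files; then apply for real with sudo sh post-join.sh --apply 'Linux Admins' and reboot as in the next step.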

I think that’s all the tweaking I’m going to do. I’m going to reboot and see if I can login.

Once the login screen pops up you should be able to log in manually. Click Login.

[Screenshot: domain user at the login screen]

I can log in. Huzzah!

13. Final Thoughts & Failures

This was a fun process and I learned a lot about Ubuntu and Linux in creating this guide. There were a few failures however so it wasn’t all smooth sailing.

Dynamic DNS

So after all that, I still had issues with Dynamic DNS. I researched this as much as I could but couldn’t find a resolution. I manually added the A records on my DNS server but I’d really like to get Dynamic DNS working. If anyone knows where I have gone wrong or can point out how to get this working please leave a comment.

SAMBA File Sharing

I also had some issues after this with getting SAMBA/CIFS file sharing working with Windows authentication. I would like to be able to share a folder on Ubuntu to Windows users and have the Windows users authenticate to the Ubuntu share with their Windows credentials. I've spent a fair bit of time trying to find a resolution to this and played a bit with ACLs in Ubuntu as well, but couldn't get it working properly. I put this down to being fairly new to Linux and not fully understanding some of the intricacies of SAMBA and Linux authentication. If anyone can point me in the right direction for getting SAMBA file sharing working, please leave me a comment.

14. Links

Below are the links that I used when researching this guide.

SSSD-AD Man Page

SSSD.Conf Man Page

SSSD-KRB5 Man Page

PAM_SSS Module Man Page

SSSD – Fedora

Redhat – Ways to Integrate Active Directory and Linux Environments

Redhat – Using Realmd to Connect to an Active Directory Domain

Realm Man Page

Realmd.conf Man Page

Correcting DNS issue by editing Resolv.Conf file

Backing up Active Directory in Windows Server 2012 R2 with Powershell

Backing up Active Directory in Windows Server 2012 R2 with Powershell is now really easy thanks to the Windows Server Backup cmdlets provided in Powershell. Windows Server Backup allows you to create a Scheduled backup or a one time backup. In this example, I’ll be doing a one time backup but scheduling via a scheduled task to allow for more flexibility and I’ll be backing up the system state of the server.

The first thing that you will need to do if you haven’t done so already is to install the Windows Server Backup feature.

Once that is done, below is a little script that I created for myself that will backup a server’s system state. If this is a domain controller, you could use the system state backup to restore Active Directory if needed.

Here are some screen caps of what it looks like when it is running.

To finish things off, you can then create a scheduled task to run the script at a time you would like.

I’ve already created a post to show how to create a scheduled task using Powershell. You can find that here.

For further information or to checkout the material I used to create this script please click on the following links: –

Windows Server Backup Cmdlets in Windows Powershell
Using Windows Server Backup Cmdlets
Windows Server Backup Step by Step Guide for Windows Server 2008 R2



Active Directory Health Check automation via Powershell

It’s important to run some Active Directory Health checks on your domain. To that end, I thought it would be great to generate a weekly report that contained a DCdiag, a Repadmin and Best Practice Analyzer report. This could be done via a Scheduled task. It could then run once a week and then email you with any issues. A great way to keep on top of the health of your environment and to make sure no little niggling errors are hiding just under the covers, waiting to destroy your environment.

The hardest part of the script was executing the cmd prompt command via the script. Passing in arguments is messy in Powershell at the best of times, but passing in arguments with spaces and having to escape the correct characters etc. is very tedious. So, as a disclaimer, this script is a work in progress. It works, but by no means is it an example of Powershell best practice. (I'll keep tinkering with it, and if anyone has any suggestions please leave a comment.) Hopefully, though, someone other than me may find this useful.

There are also a few caveats to be aware of. This script, the way it is presented here, will only work on Powershell v3. I found this out because, in an effort to get the BPA cmdlets working, I realized that the syntax for the commands is different in the different versions of Powershell. If you would like to get this to work on Powershell v2, you just need to change the -ModelID parameters to -ID. A quick "Get-Help Invoke-BPAModel" should sort that out pretty swiftly. Also, the file locations are hard coded at this point.

You can find some more information about DCDiag command here.
You can find some more information about the Repadmin command here.
Here is some information as well about running the BPA via Powershell