Join Ubuntu Workstation to a Windows Domain

Here is my guide on how to Join Ubuntu Workstation to a Windows Domain using SSSD and Realmd. There are a few different methods out there on how to do this but from what I’ve tested and researched, using SSSD and Realmd is the most up to date and easiest way to achieve the desired result at the time of writing this. I’ve included links to all of the relevant documentation that I used in researching putting together this guide.

I just want to say off the bat, that I’m no Linux expert. I’ve only recently started to dabble with Linux. I wanted to see if this could be done so I tried it out in my test lab. I created this guide for myself so that I could use it again later when I no doubt forget how I originally done it in the first place. I couldn’t really find an up to date step by step guide to join Ubuntu Workstation to a Windows Domain that was easy to follow for beginners so I’m putting this up on my site in the hope that it may help someone else. If you see any glaringly obvious mistakes or if there is a better way of doing something let me know in the comments. This isn’t really Ubuntu specific as a lot of the steps from this guide have been adapted from the Redhat and Fedora documentation. If you are here following this guide, I’d say try it out in a test environment first to make sure it does everything that you need.

So in my test lab I went through and tested few different methods on how to go about joining a Ubuntu 16.04 computer to a Windows Domain. The different methods I tried were: –

  • Winbind
  • SSSD
  • RealmD & SSSD

As I said earlier, I found that for a new linux user, the RealmD & SSSD method to Join Ubuntu Workstation to a Windows Domain, was the easiest and most effective. Your mileage may vary.

I’ll split this guide up in to separate sections.

  1. Configuring the hosts file.
  2. Setting up the resolv.conf file.
  3. Setting up NTP.
  4. Installing the required packages.
  5. Configuring the Realmd.conf file.
  6. Fixing a bug with the packagekit package.
  7. Joining the Active Directory Domain.
  8. Configuring the SSSD.conf file.
  9. Locking down which Domain Users can login.
  10. Granting Sudo access.
  11. Configuring home directories.
  12. Configuring LightDM.
  13. Final Thoughts & Failures
  14. Links

1. Configuring the hosts file

To update the hosts file edit the /etc/hosts file. On my workstation, by default the fully qualified domain name wasn’t in the hosts file so I had to add it. Note: Coming from Windows I’d never seen a address used as a loopback address. Seems legit though.

In this example the hostname of the workstation I want to join to the domain is ubutest01.

Set the address to your new hostname in the following format. ubutest01

Join Ubuntu Workstation to a Windows Domain - Ubuntu 16.04 Hosts File edit

Reboot the system for the changes to take effect.

To test if the name has been changed:

Join Ubuntu Workstation to a Windows Domain - Hostname Command

2. Setting up the resolv.conf file

Make sure you’re Ubuntu computer can talk to your DNS Servers. By default, the resolv.conf will be set like the following:

Join Ubuntu Workstation to a Windows Domain - Resolv.conf file edit

To change it to have the actual DNS servers that you are using do the following:

Comment out the dns=dnsmasq line.


Join Ubuntu Workstation to a Windows Domain - dnsmasq comment out

Then restart the network manager.

If you have set the dns servers via the GUI you should then see them in the resolv.conf file.

Join Ubuntu Workstation to a Windows Domain - Check all is well.

Check that you can resolve the SRV records for the domain by running the following:

3. Setting up NTP

It’s important to synchronize time with your Domain Controllers so Kerberos works correctly. Install NTP.

Join Ubuntu Workstation to a Windows Domain - Install ntp ubuntu 16.04

Edit the vi ntp.conf file.

Comment out the ubuntu servers and put your own dc’s in there. For example: –

server iburst prefer

Join Ubuntu Workstation to a Windows Domain - Edit ntp.conf ubuntu 16.04

Restart the ntp service.

Then to check if it’s working try running:

Join Ubuntu Workstation to a Windows Domain - ntpq command ubuntu 16.04

During this process I found this little tip. This is a handy tool to make sure your syncing correctly:

Then run:

Should be syncing like a boss.

Join Ubuntu Workstation to a Windows Domain - NTPStat command

4. Installing the required packages.

Install the necessary packages:

Join Ubuntu Workstation to a Windows Domain - Install Realmd and SSSD

If you are presented with the following screen, put the domain name in CAPITALS.

Join Ubuntu Workstation to a Windows Domain - Kerberos realm

5. Configuring the Realmd.conf file

Make the following changes to the realmd.conf file before using realmd to join the domain. This will make domain users have their home directory in the format /home/user. By default it will be /home/domain/user. You might want it like this, I do not. If you want to read more about these options you can do that here.

Note: If you are going to have your domain users not use fully-qualified domain names, then you may run in to issues if you have a local linux user with the same account name as the active directory account name.

os-name = Ubuntu Linux
os-version = 16.04

automatic-install = yes

default-home = /home/%u
default-shell = /bin/bash

user-principal = yes
fully-qualified-names = no

Join Ubuntu Workstation to a Windows Domain - Edit realm.conf file

6. Fix a bug with the Packagekit package.

There is a bug with the packagekit package in Ubuntu 16.04. You will need to do this as a workaround otherwise it will hang when you try to join the domain.

Note: I had to this when I originally wrote this guide in May of 2016. This may have been fixed by the time you are reading this. I thought I’d put it in just in case.

Join Ubuntu Workstation to a Windows Domain - sudo apt upgrade

7. Join Ubuntu Workstation to a Windows Domain.

Now, it’s time to join the domain. Check that realm can discover the domain you will be joining.

Join Ubuntu Workstation to a Windows Domain - Realm Discover

Create the kerberos ticket that will be used the domain user that has privileges to join the domain.

Join Ubuntu Workstation to a Windows Domain - kinit command

Now you can join the domain using realmd.

Join Ubuntu to a Windows Domain - Join Active Directory with Realm and SSSD

To do a quick test to see if it’s worked:

Join Ubuntu Workstation to a Windows Domain - ID command

This is all the Domain Groups that the domain user Craig belongs to. It’s worked HUZZAH!

OK, now that’s done. Lets tweak!

8. Configuring the SSSD.conf file.

I’d like to enable Dynamic DNS and some other features that I couldn’t set via the realmd.conf file. We now have the opportunity to tweak these settings in the sssd.conf file. I’ve added the following:

auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndsn_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

 Join Ubuntu Workstation to a Windows Domain - SSSD.conf file edit

You can find a full list of options to tweak at the sssd.conf man page.

9. Locking down which Domain Users can login.

Now, let’s restrict which domain users can login.

I want users specified in a specific group to be able to login, as well as the domain admins.

Join Ubuntu Workstation to a Windows Domain - Realm deny command

10. Granting Sudo Access.

Now lets grant some sudo access.

Join Ubuntu Workstation to a Windows Domain - edit sudoers

11. Configuring home directories.

Lets setup the home directory for domain users logging in.

Add to the bottom:

session required          skel=/etc/skel/ umask=0022

Join Ubuntu Workstation to a Windows Domain - pam edit

12. Configure Lightdm

The last thing I want to do is edit the lightdm conf file so that I can log in with a domain user at the login prompt.



Join Ubuntu Workstation to a Windows Domain - Lightdm edit

I think that’s all the tweaking I’m going to do. I’m going to reboot and see if I can login.

Once the login screen pops up you should be able to manually login. Click login.

Join Ubuntu Workstation to a Windows Domain

I can log in. Huzzah!

13. Final Thoughts & Failures

This was a fun process and I learned a lot about Ubuntu and Linux in creating this guide. There were a few failures however so it wasn’t all smooth sailing.

Dynamic DNS

So after all that, I still had issues with Dynamic DNS. I researched this as much as I could but couldn’t find a resolution. I manually added the A records on my DNS server but I’d really like to get Dynamic DNS working. If anyone knows where I have gone wrong or can point out how to get this working please leave a comment.

SAMBA File Sharing

I also had some issues after this with getting SAMBA/CIFS File sharing working with Windows Authentication. I would like to be able to share a folder in Ubuntu to Windows Users and have the Windows Users authtencticate to the Ubuntu share with their Windows credentials. I’ve spent a fair bit of time trying to find a resolution to this and played a bit with ACLS in Ubuntu as well but couldn’t get it working properly. I put this down to being fairly new to Linux and not fully understanding some of the intricacies with SAMBA and Linux authentication. If anyone can point me in the right direction for getting SAMBA File Sharing working please leave me a comment.

14. Links

Below are the links that I used when researching this guide.

SSSD-AD Man Page

SSSD.Conf Man Page

SSSD-KRB5 Man Page


PAM_SSS Module Man Page

SSSD – Fedora

Redhat – Ways to Integrate Active Directory and Linux Environments

Redhat – Using Realmd to Connect to an Active Directory Domain

Realm Man Page

Realmd.conf Man Page

Correcting DNS issue by editing Resolv.Conf file

Tagged , , . Bookmark the permalink.

17 Responses to Join Ubuntu Workstation to a Windows Domain

  1. Barrado says:

    Thank you! Very helpful. I worked for me.

    Did you try using the AD provider? It worked for me with 14.04, but not 1604 🙁
    For example (sssd.conf):
    access_provider = ad
    ad_access_filter = (|(memberOf=cn=domain admins,cn=users,dc=domain,dc=net)(memberOf=cn=squid admins,ou=users,dc=domain,dc=net))

    • wolffhaven says:

      I’ll try that thanks! I noticed dynamic DNS worked on 14.04 too but still haven’t managed to get it to work on 16.04 unfortunatley.

  2. teknojiz says:

    Add your FQDN to your /etc/hostname file. That resolved the issue of dynamic DNS updates for me.

  3. Carl Webster says:

    sudo vi /etc/Networkmanager/NetworkManager.conf

    shouldn’t that be:

    sudo vi /etc/NetworkManager/NetworkManager.conf

  4. Jesse Leonard says:

    Thanks so much for this! I used it to join my domain using Ubuntu Mate 16.10. What is your reasoning behind wanting dynamic DNS? I just want to ask, in case I am missing something important.

  5. The Ldap users can change their password itself?

    • Bernhard says:

      I have a test environment with Windows Server 2012R2 plus Linux Mint 18 Cinnamon running. My Users can change their password with kpasswd, but that changes only the password on the Windows Server – not for the Mint-login.

  6. notesbytom says:

    Problem with DNS Dynamic Updates resolved for me by adding system FQDN to my domain/realm section in sssd.conf:
    ad_hostname =
    This workaround was described at for 14.04, but applies equally well to 16.04. Upstream bug is listed at but labeled as “won’t fix” so we may be stuck with the workaround. Changing debug_level to 6 or greater in sssd.conf will show the dns update log messages under /var/log/sssd/* (grep for “update”).

  7. Bob Ross says:

    Hey there!

    I was trying to get a linux desktop (ubuntu 16.04) into a windows server 2012 domain. I fully followed your tutorial and i’m stuck at the point where i create a Kerberos ticket. Somehow i keep getting:

    Kinit: Cannot contact any KDC for realm ‘’ while getting initial credentials.

    Also when i do the ‘realm discover’ command i get the following output:

    type: kerberos
    realm-name: LOCALDOMAIN
    domain-name: localdomain
    configured: no

    Any ideas?

  8. Joao says:

    Hello, when i type last part. ubuntu does not work. Gui does not work i need access by console and delete this for start again to work



  9. Gordon says:

    It seems, that sssd tries to get the hostname as fqdn. If that don’t works, like on Ubuntu, and it gets only the hostname without the domain part, it will fail to register on DNS (see also:

    Just add “ad_hostname = your.hosts.fq.dn” to sssd.conf and restart the daemon. So sssd knows the fqdn und can update DNS. At least it works perfect for me 🙂

  10. Ron Michalowski says:

    Hi, I’m just starting to get my AD server operational. I am able to have a Windows 10 machine log in, and if I log into Ubuntu at the machine user, I can access the shares by putting in my domain users credentials.

    When you joined the Realm:

    sudo realm –verbose join -U a_craig
    you used “a_creig”

    then when you logged in at GUI, you used “craig”? Can you explain this?
    You also used “craig” when you performed the id command.

    I didn’t get and output from my id command. Any suggestions would be greatly appreciated.

  11. Juho says:

    This was helpfull indeed! Thanx a bunch! …and cudos for the mass effect N7 logo on your profile 😀 !

  12. Angelo says:

    This tutorial is not as good as it seams… you forgot lots of things… (something about kerberos configuration… is case sensitive or not?) for not so skilled linux persons…
    I’m lost in step 7… i can’t find the default realm and i’m not able to understand what’s wrong in the previous phases…

    How can i verify kerberos config?

  13. Dan says:

    I have a solution to both your samba and dynamic dns issues.

    Install samba alongside the samba-libs, etc
    edit the samba configuration file /etc/samba/smb.conf
    find the “workgroup” line and replace “WORKGROUP” with the netbios name of your windows domain.

    Add the following lines below the workgroup line:
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = DOMAINNAME.TLD
    security = ads

    Save the file and restart the service.

    For the dynamic DNS, first ensure you allow secure and non-secure updates in your DNS console.

    Add the following to your /etc/sssd/sssd.conf file:
    ad_hostname = “fully qualified hostname”

    Save the file and restart sssd. You should see your A record appear in DNS.

    I still haven’t figured out how to get it to update ptr records through sssd, so I use an nsupdate workaround.
    Ensure bind9utils is installed, then create this script in /etc/cron.daily



    echo -e “update add $((/sbin/ifconfig|grep inet|head -1|sed ‘s/\:/ /’|awk ‘{print $3}’) | awk -F. ‘{print $4″.”$3″.” $2″.”$1}’)$zone 3600 PTR $(hostname).$(hostname -d).\nsend\n” | nsupdate -v

    Make sure the script is executable (chmod +x). This will update your reverse look up daily, assuming your network adapter is called “eth0”

    Happy to contribute to this absolutely fantastic domain joining guide! Great work!

Leave a Reply