This is a simple guide to adding a Ubuntu workstation to a Windows Domain. This will allow Domain Users to be able to authenticate against Windows Active Directory.

Setup System

Run updates.

sudo apt-get -y update

Install SSSD, RealmD and Kerberos Auth packages.

$ sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

At the Kerberos prompt enter <DOMAIN> in caps.

Configure NTP

Make sure the system can sync its time to the Domain Controllers.

Edit the ntp config file.

sudo vi /etc/ntp.conf

Comment out the default pools and add the servers, changing <host>@<DOMAIN> with the Domain Controller and FQ Domain Name.

server <host>@<DOMAIN>

Restart the service.

sudo systemctl restart ntp

Configure RealmD

Edit the RealmD config file.

sudo vi /etc/realmd.conf

Edit the os-name and os-version accordingly and change <DOMAIN> to the FQ Domain Name.

default-home = /home/%U
default-shell = /bin/bash

default-client = sssd
os-name = Ubuntu Server
os-version = 18.04

automatic-install = no

fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Configure Kerberos

Open the Kerberos config file.

sudo vi /etc/krb5.conf

Make sure it contains the Domain.

default_realm = <DOMAIN>

Join System to Domain

Authenticate against the Domain with an Domain Administrator account.

sudo kinit <user>@<DOMAIN>

This will prompt for a password.

Then add the Domain.

sudo realm -v join <DOMAIN> --user-principal=<host>/<user>@<DOMAIN>

Local Home Directory

Add this line to allow local home directories to be created when a Domain User logs onto the system:

sudo vi /etc/pam.d/common-session

Add to the bottom of the file.

session required skel=/etc/skel/ umask=0077
#end of pam-auth-update config

Configure SSSD

This will allow users to login, ssh and rdp properly.

sudo vi /etc/sssd/sssd.conf

Edit ad_domain, krb5_realm and access_provider.

domains = <DOMAIN>
config_file_version = 2
services = nss, pam

ad_domain = <DOMAIN>
krb5_realm = <DOMAIN>
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ad_gpo_access_control = permissive
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad

Restart the service.

sudo systemctl restart sssd

Configure and Add User to sudoers

Edit the nsswitch config file to allow user to sudo locally (IF required).

sudo vi /etc/nsswitch.conf

Remove sss appended from files.

sudoers:        files

Now test that the Domain Administrator can logon via shell.

su - <user>

Instead of changing the original, create a new sudoer file:

sudo visudo -f /etc/sudoers.d/domain_admin

Add the Domain Administrators the sudoers file.

%<DOMAIN>\\domain\ Admins ALL=(ALL:ALL) ALL

Configure Local Login to GUI

Depending on the GUI installed the Greeter screen will need to be updated to allow higher UIDs. This is because Domain Users have 9 digit IDs as opposed to 6.

To check the length for example to see:

id <user>


If using sddm a different GUI Greeter screens may be needed to allow the “Switch User” or manual type in user.

sudo apt -y install sddm-theme-circles

Then edit the config file.

sudo vi /etc/sddm.conf

Edit the Theme and Max uid:



Test by logging out and logging in with the Domain User.