Active Directory (AD) is the most common centralized identity management system in enterprise environments. Joining Linux servers to an AD domain lets users authenticate with their existing domain credentials, removing the need to manage local accounts on every machine. This guide covers how to join Rocky Linux 10, AlmaLinux 10, or RHEL 10 to a Windows Active Directory domain using realmd and SSSD.
We cover DNS configuration, package installation, domain discovery and join, SSSD tuning for home directory creation, firewall rules, sudo access for AD groups, and login verification. If you need to set up Active Directory Domain Services on Windows Server first, handle that before proceeding.
Prerequisites
- A server running Rocky Linux 10, AlmaLinux 10, or RHEL 10 with root or sudo access
- A working Windows Active Directory domain (Windows Server 2016 or later)
- An AD administrator account with permissions to join computers to the domain
- DNS resolution pointing to your AD domain controller (critical – covered in Step 1)
- Network connectivity between the Linux server and the domain controller on required ports
Step 1: Configure DNS for Active Directory
AD relies heavily on DNS for service discovery. Your Linux server must use the AD domain controller as its DNS server. Without correct DNS, domain discovery and join will fail.
On systems using NetworkManager (default on RHEL 10 family), set the DNS server to your domain controller IP. Replace 192.168.1.10 with your AD domain controller address and ens18 with your active network interface.
```bash
sudo nmcli connection modify ens18 ipv4.dns "192.168.1.10"
sudo nmcli connection modify ens18 ipv4.dns-search "example.com"
sudo nmcli connection down ens18 && sudo nmcli connection up ens18
```
Verify DNS resolution works against the domain.
```console
$ nslookup example.com
Server:   192.168.1.10
Address:  192.168.1.10#53

Name:     example.com
Address:  192.168.1.10
```
Also confirm the SRV records for LDAP are resolvable – realmd uses these during domain discovery.
```console
$ nslookup -type=SRV _ldap._tcp.example.com
_ldap._tcp.example.com  service = 0 100 389 dc01.example.com.
```
If SRV lookups fail, your DNS is not pointing at the AD domain controller. Fix this before continuing.
Step 2: Install Required Packages
Install the packages needed for AD integration – realmd for domain management, SSSD for authentication, adcli for AD operations, and Kerberos for ticket-based auth.
```bash
sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation authselect-compat -y
```
On a fresh RHEL 10 system, register the subscription first if you haven’t already.
```console
$ sudo subscription-manager register --auto-attach
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: your-username
Password:
The system has been registered with ID: d39d60a7-3236-4287-b361-53264159f5d1
The registered system name is: server01.example.com
```
Rocky Linux and AlmaLinux do not need subscription registration – packages are available directly from the base repositories.
Step 3: Open Firewall Ports for Active Directory
The Linux server must reach the domain controller on several ports. If firewalld is running, open the required ports.
| Port | Protocol | Service |
|---|---|---|
| 53 | TCP/UDP | DNS |
| 88 | TCP/UDP | Kerberos |
| 389 | TCP/UDP | LDAP |
| 636 | TCP | LDAPS |
| 464 | TCP/UDP | Kerberos password change |
| 3268 | TCP | Global Catalog |
These are outbound connections from the Linux server to the domain controller, and firewalld does not filter outbound traffic by default, so the rules only matter if your firewall (or one between the server and the DC) filters outbound traffic, which is uncommon. No inbound rules are needed unless the server runs services that AD clients connect to.
Verify connectivity to the domain controller on the Kerberos port.
```console
$ nc -zv 192.168.1.10 88
Ncat: Connected to 192.168.1.10:88.
```
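The DNS and port checks from Steps 1 and 3 can be scripted as a single pre-join check so that realm discover is never attempted against a broken resolver. The script below is an added example, not part of this guide or of realmd: parse_srv, preferred_dc and srv_count work on the SRV answer format shown above (SAMPLE_SRV is a constructed sample with two domain controllers), while ad_preflight runs the live nslookup and nc checks. DOMAIN and DC_IP are the assumed values used throughout this guide, and only the TCP ports from the table are probed because nc -z cannot reliably test UDP.

```bash
#!/usr/bin/env bash
# Added pre-join check for Steps 1 and 3 (hypothetical helper, not part of realmd or SSSD).
# Assumed values taken from the guide; override them with environment variables.
DOMAIN="${DOMAIN:-example.com}"
DC_IP="${DC_IP:-192.168.1.10}"

# Constructed sample of `nslookup -type=SRV _ldap._tcp.example.com` output with two
# domain controllers; dc01 has the lower priority value and is therefore preferred.
SAMPLE_SRV='_ldap._tcp.example.com  service = 0 100 389 dc01.example.com.
_ldap._tcp.example.com  service = 10 100 389 dc02.example.com.'

# parse_srv: read nslookup SRV answer lines from stdin and print
# "priority weight port target" records, lowest priority first.
parse_srv() {
    awk '/service = / {
        target = $NF
        sub(/\.$/, "", target)            # strip the trailing dot of the FQDN
        print $(NF-3), $(NF-2), $(NF-1), target
    }' | sort -n -k1,1
}

# preferred_dc SRV_TEXT: hostname of the DC with the lowest SRV priority.
preferred_dc() {
    printf '%s\n' "$1" | parse_srv | awk 'NR == 1 { print $4 }'
}

# srv_count SRV_TEXT: number of SRV records; 0 means the resolver is not AD-aware.
srv_count() {
    printf '%s\n' "$1" | parse_srv | awk 'END { print NR }'
}

# ad_preflight: live checks against the DC. Stops at the first problem so that
# realm discover/join is not attempted with broken DNS or blocked ports.
ad_preflight() {
    local srv port
    srv=$(nslookup -type=SRV "_ldap._tcp.${DOMAIN}" "$DC_IP") \
        || { echo "SRV lookup for _ldap._tcp.${DOMAIN} failed" >&2; return 1; }
    [ "$(srv_count "$srv")" -gt 0 ] \
        || { echo "no _ldap._tcp SRV records: ${DC_IP} is not serving AD DNS" >&2; return 1; }
    echo "preferred DC: $(preferred_dc "$srv")"
    # TCP ports from the Step 3 table (UDP is not probed; nc -z cannot test it reliably)
    for port in 53 88 389 636 464 3268; do
        nc -z -w 3 "$DC_IP" "$port" \
            || { echo "port ${port}/tcp on ${DC_IP} unreachable" >&2; return 1; }
        echo "port ${port}/tcp ok"
    done
}

# Run the live checks only when invoked as: ./ad-preflight.sh run
if [ "${1:-}" = run ]; then
    ad_preflight
fi
```

Running the script with the argument run performs the live checks; without it, only the functions are defined, which lets the parsing logic be exercised against captured nslookup output on a machine that has no path to the domain controller.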
Step 4: Discover the Active Directory Domain
Use realmd to discover the AD domain. This confirms DNS is working and the domain is reachable.
```console
$ realm discover example.com
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
```
The output shows configured: no, meaning the system recognizes the domain but hasn’t joined it yet. If this command returns an error, go back and fix your DNS configuration.
Step 5: Join Rocky Linux 10 / RHEL 10 to the AD Domain
Join the domain using an AD administrator account. Replace Administrator with your AD admin username and example.com with your domain name.
```console
$ sudo realm join example.com -U Administrator
Password for Administrator:
```
If the join succeeds, there is no output – just a return to the prompt. Verify the join was successful.
```console
$ realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@example.com
  login-policy: allow-realm-logins
```
The configured: kerberos-member line confirms the system is now part of the domain.
Step 6: Configure SSSD and Home Directory Creation
After joining the domain, configure the authentication profile using authselect. This enables SSSD and automatic home directory creation for AD users on first login.
```bash
sudo authselect select sssd with-mkhomedir --force
```
Enable and start the oddjobd service, which handles home directory creation.
```bash
sudo systemctl enable --now oddjobd
```
Check the SSSD configuration file that realmd generated automatically.
```bash
sudo cat /etc/sssd/sssd.conf
```
It should look similar to this.
```ini
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```
If you want users to log in with just their username (without the @domain.com suffix), edit the SSSD configuration file.
```bash
sudo vi /etc/sssd/sssd.conf
```
Change use_fully_qualified_names to False and update the home directory path.
```ini
use_fully_qualified_names = False
fallback_homedir = /home/%u
```
Restart SSSD after any configuration changes.
```bash
sudo systemctl restart sssd
```
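Editing sssd.conf by hand is error-prone: a duplicated key, a key placed in the wrong section, or a file that is group- or world-readable (SSSD refuses to start unless the file is root-owned and mode 0600) all surface only as a failed restart. The helper below is an added example, not code from this guide or from the sssd or realmd projects: set_ini_option rewrites one option inside a named section without duplicating it, get_ini_option reads it back, and harden_sssd_conf fixes ownership and mode and runs sssctl config-check when sssd-tools is installed. SAMPLE_SSSD_CONF is a constructed excerpt of the realmd-generated file shown above, and conf_mode relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added helper for Step 6 (hypothetical, not part of sssd or realmd): change one option
# inside a section of sssd.conf without duplicating it, read it back, and enforce the
# ownership/mode SSSD requires before it will start (root:root, 0600).

# Constructed excerpt of the realmd-generated configuration shown in the guide.
SAMPLE_SSSD_CONF='[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad'

# get_ini_option FILE SECTION KEY -> prints the value of a "key = value" line in [SECTION]
get_ini_option() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec) }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# set_ini_option FILE SECTION KEY VALUE
# Rewrites an existing "KEY = ..." line in [SECTION] (dropping duplicates) or appends
# the key at the end of that section. The file is overwritten in place rather than
# replaced, so its owner and mode survive the edit.
set_ini_option() {
    local file=$1 section=$2 key=$3 value=$4 tmp
    tmp=$(mktemp)
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        function flush() { if (insec && !done) { print key " = " val; done = 1 } }
        /^\[/ { flush(); insec = ($0 == sec) }
        insec && $1 == key && $2 == "=" { if (!done) { print key " = " val; done = 1 }; next }
        { print }
        END { flush() }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# conf_mode FILE -> octal permission bits (GNU stat)
conf_mode() { stat -c '%a' "$1"; }

# harden_sssd_conf FILE: SSSD refuses a group- or world-readable config, so fix
# ownership and mode, then validate with sssctl config-check if sssd-tools is present.
harden_sssd_conf() {
    local file=${1:-/etc/sssd/sssd.conf}
    chown root:root "$file" && chmod 0600 "$file"
    if command -v sssctl >/dev/null 2>&1; then
        sssctl config-check
    fi
    [ "$(conf_mode "$file")" = 600 ]
}

# Usage on a joined system (as root), matching the edit described in Step 6:
#   set_ini_option /etc/sssd/sssd.conf domain/example.com use_fully_qualified_names False
#   set_ini_option /etc/sssd/sssd.conf domain/example.com fallback_homedir /home/%u
#   harden_sssd_conf /etc/sssd/sssd.conf && systemctl restart sssd
```

The awk matcher only recognises the "key = value" layout that realmd writes; keys written without spaces around the equals sign would be appended rather than replaced, which is why get_ini_option is worth running after every change.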
Verify the service is running.
```console
$ systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-03-21 10:15:32 EAT; 5s ago
   Main PID: 12345 (sssd)
      Tasks: 4 (limit: 23108)
     Memory: 48.2M
        CPU: 320ms
     CGroup: /system.slice/sssd.service
             ├─12345 /usr/sbin/sssd -i --logger=files
             ├─12346 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
             ├─12347 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─12348 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
```
Step 7: Test AD User Authentication
Look up an AD user to confirm the integration is working. Replace jmutai with an actual user in your AD domain.
```console
$ id jmutai@example.com
uid=1783929917(jmutai@example.com) gid=1783800513(domain users@example.com) groups=1783800513(domain users@example.com)
```
If you set use_fully_qualified_names = False, you can query by username only.
```console
$ id jmutai
uid=1783929917(jmutai) gid=1783800513(domain users) groups=1783800513(domain users)
```
Test SSH login with the AD user account.
```console
$ ssh jmutai@example.com@server01.example.com
jmutai@example.com@server01.example.com's password:
Creating home directory for jmutai@example.com.
[jmutai@server01 ~]$
```
The home directory is automatically created on first login thanks to the with-mkhomedir option configured earlier.
Step 8: Control Access – Limit to Specific Users or Groups
By default, all domain users can log in after joining. Restrict access to specific users or groups as needed.
Permit specific users.
```bash
sudo realm permit jmutai@example.com
sudo realm permit jmutai@example.com user1@example.com
```
Permit access by AD group.
```bash
sudo realm permit -g sysadmins
sudo realm permit -g 'Security Users'
```
To allow all domain users (default behavior).
```bash
sudo realm permit --all
```
To deny all domain users access.
```bash
sudo realm deny --all
```
Step 9: Configure Sudo Access for AD Groups
Domain users have no sudo privileges by default. Grant sudo access to specific AD users or groups by creating a sudoers drop-in file.
```bash
sudo visudo -f /etc/sudoers.d/domain_admins
```
Add entries for individual users or groups. For an alternative approach to centralized identity management, consider FreeIPA which provides HBAC and sudo rules natively.
```
# Single user
user1@example.com ALL=(ALL) ALL
# AD group (prefix with %)
%sysadmins@example.com ALL=(ALL) ALL
# Group with spaces in the name (escape spaces with backslash)
%domain\ admins@example.com ALL=(ALL) ALL
```
Verify the sudoers file has no syntax errors.
```bash
sudo visudo -cf /etc/sudoers.d/domain_admins
```
Expected output.
```
/etc/sudoers.d/domain_admins: parsed OK
```
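The two details that most often break a drop-in for AD principals are the backslash escaping of spaces in group names and the realm suffix, which must be present when use_fully_qualified_names is True and absent when it is False. The script below is an added example, not part of this guide or of sudo: sudoers_entry builds one line for a user or group, build_sudoers_dropin assembles a whole drop-in from newline-separated lists, and install_sudoers_dropin validates the result with visudo -cf on a temporary file before placing it in /etc/sudoers.d with mode 0440, so a file with a syntax error is never installed. The user and group names in the usage comment are the placeholders used elsewhere in this guide.

```bash
#!/usr/bin/env bash
# Added helper for Step 9 (hypothetical, not part of sudo or realmd): generate and
# safely install a sudoers drop-in for AD users and groups.

# sudoers_entry KIND NAME DOMAIN
# KIND is "user" or "group". Pass an empty DOMAIN when SSSD runs with
# use_fully_qualified_names = False, otherwise the realm suffix is appended.
sudoers_entry() {
    local kind=$1 name=$2 domain=$3 principal
    principal=$(printf '%s' "$name" | sed 's/ /\\ /g')   # "domain admins" -> "domain\ admins"
    [ -n "$domain" ] && principal="${principal}@${domain}"
    case $kind in
        user)  printf '%s ALL=(ALL) ALL\n' "$principal" ;;
        group) printf '%%%s ALL=(ALL) ALL\n' "$principal" ;;
        *)     echo "unknown kind: $kind" >&2; return 1 ;;
    esac
}

# build_sudoers_dropin DOMAIN USERS GROUPS
# USERS and GROUPS are newline-separated lists; blank lines are ignored.
build_sudoers_dropin() {
    local domain=$1 users=$2 groups=$3 line
    echo "# Generated sudo access for AD principals (realm: ${domain:-unqualified names})"
    printf '%s\n' "$users" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        sudoers_entry user "$line" "$domain"
    done
    printf '%s\n' "$groups" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        sudoers_entry group "$line" "$domain"
    done
}

# install_sudoers_dropin FILE CONTENT (run as root)
# Writes CONTENT to a temporary file, checks it with visudo -cf, and only then
# installs it as root:root 0440; a drop-in that fails to parse never reaches /etc/sudoers.d.
install_sudoers_dropin() {
    local file=$1 content=$2 tmp
    tmp=$(mktemp)
    printf '%s\n' "$content" > "$tmp"
    chmod 0440 "$tmp"                     # visudo -c also checks the file mode
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install $file: syntax check failed" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$file" && rm -f "$tmp"
}

# Usage (as root), reproducing the drop-in from Step 9 with the guide's placeholder names:
#   content=$(build_sudoers_dropin example.com 'user1' 'sysadmins
# domain admins')
#   install_sudoers_dropin /etc/sudoers.d/domain_admins "$content"
```

Because the functions never touch /etc/sudoers.d themselves until visudo has accepted the temporary copy, the generated text can be reviewed (or diffed against the existing drop-in) before anything with root-granting effect is written.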
Step 10: Verify AD Login with Sudo
Test that an AD user with sudo privileges can escalate to root.
```console
$ ssh user1@example.com@server01.example.com
user1@example.com@server01.example.com's password:
[user1@server01 ~]$ sudo whoami
[sudo] password for user1@example.com:
root
```
If you need to join Ubuntu or Debian systems to Active Directory, the process is similar but uses different package names.
Troubleshooting Common Issues
realm discover fails with “No such realm found” – Your DNS is not pointing at the AD domain controller. Check /etc/resolv.conf and verify the nameserver entry is the DC’s IP address. Also confirm the DC is reachable on port 53.
realm join fails with “Insufficient permissions” – The AD account you are using does not have permission to join computers to the domain. Use an account that is a member of the Domain Admins group or has been delegated join permissions on the target OU.
id command returns “no such user” – Restart SSSD and clear the cache, then try again. Note that wiping /var/lib/sss/db also discards cached credentials, so users will be unable to log in while the domain controller is unreachable until they have authenticated against it once more.
```bash
sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd
```
Home directory not created on login – Make sure oddjobd is running and the authselect profile includes with-mkhomedir.
```bash
sudo systemctl status oddjobd
sudo authselect current
```
Leave the AD Domain
If you need to remove the system from the domain, run the following.
```bash
sudo realm leave example.com
```
Verify the system has left.
```console
$ realm list
```
Empty output confirms the system is no longer joined to any domain.
Conclusion
The Rocky Linux 10 / AlmaLinux 10 / RHEL 10 system is now joined to the Active Directory domain with SSSD handling authentication and home directory creation. AD users can log in via SSH using their domain credentials, and sudo access is controlled through the sudoers drop-in file.
For production environments, consider enabling LDAPS (port 636) for encrypted communication between SSSD and the domain controller, and set up Kerberos ticket renewal policies to handle long-running sessions. Refer to the SSSD documentation and realmd project page for advanced configuration options.