Question: How can I join Ubuntu 20.04|18.04 to a Windows domain? Can I join Debian 10 to an Active Directory domain? This article shows you how to use realmd to join an Ubuntu 20.04|18.04 / Debian 10 server or desktop to an Active Directory domain. An Active Directory domain is the central hub for user information in most corporate environments.

For example, in my company’s infrastructure, it is a key requirement that all users authenticate to all Linux systems with their Active Directory credentials. This should work for both Debian and Red Hat based Linux distributions. I wrote an earlier guide for RHEL / CentOS; see the link below.

How To Join CentOS 8 / RHEL 8 System to Active Directory (AD) domain

This guide illustrates how to configure SSSD to retrieve information from domains within the same Active Directory resource forest. If you’re working with more than one AD forest, this guide may not work for you. We’ll also go further and configure sudo rules for the users logging in through AD. Here is a diagram depicting the setup and how it works.

[Diagram: sssd / realm setup]

Follow the steps below to join Ubuntu 20.04|18.04 / Debian 10 to an Active Directory (AD) domain.

Step 1: Update your APT index

Start by updating your Ubuntu / Debian Linux system.

sudo apt -y update

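This is essential, as installations may fail if the server is freshly installed.

For Ubuntu 20.04|18.04, add the following repositories to your sources.list file. The suite names below are for 18.04 (bionic); on 20.04 use focal and focal-updates instead.

sudo tee -a /etc/apt/sources.list <<EOF
deb http://archive.ubuntu.com/ubuntu/ bionic universe
deb http://archive.ubuntu.com/ubuntu/ bionic-updates universe
EOF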

Step 2: Set server hostname & DNS

Set a proper hostname for your server with the correct domain component. Replace <fqdn> with the server's fully qualified name in your AD domain.

sudo hostnamectl set-hostname <fqdn>

Confirm your hostname:

$ hostnamectl
   Static hostname:
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 5beb7ac3260c4f00bcfbe1088f48b8c7
           Boot ID: b2a0d9abe43b455fb49484dbaa59dc41
    Virtualization: vmware
  Operating System: Ubuntu 18.04.1 LTS
            Kernel: Linux 4.15.0-29-generic
      Architecture: x86-64

Confirm DNS is configured correctly:

$ cat /etc/resolv.conf

Ubuntu 20.04|18.04 comes with systemd-resolved, which you need to disable for the server to access your network DNS directly.

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

If on DHCP, you can update DNS server manually.

$ sudo unlink /etc/resolv.conf
$ sudo vim /etc/resolv.conf
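
A quick way to catch the resolver problems this step can cause (a dangling symlink left behind by systemd-resolved, or the 127.0.0.53 stub still listed) before running realm discover. This is an added example, not part of the original article; check_resolv_conf is a hypothetical helper, and 192.0.2.10 and example.com are placeholders for your DNS server and AD domain.

```bash
# Added example (not from the original article): sanity-check resolv.conf
# before the join. Usage: check_resolv_conf <file> <ad-domain>
# Prints one finding per line and returns 1 if the file will not work.
check_resolv_conf() {
    file=$1; domain=$2; rc=0
    if [ -L "$file" ]; then
        echo "WARN: $file is a symlink to $(readlink "$file"), not a static file"
    fi
    if [ ! -r "$file" ]; then
        echo "FAIL: $file is missing or dangling"; return 1
    fi
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$servers" ]; then
        echo "FAIL: no nameserver entries"; rc=1
    fi
    for ns in $servers; do
        case $ns in
            127.*|::1) echo "FAIL: nameserver $ns is a local stub, not your network DNS"; rc=1 ;;
        esac
    done
    # Informational only: without a search entry, short names will not resolve.
    awk -v d="$domain" '
        ($1 == "search" || $1 == "domain") {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
        }
        END { exit !found }' "$file" ||
        echo "NOTE: $domain is not in the search list; use fully qualified names"
    return $rc
}

# Constructed sample of a static resolv.conf (placeholder address and domain).
sample=$(mktemp)
cat > "$sample" <<'EOF'
nameserver 192.0.2.10
search example.com
EOF
check_resolv_conf "$sample" example.com && echo "resolv.conf looks usable"
rm -f "$sample"
```

On the real host, run it against /etc/resolv.conf with your own domain; once it passes, `host -t SRV _ldap._tcp.example.com` should list your domain controllers.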

Step 3: Install required packages

A number of packages are required for joining an Ubuntu 20.04|18.04 / Debian 10 system to an Active Directory (AD) domain.

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Only after a successful installation of the dependencies can you proceed to discover the Active Directory domain on Debian 10 / Ubuntu 20.04/18.04.

Step 4: Discover Active Directory domain on Debian 10 / Ubuntu 20.04|18.04

The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

$ sudo realm discover example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Replace example.com with your valid AD domain.

Step 5: Join Ubuntu 20.04|18.04 / Debian 10 To Active Directory (AD) domain

An AD administrative user account is required for integrating your Linux machine with the Windows Active Directory domain. Check and confirm the AD admin account and its password.

The realm join command will set up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The command has a number of options which can be checked with:

$ realm join --help

A basic command execution is:

$ sudo realm join -U Administrator example.com
Password for Administrator:

  • Administrator is the name of the admin account used to integrate the machine into AD.
  • example.com is the name of the AD domain.

The command first attempts to connect without credentials, but it prompts for a password if required.

View current realmd details.

$ realm  list
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %[email protected]
  login-policy: allow-realm-logins

On RHEL based systems, the user’s home directory is created automatically. On Ubuntu / Debian, you need to enable this feature.

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required               pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

Then activate with:

sudo pam-auth-update

Select <OK>

Ensure “activate mkhomedir” is selected; it should have [*].

Then Select <Ok> to save changes.

Your sssd.conf configuration file is located at /etc/sssd/sssd.conf. Whenever the file changes, a restart is required.

sudo systemctl restart sssd

Status should be running.

$ systemctl status sssd

If the integration is working, it should be possible to look up an AD user's information.

$ id jmutai
uid=1783929917([email protected]) gid=1784800513(domain [email protected]) groups=1783870513(domain [email protected])

Step 6: Control Access – Limit to user/group

Access to the enrolled server can be limited by allowing only specific users and groups.

Limit to users

To permit a user access via SSH and console, use the command:

$ sudo realm permit [email protected]
$ sudo realm permit [email protected] [email protected]

Permit access to group – Examples

$ sudo realm permit -g sysadmins
$ sudo realm permit -g 'Security Users'
$ sudo realm permit -g 'Domain Users' 'admin users'

This will modify the sssd.conf file.

If you would instead like to allow all users access, run:

$ sudo realm permit --all

To deny all Domain users access, use:

$ sudo realm  deny --all
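
To see what the permit and deny commands above actually left in sssd.conf, the following added example (not part of the original article) reads each [domain/...] section and reports the effective login policy. It assumes realm permit selects SSSD's simple access provider (access_provider = simple with simple_allow_users / simple_allow_groups); audit_sssd_access and the sample file are constructed for illustration.

```bash
# Added example (not from the original article): report the login policy SSSD
# enforces for each [domain/...] section of an sssd.conf, one line per domain:
#   <domain> <OPEN|RESTRICTED|CLOSED|PROVIDER> <detail>
audit_sssd_access() {
    awk '
    function report() {
        if (dom == "") return
        if (ap == "" || ap == "permit")
            print dom, "OPEN", "access_provider=permit (the default), no restriction"
        else if (ap == "deny")
            print dom, "CLOSED", "access_provider=deny"
        else if (ap == "simple" && users == "" && groups == "")
            print dom, "OPEN", "simple provider with no allow list admits everyone not denied"
        else if (ap == "simple")
            print dom, "RESTRICTED", "users=[" users "] groups=[" groups "]"
        else
            print dom, "PROVIDER", "access_provider=" ap
    }
    /^[ \t]*[#;]/ { next }                       # comments
    /^[ \t]*\[/ {                                # any section header
        report(); dom = ap = users = groups = ""
        if ($0 ~ /^[ \t]*\[domain\//) {
            dom = $0; sub(/^[ \t]*\[domain\//, "", dom); sub(/\].*$/, "", dom)
        }
        next
    }
    dom != "" && (eq = index($0, "=")) {         # key = value inside a domain
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "access_provider")     ap = tolower(val)
        if (key == "simple_allow_users")  users = val
        if (key == "simple_allow_groups") groups = val
    }
    END { report() }' "$1"
}

# Constructed sample standing in for /etc/sssd/sssd.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = sysadmins, Security Users
EOF
audit_sssd_access "$sample"
rm -f "$sample"
```

Point it at /etc/sssd/sssd.conf as root, since that file is readable only by root. An OPEN result after you meant to restrict logins is the case to investigate.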

Step 7: Configure Sudo Access

By default, domain users won’t have permission to escalate privileges to root. Users have to be granted access based on usernames or groups.

Let’s first create a sudo permission grants file.

$ sudo vi /etc/sudoers.d/domain_admins

Add single user:

[email protected]        ALL=(ALL)       ALL

Add another user:

[email protected]     ALL=(ALL)   ALL
[email protected]     ALL=(ALL)   ALL

Add a group:

%[email protected]     ALL=(ALL)   ALL

Add a group with a two- or three-word name:

%security\ [email protected]       ALL=(ALL)       ALL
%system\ super\ [email protected] ALL=(ALL)       ALL
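
A sudoers rule only matches if the name is written the way SSSD presents it: with the @domain suffix when use_fully_qualified_names is True in sssd.conf, without it when it is False. The following added example (not part of the original article) flags rules written in the wrong form; the helper names and sample entries are constructed, and it assumes the file contains only AD users and groups.

```bash
# Added example (not from the original article). Assumes the drop-in holds
# only AD users/groups, as /etc/sudoers.d/domain_admins does in this guide.

# Prints "true" when sssd.conf sets use_fully_qualified_names = True,
# otherwise "false" (the documented default for the primary domain).
sssd_uses_fqn() {
    if grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*true' "$1"
    then echo true; else echo false; fi
}

# check_sudoers_names <sssd.conf> <sudoers file>
# Prints "MISMATCH line N: <name>" for each rule whose user or %group is
# written in the form SSSD will not present; returns 1 if any were found.
check_sudoers_names() {
    awk -v fqn="$(sssd_uses_fqn "$1")" '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/\\ /, SUBSEP, line)      # protect "\ " inside multi-word names
        split(line, f, /[ \t]+/)
        who = f[1]; gsub(SUBSEP, " ", who)
        has_at = (index(who, "@") > 0)
        if ((fqn == "true") != has_at) { print "MISMATCH line " NR ": " who; bad = 1 }
    }
    END { exit bad + 0 }' "$2"
}

# Constructed demo inputs (example.com and the group names are placeholders).
conf=$(mktemp); rules=$(mktemp)
printf '[domain/example.com]\nuse_fully_qualified_names = True\n' > "$conf"
cat > "$rules" <<'EOF'
%sysadmins@example.com   ALL=(ALL) ALL
%security\ users         ALL=(ALL) ALL
EOF
check_sudoers_names "$conf" "$rules" || echo "fix the entries listed above"
rm -f "$conf" "$rules"
```

Run it as `check_sudoers_names /etc/sssd/sssd.conf /etc/sudoers.d/domain_admins`, and syntax-check the file with `visudo -cf /etc/sudoers.d/domain_admins` before relying on it.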

Step 8: Test SSH Access

Access the server remotely as an AD user who is allowed to log in.

$ ssh [email protected]
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:wmWcLi/lijm4zWbQ/Uf6uLMYzM7g1AnBwxzooqpB5CU.
ECDSA key fingerprint is MD5:10:0c:cb:22:fd:28:34:c6:3e:d7:68:15:02:f9:b4:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

This is a confirmation that our configuration was successful. Visit realmd and sssd wiki pages to learn more.




  1. Fine article.
    Definitely helpful.

    A few corrections:
    1. Running a command:
    $ sudo realm join -U Administrator EXAMPLE.COM
    the last parameter is a realm-name, not domain – pay attention to upper/lower case;
    2. Running a command
    $ sudo realm permit 'Domain Users' 'admin users'
    do not miss the ‘-g’ option

    Thank you.

  2. Good post.

    I notice some gaps between the text; is that for images or results of commands down the road?

    Had trouble resolving after removing systemd-resolved and couldn’t complete. Went back and started on fresh install without removing it and was able to resolve.

    Suggestion would be to post a sample of resolv.conf that will replace the symbolic link file.

    Having an issue getting id details back from AD – any idea why?

    [email protected]:~$ id Administrator
    id: ‘Administrator’: no such user

  3. For two forests, your forests will need a Forest Level Trust established between them, then you join the system to the most relevant domain.

  4. If you have `use_fully_qualified_names = False` set in `/etc/sssd/sssd.conf` then your sudoers files must not include the “@foo.domain.local” suffix.

    Example: `%domain\ admins ALL=(ALL) ALL`

