Join Ubuntu 14.04 to Active Directory Domain using realmd

by on April 29, 2014 at 9:15 pm

This proved to be a difficult task.  I spent several hours scouring the internet for various bugs in this process to little avail.  I’m going to summarize what I did to actually get this puppy up and running.

Started with a clean install of Ubuntu 14.04 LTS Server Edition.  Pointed my DNS to my AD controller.


Installed realmd:  apt-get install realmd

Installed sssd: apt-get install sssd

sssd fails to start because the config file is not included, not even an empty one!

vi /etc/sssd/sssd.conf

Pasted in the following:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

Updated permissions because realmd won’t write to the file unless it’s explicitly writable:  chmod 0600 /etc/sssd/sssd.conf

PROBLEM STEP (see below): Join the realm: realm --verbose join localdomain.xx -U Administrator

It will prompt you for the password of the domain admin Administrator.  You’ll see the output of a net join command somewhere as successful, but at the end of the command it will say it failed.  It didn’t actually fail if you have more contents in /etc/sssd/sssd.conf.

In /etc/sssd/sssd.conf, comment out the line use_fully_qualified_names = True

I found that line in a bug report over on Red Hat or Fedora.  I think it’s related to an upstream bug in the sssd/realmd software, and not so much Ubuntu.

Reboot your server.  You should now be able to id a domain user as follows:  id LOCALDOMAIN\\myuser

You can now su to a domain user:  su myuser@localdomain

I hope you found this useful.


Unfortunately, some package dependency problems have been introduced since I originally wrote this article.  After you try the problem step once, perform the following.  This is intended to be a temporary fix for now; hopefully the Ubuntu team will resolve this dependency issue.

Add the following to /etc/realmd.conf:

[service]
automatic-install = no

Next, install the following packages:  samba-common-bin, samba-libs, sssd-tools, krb5-user, adcli

During installation of krb5-user, it will prompt you for the default Kerberos realm.  This should be your domain in all caps.  Example:  LOCALDOMAIN.XX

Now, go ahead and get a valid Kerberos ticket for your AD admin:  kinit DomainAdmin@LOCALDOMAIN.XX

You should now be able to successfully join the domain using the --user-principal switch and the --unattended switch:  realm --verbose join localdomain.xx --user-principal=myubuntuserver/DomainAdmin@LOCALDOMAIN.XX --unattended

After this command completes, you’ll know you were successful if the /etc/sssd/sssd.conf file is full of a bunch of stuff.  Go back to where we left off above, and finish the rest of the steps.
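
The file-state checks this procedure hinges on, as an added example that is not part of the original article: it verifies that sssd.conf exists with mode 0600, that realmd.conf disables automatic-install under [service], that the join wrote a [domain/...] section, and that use_fully_qualified_names is no longer active. The function names are this example's own; the default paths are the ones used above.

```sh
#!/bin/sh
# Added example: audits the file state the join procedure above depends on.
# File paths are parameters so the checks can be run against copies.

# sssd.conf must exist as a regular file with mode 0600.
check_sssd_perms() {
    [ -f "$1" ] || { echo "sssd: $1 is missing"; return 1; }
    mode=$(stat -c '%a' "$1")   # GNU stat, as shipped on Ubuntu
    [ "$mode" = "600" ] || { echo "sssd: mode $mode on $1, want 600"; return 1; }
}

# Print the first [domain/NAME] section name; realmd writes it on a successful join.
joined_domain() {
    sed -n 's/^\[domain\/\(.*\)\]$/\1/p' "$1" 2>/dev/null | head -n 1
}

# True while an uncommented use_fully_qualified_names = True line is present.
fqn_active() {
    grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*true' "$1" 2>/dev/null
}

# True only if automatic-install = no sits inside the [service] section.
auto_install_disabled() {
    awk '
        /^\[/ { in_service = ($0 == "[service]") }
        in_service && /^[ \t]*automatic-install[ \t]*=[ \t]*no[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# Run every check, report each finding, return non-zero if any failed.
audit_join() {
    sssd="${1:-/etc/sssd/sssd.conf}"; realmd="${2:-/etc/realmd.conf}"; rc=0
    check_sssd_perms "$sssd" || rc=1
    auto_install_disabled "$realmd" || { echo "realmd: automatic-install = no not in [service]"; rc=1; }
    dom=$(joined_domain "$sssd")
    if [ -n "$dom" ]; then
        echo "sssd: domain section present for $dom"
    else
        echo "sssd: no [domain/...] section, the join has not written its config"; rc=1
    fi
    if fqn_active "$sssd"; then
        echo "sssd: use_fully_qualified_names = True is still active"; rc=1
    fi
    return $rc
}
```

Run `audit_join` as root after the join and before the reboot; pass copies of the two files as arguments to try it without touching /etc.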


  • OlivierM

    Very interesting, it looks like realmd MIGHT BE the answer to likewise-open vanishing from Trusty.

    Still, I keep hitting the following wall : upon join’ing the domain, realmd tries to install missing software, and fails upon samba-common-bin’s dependencies.

    Did you have anything like that?

    • Mike

      No, I did not experience that problem. Make sure you run an “apt-get update” to make sure you have the newest repo listings. This missing software is supposed to be automatically installed by realmd.

  • b0rken

    Apparently installing packagekit, killing the aptd process and then attempting to join again is a bandaid but now I’m getting a signal 11

    realm: Couldn’t connect to realm service: Error calling StartServiceByName for org.freedesktop.realmd: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: Process /usr/lib/dbus-1.0/dbus-daemon-launch-helper received signal 11

    • Mike

      Yes, the process is plagued with problems. I ran through my steps twice successfully. If you follow what I did in order, you should be able to complete the process. I believe the problem is with sssd not having a config file. Since sssd doesn’t have a config file, it can’t start. Since realmd tries to install dependencies and then setup your .conf files automatically, if you haven’t installed sssd already it will hang. Also, make sure that you chmod the sssd.conf file so it’s writeable, otherwise realmd will continue to hang.

    • Mike

      Also, if you check

      You’ll notice your error is in relation to a bug in sssd itself. The last post on that page notes that you need to “include the lines… to reproduce.” Taking that information, I simply removed those lines (only one was present) and sssd was able to start normally.

  • Don

    I followed your instructions, including preceding the process with an apt-get update. All went well until after the realm command found my local domain, but then ran into dependency problems, like OlivierM described (see below). This was a clean updated 14.04 installation.

    Password for Administrator:
    * Unconditionally checking packages
    * Resolving required packages
    * Installing necessary packages: sssd-tools, samba-common-bin
    ! Failed to enroll machine in realm: The following packages have unmet dependencies:

    samba-common-bin: Depends: samba-common (= 2:4.1.6+dfsg-1ubuntu2) but 2:4.1.6+dfsg-1ubuntu2.14.04.1 is to be installed
    Depends: python2.7:any but it is a virtual package
    Depends: samba-libs (= 2:4.1.6+dfsg-1ubuntu2) but 2:4.1.6+dfsg-1ubuntu2.14.04.1 is to be installed

    realm: Couldn’t join realm: Failed to enroll machine in realm. See diagnostics.

    • Mike

      Okay, I’m going to look into this. I will run through this tutorial again later this weekend to see if the Ubuntu package maintainers actually broke anything since I wrote it (they often do such things on less-frequently used software).

      • Frederick D

        It looks like the Ubuntu package maintainers, in preparation for 14.04.1, added a “newer” version in the update repo. The package dependencies seem to have been screwed up somehow. I purged all of the samba packages, disabled the update repositories in `/etc/apt/sources.list`, ran an apt-get update, and tried again from there.

        14.04 as-released worked fine. I was annoyed that the update repos broke this on an LTS release.

      • Cristiano

        Same dependency error here… the strange fact is that I have already installed samba-libs, python2.7 and samba-common

  • ChrisM

    Hi Mike,

    I had a play with this, and found I can avoid a lot of the problems by adding this section (in addition to disabling automatic-install) in my /etc/realmd.conf:

    fully-qualified-names = no

    Then I do:
    kinit myuser@MY.DOMAIN.FQDN.HERE

    realm join

    • Mike

      Thank you for sharing!

  • Billy

    I have gone through all of these steps, and still can’t get it to work. I keep getting stuck with:

    Couldn’t join realm: Necessary packages are not installed: samba-common-bin

    I’ve run it both with/without the packages installed several times, to no avail.

    Adding the lines to “/etc/realmd.conf” seems to do nothing.

    Any suggestions?

    Mike, I appreciate this article, and envy anyone that got this running on what is SUPPOSED TO BE AN LTS.

    • Mike

      Yes, I got it joined using the updates I have already outlined in the article. Basically, you have to set it up in unattended mode and use Kerberos authentication to join the domain.

  • Bob Tanner

    This did work, but I’m attempting to spin up a new 14.04 VM with


    # realm join --user=Administrator --verbose local domain.xx
    realm: Couldn’t join realm: Necessary packages are not installed: samba-common-bin

    # dpkg -l | grep samba-common-bin
    ii samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.2 amd64 Samba common files used by both the server and the client

    Worked before but not now and I cannot seem to figure out what the changes are.

    • Bob Tanner

      Turning on --verbose I see the following:

      * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-uQXhMN/krb5.d/adcli-krb5-conf-4WY2zs

      ! Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

      adcli: couldn’t connect to localdomain.xx domain: Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
      ! Insufficient permissions to join the domain
      realm: Cannot prompt for a password when running in unattended mode

      • Mike

        See the portion for “Problem Step”. Make sure you get a valid Kerberos ticket before running in unattended mode.

  • Randy Faux

    I had to install packagekit to clear up the missing packages message. This allowed me to join the domain.

  • Stephen

    I have joined the computer to AD as suggested, which works fine. However, I cannot log in from the login screen as fields. How did you resolve this?


    • Mike

      Are you using the GUI to log in? I’m sorry, I’m not familiar with GUI authentication. I would imagine it is somewhat similar to the command line, but cannot say for certain. Try the domain\\user format as well as the user@domain format for authentication.

  • john swails

    In PAM I had to add this from this article, and I was finally able to log on using the GUI

    session optional skel = /etc/skel/ mask=0077

    • Mike

      John, thanks for sharing that!

  • Geetha Subramani

    I could add the domain but couldn’t log in with the username, and it keeps prompting for the password

    Aug 13 14:30:05 ip-10-0-1-116 sshd[1851]: pam_unix(sshd:auth): check pass; user unknown
    Aug 13 14:30:05 ip-10-0-1-116 sshd[1851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
    Aug 13 14:30:05 ip-10-0-1-116 sshd[1851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=testuser
    Aug 13 14:30:05 ip-10-0-1-116 sshd[1851]: pam_sss(sshd:auth): received for user testuser: 10 (User not known to the underlying authentication module)
    Aug 13 14:30:07 ip-10-0-1-116 sshd[1849]: error: PAM: Authentication failure for illegal user testuser from
    Aug 13 14:30:07 ip-10-0-1-116 sshd[1849]: Failed keyboard-interactive/pam for invalid user testuser from port 48954 ssh2
    Aug 13 14:30:07 ip-10-0-1-116 sshd[1849]: Postponed keyboard-interactive for invalid user testuser from port 48954 ssh2 [preauth]