The approach depends on whether you are using Windows or Linux workstations:
WINDOWS
Configure Network/DNS:
- On the Windows PC, go to Control Panel ⇒ Network and Sharing Center ⇒ Change adapter settings.
- Right-click your network adapter, select Properties, then Internet Protocol Version 4 (TCP/IPv4).
- Set the Preferred DNS server to the IP address of your Samba AD DC.
Join the Domain:
- Navigate to Control Panel ⇒ System and Security ⇒ System.
- Click Change settings next to the computer name.
- On the Computer Name tab, click Change.
- Select Domain, enter the FQDN of your Samba domain (e.g., ad.example.com), and click OK.
Authentication & Reboot:
- Enter the credentials for the Samba AD Administrator account when prompted.
LINUX
Prerequisites
- A working Samba AD domain controller (or Windows AD)
- Ubuntu PC with sudo access
- DNS configured to point to the DC
1. Install Required Packages
bash
sudo apt update
sudo apt install -y realmd sssd sssd-tools adcli samba-common-bin krb5-user packagekit
During the Kerberos installation, enter your realm name in uppercase (e.g., DOMAIN.LOCAL).
2. Configure DNS
Make sure your Ubuntu machine resolves the AD domain. Edit /etc/resolv.conf or configure your network to use the DC as DNS:
# IP of your DC
nameserver 192.168.1.x
search domain.local
For a permanent fix with NetworkManager (on Ubuntu, manual edits to /etc/resolv.conf are usually overwritten):
bash
nmcli con mod "Your Connection" ipv4.dns "192.168.1.x"
nmcli con mod "Your Connection" ipv4.dns-search "domain.local"
sudo systemctl restart NetworkManager
3. Discover the Domain
bash
realm discover domain.local
You should see domain details, confirming DNS and network connectivity are working.
4. Join the Domain
bash
sudo realm join --user=Administrator domain.local
Enter the Administrator password when prompted. To specify an OU:
bash
sudo realm join --user=Administrator --computer-ou="OU=Linux,DC=domain,DC=local" domain.local
5. Verify the Join
bash
realm list
You should see your domain listed with configured: kerberos-member.
Also test with:
bash
id administrator@domain.local
6. Configure SSSD
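Edit /etc/sssd/sssd.conf (it's usually auto-generated, but you may want to tune it). Keep the file owned by root with mode 600; SSSD checks its ownership and permissions when it starts: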
sudo nano /etc/sssd/sssd.conf
"""""""""""""""""""""
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam
[domain/domain.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = domain.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
""""""""""""""""""""""""""""""""""""""""""""""
Restart SSSD:
bash
sudo systemctl restart sssd
7. Enable Home Directory Creation
So AD users get a home directory on first login:
bash
sudo pam-auth-update --enable mkhomedir
Or manually add to /etc/pam.d/common-session:
session optional pam_mkhomedir.so skel=/etc/skel umask=077
8. (Optional) Allow AD Users to Log In
By default, realm join may restrict logins. To permit all domain users:
bash
sudo realm permit --all
Or only specific users/groups:
bash
sudo realm permit user@domain.local
sudo realm permit -g "Linux Users" # AD group
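A check for the sssd.conf from step 6 and the login restriction from step 8, as an added example that is not part of the original instructions: it verifies the file mode and reports what the access_provider setting actually allows. The function names and the sample file are constructed for illustration, and it assumes a single [domain/...] section as in step 6; the access_provider semantics follow sssd.conf(5) and sssd-simple(5).

```shell
#!/bin/sh
# Added example: audit an sssd.conf such as the one in step 6.
# Usage: sudo sh audit_sssd.sh /etc/sssd/sssd.conf   (script name is hypothetical)

# Print the value of key $2 from the [domain/...] section of file $1.
sssd_domain_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_dom = ($0 ~ "^[ \t]*\\[domain/"); next }
        in_dom && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one finding per line; return 1 if any finding is a FAIL.
audit_sssd_conf() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "FAIL mode $mode: sssd.conf should be 600"; rc=1; }
    ap=$(sssd_domain_value "$f" access_provider)
    case "${ap:-permit}" in        # sssd.conf(5): the default is "permit"
        permit) echo "FAIL access_provider=permit: no login restriction"; rc=1 ;;
        simple) # sssd-simple(5): with all lists empty, access is granted
            allow="$(sssd_domain_value "$f" simple_allow_users)$(sssd_domain_value "$f" simple_allow_groups)"
            [ -n "$allow" ] || { echo "FAIL access_provider=simple without an allow list"; rc=1; } ;;
        ad)
            [ -n "$(sssd_domain_value "$f" ad_access_filter)" ] ||
                echo "WARN access_provider=ad without ad_access_filter" ;;
    esac
    cc=$(sssd_domain_value "$f" cache_credentials | tr 'A-Z' 'a-z')
    [ "$cc" != "true" ] || echo "WARN cache_credentials=true: password hashes are cached on this host"
    return "$rc"
}

# Constructed sample: the security-relevant keys from the step 6 file.
sample_conf() {
    cat <<'EOF'
[sssd]
domains = domain.local
[domain/domain.local]
cache_credentials = True
id_provider = ad
access_provider = ad
EOF
}

if [ "$#" -gt 0 ]; then audit_sssd_conf "$1"; fi
```

Run it again after any realm permit change to see which access_provider and allow lists are in effect.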
9. (Optional) Grant Sudo to AD Users/Groups
Edit /etc/sudoers.d/domain-admins:
bash
sudo visudo -f /etc/sudoers.d/domain-admins
Add:
%domain\ admins@domain.local ALL=(ALL) ALL