How to Join a Debian Linux System to an Active Directory (AD) Domain

What Is an Active Directory (AD) Domain?

An Active Directory (AD) domain is a database of user, computer, and network resources that is used to manage access to network resources. In a Windows network, the AD domain is used to authenticate users and authorize access to network resources.

On a Debian Linux system, you can join an AD domain to allow users to log in to the Linux system using their AD credentials and to manage access to Linux resources with AD group policies. To join an AD domain on a Debian system, you will need to install and configure the realmd and sssd packages.

Once the Linux system is joined to the AD domain, users can log in to the Linux system using their AD username and password, and access to network resources can be controlled using AD group policies.

How to Join a Debian Linux System to an Active Directory (AD) Domain

To join a Debian Linux system to an Active Directory (AD) domain, you will need to install and configure the realmd and sssd packages.

  1. First, update the package list and install the necessary packages:

    sudo apt update
    sudo apt install realmd sssd sssd-tools samba-common samba-common-bin samba-libs adcli

  2. Next, you will need to configure realmd to use the AD domain. You can do this by modifying the /etc/realmd.conf file or by using the realm command.

To use the realm command, run the following command, replacing example.com with the actual domain name:

    sudo realm join example.com --user=administrator

This will prompt you for the password of the administrator account. Enter the password and press Enter.

  3. After joining the domain, you will need to configure sssd to authenticate against the AD domain. Edit the /etc/sssd/sssd.conf file and add the following lines:

    [domain/example.com]
    ad_domain = example.com
    krb5_realm = EXAMPLE.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%u@%d
    access_provider = ad

Replace example.com with the actual domain name.

  4. Restart the sssd service to apply the changes:

    sudo systemctl restart sssd

  5. You can now log in to the system using your AD credentials. To test the configuration, try logging in with an AD user account.
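Before restarting sssd, it helps to check the domain section for the settings that decide who may log in. The script below is an added example, not part of the original guide; the function names `get_opt`, `fail` and `audit_sssd_conf` and the sample file are constructed for illustration, and it assumes GNU `stat` as shipped on Debian.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit the domain section of an
# sssd.conf. Function names and the demo file are constructed for illustration.

# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION]
get_opt() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
    insec && /=/ {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) print v
    }' "$1"
}

# fail MESSAGE: report a finding and mark the running audit as failed
fail() { echo "FAIL: $*"; bad=1; }

# audit_sssd_conf FILE DOMAIN: print findings, return 0 only if there are none
audit_sssd_conf() {
  local f="$1" dom="$2" sec="domain/$2" bad=0 realm
  # The file holds join-related settings; keep it readable by its owner only.
  [ "$(stat -c %a "$f")" = 600 ] || fail "$f mode is not 0600"
  [ "$(get_opt "$f" "$sec" id_provider)" = ad ] || fail "id_provider is not ad"
  # When access_provider is unset, SSSD falls back to 'permit' (admit everyone).
  [ "$(get_opt "$f" "$sec" access_provider)" = ad ] ||
    fail "access_provider is not ad, any authenticated domain user is admitted"
  # Kerberos realm names are case-sensitive; AD uses the upper-cased DNS name.
  realm=$(get_opt "$f" "$sec" krb5_realm)
  [ "$realm" = "$(printf %s "$dom" | tr a-z A-Z)" ] ||
    fail "krb5_realm '$realm' is not the upper-case form of $dom"
  # Without %u every domain user would be given the same home directory.
  case $(get_opt "$f" "$sec" fallback_homedir) in
    *%u*) ;;
    *) fail "fallback_homedir has no %u placeholder" ;;
  esac
  return "$bad"
}

# Demo on a constructed file that omits access_provider, so one finding prints.
demo=$(mktemp)
printf '%s\n' '[domain/example.com]' 'id_provider = ad' \
  'krb5_realm = EXAMPLE.COM' 'fallback_homedir = /home/%u@%d' > "$demo"
chmod 600 "$demo"
audit_sssd_conf "$demo" example.com || echo "fix the findings, then restart sssd"
rm -f "$demo"
```

On a joined host, call `audit_sssd_conf /etc/sssd/sssd.conf example.com` as root, since the file is not readable by other users.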