Description
Join the current machine to an Active Directory, while creating a userPrincipalName.
Setup
- Make sure you have other required software:
  - realmd 0.14.0 or later
  - adcli 0.7 or later
- Verify that your Active Directory domain access works, or set a domain up.
- You need a domain account as an administrator.
- Leave realm(s) you are currently joined to.
- The user principal name is an additional Kerberos principal which can be used to log in as the computer account. It should have the same capitalized realm portion (after the @ sign) as the domain.
How to test
- Join the domain specifying a user principal name
$ realm join --user=Administrator --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
- The user principal name you choose must not be the name of another user or computer in the domain.
- Use your domain admin password when prompted. Specify a user other than Administrator if you have another domain administrative account.
- On a successful join there will be no output.
Expected Results
- Check that the domain is now configured.
$ realm list
- Make sure the domain is listed.
- Make sure you have a configured: kerberos-member line in the output.
- Check that you have the UPN entry in your host's keytab.
$ sudo klist -k
- You should see a line with the user principal you specified, such as
2 Test@AD.EXAMPLE.COM
- Check that you can use your keytab with the user principal.
$ sudo kinit -k host/Test@AD.EXAMPLE.COM
- Make sure the name is capitalized exactly as specified above.
- There should be no output from this command.
More: Automatically choose a user principal
If you specify --user-principal without an argument, a name is automatically generated in the form host/shortname@DOMAIN:
$ realm join --user=Administrator --user-principal= ad.example.com
The automatically generated name depends on your host name. If the current host name is server.example.com, then the user principal chosen by the above command would be host/server@AD.EXAMPLE.COM.
You can see the generated name by using:
$ sudo klist -k
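The following is an added example, not part of this test case or of realmd itself. It turns the checks from "Expected Results" into small shell functions (does `realm list` show the domain with configured: kerberos-member, and does `klist -k` contain the exact user principal), plus a helper that reproduces the host/shortname@DOMAIN rule for the automatically generated name. The SAMPLE_REALM_LIST and SAMPLE_KLIST strings are constructed sample output, so the script runs offline; on a joined machine you would feed it the real output of `realm list` and `sudo klist -k` instead. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the realmd test page): helper checks for the
# expected results above, run against constructed sample output so it works
# offline. Replace the SAMPLE_* strings with real `realm list` / `klist -k`
# output when testing a joined machine.

# Compute the principal realmd generates for --user-principal= (no argument):
# host/<short host name>@<DOMAIN IN UPPER CASE>.
auto_upn() {
    hostname="$1"   # e.g. server.example.com
    domain="$2"     # e.g. ad.example.com
    short="${hostname%%.*}"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$short" "$realm"
}

# Constructed sample of `realm list` output for a joined domain.
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd'

# Constructed sample of `sudo klist -k` output after a join with
# --user-principal=host/Test@AD.EXAMPLE.COM.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/Test@AD.EXAMPLE.COM
   2 HOSTNAME$@AD.EXAMPLE.COM
   2 host/hostname.example.com@AD.EXAMPLE.COM'

# Return 0 if the given domain appears in realm-list output and its block
# carries "configured: kerberos-member" (args: domain, realm-list text).
realm_is_kerberos_member() {
    domain="$1"
    printf '%s\n' "$2" | awk -v d="$domain" '
        $0 == d   { in_realm = 1; next }   # start of the block for our domain
        /^[^ ]/   { in_realm = 0 }         # any other unindented line ends it
        in_realm && $1 == "configured:" && $2 == "kerberos-member" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the keytab listing has an entry whose principal equals the
# requested one. The comparison is case-sensitive on purpose: the test case
# requires the name to be capitalized exactly as given to --user-principal
# (args: principal, klist text).
keytab_has_principal() {
    principal="$1"
    printf '%s\n' "$2" | awk -v p="$principal" '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }   # "KVNO principal" rows only
        END { exit found ? 0 : 1 }'
}

# Run the checks the test case asks for, against the constructed samples.
if realm_is_kerberos_member ad.example.com "$SAMPLE_REALM_LIST"; then
    echo "realm list: ad.example.com is configured as kerberos-member"
else
    echo "realm list: domain missing or not kerberos-member" >&2
fi
if keytab_has_principal host/Test@AD.EXAMPLE.COM "$SAMPLE_KLIST"; then
    echo "keytab: user principal host/Test@AD.EXAMPLE.COM present"
else
    echo "keytab: user principal missing (check capitalization)" >&2
fi
echo "auto-generated principal for server.example.com: $(auto_upn server.example.com ad.example.com)"
```

Because the keytab check compares the full principal string, a lower-cased realm such as host/test@ad.example.com is reported as missing even though a case-insensitive grep would have matched it; that is the same mistake the "capitalized exactly as specified" step above is meant to catch before `kinit -k` fails.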
More: Use with adcli membership software
Test the above commands with both the samba and adcli tools for joining a domain.
$ realm join --membership-software=samba --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
$ realm join --membership-software=adcli --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
More: Preconfigure user principal
The user principal to use for a computer with a given domain can be configured in /etc/realmd.conf:
[ad.example.com]
user-principal = yes
Make sure realmd is restarted:
$ sudo killall realmd
Now do the join without specifying a user principal.
$ realm join ad.example.com
Even though no user principal was specified, the klist and kinit commands above should still work, with a user principal of the style described above in the form host/server@AD.EXAMPLE.COM.
Troubleshooting
Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.
$ realm join --verbose ad.example.com