5.8. Join the Active Directory
Now, restart chrony and samba and start sssd.
sudo systemctl restart chrony.service
sudo systemctl restart smbd.service nmbd.service
sudo systemctl start sssd.service
Test the configuration by obtaining a Kerberos ticket:
sudo kinit Administrator
Verify the ticket with:
sudo klist
If there is a ticket with an expiration date listed, then it is time to join the domain:
sudo net ads join -k
A warning about "No DNS domain configured. Unable to perform DNS Update." probably means that there is no (correct) alias in /etc/hosts, and the system could not provide its own FQDN as part of the Active Directory update. This is needed for dynamic DNS updates. Verify the alias in /etc/hosts described in "Modify /etc/hosts" above.
(The message "NT_STATUS_UNSUCCESSFUL" indicates that the domain join failed and something is incorrect. Review the prior steps before proceeding.)
Here are a couple of (optional) checks to verify that the domain join was successful. Note that if the domain was successfully joined but one or both of these steps fail, it may be necessary to wait 1-2 minutes and try again. Some of the changes appear to be asynchronous.
Verification option #1:
Check the default Organizational Unit for computer accounts in the Active Directory to verify that the computer account was created. (Organizational Units in Active Directory are a topic outside the scope of this guide.)
Verification option #2:
Execute this command for a specific AD user (e.g. administrator):
getent passwd username
If enumerate = true is set in sssd.conf, getent passwd with no username argument will list all domain users. This may be useful for testing, but is slow and not recommended for production.
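The checks above (the /etc/hosts alias, a Kerberos ticket with an expiry, and a domain user resolved through sssd) can be scripted so they are repeatable after a join. The following is an added example, not part of the Ubuntu guide; the host name ubuntu01, the realm EXAMPLE.COM and all command outputs are constructed samples, and the three helper functions are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the Ubuntu guide: helper checks that parse the
# output of the join steps. All sample data below is constructed for offline use.

# Constructed /etc/hosts fragment with the FQDN alias the "Modify /etc/hosts"
# step expects, so 'net ads join' can register its own name in DNS.
SAMPLE_HOSTS='127.0.0.1 localhost
192.0.2.10 ubuntu01.example.com ubuntu01'

# Constructed 'sudo klist' output after a successful 'kinit Administrator'.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
04/03/2024 10:00:00  04/03/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed 'getent passwd administrator' line returned via sssd.
SAMPLE_GETENT='administrator:*:1879600500:1879600513:Administrator:/home/administrator@example.com:/bin/bash'

# hosts_has_fqdn HOST DOMAIN: succeed if stdin (/etc/hosts) maps an address to
# HOST.DOMAIN, the alias whose absence triggers "No DNS domain configured".
hosts_has_fqdn() {
    awk -v fqdn="$1.$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit !found }'
}

# has_tgt REALM: succeed if stdin (klist output) lists a krbtgt ticket for
# REALM together with its expiry, i.e. a ticket with an expiration date.
has_tgt() {
    awk -v realm="$1" '
        NF >= 5 && $NF == ("krbtgt/" realm "@" realm) { found = 1 }
        END { exit !found }'
}

# user_resolved USER: succeed if stdin (getent passwd output) carries a
# well-formed 7-field entry for USER with a numeric UID, i.e. sssd resolved it.
user_resolved() {
    awk -F: -v user="$1" '
        $1 == user && NF == 7 && $3 ~ /^[0-9]+$/ && $7 != "" { found = 1 }
        END { exit !found }'
}

# Stand-alone run over the constructed samples; on a real host pipe the live
# command output instead, e.g.  sudo klist | has_tgt EXAMPLE.COM
printf '%s\n' "$SAMPLE_HOSTS"  | hosts_has_fqdn ubuntu01 example.com && echo "hosts: FQDN alias present"
printf '%s\n' "$SAMPLE_KLIST"  | has_tgt EXAMPLE.COM && echo "kerberos: TGT obtained"
printf '%s\n' "$SAMPLE_GETENT" | user_resolved administrator && echo "sssd: user resolved"
```

Each function exits non-zero when its check fails, so the three lines can be chained into a post-join health check or a monitoring probe.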