Join the current machine to an Active Directory, while creating a userPrincipalName.
- Make sure you have other required software:
  - realmd 0.14.0 or later
  - adcli 0.7 or later
- Verify that your Active Directory domain access works, or set a domain up.
- You need a domain account as an administrator.
- Leave realm(s) you are currently joined to.
- The user principal name is an additional Kerberos principal which can be used to log in as the computer account. It should have the same capitalized realm portion (after the @ sign) as the domain.
How to test
- Join the domain specifying a user principal name
$ realm join --user=Administrator --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
- The user principal name you choose must not be the name of another user or computer in the domain.
- Use your domain admin password when prompted. Specify a user other than Administrator if you have another domain administrative account.
- On a successful join there will be no output.
- Check that the domain is now configured.
$ realm list
- Make sure the domain is listed.
- Make sure you have a configured: kerberos-member line in the output.
- Check that you have the upn entry in your hosts keytab.
$ sudo klist -k
- You should see a line with the user principal you specified, such as
- Check that you can use your keytab with the user principal
$ sudo kinit -k host/Test@AD.EXAMPLE.COM
- Make sure the name is capitalized exactly as specified above.
- There should be no output from this command.
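The checks in the steps above can be scripted. This is an added example, not part of the original test case or of realmd: the function names and the sample `realm list` and `klist -k` output are constructed, and the functions read captured output from stdin so the script runs without a domain.

```shell
#!/bin/sh
# Added example: offline checks mirroring the verification steps of this test.
# On a joined host, feed real output: realm list | realm_configured ad.example.com

# Realm part (after '@') must be the upper-cased domain name.
upn_realm_ok() {
    case $1 in *@*) ;; *) return 1 ;; esac
    [ "${1##*@}" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# stdin: `realm list` output. Succeeds if DOMAIN's block is a configured member.
realm_configured() {
    awk -v d="$1" '
        /^[^ \t]/ { cur = $1 }    # an unindented line starts a new realm block
        cur == d && $1 == "configured:" && $2 == "kerberos-member" { ok = 1 }
        END { exit !ok }'
}

# stdin: `klist -k` output. Exact, case-sensitive match on the principal column.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { ok = 1 } END { exit !ok }'
}

# verify_join UPN DOMAIN REALM_LIST_TEXT KLIST_TEXT: report every failed check.
verify_join() {
    rc=0
    upn_realm_ok "$1" "$2" || { echo "FAIL: realm of $1 is not upper-cased $2"; rc=1; }
    printf '%s\n' "$3" | realm_configured "$2" ||
        { echo "FAIL: $2 is not listed as configured: kerberos-member"; rc=1; }
    printf '%s\n' "$4" | keytab_has_principal "$1" ||
        { echo "FAIL: $1 not in keytab with this exact capitalization"; rc=1; }
    return "$rc"
}

# Constructed sample output (not captured from a real host).
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------
   2 host/Test@AD.EXAMPLE.COM
   2 host/server.ad.example.com@AD.EXAMPLE.COM'

verify_join host/Test@AD.EXAMPLE.COM ad.example.com \
    "$SAMPLE_REALM_LIST" "$SAMPLE_KLIST" && echo "all join checks passed"
```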
More: Automatically choose a user principal
If you specify --user-principal without an argument, a name is automatically generated in the form of
$ realm join --user=Administrator --user-principal= ad.example.com
The automatically generated name depends on your host name. If the current host name is server.example.com then the user principal chosen by the above command would be
You can see the generated name by using:
$ sudo klist -k
More: Use with adcli membership software
Test the above commands with both the samba and adcli tools for joining a domain.
$ realm join --membership-software=samba --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
$ realm join --membership-software=adcli --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
More: Preconfigure user principal
The user principal to use for a computer with a given domain can be configured in
[ad.example.com]
user-principal = yes
Make sure realmd is restarted:
$ sudo killall realmd
Now do the join without specifying a user principal.
$ realm join ad.example.com
Even though no user principal was specified, the above kinit command should work with the style of user principal as described above in the form of
Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.
$ realm join --verbose ad.example.com