Set the system hostname as the server's FQDN
hostnamectl set-hostname [server-hostname].example.com2. Ensure that DNS is pointing to your DCs to properly resolve your AD domain
cat /etc/resolv.conf3. Stop resolved so that the server will talk to the DNS servers directly without attempting to resolve locally.
systemctl disable systemd-resolved
systemctl stop systemd-resolved4. Install the required packages.
apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit5. Discover the Active Directory domain.
realm discover ad.example.com6. Join the AD domain.
realm join -U ross ad.example.com7. Enable the creation of home user's directories.
bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF8. Activate the latter config.
pam-auth-updateA prompt will appear, ensure that ‘active mkhomedir’ is selected then select ‘ok’
9. Modify /etc/sssd/sssd.conf to disable FQDNs during login and enable group creation for users.
sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/' /etc/sssd/sssd.conf
echo "auto_private_groups = true" >> /etc/sssd/sssd.conf10. Restart SSSD after making the latter changes.
systemctl restart sssd.service11. Permit only the desired group(s). This will modify the sssd.conf file, make sure to restart sssd.service
realm permit -g <AD-Group>12. To allow users to use sudo, first create the sudo permissions grants file.
vim /etc/sudoers.d/domain_admins13. Add a new line to the file to allow group desired group(s).
%<AD-Group> ALL=(ALL:ALL) ALL1. Remove the from AD
realm leave --remove2. Change the system's hostname
3. Add back to AD
realm join <domain>Make sure to update DNS and local hosts file where applicable.