How do I join an Ubuntu machine to Active Directory?

Install realmd and sssd packages, then run: sudo realm join domain.com -U administrator. This configures PAM, NSS, and Kerberos automatically for domain authentication.

Can Ubuntu users log in with AD credentials after joining?

Yes, once joined, users can log in with domain\username or username@domain.com format. Configure /etc/sssd/sssd.conf for format preferences and home directory creation.

How to add an Ubuntu computer to an Active Directory Domain (.local included)

TL;DR — Quick Summary

The definitive guide to joining an Ubuntu machine to a Windows Active Directory domain using realmd and sssd (plus legacy Likewise Open notes).

Note: This article was originally published in 2013. Some steps, commands, or software versions may have changed. Check the current Ubuntu documentation for the latest information.

Prerequisites

Before you begin, make sure you have:

A system running Ubuntu (desktop or server edition)
Terminal access with sudo privileges
Basic familiarity with Linux command line

How to add your Ubuntu computer to your Active Directory Domain (The Modern Way)

There are a number of options to get Active Directory (AD) integration with your Ubuntu systems. While older distributions relied on packages like winbind or Likewise Open, the modern, officially supported standard in Ubuntu (20.04, 22.04, and 24.04) relies on realmd and sssd.

This guide covers how to set up DNS resolution correctly and integrate your Linux machine directly into a Windows network, even if your domain ends in a .local syntax.

Step 1: DNS Configuration

Before you join a domain, you need to ensure your Ubuntu machine can actually resolve the domain controller’s hostnames. In an AD environment, the domain controller must act as your primary DNS server.

Ensure your network interface is pointing to the Windows Server IP for DNS.
If your AD domain ends in .local (e.g., company.local), Avahi’s mDNS implementation on Ubuntu might intercept the resolution and fail.
Edit the systemd-resolved configuration to ensure proper resolution:
```
sudo nano /etc/systemd/resolved.conf
```
Add your AD Domain and DNS server IP under the [Resolve] section:
```
[Resolve]
DNS=192.168.1.10
Domains=company.local
```
Restart the resolver:
```
sudo systemctl restart systemd-resolved
```

Step 2: Install required packages

Install the realmd toolset, along with sssd (System Security Services Daemon) which will handle the actual authentication.

sudo apt update
sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin

Step 3: Discover the Domain

Use the realm discover command to verify that your Ubuntu machine can see the Active Directory domain controllers.

realm discover company.local

If your DNS is configured correctly, it will output the domain details, the domain controllers it found, and confirm that it is ready to use sssd.

Step 4: Join the Domain

To execute the domain join, you must use an Active Directory user account that has permission to bind computers to the domain (usually a Domain Admin).

sudo realm join -U Administrator company.local

You will be prompted for the Administrator’s password. If no errors are returned, the computer has successfully joined the Active Directory. You can verify it by checking the status:

realm list

Step 5: Configure Automatic Home Directories

By default, when an AD user logs into the Ubuntu machine for the first time, their home directory will not exist. You can configure PAM to automatically create it.

Enable the feature using pam-auth-update:

sudo pam-auth-update --enable mkhomedir

You can now authenticate to your Ubuntu machine using any valid AD user credential!

Legacy Method: Joining via Likewise Open

Note: The likewise-open and pbis-open packages have been deprecated for several years and are no longer available in modern Ubuntu repositories. The documentation below is retained exclusively for historical systems (Ubuntu 10.04 - 14.04).

Likewise Open was a popular GUI and CLI tool based on winbind that simplified AD integration.

Installation & Joining

To install the package, open a terminal prompt and enter:

sudo apt-get install likewise-open

The main executable was /usr/bin/domainjoin-cli. To join a domain:

sudo domainjoin-cli join example.com Administrator

You would replace example.com with your domain and be prompted for the password.

Configuring default domains

To avoid having to type DOMAIN\username every time you logged via SSH, you could edit /etc/samba/lwiauthd.conf:

winbind use default domain = yes

Then restart the likewise-open daemons:

sudo /etc/init.d/likewise-open restart

Leaving the domain

The domainjoin-cli utility could also be used to unbind the machine:

sudo domainjoin-cli leave