Join a Linux VM to a domain

This page shows you how to join a Linux VM, running supported Linux distributions, to a domain in Managed Service for Microsoft Active Directory using the System Security Services Daemon (SSSD).

Managed Microsoft AD interoperability works for many Linux distributions and other connectivity tools. Learn about these open source connectivity tools.

Before you begin

  • Create a Managed Microsoft AD domain.

  • Create a Linux VM. When you create the VM, make sure that you complete the following tasks:

    • On the Public images tab, select the appropriate distribution. For example, Ubuntu 16.04 LTS or Red Hat Enterprise Linux 8.
    • Select a Linux version that Managed Microsoft AD supports.
    • Create the VM in the project that hosts your Managed Microsoft AD domain. If your Managed Microsoft AD domain has a Shared VPC as an authorized network, you can also create the VM in any of the Shared VPC service projects.
    • Create the VM on a VPC network that you have peered with the Managed Microsoft AD domain.

  • Install realmd on the VM. Learn about realm.

    See Ubuntu and Red Hat documentation for instructions.

    The following are some sample commands:

    Ubuntu 16.04 LTS 

    apt-get update
apt-get install realmd sssd packagekit

    RHEL 8.2 (Ootpa) 

    sudo yum install realmd oddjob oddjob-mkhomedir
sssd adcli

Join a Linux VM to a domain

To join a Linux VM to a domain, you need the following information:

  • The domain name of your Managed Microsoft AD domain. For example, mydomain.example.com.

  • The username and password of an account that has permissions to join a VM to the domain. By default, members of the Cloud Service Domain Join Accounts group have these permissions. For more information about the default groups that Managed Microsoft AD creates, see Groups.

    • The username must be in the following format: USERNAME@DOMAIN_NAME. The domain name part of the username must be in uppercase. For example, user@MYDOMAIN.EXAMPLE.COM.

You can join the Linux VM to the Managed Microsoft AD domain using the realm join command. The following is a sample command:

realm join DOMAIN_NAME -U 'USERNAME@DOMAIN_NAME'

For verbose output, add the -v flag at the end of the command.

Specify account location with realm join

By default, the realm join command creates a machine account that is located at:

CN=ACCOUNT_NAME,OU=Computers,OU=Cloud,DC=MACHINE,DC=MID_LEVEL,DC=EXTENSION

To specify where to create the account, use the --computer-ou flag to provide the path for the realm join command. The following example shows how to specify the path:

--computer-ou="OU=CUSTOM_OU,DC=MACHINE,DC=MID_LEVEL,DC=EXTENSION"

The user must have the permissions that are required to create accounts in the specified OU.

Remove a Linux VM from a domain

To remove a Linux VM from a domain, you need the domain name of your Managed Microsoft AD domain and the username of your user account.

You can remove a Linux VM from the Managed Microsoft AD domain using the realm leave command. The following is a sample command:

realm leave DOMAIN_NAME -U 'USERNAME@DOMAIN_NAME'

What's next