Join Nethserver AD and log in on Linux desktop machines (Tuto)

Ubuntu 19.04 (GNOME) client: joining the Nethserver AD
PS: on your Linux desktop client machines, set the DNS server to the Nethserver AD container IP (192.168.7.40) and the second DNS (, then edit the file resolv.conf. From a terminal, type:

nano /etc/resolv.conf


Save this file and reboot your client PC…

Ubuntu client: (ver 18.04 / 18.10 / 19.04)

Open terminal,

Install Required Packages

sudo apt update
sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

Kerberos Authentication


Change adapter to enter virtual environment (No internet access from here).

sudo realm join -U administrator -v (respect all the spaces as I did, otherwise the join will fail)

Setting up realmd: (to discover and join a Windows domain)

sudo vi /etc/realmd.conf


default-home = /home/%D/%U

default-shell = /bin/bash


default-client = sssd

os-name = Ubuntu Desktop Linux

os-version = 18.10

[service]

automatic-install = no


fully-qualified-names = no

automatic-id-mapping = yes

user-principal = yes

manage-system = no

Join the Ubuntu machine to the AD domain: (Kerberos)

sudo kinit
------------------------------------------------------------in case--------------------------------------------------------------------

Error: Cannot contact any KDC for realm while getting initial credentials

I’ve been testing FreeIPA on a small network of CentOS 7 hosts (all virtual machines running in VirtualBox on a host-only network). After installing the IPA server on one host and creating the realm (, I installed the IPA client on one of the other hosts and tried running kinit :

# kinit admin
kinit: Cannot contact any KDC for realm '' while getting initial credentials

Searching for that error brought me to Kinit won’t connect to a domain server. Although that did not describe the same issue, it did point me to the /etc/krb5.conf file. The realms section looked like it was missing something:

pkinit_anchors = FILE:/etc/ipa/ca.crt

I added a kdc attribute:

kdc =
pkinit_anchors = FILE:/etc/ipa/ca.crt

No restart of any service was necessary. I ran kinit again and it worked:

# kinit admin
Password for admin@AD.XYZ.LOCAL:

According to the krb5.conf documentation on realms:

The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included.

I’m a Kerberos novice, but that seems like a necessary property. I’m not sure why the IPA client setup did not include it. I have a few more virtual machines to install the client on, so I’ll soon find if that behavior is consistent on subsequent installations.

Password for
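
The missing kdc entry described in the troubleshooting note above can be checked for before running kinit. The following is an added example, not code from this tutorial or from the quoted post: a shell function that reports, for each realm in a krb5.conf, whether a KDC is listed explicitly, is left to DNS SRV discovery, or has no source at all. The sample file and the EXAMPLE.TEST realm and host names are constructed, and the parser assumes one tag per line.

```shell
#!/bin/sh
# Added example: classify where each realm in a krb5.conf gets its KDC from.
# Assumes one tag per line, with "REALM = {" and "}" on their own lines.
kdc_sources() {
    # $1 = path to a krb5.conf-style file (stdin if omitted)
    awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { sec = $0; gsub(/[^a-z]/, "", sec); depth = 0; next }
        # common "false" spellings; DNS SRV lookup is on unless disabled here
        sec == "libdefaults" && tolower($0) ~ /^[ \t]*dns_lookup_kdc[ \t]*=[ \t]*(false|no|off|0)/ { nodns = 1 }
        sec != "realms" { next }
        depth == 0 && /=[ \t]*\{/ {                  # opening line of a realm
            realm = $0; sub(/^[ \t]*/, "", realm); sub(/[ \t]*=.*/, "", realm)
            order[++n] = realm; kdc[realm] = 0; depth = 1; next
        }
        # "kdc =" with an empty value does not count as an entry
        depth == 1 && /^[ \t]*kdc[ \t]*=[ \t]*[^ \t]/ { kdc[realm] = 1 }
        depth > 0 && /\{/ { depth++ }                # nested blocks
        depth > 0 && /\}/ { depth-- }
        END {
            for (i = 1; i <= n; i++) {
                r = order[i]
                print r, (kdc[r] ? "explicit" : (nodns ? "none" : "dns-only"))
            }
        }
    ' ${1:+"$1"}
}

sample_conf() {   # constructed sample, not taken from a real host
    cat <<'EOF'
[libdefaults]
  default_realm = AD.XYZ.LOCAL
  dns_lookup_kdc = true
[realms]
  AD.XYZ.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  FIXED.EXAMPLE.TEST = {
    kdc = dc1.example.test:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  EMPTY.EXAMPLE.TEST = {
    kdc =
  }
EOF
}

sample_conf | kdc_sources
```

A realm reported as dns-only works only while the client's resolver points at the DNS server that publishes the _kerberos._udp / _kerberos._tcp SRV records for that realm, which is why the DNS step at the top of this guide matters; a realm reported as none cannot reach a KDC at all.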

Setup homedir auto-creation for new users:

sudo vi /etc/pam.d/common-session

session required

session optional

session optional

session optional

session required skel=/etc/skel/ umask=0077

Final check: restart the machine and try to log in at the Ubuntu graphical login with a domain user and password, e.g. xyz\user (example: HOME\sarah) and sarah's password, as on Windows.

video inspired

extra step (not tested yet)

accessing windows file shares using samba

sudo apt-get install samba

sudo apt-get install winbind

map remote share

smb:// ad ip container)/share1/


smb:// HomeDir$
To test roaming user files and folder creation
Test 1

Test 2



override_homedir = /var/lib/nethserver/home/%f

I’ve changed %f to %u because %f is expanded as user@domain while %u is expanded as user without @domain

override_homedir = /var/lib/nethserver/home/%u

Then I created a new user in RSAT/ADUC, then I logged in with that new user in Windows 7.

All seems to work correctly!