Bug 27369 - Add realmd and adcli tools from RHEL8/CentOS8 to join Active Directory Domains, NEW PACKAGE REQUEST
Summary: Add realmd and adcli tools from RHEL8/CentOS8 to join Active Directory Domain...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: New RPM package request (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: Mageia 8
Assignee: All Packagers
QA Contact:
Depends on:
Reported: 2020-10-07 02:09 CEST by Ezequiel Partida
Modified: 2022-02-25 18:45 CET (History)
3 users (show)

See Also:
Source RPM:
Status comment:


Description Ezequiel Partida 2020-10-07 02:09:39 CEST

I am trying to join my mageia laptop to my Windows Active Directory and if possible to Azure AD.\

Checking on this webpage; https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-rhel-linux-vm

The problem is that the required packages cannot be found on Mageia.... like realmd it's only available on MGA5.

Packages like realmd sssd oddjob oddjob-mkhomedir are not available.

Are they included in other packages?.

I need to use "realm join --verbose AADDSCONTOSO.COM -U 'contosoadmin@AADDSCONTOSO.COM'" to join..

Please advice.
Ezequiel Partida
Comment 1 Dave Hodgins 2020-10-07 03:43:34 CEST
$ urpmq -y sssd

I have no experience with active directory. From it's description, sssd-ad may be what is needed.

CC: (none) => davidwhodgins

Comment 2 Aurelien Oudelet 2020-10-07 20:37:40 CEST
All online tutorials I saw today refers to a "realmd" binaries.
On some RHEL8 / CentOS8 tutos, an install command:

# dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation authselect-compat

Some above packages are no equivalent on Mageia.

Assigning this as RPM package request.

Assigning this package request to all packagers collectively. On a voluntary basis, one of them might, if there are no license or other legal issues, want to integrate it to the distribution and maintain it for bug and security fixes.

You might also want to join the packager team to maintain this piece of software: see https://wiki.mageia.org/en/Becoming_a_Mageia_Packager

Target Milestone: --- => Mageia 8
Summary: How to join mageia to Active Directory => Add realmd and adcli tools from RHEL8/CentOS8 to join Active Directory Domains, NEW PACKAGE REQUEST
Component: RPM Packages => New RPM package request

Aurelien Oudelet 2020-10-07 20:46:49 CEST

Assignee: bugsquad => pkg-bugs
CC: (none) => ouaurelien

Comment 3 David Walser 2020-10-13 21:43:50 CEST
We do have sssd.  adcli is pretty handy and would be nice to have.  The current sssd version actually expects that you have it, and uses it to rotate the machine account password periodically.  The net command (from Samba) for joining doesn't work reliably with newer Windows versions.

The oddjob stuff isn't needed, as we have pam_mkhomedir in the pam package, and that can be used.

The realmd package isn't as useful as documentation makes it sound.  It does multiple things incompletely and incorrectly by default, so you end up having to fix the configuration manually anyway, it doesn't save much effort over just reading documentation and doing the configuration manually.  I wouldn't be in favor of bringing this package back, at least without fixing those things.

A better idea would be integrating Active Directory support into drakauth.
David Walser 2020-10-15 00:35:44 CEST

CC: (none) => luigiwalser

Comment 4 Ezequiel Partida 2021-07-15 00:07:12 CEST
Hello everyone,

Did someone took this?.

I just setup my first server in Mageia and would not like to install ubuntu o fedora... I did try Rocky Linux but for my surprise it did not detected my SAS 5 Raid...

Mageia 8 on the otherhand works great...

I used the draktools to share my server folders but it seems I am not doing thing right since I cannot see them from Windows, but I can read windows shared folders from other servers by typing ¨domain\username¨.

I setup samba as a standalone, I wonder if it should be PDC.

Are there any documentation on this or on the Mandriva Docs?.. I could not find anything.

Comment 5 Ezequiel Partida 2022-02-24 04:23:05 CET
This is a nice video on this.

So sad that no packages are available for mageia on this. Unfortunately I don´t know hot to pack.

Comment 6 David Walser 2022-02-25 18:45:54 CET
You should file a separate bug if drakshare isn't working.  Standalone and PDC don't sound right, but there are different ways of doing shares (security = share, old, deprecated, and less secure, and security = user, which is more complicated), and then there's the fact that newer Windows have SMBv1 disabled by default so you have to be using SMBv3.

Like I said in Comment 3, ignore any articles or videos that tell you to use the realm command.  Even when it's available, I don't recommend it unless you know what you're doing.  It completely neglects to save the Samba configuration and it gets things wrong in the sssd configuration that you have to fix manually anyway.  Oddjob-mkhomedir is needed if SELinux is in use and /home is a local filesystem, as pam_mkhomedir doesn't set SELinux contexts for newly created home directories correctly, but Mageia doesn't support SELinux anyway.

Here's some of my notes from Mageia 5, using example.com as the domain (you'll have to change this to whatever your LAN domain is) and $admin as your AD admin account.  These are snippets of the key parts of the configurations.

urpmi krb5-workstation sssd samba-common

search example.com
nameserver <AD DC IP>

 default_realm = EXAMPLE.COM
 kdc_timesync = 0
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 udp_preference_limit = 0
 rdns = false

   workgroup = EXAMPLE
   realm     = EXAMPLE.COM
   kerberos method = secrets and keytab
   security = ads

/etc/pam.d/system-auth (each line follows the pam_unix/tcb one):
auth        sufficient    pam_sss.so forward_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so

I also had to end the account section with:
account     required      pam_permit.so

and start the session section with:
session     required      pam_mkhomedir.so umask=0026 skel=/etc/skel/ silent

passwd:         files sss
shadow:         files sss
group:          files sss

domains = example.com
config_file_version = 2
services = nss,pam
cache_credentials = true
id_provider = ad
access_provider = ad
min_id = 1000
ldap_id_mapping = true
krb5_store_password_if_offline = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash
ad_gpo_ignore_unreadable = true

Joining domain:
# kinit $admin
# net ads join -k
## OR if you have adcli built and installed locally
# adcli join -U $admin -C --add-samba-data example.com
# systemctl restart sssd

Note You need to log in before you can comment on or make changes to this bug.