.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Integrating Linux machines in the Samba-AD domain
  :keywords: joining Linux boxes, Samba-AD, documentation

.. _client_join_clients_linux:

#################################################
Integrating Linux machines in the Samba-AD domain
#################################################

**************************************
Redhat8 servers without graphics layer
**************************************

* Install the necessary packages for Redhat:

.. code-block:: bash

  yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools

* Install the **NTP** packages and point NTP to a domain controller:

.. code-block:: bash

  yum install ntpdate ntpd
  ntpdate -bu srvads1.mydomain.lan

*********************************************
Debian / Ubuntu servers without graphic layer
*********************************************

.. note::

  We assume that the machine will have been installed by following this :ref:`procedure for Debian `:

.. code-block:: bash

  apt-get install realmd sssd oddjob oddjob-mkhomedir adcli samba-common packagekit sssd-tools

* Install the :program:`NTP` packages and point NTP to a domain controller:

.. code-block:: bash

  apt-get install ntpdate ntpd
  ntpdate -bu srvads1.mydomain.lan

***************************************
Joining the Linux machine to the domain
***************************************

.. code-block:: bash

  realm join --user=administrator ad.mydomain.lan

* Edit :file:`/etc/sssd/sssd.conf`:

.. code-block:: ini

  [sssd]
  domains = mydomain.lan
  config_file_version = 2
  services = nss, pam

  [domain/mydomain.lan]
  enumerate = true
  ad_domain = mydomain.lan
  krb5_realm = MYDOMAIN.LAN
  realmd_tags = manages-system joined-with-samba
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  ldap_id_mapping = True
  use_fully_qualified_names = False
  fallback_homedir = /home/%u@%d
  access_provider = ad
  auth_provider = ad
  override_shell = /bin/bash
  override_homedir = /home/homes/%u
  ad_gpo_access_control = disabled

* If you use RFC2307, set the following in the **[domain]** section:

.. code-block:: ini

  ldap_id_mapping = False

* If you use :abbr:`RID (Relative IDentifier)`, set the following in the **[domain]** section:

.. code-block:: ini

  ldap_id_mapping = True
  ldap_idmap_autorid_compat = true
  ldap_idmap_range_min = 10000

* Finally, force the removal of the existing mapping:

.. code-block:: bash

  rm -f /var/lib/sss/db/cache_mydomain.lan.ldb
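
The following linter is an added example, not part of the original procedure or of SSSD itself. It checks an :file:`/etc/sssd/sssd.conf` like the one edited above for duplicated keys, domains listed in ``[sssd]`` without a matching section, RID range options left in place under ``ldap_id_mapping = False``, and ``access_provider = ad`` with GPO checks disabled and no ``ad_access_filter``. The function names, the sample input and the ``other.lan`` domain are assumptions made for the example.

```python
import re

# Constructed sample: a duplicated key and mixed ID-mapping options, on purpose.
SAMPLE = """\
[sssd]
domains = mydomain.lan, other.lan
[domain/mydomain.lan]
enumerate = true
access_provider = ad
ldap_id_mapping = False
ldap_idmap_range_min = 10000
ad_gpo_access_control = disabled
enumerate = true
"""

def parse(text):
    """Return ({section: {key: value}}, [(section, duplicated_key), ...])."""
    sections, dups, name = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            sections.setdefault(name, {})
        elif "=" in line and name is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in sections[name]:
                dups.append((name, key))
            sections[name][key] = value
    return sections, dups

def lint(text):
    """Return a list of human-readable findings for an sssd.conf body."""
    sections, dups = parse(text)
    findings = [f"[{s}] duplicate key: {k}" for s, k in dups]
    domains = sections.get("sssd", {}).get("domains", "")
    for dom in filter(None, re.split(r"[,\s]+", domains)):
        opts = sections.get(f"domain/{dom}")
        if opts is None:
            findings.append(f"[sssd] lists {dom} but [domain/{dom}] is missing")
            continue
        idmap = sorted(k for k in opts if k.startswith("ldap_idmap_"))
        if opts.get("ldap_id_mapping", "").lower() == "false" and idmap:
            findings.append(f"[domain/{dom}] ldap_id_mapping = False but {idmap[0]} is set")
        if (opts.get("access_provider") == "ad" and "ad_access_filter" not in opts
                and opts.get("ad_gpo_access_control", "").lower() == "disabled"):
            findings.append(f"[domain/{dom}] no GPO check and no ad_access_filter")
    return findings
```

Run ``lint(open("/etc/sssd/sssd.conf").read())`` as root after editing the file; an empty list means none of these four conditions was found.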