Forum Discussion

ejc2_'s avatar
ejc2_
Copper Contributor
Jun 02, 2024

Problems to join Debian/Ubuntu machines to a domain

Is not posible to join Debian/Ubuntu machines to a domain based on Windows Server 2025 (using realm at least) this is the error:

 

! Couldn't set password for computer account: XXXX$: Message stream modified
adcli: joining domain xxxx.local failed: Couldn't set password for computer account: XXXX$: Message stream modified
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain

 

Domain is discoverable vía realm:

root@lnms01:/home/administrator# realm discover xxxx.local
xxxx.local
type: kerberos
realm-name: XXXX.LOCAL
domain-name: xxxx.local
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss

 

Tested on WS2025 build 26227 and Linux 6.1.0-21-amd64 x86_64, Linux 6.6.31+rpt-rpi-v8 aarch64 and Linux 6.8.0-31-generic x86_64.

 

Those 3 versions of Linux joined to another doman based con Windows Server 2022 without issues.

8 Replies

  • SebastianBanda's avatar
    SebastianBanda
    Copper Contributor

    Ran into this exact Message stream modified error on Ubuntu 24.04 and Windows Server 2025. I tried the Samba workaround (--client-software=samba), but it failed with realm: No such realm found due to Ubuntu's default DNS stub resolver.

    Here is how to fix it using the clean, native SSSD method instead:

    The Cause

    Windows Server 2025 blocks legacy, predictable computer passwords by default. When Ubuntu's adcli tries its standard handshake, the DC abruptly drops the connection.

     

    The Fix

    1. Delete the Broken AD Object: Open Active Directory Users and Computers on your DC and delete the orphaned Ubuntu computer object from the failed attempt, or the next join will fail.
    2. Disable the GPO Setting: On your DC, open Group Policy Management (gpmc.msc) and edit the Default Domain Controllers Policy.
    3. Navigate to: Computer Configuration ➔ Policies ➔ Windows Settings ➔ Security Settings ➔ Local Policies ➔ Security Options.
    4. Set Domain controller: Refuse setting default machine account password to Disabled.
    5. Run gpupdate /force in a command prompt on the DC.

     

    Now, just run your original native join command on Ubuntu.

  • Lutti1972's avatar
    Lutti1972
    Tin Contributor
    Hello,
    I also had the problem, my solution is to use the SAMBA client. :

    sudo hostnamectl set-hostname <hostname>
    sudo hostnamectl set-hostname <FQDN>

    sudo timedatectl set-timezone Europe/Berlin
    sudo apt install sssd-ad sssd-tools realmd adcli krb5-user samba-common-bin adsys oddjob oddjob-mkhomedir ca-certificates

    sudo realm -v discover <Domainname>
    realm join -v --membership-software=samba <Domainname>


    • DarienHawkins's avatar
      DarienHawkins
      Brass Contributor

      Joining a fully updated Ubuntu 24.04.1 system to an Active Directory with Server 2025 domain controllers at the Server 2025 forest/domain functions levels was not working.  That is until I came across your suggestion.  Thank you.  Using realm join -v --membership-software=samba <Domainname> did it!  

  • ejc2_ ZJonBelZ 

    • Open a terminal on your Debian/Ubuntu machine.
    • Run the following command, replacing ad.mycompany with your actual AD domain name and Administrator with a user account that has sufficient privileges to join workstations to the domain:

     sudo realm join ad.mycompany -U Administrator --verbose

     

    • You’ll be prompted to enter the password for the specified user (in this case, the AD Administrator account).
  • ZJonBelZ's avatar
    ZJonBelZ
    Copper Contributor

    ejc2_ 
    Hi, I just came across your post, did you find a solution?

    I am testing adding a Debian 12 machine as a computer to a Active Directory domain controller on Windows Server 2025 testing vm and am experiencing the same problem.

    I am trying to go through Group Policy Management Editor and change the default domain controllers policy in Computer Configuration > Policies > Windows Settings > Security Settings and find some settings that could be different by default between 2022 and 2025.

    If I find a solution I will update it here.

    • ejc2_'s avatar
      ejc2_
      Copper Contributor
      Hi ZJonBelZ, did you find any solution / workaround? I'm trying with v26296.5001 with no success.

      Thanks in advance.
    • desmond1337's avatar
      desmond1337
      Copper Contributor

      Hey,

       

      can confirm that SSSD is not able to join AD Server 2025 (with FL/DL 2025). I also tried alot in the Group Policy, but that wont work.

       

      i switched from SSSD back to Samba&Winbind. This works fine!

      (https://www.server-world.info/en/note?os=Debian_12&p=samba&f=4)

       

      Greetings