SQL Server on Linux: ADAuth issues 1: Issues with joining a VM to a domain
AD authentication is a popular mechanism for login and user authentication. It works very well in many scenarios, especially for enterprise applications. AD authentication is a supported scenario on SQL Server on Linux. Configuring the Linux VM to join with Active Directory (AD) can be a little tricky at sometimes though, especially in a complex enterprise environment.
- One error message you may see from “realm join” is “realm: Couldn’t join realm: This computer’s host name is not set correctly.” This is due to a generic hostname (e.g. “localhost”), an incorrect domain in your hostname (e.g. “host1.abcd.com” instead of “host1.contoso.com”), or a duplicate hostname on the domain. To fix this, edit /etc/hostname to have a unique hostname and reboot the machine. On Ubuntu, it can also be helpful to put the fully qualified domain name in /etc/hostname (e.g. “host1.contoso.com” instead of “host1”).
- Another possibility is that if the DNS is configured incorrectly, the host may be unable to resolve the domain. This will result in the message “realm: No such realm found” being returned from “realm join” command. To fix this, you need to use a DNS server on the realm you wish to join (can be on the same machine as the domain controller). The steps to fix this are described here: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-2017#join
Use nano editor (or your favorite editor) to edit the interfaces configuration. (You may need sudo privilege to edit the configuration.)
- Add the lines below:
dns-nameservers **<AD domain controller IP address>**
dns-search **<AD domain name>**
- Save and close the interfaces configuration file. Then restart the network service by issuing following command.
$sudo ifdown eth0 && ifup eth0
Note: The network interface (eth0) might differ for different machines. To find out which one you are using, run ifconfig and copy the interface that has an IP address and transmitted and received bytes.
- Use nano editor (or your favorite editor) to edit the eth0 (or a more appropriate) interface configuration file.
- Add the lines below:
DNS1=**<AD domain controller IP address>**
- Save and exit the file. Restart the network service to apply the network configuration change.
$systemctl restart network
- The realm join may also fail saying there are required packages which are missing from your system. To fix this problem, simply install the packages and try to join again.
- The message “Insufficient permissions to join the domain” means you need to use a different user when joining the domain. Not all users can add machines to a domain, so you must use a user with these permissions.
- use ‘-v’ on realm commands to get more logging on what is failing
- You can test if your machine can contact the domain with command “realm discover **contoso.com** ”
Dylan Gray | Senior Software Engineer
Tejas Shah | Senior Program Manager