Success: Debian 11 Bullseye Joining Domain (UCS 5.0-0 errata134)

Debian 11 Bullseye works and can join UCS 5.x domain as a client. Tested with net-install installation method and with both “gnome-core” (only) as well as default Gnome environment selections (including Debian desktop, GNOME, and standard system utilities). In both cases, auth-client-config will not be found as a package and will throw errors on the last script. This can be safely ignored if only one domain is used according to an earlier post.

Latest reference with source scripts needed is domain-5.0. Open that and find Section 1 first.

SEVEN scripts are provided in grey boxes in Sections 1.1 through 1.4.
NOTE: Each script begins with: # Become root
NOTE: Each script ends with: EOF on a line by itself

These scripts are great but unfortunately they will result in some prompts that can be confusing. If you don’t read and understand the scripts before using them, you might not know which password to enter at what prompt or why. So, notes for each script are included here to help with that. Modifying the scripts to provide HINTS (e.g. using ‘echo’) could alleviate confusion but that will have to wait for another day.

Copy and paste EVERY line from EACH of the grey boxes into separate scripts (e.g. paste into ‘gedit’ Gnome Editor and save as and in your Documents folder).

Modify scripts (mandatory) and (optional).
Script, change the IP address to your UCS Primary Directory Node (Domain Controller DC).


Replace (the script’s example IP) with your UCS PRIMARY DC’s IP

Ubuntu now has univention-domain-join from Univention’s PPA. In order to differentiate between Ubuntu (as ‘Ubuntu’) and Debian (as ‘Linux’) within UCS:
Script, change the line from:

ssh -n root@${ldap_master} udm computers/ubuntu create \

to be:

ssh -n root@${ldap_master} udm computers/linux create \

NOTE: You can safely ignore script It is not needed (by default). It will fail and return an error. This is discussed later in this post.

Make all scripts executable (with GUI checkbox in file properties using Nautilus/File Manager or ‘chmod u+x {filename}’ in terminal for all 7 scripts)

Now in order, run each script in terminal (except script If you run script it will simply output a harmless error.

Since each script begins by obtaining root, run scripts as user that has sudo privileges (member of sudoers). No need to use the ‘sudo’ in terminal, though. Just ‘./’ in terminal will suffice and it will prompt you to enter the account password.

  • - script gains sudo so enter [sudo] password for [your-sudo-enabled-user] and ‘yes’ to fingerprint; see key permanently added warning; SSH is silently attempted so when you see “Password:” prompt then enter root password for UCS Primary Directory Node/DC so SSH can happen

  • - enter ‘yes’ to continue past authenticity/key fingerprint prompt. SSH is silently attempted so when you see “Password:” prompt then enter root password for the UCS Primary Directory Node/DC so SSH can work.

  •,, and - no inputs needed

  • - when prompted, enter UCS domain Administrator password (named “Administrator” account by default) and same password (by default) as root on DC.

  • Reboot. Log in with domain account name and password by clicking “not shown?”.

About Script 06: It attempts to configure LightDM, formerly a default display manager in Ubuntu. LightDM is no longer used by default for Debian 11 or Ubuntu but is used by some derivatives. As written, this script fails because the CONF file cannot be written to a non-existent directory. Even if it were, this would have no effect unless LightDM were installed and active (e.g. sudo apt install lightdm && dpkg-reconfigure lightdm).

Today, instead of lightDM, Gnome/Ubuntu/Debian default to GDM3. This greeter/display manager is good for displaying UCS domain accounts and local accounts without including non-users and reserved IDs. It behaves as expected. If you switch to a different display manager (e.g. to SDDM for KDE) or another you will find they behave less predictably than GDM3. Themes also can affect this.

Other references/thanks for earlier posts:
how to integrate debian client into ldap base

1 Like