
How Do I Remove A Linux VM From A Domain?

Published Aug 29, 2025

To remove a Linux VM from a domain, you will typically use the realm leave command, which manages the local machine's enrollment in a directory service. This process removes the local domain configuration from the System Security Services Daemon (SSSD), which handles authentication with the domain.

Prerequisites

Before beginning the process, ensure you have the following:

  • Root or sudo access on the Linux VM.
  • A domain administrator account and password to authorize the removal.
  • The fully qualified domain name (FQDN) of the domain you are leaving.
  • A local account with administrator privileges to log in to the VM after it is removed from the domain.

Method 1: Using the realm command

The most common and recommended method for modern Linux distributions that use realmd to join domains is to use the realm leave command.

  1. Open a terminal on your Linux VM and switch to the root user or use sudo.

  2. Run the realm leave command. Execute the command with your domain's FQDN.

    sudo realm leave your.domain.com

  3. Provide administrator credentials. You will be prompted to enter the password for a domain administrator account. This authenticates the request with the Active Directory server.

  4. Confirm the result. The command will return a confirmation message indicating that the computer has successfully left the domain.

  5. Restart the machine. For the changes to take full effect, reboot the VM.

    sudo reboot

  6. Log in locally. After the reboot, use the local administrator account to log in to the VM. Your domain credentials will no longer be valid for login.

To remove the computer account from Active Directory

When you use realm leave, the computer's record is typically not deleted from Active Directory; only the local configuration is removed. To remove the computer object from Active Directory as part of the same command, use the --remove option.

  1. Execute the command with the --remove option. This is a powerful command that permanently deletes the computer object from Active Directory.

    sudo realm leave --remove your.domain.com

  2. Specify a domain user. If a different user account was used to join the domain, or you need to specify a different administrator, use the -U option.

    sudo realm leave --remove your.domain.com -U 'AD.EXAMPLE.COM\adminuser'

Method 2: Forcibly removing the configuration (Offline or troubleshooting)

If your VM has lost network connectivity to the domain controller, or you need to remove it without communicating with the domain, you can manually force the removal. This is an "offline" method.

  1. Disable the network interface. To ensure no communication with the domain controller occurs, you may want to temporarily disable the network interface.

    sudo ip link set dev eth0 down

    (Replace eth0 with your network interface name).

  2. Manually stop and disable services. Stop the SSSD and realmd services to prevent them from attempting to connect to the domain.

    sudo systemctl stop sssd realmd
    sudo systemctl disable sssd realmd

  3. Clean the SSSD configuration. SSSD is the service responsible for integrating with the domain. You will need to clean its configuration files.

    • Delete the SSSD cache:

      sudo rm -rf /var/lib/sss/db/*

    • Edit the SSSD configuration file (/etc/sssd/sssd.conf) and remove all sections related to the domain. An example of a clean configuration would look like:

      [sssd]
      config_file_version = 2
      services = nss, pam
      domains =

      [nss]
      homedir_substring = /home

      [pam]

  4. Update the Name Service Switch (NSS) configuration. Edit the file /etc/nsswitch.conf and remove the sss entries from every line that carries one (passwd and group are shown below; shadow, sudoers, netgroup and other databases may list sss as well).

    • Before: passwd: files sss
      After:  passwd: files
    • Before: group: files sss
      After:  group: files

  5. Remove the domain-specific Kerberos files. Delete any Kerberos configuration that might be present. The host keytab, /etc/krb5.keytab, holds the computer account's Kerberos keys and should be deleted as well.

    sudo rm -f /etc/krb5.conf

  6. Restart the machine. This ensures a clean slate and that no domain-related processes are running.

    sudo reboot

  7. Reconnect to the network. Log in locally and re-enable the network interface.

    sudo ip link set dev eth0 up

Method 3: Using legacy tools (For older or specific setups)

Some older Linux setups, or those that use tools other than realmd, require different commands; for example, systems joined with Samba and winbind.

  1. Open a terminal and switch to the root user.

  2. Run the net ads leave command.

    sudo net ads leave -U <domain_admin_user>

  3. Provide the password when prompted.

  4. Confirm the result. The command will indicate whether the machine was successfully removed.

  5. Stop and disable winbind.

    # The Samba service unit is named smb on Red Hat/CentOS and smbd on Debian/Ubuntu
    sudo systemctl stop smb winbind
    sudo systemctl disable smb winbind

  6. Remove the samba packages, if desired.

    # On Debian/Ubuntu
    sudo apt purge samba winbind
    # On Red Hat/CentOS (the winbind package is named samba-winbind)
    sudo yum remove samba samba-winbind

  7. Update the NSS configuration as described in Method 2 to remove winbind entries.
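Editing nsswitch.conf by hand is easy to get wrong when several databases list sss. The following script is an added example, not the article's own commands: it removes the sss and winbind sources (Method 2 step 4 and Method 3 step 7) from every database line while keeping the other sources and any [ACTION] marker attached to them, and prints the result so it can be reviewed before replacing the real file. The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): strip the "sss" and "winbind" sources
# from every database line of an nsswitch.conf-style file, keeping all other
# sources and any [ACTION] attached to them. The result goes to stdout so it
# can be reviewed before it replaces /etc/nsswitch.conf.

scrub_nsswitch() {
    awk '
    /^[ \t]*#/ || NF == 0 { print; next }          # comments and blank lines
    {
        out = $1; removed = 0; kept = 0; skip = 0  # $1 is the database, e.g. "passwd:"
        for (i = 2; i <= NF; i++) {
            if ($i == "sss" || $i == "winbind") { removed = 1; skip = 1; continue }
            # an [ACTION] token right after a removed source belongs to it: drop it too
            if (skip && $i ~ /^\[.*\]$/) continue
            skip = 0; kept++
            out = out " " $i
        }
        if (removed && kept == 0)
            print "# " $0 "  (no sources left after domain leave)"
        else
            print out
    }' "$1"
}

# Constructed sample standing in for the nsswitch.conf of a joined host.
write_sample() {
    printf '%s\n' \
        '# /etc/nsswitch.conf (constructed sample)' \
        'passwd:     files sss systemd' \
        'group:      files [SUCCESS=merge] sss' \
        'shadow:     files sss [NOTFOUND=return]' \
        'hosts:      files dns' \
        'sudoers:    files sss' \
        'netgroup:   sss' \
        'automount:  files winbind' > "$1"
}

# Demo run: print the scrubbed file. On a real host, diff the output against
# the original and copy it into place only once it looks right.
sample=$(mktemp)
write_sample "$sample"
scrub_nsswitch "$sample"
rm -f "$sample"
```

A database left with no sources is commented out rather than emitted empty, so the change is visible in the diff and glibc falls back to its built-in default for it.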

Post-removal cleanup

After successfully removing the VM from the domain, perform these final steps.

  1. Clean up the domain controller. If you did not use the --remove option, an Active Directory administrator must manually delete the VM's computer object from the Active Directory Users and Computers (ADUC) console. This is a crucial step to avoid stale records in the directory.

  2. Delete local domain user profiles. Any domain users who previously logged into the VM will have a local profile. You can delete these user accounts and home directories to free up disk space, for example on Debian-based systems:

    sudo deluser --remove-home <domain_user>

    Once the VM has left the domain these users no longer resolve, so if the tool cannot find the account, remove the home directory itself (with realmd's defaults it sits under /home as user@domain).

  3. Verify local authentication. Test that you can log in and out using a local account to ensure local authentication is functioning correctly.
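Before treating the VM as a standalone host, it is worth checking that nothing domain-related is left behind. The script below is an added example, not part of the article: it reports the usual leftovers after Method 2 or Method 3 (the host keytab, a domain still named in sssd.conf, sss or winbind in nsswitch.conf, the SSSD cache, and user@domain home directories in realmd's default layout) without deleting anything. The ROOT argument, which lets the checks run over a mounted copy of the filesystem, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): report artefacts that a domain leave
# commonly leaves behind so they can be removed deliberately. Nothing is
# deleted. ROOT (default /) lets the same checks run over a mounted copy of
# the VM's filesystem; the function and argument names are this example's own.

domain_leftovers() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", so "$root/etc" is simply "/etc"

    # Host keytab written at join time: it holds the computer account's keys.
    [ -f "$root/etc/krb5.keytab" ] &&
        echo "keytab: $root/etc/krb5.keytab still present (computer account keys)"

    # sssd.conf still naming a domain ([domain/...] section or a domains = value)
    if [ -f "$root/etc/sssd/sssd.conf" ] &&
       grep -Eq '^\[domain/|^domains[[:space:]]*=[[:space:]]*[^[:space:]]' \
            "$root/etc/sssd/sssd.conf" 2>/dev/null; then
        echo "sssd: $root/etc/sssd/sssd.conf still references a domain"
    fi

    # nsswitch.conf still routing lookups through sss or winbind
    if [ -f "$root/etc/nsswitch.conf" ] &&
       grep -Eq '^[^#]*[[:space:]](sss|winbind)([[:space:]]|$)' \
            "$root/etc/nsswitch.conf" 2>/dev/null; then
        echo "nss: $root/etc/nsswitch.conf still lists sss or winbind"
    fi

    # SSSD cache: identities and, where enabled, cached credentials of domain users
    for f in "$root"/var/lib/sss/db/* "$root"/var/lib/sss/mc/*; do
        [ -e "$f" ] && echo "cache: $f"
    done

    # Home directories in realmd's default user@domain layout
    for d in "$root"/home/*@*; do
        [ -d "$d" ] && echo "home: $d (domain user profile)"
    done
    return 0
}

# Number of findings, for use in scripts: 0 means the host looks clean.
leftover_count() { domain_leftovers "$1" | awk 'END { print NR }'; }

# Run against the live system, or against a mounted tree given as argument.
domain_leftovers "${1:-/}"
```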
