Active Directory - how to safely remove it?

I don’t use a splash screen and while removing the last issues after an upgrade to 24.04.3, I came across the following orange messages in an otherwise “green” boot process:

[Depend] Dependency failed for sssd-nss.socket - SSSD NSS Service responder socket.
[Depend] Dependency failed for sssd-autofs.socket - SSSD AutoFS Service responder socket.
[Depend] Dependency failed for sssd-pac.socket - SSSD PAC Service responder socket.
[Depend] Dependency failed for sssd-pam-priv.socket - SSSD PAM Service responder private socket.
[Depend] Dependency failed for sssd-pam.socket - SSSD PAM Service responder socket.
[Depend] Dependency failed for sssd-ssh.socket - SSSD SSH Service responder socket.
[Depend] Dependency failed for sssd-sudo.socket - SSSD SUDO Service responder socket.

A fix for this can be found here and here. It works and removes these messages.

But as I found out during my search, this sssd is needed for Microsoft Active Directory. It is only necessary for operating the PC inside a corporate MS environment or remotely logging on to one. For home use (e.g. accessing shared folders or OneDrive), it is NOT needed. Furthermore, it is a network service, allowing for remote administration, etc.

Since I have no use for this, I feel it should go. (What isn’t there, can’t be hacked and can not produce instabilities, e.g. after a bad update.)

So is there a safe way to uninstall it? I found no procedure for that and I don’t want to break what is now a flawlessly running OS…

1 Like

Yes, you can either disable it or uninstall it safely.

If you uninstall it, it will also take care of the conforming systemd entries.
Using autoremove after the uninstall will get rid of its dependencies.

This is the incantation for uninstalling and autoremoving in one command:

sudo apt purge sssd && sudo apt autoremove

But if you don't want to remove it but only want to disable it, use this:

sudo systemctl mask sssd.service

Either of those options will get rid of the error messages :slight_smile:

4 Likes

Thank you, @tkn!

I chose variant 2 and masked SSSD for now. So it is there but inaccessible and it simply needs to be unmasked if it is ever needed.

There is another component which is only necessary for Active Directory and LDAP: realmd. Should it be treated in the same way?

Yes, it is started by systemd, so masking it will work :slight_smile:

2 Likes
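
Added example, not part of any post in this thread: a check that the masking discussed above actually took effect for every sssd and realmd unit. The unit list in `SAMPLE_UNITS` is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list sssd/realmd units that are not masked.
# Live input would come from (existing systemctl options):
#   systemctl list-unit-files --no-legend 'sssd*' 'realmd*' | unmasked_units

# Constructed sample in the "UNIT STATE PRESET" column layout; not taken
# from any machine in the thread.
SAMPLE_UNITS='sssd.service     masked   enabled
sssd-nss.socket  enabled  enabled
sssd-pam.socket  enabled  enabled
realmd.service   static   -'

# Print "unit state" for every unit whose state is anything but "masked".
unmasked_units() {
    awk 'NF >= 2 && $2 != "masked" { print $1, $2 }'
}

# Exit status 0 only when every unit on stdin is masked.
all_masked() {
    [ -z "$(unmasked_units)" ]
}

echo "Units not masked in the constructed sample:"
printf '%s\n' "$SAMPLE_UNITS" | unmasked_units
```
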

Some remarks after I looked somewhat deeper into this:

1. Masking a service is a practice which is also used to "quarantine" non-critical services in case of security vulnerabilities, until a patch is out. That should be good enough for now.

2. At the time of this writing, SSSD has 32 unfixed bugs:

But as far as I could see, they only matter when actually using the package.

3. How did SSSD ever get on my machine? It was introduced with Ubuntu MATE 22.04 and during a clean install, the installer asks you whether you want a setup with or without support for Active Directory.

But if you do an upgrade from 20 to 22, there is no such option. I just upgraded a VM from 20 to 22 to make sure: It just installs and you end up with a network service that's useless for pure home users. (And to make matters worse: One designed by Microsoft. :wink: ) Unless I had investigated what these errors are, I would not even know that I have it.

4. Ironically enough, the fix which I had found (see Post-1) makes things worse. After the upgrade, a configuration file is missing and therefore

systemctl status sssd

shows SSSD as "Dead (inactive)". The fix puts the configuration file in the right place and then it IS active. Masking SSSD abolishes this by making it unreachable.

2 Likes

According to this article, https://www.zdnet.com/article/think-linux-desktop-market-share-isnt-over-6-this-15-million-system-scan-says-otherwise/ it's Canonical's fault:

"Contrary to popular belief, Linux desktops can be managed by AD. For example, Ubuntu 24.04 with Ubuntu Pro includes an AD Group Policy client."

Maybe @tkn can advise us: Will we still get extended service updates through Ubuntu Pro if we disable the AD client?

3 Likes

As far as I'm concerned, just mask your SSSD service.
I, for anything that it's worth, can not imagine how or why it would ever be able to stop updates.

SSSD and updates are two totally different things that have no connection whatsoever.

I uninstalled SSSD a long time ago and detected no side-effects.

Please remember that I'm just another regular user. I am in no way connected to anything MATE, Ubuntu or Canonical so your guess about things 'behind the screens' is as good as mine. :slight_smile:

3 Likes

By the time of this writing, nobody automatically has functional AD support after upgrading to 24.04.3. That’s because of the bug for which I described a fix in post-1. (Configuration file in the wrong place.)

I guess that answers your question. Whatever channels Ubuntu Pro uses, it can’t be AD because “out of the box” AD is not usable. Likewise, a functional AD support can not be a condition for getting Pro updates because most of us don’t meet it.

I spent some time to figure out how to produce a functional VirtualBox VM of 24.04.3, so that I have “guinea pigs” to experiment with:

With that in hand I can safely try out what happens if you uninstall the AD support. That would be reversing this command for installing it on an Ubuntu machine with no AD support at all:

sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

(Found here: Join an Ubuntu Machine to Active Directory - This Is How I Spend My Time )

Looks a bit scary to purge/autoremove all of this on a real machine...

As a quick fix, masking realmd and sssd should be enough to prevent any hacks.

3 Likes

OK, here is my optimised removal procedure...

I trust @tkn, but every machine is a bit different, so I experimented with VMs a little first. In one of the experiments, the VM became very slow (almost unresponsive) upon just purging sssd and it took 2 reboots to regain most but not all of its speed. I was not able to reproduce this and it can be an artifact caused by incompatibilities between VBox 7.1.14 and Ubuntu MATE 24.04.3.

Still, I find it safer to first disable sssd and reboot, so that no part of it is running and the OS is already adjusted to its absence:

sudo systemctl disable sssd.service

After rebooting:

sudo apt purge sssd realmd adcli && sudo apt autoremove

Say yes to everything, reboot and you are done.

Meanwhile, I did this also on the host (24.04.3) and I can confirm that this causes no problems. To be safe, I invested 9 minutes into an incremental backup of the Linux-SSD before. So far, it does not look like I'll need it soon.

A note on security: Active Directory requires ports 88 (Kerberos), 389 (LDAP), 135 (RPC), 445 (SMB) and others to be open (inbound/outbound). In most home routers, the NAT firewall will discard inbound traffic on those ports. (Mine does, as I just checked.) So even if there were a zero-day exploit with Sasser-like potential for AD one day, it could not reach me.

However, this code is just unneeded bells and whistles for me. Also, it is still relatively fresh and contains some unfixed bugs. (See above.) If I ever need to connect to an Active Directory Domain, I can use a Windows 11 VM or my Windows 11 laptop, where this stuff is implemented both user-friendly and inescapably. Last but not least, the operation removed a total of 25 items which will not load and need updates anymore.

Special thanks to @tkn for his guidance! :slightly_smiling_face:

5 Likes
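
Added example, not part of any post in this thread: reviewing an `apt-get -s` (simulate) run of the purge before doing it for real, and flagging any package outside the SSSD/realmd family that would be removed. The simulation text, its version strings and the package `example-desktop-meta` are constructed, and the allow-list pattern is an assumption to adapt.

```shell
#!/bin/sh
# Added example: check a simulated purge for unexpected removals.
# Live input would come from a dry run, which changes nothing:
#   apt-get -s --autoremove purge sssd realmd adcli | unexpected_removals

# Constructed simulation output (versions are placeholders).
SAMPLE_SIM='Reading package lists...
The following packages will be REMOVED:
  adcli* realmd* sssd* sssd-common*
Purg sssd [0.0-sample]
Purg sssd-common [0.0-sample]
Purg realmd [0.0-sample]
Purg adcli [0.0-sample]
Remv libsss-idmap0 [0.0-sample]
Remv example-desktop-meta [0.0-sample]'

# Package names from the "Remv"/"Purg" action lines, sorted and unique.
removed_packages() {
    awk '$1 == "Remv" || $1 == "Purg" { print $2 }' | LC_ALL=C sort -u
}

# Names that do not match the allow-list (assumed pattern, adjust as needed).
unexpected_removals() {
    removed_packages | while read -r pkg; do
        case "$pkg" in
            sssd|sssd-*|libsss-*|libnss-sss|libpam-sss|realmd|adcli) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

echo "Would be removed (constructed sample):"
printf '%s\n' "$SAMPLE_SIM" | removed_packages
echo "Outside the allow-list:"
printf '%s\n' "$SAMPLE_SIM" | unexpected_removals
```

An empty result from `unexpected_removals` means the purge and autoremove touch only the packages matched by the pattern.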