Linux join to AD domain

This guide explains how to join Linux server (Ubuntu for example) into a Windows Active Directory domain. This solution uses the realmd and the sssd service to achieve this task.

There is other solutions that use:

  • samba and winbind
  • Likewise tool

this one is better suited for complicated AD infrastructures and provides more customization options.

The following instructions have been tested on Ubuntu 14.04 and is based on this.

If you want only login with users of AD domain you can use this guide.

About realmd and sssd

The realmd service is developed by the freedesktop.org project as an abstraction layer on other authentication backends like winbind and sssd. The sssd service is developed by RedHat Inc and is one of the components of their FreeIPA suite. It can effectively replace winbind in several scenarios.

In this example, we will assume that our Active Directory domain is dom.example.int and we have two Domain Controllers in our infrastructure: dc1.dom.example.int and dc2.dom.example.int. Also let’s name the Ubuntu Machine TESTARENA.

Make sure your Ubuntu Desktop machine has access to the Active Directory domain and the Domain Controllers:

We can see from the output above that there are indeed, two domain controllers, in our Active Directory Domain.

Ping the Domain Controllers, to ensure they are accessible:

Install all necessary packages

The Package Management subsystem will ask to to set your Default Kerberos version 5 realm. Type DOM.EXAMPLE.INT, select ΟΚ and press Enter.

Next we will need to define our Domain Controllers as Kerberos Servers. Type DC1.DOM.EXAMPLE.INT DC2.DOM.EXAMPLE.INT (space separated), select OK and Enter.

Then set the Administrative Kerberos Server. Type DC1.DOM.EXAMPLE.INT, select OK and Enter

Setup your ntp service to point to our domain timeservers

In a healthy Active Directory environment all systems must be in time synchronization with the domain controllers. The domain controllers in an Active Directory domain, also behave as ntp servers.

First edit the /etc/ntp.conf file. Comment out the preset timeservers and add our Domain Controllers instead:

Then restart your ntp service:

Setting up realmd

Create a new /etc/realmd.conf file with the following settings:

Explanation of the various options:

  • default-home: set the default homedir for each Active Directory User. In our example it will be something like /home/dom.example.int/domainuser;
  • default-shell: the default shell used by the users. bash is usually the preferred default shell;
  • default-client: we are using sssd in our scenario. winbind is also a possible option;
  • os-name: the operating system name as it will appear in our Active Directory;
  • os-version: the operating system version as it will appear in our Active Directory;
  • automatic-install: we want to prevent realmd to try to install its dependencies;
  • fully-qualified-names: this will allow users to use just their username instead of the combination of domain and username. For example we can use the username domainuser instead of DOM\domainuser or domainuser@dom.example.int. Note, however, that this could cause conflicts with local users, if they have the same username as a domain user;
  • automatic-id-mapping: this option will auto-generate the user and group ids (UID, GID) for newly created users, if set to yes;
  • user-principal: this will set the necessary attributes for the Ubuntu machine when it joins the domain;
  • manage-system: if you don’t want policies from the Active Directory environment to be applied on this machine, set this option to no.

Join the server on the AD domain

Activate a new Kerberos ticket:

You will not see any output while you type the password. That’s normal. You can replace the administrator user with any other domain administrator or any user with domain join rights.

Add the server in the domain:

Setting up sssd

When we use realmd to join the machine in the domain, it also creates the configuration of sssd in the /etc/sssd/sssd.conf file. Unfortunately realmd does not get everything right so we need to tweak the sssd configuration a bit.

Modify the config in the /etc/sssd/sssd.conf file, as follows (only the * lines need to modify):

Restart the sssd service:

Setup homedir auto-creation for new users

Add the pam_mkhomedir pam module, as the last module in the /etc/pam.d/common-session file:

Check Active Directory users name resolution

Now let’s check if we can resolve the active directory users:

Setting up LightDM (optional in desktop version)

LightDM provides the Ubuntu graphical login. Now we need to disable guest login (a very good practice in enterprise environments) and enable manual login (to let domain users to login). These steps are not unnecessary for headless machines (on a CLI-only Ubuntu Server for example).

We need to create the /etc/lightdm/lightdm.conf (this file does not usually exist on a fresh Ubuntu Desktop 14.04 installation, but you may want to keep a backup if it does) and put these lines in it:

Aggiungi ai preferiti : Permalink.

I commenti sono chiusi