Linux join to AD domain

This guide explains how to join a Linux server (Ubuntu, for example) to a Windows Active Directory domain. The solution uses the realmd and sssd services to achieve this.

There are other solutions that use:

  • samba and winbind
  • Likewise tool

The realmd/sssd solution described here is better suited to complex AD infrastructures and provides more customization options.

The following instructions have been tested on Ubuntu 14.04 and are based on this.

If you only want to log in with users of the AD domain, you can use this guide.

About realmd and sssd

The realmd service is developed by the project as an abstraction layer on top of other authentication backends such as winbind and sssd. The sssd service is developed by Red Hat, Inc. and is one of the components of their FreeIPA suite. It can effectively replace winbind in several scenarios.

In this example, we will assume that our Active Directory domain is and that we have two Domain Controllers in our infrastructure: and Also, let's name the Ubuntu machine TESTARENA.

Make sure your Ubuntu Desktop machine has access to the Active Directory domain and the Domain Controllers:

dig -t SRV | grep -A2 "ANSWER SECTION"
;; ANSWER SECTION: 170 IN SRV 0 100 389 170 IN SRV 0 100 389

We can see from the output above that there are indeed two domain controllers in our Active Directory domain.

Ping the Domain Controllers to ensure they are reachable:

fping is alive is alive
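The two checks above (the SRV lookup, then pinging the controllers) can be scripted. The script below is an added example and is not part of the original guide: it builds the SRV names an AD domain publishes for LDAP and Kerberos, parses dig's answer into a list of controllers ordered by priority and weight, and pings each one. The domain name dom.example.int and the sample dig answer are constructed assumptions; on a real host feed the functions live dig output.

```shell
#!/bin/sh
# Added example (not part of the original guide): find the domain controllers of an
# AD domain from its SRV records and check that each one answers, i.e. the two
# pre-join checks the guide performs by hand. Assumptions: the domain name is given
# as an argument; dig and fping are installed, as the guide requires.

# AD advertises its LDAP and Kerberos endpoints as SRV records below the domain
# name; these are the names to query.
srv_names() {
  printf '_ldap._tcp.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# Read a dig SRV answer on stdin and print "host port priority weight" per record,
# lowest priority first and highest weight first within a priority (RFC 2782).
# Field layout of an answer line: name ttl IN SRV priority weight port target.
parse_srv() {
  awk '$4 == "SRV" { host = $8; sub(/\.$/, "", host); print host, $7, $5, $6 }' |
    sort -k3,3n -k4,4nr
}

# Ping every unique target named in the SRV answer read on stdin (the guide's fping step).
ping_dcs() {
  parse_srv | awk '{ print $1 }' | sort -u | while read -r host; do
    if fping -q "$host" 2>/dev/null; then
      echo "$host is alive"
    else
      echo "$host is unreachable"
    fi
  done
}

# Constructed sample answer, shaped like dig's output for the guide's domain; dc2 is
# given the higher weight so that the ordering is visible.
SAMPLE_DIG='
;; ANSWER SECTION:
_ldap._tcp.dom.example.int. 170 IN SRV 0 100 389 dc1.dom.example.int.
_ldap._tcp.dom.example.int. 170 IN SRV 0 200 389 dc2.dom.example.int.
'

# Demo on the sample. The live form is:
#   dig -t SRV "$(srv_names dom.example.int | head -n 1)" | ping_dcs
printf '%s\n' "$SAMPLE_DIG" | parse_srv
```

The ordering matters for troubleshooting: a controller with a higher weight at the same priority is the one clients will prefer, so that is the one whose reachability and time synchronisation deserve the first look.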

Install all necessary packages

sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

The package management subsystem will ask you to set your default Kerberos version 5 realm. Type DOM.EXAMPLE.INT, select OK and press Enter.

Next we need to define our Domain Controllers as Kerberos servers. Type DC1.DOM.EXAMPLE.INT DC2.DOM.EXAMPLE.INT (space separated), select OK and press Enter.

Then set the administrative Kerberos server. Type DC1.DOM.EXAMPLE.INT, select OK and press Enter.

Set up your NTP service to point to the domain time servers

In a healthy Active Directory environment all systems must be time-synchronized with the domain controllers. The domain controllers in an Active Directory domain also act as NTP servers. Kerberos rejects authentication when the clocks of the client and the KDC differ by more than the allowed skew (5 minutes by default), so a drifting clock breaks domain logins.

First, edit the /etc/ntp.conf file. Comment out the preset time servers and add our Domain Controllers instead:

# Use Ubuntu's ntp server as a fallback.

Then restart your ntp service:

sudo service ntp restart

Setting up realmd

Create a new /etc/realmd.conf file with the following settings (the keys belong to the sections realmd.conf(5) defines; the last section is named after the realm being joined):

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 14.04

[service]
automatic-install = no

[dom.example.int]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Explanation of the various options:

  • default-home: sets the default home directory for each Active Directory user. In our example it will be something like /home/;
  • default-shell: the default shell used by the users. bash is usually the preferred default shell;
  • default-client: we are using sssd in our scenario. winbind is also a possible option;
  • os-name: the operating system name as it will appear in our Active Directory;
  • os-version: the operating system version as it will appear in our Active Directory;
  • automatic-install: we want to prevent realmd from trying to install its dependencies;
  • fully-qualified-names: this allows users to use just their username instead of the combination of domain and username. For example, we can use the username domainuser instead of DOM\domainuser. Note, however, that this can cause conflicts with local users if they have the same username as a domain user;
  • automatic-id-mapping: when set to yes, this option auto-generates the user and group IDs (UID, GID) for newly created users;
  • user-principal: this sets the necessary attributes for the Ubuntu machine when it joins the domain;
  • manage-system: if you don't want policies from the Active Directory environment to be applied to this machine, set this option to no.

Join the server to the AD domain

Obtain a new Kerberos ticket:

sudo kinit administrator@DOM.EXAMPLE.INT
Password for administrator@DOM.EXAMPLE.INT:

You will not see any output while you type the password; that's normal. You can replace the administrator user with any other domain administrator, or with any user that has domain-join rights.

Add the server to the domain:

sudo realm --verbose join --user-principal=TESTARENA/administrator@DOM.EXAMPLE.INT --unattended

Setting up sssd

When we use realmd to join the machine to the domain, it also creates the sssd configuration in the /etc/sssd/sssd.conf file. Unfortunately realmd does not get everything right, so we need to tweak the sssd configuration a bit.

Modify the configuration in the /etc/sssd/sssd.conf file as follows (only the lines marked with ** need to be modified; the section headers are the ones realmd writes):

[sssd]
domains = domain.tld
config_file_version = 2
**services = nss, pam, sudo**

[domain/domain.tld]
ad_domain = domain.tld
krb5_realm = DOMAIN.TLD
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = HOSTNAME-$
ldap_id_mapping = True
**use_fully_qualified_names = False**
fallback_homedir = /home/%d/%u
**access_provider = ad**
**sudo_provider = none**
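Before restarting sssd it is worth checking the edited file. The script below is an added example, not code from the guide or from the sssd project: it reads settings from sssd.conf with a small INI lookup and confirms that the lines the guide changes are present, and separately checks that the file is owned by root with mode 0600, which sssd requires before it will start. The section names ([sssd] and [domain/<domain>]) follow the layout realmd writes; the sample configuration is constructed and uses the guide's dom.example.int.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check an sssd.conf before
# restarting sssd, confirming the settings the guide changes and the file
# permissions sssd insists on. Assumptions: the config path and the domain name are
# passed as arguments; section names follow the layout realmd writes
# ([sssd] and [domain/<domain>]).

# Print the value of key in the given INI section (empty if absent).
ini_get() {
  awk -F' *= *' -v sec="[$2]" -v key="$3" '
    /^\[/              { insec = ($0 == sec); next }
    insec && $1 == key { print $2; exit }' "$1"
}

# Check the settings the guide marks as needing change. Prints one line per
# problem and returns non-zero if anything is wrong.
check_sssd_settings() {
  f=$1; dom=$2; rc=0
  services=$(ini_get "$f" sssd services)
  case ",$(printf '%s' "$services" | tr -d ' ')," in
    *,pam,*) ;;
    *) echo "services must include pam, otherwise logins never reach sssd"; rc=1 ;;
  esac
  # access_provider defaults to permit, which admits every resolvable domain user;
  # "ad" makes sssd honour the AD account state (disabled, expired) instead.
  [ "$(ini_get "$f" "domain/$dom" access_provider)" = ad ] ||
    { echo "access_provider must be ad (the default permit admits any resolvable user)"; rc=1; }
  [ "$(ini_get "$f" "domain/$dom" use_fully_qualified_names)" = False ] ||
    { echo "use_fully_qualified_names should be False to match realmd.conf"; rc=1; }
  [ -n "$(ini_get "$f" "domain/$dom" sudo_provider)" ] ||
    { echo "sudo_provider is unset; the guide sets it to none"; rc=1; }
  return $rc
}

# sssd refuses to start unless the file is owned by root and not readable by
# others (mode 0600), because it can contain bind passwords.
check_sssd_perms() {
  owner_mode=$(stat -c '%U:%a' "$1")
  case "$owner_mode" in
    root:600) return 0 ;;
    *) echo "sssd.conf must be root-owned with mode 0600, found $owner_mode"; return 1 ;;
  esac
}

# Constructed sample in the shape realmd writes, with the guide's edits applied.
GOOD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = dom.example.int
config_file_version = 2
services = nss, pam, sudo

[domain/dom.example.int]
ad_domain = dom.example.int
krb5_realm = DOM.EXAMPLE.INT
cache_credentials = True
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
sudo_provider = none
EOF

# Demo on the sample. On a real host run:
#   check_sssd_settings /etc/sssd/sssd.conf dom.example.int && check_sssd_perms /etc/sssd/sssd.conf
check_sssd_settings "$GOOD_CONF" dom.example.int && echo "settings OK"
```

The permission check is kept separate from the settings check so that the latter can be run on a scratch copy of the file by an unprivileged user, while the former is run against the real /etc/sssd/sssd.conf just before the restart.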

Restart the sssd service:

sudo service sssd restart

Setup homedir auto-creation for new users

Add the pam_mkhomedir PAM module as the last module in the /etc/pam.d/common-session file:

session required
session optional
session optional
session optional
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
# end of pam-auth-update config

Check Active Directory users name resolution

Now let's check that we can resolve Active Directory users:

id domainuser
uid=54202865(domainuser) gid=54200513 groups=54200513
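The check above tells you that the name resolves, but not where it resolved from. The script below is an added example, not part of the original guide, and serves two points in the text: the realmd.conf warning that fully-qualified-names = no lets a local account with the same name shadow a domain user, and the id check just shown. It looks for name and UID collisions in a passwd file and classifies a line of id output by UID range. The passwd contents are constructed, and the range is sssd's default ID-mapping range (ldap_idmap_range_min / ldap_idmap_range_max), which is an assumption about the installed defaults.

```shell
#!/bin/sh
# Added example (not part of the original guide), covering two points from the
# text: the realmd note that fully-qualified-names = no lets a local account
# shadow a domain user with the same name, and the "id domainuser" check.
# Assumptions: the passwd file and candidate names are supplied by the caller;
# the UID range is sssd's default ldap_idmap_range_min/ldap_idmap_range_max,
# which automatic ID mapping draws from.

IDMAP_MIN=200000
IDMAP_MAX=2000200000

# Print each candidate name that already exists as a local account in the
# given passwd file. nsswitch consults "files" before "sss", so such a name
# resolves to the local account and the domain user can never log in under it.
name_conflicts() {
  passwd_file=$1; shift
  for name in "$@"; do
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$passwd_file"; then
      printf '%s\n' "$name"
    fi
  done
}

# Print local accounts whose UID lies inside the mapping range: such a UID could
# coincide with the UID sssd auto-generates for a domain account.
uid_range_overlap() {
  awk -F: -v lo="$IDMAP_MIN" -v hi="$IDMAP_MAX" \
    '$3 + 0 >= lo && $3 + 0 <= hi { print $1 ":" $3 }' "$1"
}

# Classify one line of "id" output by its UID: inside the mapping range means the
# name resolved through sssd to the domain; anything else is a local account.
id_source() {
  uid=$(printf '%s' "$1" | sed -n 's/^uid=\([0-9]*\)(.*/\1/p')
  [ -n "$uid" ] || { echo unparsed; return 1; }
  if [ "$uid" -ge "$IDMAP_MIN" ] && [ "$uid" -le "$IDMAP_MAX" ]; then
    echo domain
  else
    echo local
  fi
}

# Constructed sample passwd file: a local "domainuser" that would shadow the AD
# user of the same name, and a legacy service account with a UID in the mapping range.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
domainuser:x:1001:1001:Local clash:/home/domainuser:/bin/bash
svcbackup:x:54202865:54202865:Old import:/home/svcbackup:/bin/false
EOF

# Demo on the sample. On a real host point the functions at /etc/passwd and at
# the output of "id <user>".
echo "name conflicts: $(name_conflicts "$SAMPLE_PASSWD" domainuser bob root | tr '\n' ' ')"
echo "uids in mapping range: $(uid_range_overlap "$SAMPLE_PASSWD")"
echo "id line source: $(id_source 'uid=54202865(domainuser) gid=54200513 groups=54200513')"
```

If id reports a small UID for a name you expect to come from the domain, the local account is winning the lookup; either rename the local account or set fully-qualified-names back to yes so that domain users are addressed as user@domain.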

Setting up LightDM (optional in desktop version)

LightDM provides the Ubuntu graphical login. Now we need to disable guest login (a very good practice in enterprise environments) and enable manual login (to let domain users log in). These steps are unnecessary on headless machines (a CLI-only Ubuntu Server, for example).

We need to create /etc/lightdm/lightdm.conf (this file does not usually exist on a fresh Ubuntu Desktop 14.04 installation, but keep a backup if it does) and put these lines in it:
