Joining an Ubuntu Desktop to an Active Directory Domain
Joining an Ubuntu Desktop to an Active Directory domain can be a daunting task, and there are a few things to take into account. First, you need an Ubuntu Desktop installed and configured. Next, the desktop must be configured to join the domain, a user account with access to both the desktop and the domain must exist, and the domain itself must be configured to allow the desktop to join. The Ubuntu website has instructions for each of these steps.
- About realmd and sssd
- Install all necessary packages
- Configure your ntp service to use our domain timeservers.
- Setting up realmd
- Connect to the Ubuntu machine on the AD domain.
- Setting up sssd
- Set up auto-creation of homedirs for new users.
- Examine the Active Directory user name resolution
- Setting up LightDM
- Final Check
This document describes how to add an Ubuntu Desktop machine to a Microsoft Active Directory domain. To accomplish this task, this solution employs the realmd and sssd services. Other solutions for the same task include Samba winbind and the Likewise tool, which includes a GUI in addition to command line utilities. I chose realmd with sssd because it is better suited to complex Active Directory infrastructures and provides more customization options.
The instructions below have been tested on Ubuntu Desktop 14.04, but they should also work on later versions.
About realmd and sssd
The freedesktop project created the realmd service as an abstraction layer over other authentication backends such as winbind and sssd. Red Hat, Inc. created the sssd service, which is one of the components of its FreeIPA suite; it can effectively replace winbind in a variety of situations.
We will assume in this example that our Active Directory domain is dom.example.int. Our infrastructure includes two domain controllers: dc1.dom.example.int and dc2.dom.example.int. Let's also call the Ubuntu machine TESTARENA.
Install an Ubuntu Desktop 14.04 (32 or 64 bit) on a physical or virtual machine and install all updates. Don't forget to configure the TESTARENA hostname during installation.
Verify that your Ubuntu Desktop machine can reach the Active Directory domain and its domain controllers:
dig -t SRV _ldap._tcp.dom.example.int | grep -A2 "ANSWER SECTION"
;; ANSWER SECTION:
_ldap._tcp.dom.example.int. 170 IN SRV 0 100 389 dc1.dom.example.int.
_ldap._tcp.dom.example.int. 170 IN SRV 0 100 389 dc2.dom.example.int.
The output above shows that there are two domain controllers in our Active Directory Domain.
Ping the domain controllers to ensure that they are reachable:
fping dc1.dom.example.int dc2.dom.example.int
dc1.dom.example.int is alive
dc2.dom.example.int is alive
Both domain controllers are accessible from our Ubuntu machine, as shown in the output.
Install all necessary packages
sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp
The package management subsystem will ask you to configure your default Kerberos version 5 realm. When you see the following screen, type “DOM.EXAMPLE.INT” and press Enter:
Following that, we must designate our domain controllers as Kerberos servers. Type “DC1.DOM.EXAMPLE.INT DC2.DOM.EXAMPLE.INT” (separated by a space), then select “OK” and press Enter:
Then configure the administrative Kerberos server. Type “DC1.DOM.EXAMPLE.INT”, select “OK” and press Enter:
Configure your ntp service to use our domain timeservers.
All systems in a healthy Active Directory environment must be in time synchronization with the domain controllers. In an Active Directory domain, domain controllers also function as ntp servers.
First edit the /etc/ntp.conf file. Remove the default timeservers and replace them with our domain controllers:
...
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org
server dc1.dom.example.int
server dc2.dom.example.int
# Use Ubuntu's ntp server as a fallback.
#server ntp.ubuntu.com
...
Then restart your ntp service:
sudo service ntp restart
Setting up realmd
Create a new /etc/realmd.conf file with the following parameters:
[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 14.04

[service]
automatic-install = no

[dom.example.int]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
Explanation of the various options:
- default-home: configure the default home directory for each Active Directory user. In our example it will be something like /home/dom.example.int/domainuser.
- default-shell: the default shell that users use. Bash is the most commonly used default shell.
- default-client: In our scenario, we are utilizing sssd. Winbind is another possibility.
- os-name: the name of the operating system as it will appear in our Active Directory.
- os-version: the version of the operating system as it will appear in our Active Directory.
- automatic-install: We don't want realmd to attempt to install its dependencies.
- fully-qualified-names: Setting this to no allows users to log in with only their username rather than the domain and username combination. For example, instead of DOM\domainuser or domainuser@dom.example.int, we can use the username domainuser. However, this may cause issues with local users who share the same username as a domain user.
- automatic-id-mapping: If set to yes, this option will generate the user and group ids (UID, GID) for newly created users.
- user-principal: When the Ubuntu machine joins the domain, this will set the necessary attributes.
- manage-system: Set this option to no if you do not want Active Directory policies to be applied to this machine.
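As an added example (not part of the original guide), the following Python script reads the realmd.conf shown above, reports options that deviate from what the guide sets, expands the default-home template, and flags local accounts that would collide with domain account names once fully-qualified-names is set to no. The /etc/passwd entries and domain user names it uses are constructed samples.

```python
import configparser
# The guide's /etc/realmd.conf, embedded here so the script runs offline.
REALMD_CONF = """\
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 14.04
[service]
automatic-install = no
[dom.example.int]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
"""
# Constructed samples (no real system): a local /etc/passwd and domain account names.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jsmith:x:1001:1001:Local John:/home/jsmith:/bin/bash
"""
DOMAIN_USERS = ["Administrator", "JSmith", "domainuser"]

def load_realmd_conf(text):
    # %D/%U in default-home are realmd placeholders, so configparser's own
    # %-interpolation must be disabled or reading the value raises.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_realmd_conf(cp, domain):
    """Return 'section/key' names whose value deviates from the guide."""
    expected = {("active-directory", "default-client"): "sssd",
                ("service", "automatic-install"): "no",
                (domain, "manage-system"): "no"}
    return [f"{s}/{k}" for (s, k), want in expected.items()
            if cp.get(s, k, fallback=None) != want]

def expected_home(cp, domain, user):
    """Expand realmd's %D (domain) and %U (user) in default-home."""
    return cp["users"]["default-home"].replace("%D", domain).replace("%U", user)

def name_collisions(cp, domain, passwd_text, domain_users):
    """Local accounts that clash with domain accounts when short names are allowed."""
    if cp.get(domain, "fully-qualified-names", fallback="no") != "no":
        return []  # users must type DOM\user or user@domain, so no clash
    # AD account names are case-insensitive, so compare in lower case.
    local = {line.split(":")[0].lower() for line in passwd_text.splitlines() if line}
    return sorted(u for u in domain_users if u.lower() in local)
```

Run it against a copy of your own /etc/passwd and the output of getent passwd for your domain users before enabling short names.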
Connect to the Ubuntu machine on the AD domain.
Obtain a new Kerberos ticket:
sudo kinit administrator@DOM.EXAMPLE.INT
Password for administrator@DOM.EXAMPLE.INT:
There will be no output while you type the password. That’s normal. You can substitute any other domain administrator or user with domain join rights for the administrator user.
Join the Ubuntu machine to the domain:
Setting up sssd
When we use realmd to add a machine to the domain, it also writes the sssd configuration to the /etc/sssd/sssd.conf file. Unfortunately, realmd does not get everything right, so we must modify the sssd configuration slightly.
Change the access_provider = simple option in the /etc/sssd/sssd.conf file, as follows:
Restart the sssd service:
Set up auto-creation of homedirs for new users.
Add the pam_mkhomedir PAM module as the last module in the /etc/pam.d/common-session file:
Examine the Active Directory user name resolution
Let's check whether Active Directory users can be resolved now:
Setting up LightDM
The Ubuntu graphical login is provided by LightDM. We must now disable guest login (a good practice in enterprise environments) and enable manual login (to allow domain users to log in). These steps are not required for headless machines (such as a CLI-only Ubuntu Server).
We must create the /etc/lightdm/lightdm.conf file. This file is not usually present on a fresh Ubuntu Desktop 14.04 installation, but if it exists, keep a backup in case something fails.
Now put these lines in /etc/lightdm/lightdm.conf:
Restart the machine and attempt to log in through the Ubuntu graphical login. Select "Login" and enter your domain credentials: