Joining an Ubuntu Desktop to an Active Directory Domain


Emily Blunt


Joining an Ubuntu Desktop to an Active Directory Domain can be a daunting task, and a few things have to be in place before you start.

You need an installed and fully updated Ubuntu Desktop that can resolve the domain's DNS records and reach the Domain Controllers, a clock that is in sync with the domain (Kerberos rejects tickets from a machine whose clock is too far off), and credentials for an account that has the right to join computers to the domain. The join itself creates a computer object for the Ubuntu machine in Active Directory; domain users then authenticate against the Domain Controllers, and you decide which of them are allowed to log in to this particular desktop.

The rest of this document walks through each of these steps.

This document describes how to add an Ubuntu Desktop machine to a Microsoft Active Directory Domain. To accomplish this task, the solution employs the realmd and sssd services. Other solutions for the same task include Samba winbind and the Likewise tool, which includes a GUI in addition to command line utilities. I chose realmd with sssd because it is better suited for complex Active Directory infrastructures and provides more customization options.

The instructions below have been tested on Ubuntu Desktop 14.04, but they should also work on later versions. Note that later releases are systemd based, so the service commands and the ntp setup below need their systemctl and timedatectl equivalents.

About realmd and sssd

The realmd service, hosted by the freedesktop project, is an abstraction layer over authentication back ends such as winbind and sssd: it discovers the domain, joins it and writes the back end's configuration. Red Hat created the sssd service as one of the components of its FreeIPA suite; it can replace winbind in many situations and here provides name resolution (NSS) and authentication (PAM) for domain users.

Assumptions

We will assume in this example that our Active Directory domain is dom.example.int (Kerberos realm DOM.EXAMPLE.INT) and that our infrastructure includes two Domain Controllers: dc1.dom.example.int and dc2.dom.example.int. Let's also call the Ubuntu machine TESTARENA.

Prerequisites

Install an Ubuntu Desktop 14.04 (32 or 64 bit) on a physical or virtual machine and install all updates. Don't forget to configure the TESTARENA hostname during installation.

Ascertain that your Ubuntu Desktop machine can resolve the Active Directory domain and locate its Domain Controllers through the SRV records:

dig -t SRV _ldap._tcp.dom.example.int | grep -A2 "ANSWER SECTION"
;; ANSWER SECTION:
_ldap._tcp.dom.example.int. 170 IN SRV 0 100 389 dc1.dom.example.int.
_ldap._tcp.dom.example.int. 170 IN SRV 0 100 389 dc2.dom.example.int.

The output above shows that there are two domain controllers in our Active Directory Domain.

Ping the Domain Controllers to ensure that they are reachable:

fping dc1.dom.example.int dc2.dom.example.int
dc1.dom.example.int is alive
dc2.dom.example.int is alive

Both domain controllers are accessible from our Ubuntu machine, as shown in the output.

Install all necessary packages

sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

The package management subsystem will ask you to configure the default Kerberos version 5 realm. Type DOM.EXAMPLE.INT (realm names are upper case) and press Enter.

Following that, we must designate our Domain Controllers as Kerberos servers. Type DC1.DOM.EXAMPLE.INT DC2.DOM.EXAMPLE.INT (separated by a space), select OK and press Enter.

Then configure the administrative Kerberos server. Type DC1.DOM.EXAMPLE.INT, select OK and press Enter. These three answers are written to /etc/krb5.conf.

Configure the ntp service to use the domain's time servers.

Kerberos rejects authentication from a client whose clock differs from the Domain Controller's by more than the permitted skew (five minutes by default), so every system in a healthy Active Directory environment must be time synchronized with the domain controllers. In an Active Directory domain the domain controllers also function as NTP servers.

First edit the /etc/ntp.conf file. Remove the default timeservers and replace them with our Domain Controllers:

...
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org
server dc1.dom.example.int
server dc2.dom.example.int
# Use Ubuntu's ntp server as a fallback.
#server ntp.ubuntu.com
...

Then restart your ntp service:

sudo service ntp restart
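The preflight above (SRV discovery of the Domain Controllers, reachability, the Kerberos prompts and time synchronization) can be scripted so that a join is not attempted on a machine that would fail it. The script below is an added example and is not part of the original page. It assumes the names from the Assumptions section, that dig (dnsutils), nc (netcat-openbsd) and ntpdate are installed, the "server ..., stratum N, offset X, delay Y" line format of ntpdate -q, and the debconf question names of the krb5-config package for the preseed step. The parsing helpers read captured output, so they can be checked without a domain; the live probes run only with the argument run, and the preseed only with preseed (run it before the apt-get line above, so the three prompts never appear).

```bash
#!/bin/sh
# Preflight checks for a realmd/sssd domain join. Added example, not the
# page's own listing. Assumes the hypothetical domain dom.example.int with
# dc1/dc2.dom.example.int, and that dig (dnsutils), nc (netcat-openbsd) and
# ntpdate are installed. Usage: sh preflight.sh run | preseed
set -eu

DOMAIN="${DOMAIN:-dom.example.int}"
REALM="$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')"

# TCP ports a domain member must reach on every controller: DNS, Kerberos,
# LDAP, kpasswd (machine password changes) and SMB (used by adcli for the join).
REQUIRED_TCP="53 88 389 464 445"

# Read `dig -t SRV _ldap._tcp.<domain>` output on stdin and print one
# controller hostname per line, trailing dot removed, in answer order.
dcs_from_srv() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# Read `ntpdate -q <host>` output on stdin and print the offset in seconds
# from its "server ..., stratum N, offset X, delay Y" line (assumed format).
ntp_offset() {
    awk '/^server/ { gsub(",", ""); print $6; exit }'
}

# Succeed if the absolute clock offset $1 (seconds) is within $2 (default 60).
# Kerberos tolerates 300 s by default; a tighter limit leaves room for drift.
skew_ok() {
    awk -v o="$1" -v l="${2:-60}" 'BEGIN { a = (o < 0) ? -o : o; exit !(a <= l) }'
}

# Probe every required TCP port on controller $1; report and return 1 on failure.
check_dc_ports() {
    host="$1"; rc=0
    for port in $REQUIRED_TCP; do
        nc -z -w 3 "$host" "$port" 2>/dev/null || { echo "FAIL $host tcp/$port"; rc=1; }
    done
    return $rc
}

# Print debconf answers for the krb5-config prompts (assumed question names),
# taking the Kerberos servers from the SRV records and the first one as admin server.
preseed_krb5() {
    dcs="$(dig -t SRV "_ldap._tcp.$DOMAIN" | dcs_from_srv | tr '\n' ' ' | sed 's/ $//')"
    first="${dcs%% *}"
    printf 'krb5-config krb5-config/default_realm string %s\n' "$REALM"
    printf 'krb5-config krb5-config/kerberos_servers string %s\n' "$dcs"
    printf 'krb5-config krb5-config/admin_server string %s\n' "$first"
}

# Live run: discover controllers, probe their ports and compare clocks.
preflight() {
    rc=0
    for dc in $(dig -t SRV "_ldap._tcp.$DOMAIN" | dcs_from_srv); do
        echo "controller $dc"
        check_dc_ports "$dc" || rc=1
        off="$(ntpdate -q "$dc" | ntp_offset)"
        if skew_ok "${off:-999}"; then
            echo "  clock offset ${off}s ok"
        else
            echo "  FAIL clock offset ${off:-unknown}s"; rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    run)     preflight ;;
    preseed) preseed_krb5 | debconf-set-selections ;;
esac
```

The port list is the minimum a domain member needs for the join and for day-to-day authentication; a firewall between the desktop and a controller that drops one of them makes the join fail with an error that rarely names the port, which is why the probe runs first. The skew limit of 60 s is deliberately tighter than the 300 s Kerberos allows.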

Setting up realmd

Create a new /etc/realmd.conf file with the following parameters:

[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 14.04
[service]
automatic-install = no
[dom.example.int]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Explanation of the various options:

  • default-home: the home directory template for each Active Directory user (%D is the domain, %U the user name). In our example it will be something like /home/dom.example.int/domainuser.
  • default-shell: the default login shell for domain users. Bash is the most common choice.
  • default-client: the back end realmd configures. In our scenario we are using sssd; winbind is the other possibility.
  • os-name: the operating system name recorded on the computer object in Active Directory.
  • os-version: the operating system version recorded on the computer object in Active Directory.
  • automatic-install: we don't want realmd to try to install its dependencies through PackageKit; we installed them ourselves above.
  • fully-qualified-names: with no, users log in with only their user name rather than the domain and user name combination. For example, instead of DOM\domainuser or domainuser@dom.example.int we can use domainuser. The drawback is that a local account with the same name as a domain user takes precedence (local files are consulted before sssd), so the domain user cannot log in under that name.
  • automatic-id-mapping: with yes, sssd derives each user's and group's UID and GID algorithmically from its Windows SID instead of reading POSIX attributes (uidNumber, gidNumber) from Active Directory. Set it to no if you maintain those attributes in AD and need the same IDs as on other systems that use them.
  • user-principal: when the machine joins the domain, realmd also sets a userPrincipalName attribute (a host/ principal in the DOM.EXAMPLE.INT realm) on its computer account.
  • manage-system: set this to no if you only want the domain for user authentication and do not want realmd to configure the machine to be managed by Active Directory policies.

Join the Ubuntu machine to the AD domain.

Obtain a Kerberos ticket for an account that is allowed to join computers to the domain:

sudo kinit administrator@DOM.EXAMPLE.INT
Password for administrator@DOM.EXAMPLE.INT:

There will be no output while you type the password; that's normal. Any other domain administrator or user with domain join rights can be substituted for administrator. The realm name must be in upper case, and because kinit runs under sudo the ticket is held in root's credential cache, where realm, also run with sudo, picks it up when it is not given a user name.

Join the machine to the domain with the realm tool, which reads the settings from the /etc/realmd.conf created above and creates the computer account in Active Directory.


Setting up sssd

When we use realmd to add a machine to the domain, it also writes the sssd configuration to /etc/sssd/sssd.conf. Unfortunately, realmd does not get everything right, so we must modify the sssd configuration slightly.

Change the access_provider setting in /etc/sssd/sssd.conf so that it reads access_provider = simple. With the simple access provider, sssd decides who may log in from the simple_allow_users and simple_allow_groups settings in the same [domain/...] section; if neither is set, every domain user is allowed, so add a simple_allow_groups line naming the Active Directory group whose members should have access to this machine. Keep the file readable only by root (mode 0600), otherwise sssd refuses to start.


Restart the sssd service so that it re-reads the configuration.


Set up auto-creation of home directories for new users.

Add the pam_mkhomedir module as the last line of /etc/pam.d/common-session, so that a home directory is created under /home/dom.example.int the first time a domain user logs in. Pass it umask=0077 so that new home directories are private to their owners.


Examine the Active Directory user name resolution

Let's see if we can resolve Active Directory users now: getent passwd followed by a domain user name should return the account with its mapped UID and the home directory configured above, and id should list the user's domain groups. If nothing comes back, check the logs under /var/log/sssd/ before going further.


Setting up LightDM

The Ubuntu graphical login is provided by LightDM. We must now disable the guest session (a good practice in enterprise environments, since it gives anyone a local session without credentials) and enable manual login, so that domain users, who do not appear in the greeter's user list, can type their user name. These steps are not required for headless machines (such as a CLI-only Ubuntu Server).

We must create the /etc/lightdm/lightdm.conf file. It is not usually present on a fresh Ubuntu Desktop 14.04 installation; if it already exists, keep a backup before editing it, since a mistake there can leave you without a graphical login.

Put the lines that disable the guest session and turn on the manual login entry into /etc/lightdm/lightdm.conf.

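The join, the sssd access restriction, the pam_mkhomedir line, the LightDM settings and the verification described in the sections above, as one added example rather than the page's own listings. It assumes the names from the Assumptions section, a hypothetical Active Directory group linux-desktop-users whose members may log in to this desktop, and Ubuntu 14.04 conventions (service rather than systemctl, a [SeatDefaults] section in lightdm.conf); apply must run as root. The functions that edit configuration files take a path argument, so they can be tried on a copy first, and realm join is reached only when the script is invoked with apply.

```bash
#!/bin/sh
# Join, restrict logins, enable home creation, lock down LightDM, verify.
# Added example, not the page's own listings. Assumes the hypothetical domain
# dom.example.int and AD group "linux-desktop-users"; run as root on 14.04.
# Usage: sh join.sh apply [join-account]  |  sh join.sh verify <domain-user>
set -eu

DOMAIN="${DOMAIN:-dom.example.int}"
ALLOWED_GROUP="${ALLOWED_GROUP:-linux-desktop-users}"
MKHOMEDIR_LINE='session required pam_mkhomedir.so skel=/etc/skel/ umask=0077'

# Join with the account in $1. realm reads /etc/realmd.conf, so os-name,
# default-client and the rest need no flags; --user makes realm ask for the
# password, which replaces the kinit step.
join_domain() {
    realm discover "$DOMAIN"
    realm join --verbose --user="$1" "$DOMAIN"
}

# realmd's generated configuration does not restrict who may log in. Switch
# to the simple access provider and allow only ALLOWED_GROUP. $1 is the
# sssd.conf path; the allow line is appended, which in realmd's layout lands in
# the [domain/...] section. Safe to run twice.
restrict_sssd_access() {
    f="${1:-/etc/sssd/sssd.conf}"
    sed -i 's/^access_provider = .*/access_provider = simple/' "$f"
    grep -q '^simple_allow_groups' "$f" \
        || printf 'simple_allow_groups = %s\n' "$ALLOWED_GROUP" >> "$f"
    chmod 600 "$f"   # sssd refuses to start on a group/world-readable config
}

# Append the pam_mkhomedir line once to $1 (default /etc/pam.d/common-session).
# umask=0077 keeps each new home directory private to its owner.
ensure_pam_mkhomedir() {
    f="${1:-/etc/pam.d/common-session}"
    grep -q 'pam_mkhomedir\.so' "$f" || printf '%s\n' "$MKHOMEDIR_LINE" >> "$f"
}

# LightDM settings for 14.04: no guest session, and a manual login entry so
# domain users who are not in the greeter's user list can type their name.
render_lightdm_conf() {
    printf '[SeatDefaults]\nallow-guest=false\ngreeter-show-manual-login=true\n'
}

# Read `realm list` output on stdin; succeed only if realm $1 is joined and
# its client software is sssd.
realm_joined() {
    awk -v d="$1" '
        /^[^ ]/                                   { cur = $1 }
        cur == d && /configured: kerberos-member/ { joined = 1 }
        cur == d && /client-software: sssd/       { sssd = 1 }
        END { exit !(joined && sssd) }'
}

# Confirm the join, then resolve domain user $1 through NSS and list its groups.
verify_user() {
    realm list | realm_joined "$DOMAIN" || { echo "FAIL not joined to $DOMAIN"; return 1; }
    getent passwd "$1" && id "$1"
}

apply() {
    join_domain "$1"
    restrict_sssd_access /etc/sssd/sssd.conf
    ensure_pam_mkhomedir /etc/pam.d/common-session
    if [ -e /etc/lightdm/lightdm.conf ]; then
        cp /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.bak
    fi
    render_lightdm_conf > /etc/lightdm/lightdm.conf
    service sssd restart
}

case "${1:-}" in
    apply)  apply "${2:-administrator}" ;;
    verify) verify_user "${2:?domain user required}" ;;
esac
```

Run sh join.sh apply, then sh join.sh verify followed by a domain user name. Restricting access to one group is the step realmd leaves out: without it, membership of the domain is itself a right to log in on this machine, which is rarely what an enterprise wants for a desktop.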

Final Check

Restart the machine and log in through the Ubuntu graphical login: select the Login entry, type the domain user name (without the domain, since fully-qualified-names is no) and the domain password. On the first login pam_mkhomedir creates the home directory under /home/dom.example.int.
