Joining Ubuntu Server to AD

Joining linux servers to Microsoft AD for user login and authentication can be a daunting task. The following is the simplest (in my opinion) way to join an Ubuntu server or workstation to AD. This method was tested on Ubuntu 18.04 LTS and allows the use of AD group for SSH access and file permissions. It also automatically creates the local home directory when a user logs in.

  1. Enable the universe repository (required for krb5-user package):

    add-apt-repository universe
    
  2. Install the required packages:

    apt update
    apt install krb5-user samba sssd chrony -y
    
During the krb5-user installation the setup wizard will ask for the default kerberos realm (example.com) and possibly the kerberos server (example.com:88)

If you get errors during the apt installation process, you’ll need to do a cleanup of residual files then run the install again to correct any missing packages:

apt autoclean
apt autoremove
apt install krb5-user samba sssd chrony
  1. Update the local dns resolver configuration file /etc/resolv.conf to point to the closest DC/DNS

    search example.com
    nameserver 10.x.x.x
    nameserver 10.x.x.x
    
  2. Modify the kerberos configuration file /etc/krb5.conf adding the following:

    [libdefaults]
        default_realm = example.com
        ticket_lifetime = 24h #
        renew_lifetime = 7d
    
    [realms]
        example.com = {
            kdc = example.com:88
            default_domain = example.com
        }
    
    [domain_realm]
        .example.com = example.com
        example.com = example.com
    

If the /etc/krb5.conf file does not exist, you may need to install the krb5-config package using:

apt install krb5-config
  1. Modify the NTP client configuration file /etc/chrony/chrony.conf to point to the PDC NTP server:

    server 10.x.x.x
    
You man need to remove other NTP entries, ubuntu by default contains the official ubuntu pool addresses. Remove any lines starting with pool
  1. Modify the samba configuration file /etc/samba/smb.conf with the NetBios name of the domain:

    [global]
    
    workgroup = EXAMPLE-WINS-NAME
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = example.com
    security = ads
    
  2. Create the SSSD configuration file /etc/sssd/sssd.conf as shown:

    [sssd]
        services = nss, pam
        config_file_version = 2
        domains = example.com
    
    [domain/example.com]
        id_provider = ad
        access_provider = ad
    
        override_homedir = /home/%d/%u
    
Make sure the spacing is correct. The bracket lines ([]) should be full left with no whitespace while the config entries below should have a leading tab or 2-4 whitespaces.
  1. Correct the permissions of the SSSD configuration file:

    sudo chown root:root /etc/sssd/sssd.conf
    sudo chmod 600 /etc/sssd/sssd.conf
    
  2. Verify that the /etc/nsswitch.conf config file contains sss in the authentication protocol list as shown here:

    passwd:         compat sss
    group:          compat sss
    ...
    netgroup:       nis sss
    sudoers:        files sss
    
  3. Modify the pam configuration file /etc/pam.d/common-account with the following appended line to allow the automatic creation of the user home directory:

    session required pam_mkhomedir.so skel=/etc/skel umask=0022
    
  4. Add the domain admins and other domain users/groups (as needed) to the /etc/sudoers file to allow admin access.

    %domain\ admins ALL=(ALL) ALL
    
    # This is an example user specification
    jwozny ALL=(ALL) ALL
    # This is an example group specification
    %adminaccess-linuxservers ALL=(ALL) ALL
    
  5. Add the required users and groups to the SSH configuration file /etc/ssh/sshd_config to allow remote access

    AllowGroups localadmin domain^admins adminaccess-linuxservers
    
The AllowUsers specification will require all users listed that need ssh, in order to use an AD group, only the AllowGroups can be used. Local users will have their own local group created with the same name, that can be added to the AllowGroups list as shown with the localadmin account in the example.
  1. Restart all services to apply the changes

    service chrony restart
    service smbd restart
    service nmbd restart
    service sshd restart
    service sssd restart
    

The SSSD service may fail to start prior to joining the domain. After joining, start the service to allow the SSS daemon to process the account authentication using:

service sssd start
  1. Initialize the kerberos ticket using an account with domain join authorization:

    kinit username
    
  2. Verify that the kerberos ticket was successfully created

    klist
    
  3. Join the server to the domain

    net ads join -k
    
  4. Restart the authentication services

    service smbd restart
    service nmbd restart
    service sssd restart
    
Anytime a change is made to any of the previous configuration files, the services will need to be restarted
If the sssd service fails to start, go back to the /etc/sssd/sssd.conf configuration file in step 7 and make sure the spacing is correct. The bracket lines ([]) should be full left with no whitespace while the config entries below should have a leading tab or 2-4 whitespaces.
Avatar
Jack Wozny
IS Security Operations Engineer

I’m a computer systems engineer! I love working with technology, tinkering with and optimizing new systems.

comments powered by Disqus

Related