Joining Ubuntu Server to AD

Joining Linux servers to Microsoft AD for user login and authentication can be a daunting task. The following is the simplest (in my opinion) way to join an Ubuntu server or workstation to AD. This method was tested on Ubuntu 18.04 LTS and allows the use of AD groups for SSH access and file permissions. It also automatically creates the local home directory when a user logs in.

  1. Enable the universe repository (required for krb5-user package):

    add-apt-repository universe
    
  2. Install the required packages:

    apt update
    apt install krb5-user samba sssd chrony -y
    
During the krb5-user installation the setup wizard will ask for the default Kerberos realm (example.com) and possibly the Kerberos server (example.com:88).

If you get errors during the apt installation process, you’ll need to do a cleanup of residual files then run the install again to correct any missing packages:

    apt autoclean
    apt autoremove
    apt install krb5-user samba sssd chrony

  3. Update the local DNS resolver configuration file /etc/resolv.conf to point to the closest DC/DNS:

    search example.com
    nameserver 10.x.x.x
    nameserver 10.x.x.x
    
  4. Modify the Kerberos configuration file /etc/krb5.conf, adding the following:

    [libdefaults]
        default_realm = example.com
        ticket_lifetime = 24h
        renew_lifetime = 7d
    
    [realms]
        example.com = {
            kdc = example.com:88
            default_domain = example.com
        }
    
    [domain_realm]
        .example.com = example.com
        example.com = example.com
    

If the /etc/krb5.conf file does not exist, you may need to install the krb5-config package using:

    apt install krb5-config

  5. Modify the NTP client configuration file /etc/chrony/chrony.conf to point to the PDC NTP server:

    server 10.x.x.x
    
You may need to remove other NTP entries; by default Ubuntu contains the official Ubuntu pool addresses. Remove any lines starting with pool.

  6. Modify the Samba configuration file /etc/samba/smb.conf with the NetBIOS name of the domain:

    [global]
    
    workgroup = EXAMPLE-WINS-NAME
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = example.com
    security = ads
    
  7. Create the SSSD configuration file /etc/sssd/sssd.conf as shown:

    [sssd]
        services = nss, pam
        config_file_version = 2
        domains = example.com
    
    [domain/example.com]
        id_provider = ad
        access_provider = ad
    
        override_homedir = /home/%d/%u
    
Make sure the spacing is correct. The bracket lines ([]) should be flush left with no whitespace, while the config entries below should have a leading tab or 2-4 spaces.

  8. Correct the permissions of the SSSD configuration file:

    sudo chown root:root /etc/sssd/sssd.conf
    sudo chmod 600 /etc/sssd/sssd.conf
    
  9. Verify that the /etc/nsswitch.conf config file lists sss as a source for the account databases, as shown here:

    passwd:         compat sss
    group:          compat sss
    ...
    netgroup:       nis sss
    sudoers:        files sss
    
  10. Modify the PAM configuration file /etc/pam.d/common-account, appending the following line to allow the automatic creation of the user home directory:

    session required pam_mkhomedir.so skel=/etc/skel umask=0022
    
  11. Add the domain admins and other domain users/groups (as needed) to the /etc/sudoers file to allow admin access:

    %domain\ admins ALL=(ALL) ALL
    
    # This is an example user specification
    jwozny ALL=(ALL) ALL
    # This is an example group specification
    %adminaccess-linuxservers ALL=(ALL) ALL
    
  12. Add the required users and groups to the SSH configuration file /etc/ssh/sshd_config to allow remote access:

    AllowGroups localadmin domain^admins adminaccess-linuxservers
    
The AllowUsers directive would require listing every user who needs SSH access; to grant access by AD group, only AllowGroups can be used. Local users have their own local group created with the same name, which can be added to the AllowGroups list as shown with the localadmin account in the example.

  13. Restart all services to apply the changes:

    service chrony restart
    service smbd restart
    service nmbd restart
    service sshd restart
    service sssd restart
    

The SSSD service may fail to start prior to joining the domain. After joining, start the service so the SSSD daemon can process account authentication:

    service sssd start

  14. Initialize the Kerberos ticket using an account with domain join authorization:

    kinit username
    
  15. Verify that the Kerberos ticket was successfully created:

    klist
    
  16. Join the server to the domain:

    net ads join -k
    
  17. Restart the authentication services:

    service smbd restart
    service nmbd restart
    service sssd restart
    
Any time a change is made to any of the previous configuration files, the services need to be restarted.

If the sssd service fails to start, go back to the /etc/sssd/sssd.conf configuration file in step 7 and make sure the spacing is correct: the bracket lines ([]) should be flush left with no whitespace, while the config entries below should have a leading tab or 2-4 spaces.
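The two sssd.conf mistakes called out above (mis-indented section headers or entries, and wrong ownership/mode) can be caught before restarting the service. The following pre-flight check is an added example, not part of the original post; it assumes POSIX sh and the GNU coreutils stat(1) shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# /etc/sssd/sssd.conf layout and permission rules the post describes.
# Assumes POSIX sh and GNU stat(1) (coreutils), as found on Ubuntu.

# Layout rule from the post: [section] lines flush left, key = value lines
# indented by a tab or spaces. Prints each offending line; returns 1 if any.
check_sssd_layout() {
    file="$1"; rc=0; n=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case "$trimmed" in
            '') ;;                                     # blank line: fine
            '#'*) ;;                                   # comment: fine
            '['*']')                                   # section header
                [ "$trimmed" = "$line" ] ||
                    { echo "line $n: header '$trimmed' must be flush left"; rc=1; } ;;
            *=*)                                       # key = value entry
                [ "$trimmed" != "$line" ] ||
                    { echo "line $n: entry '$trimmed' must be indented"; rc=1; } ;;
            *)  echo "line $n: unexpected content: $line"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Ownership/mode rule from the post: root:root and 0600 (GNU stat -c assumed).
check_sssd_perms() {
    perms=$(stat -c '%U:%G %a' "$1") || return 1
    [ "$perms" = "root:root 600" ] && return 0
    echo "bad ownership/mode on $1: $perms (want root:root 600)"
    return 1
}

# Run both checks; a non-zero exit means sssd is likely to refuse to start.
check_sssd_conf() {
    file="${1:-/etc/sssd/sssd.conf}"
    check_sssd_layout "$file" && a=0 || a=1
    check_sssd_perms "$file" && b=0 || b=1
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}
```

Run `check_sssd_conf` (or `check_sssd_conf /path/to/sssd.conf`) before `service sssd restart`; it prints each problem with its line number.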
Jack Wozny
BS, CISSP, CCSP, SSCP

As a computer engineer, I have a decade of expertise in securing various networks and systems. I have led and delivered several security projects, ensuring their compliance, availability, and security.
