Join Ubuntu 16.04 into Active Directory Domain

There are quite a few guides lying around the internet for getting Ubuntu 16.04 working with Active Directory. I followed a few of them and always ended up with problems: I could su - to the user but not ssh in, or I could su - to the user and ssh as the user but not connect via RDP or a local X11 login. I searched all over the place for solutions, but nothing worked. Finally, after trial and error, I found a combination of settings that gets everything working.

Since working in a mixed Windows/Linux environment is never particularly fun, I thought I would document my process to save others from having to figure this out from scratch. So here is my guide to getting everything working with RealmD and SSSD. I use the example Active Directory domain my.domain.com in everything below. This guide is pretty close to others you'll find, but there are a few key differences, the primary ones being in the SSSD configuration.

Install Required Packages

apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp

You'll be prompted for some Kerberos authentication configuration during the install; just enter your AD domain or domain controllers in all caps, i.e. MY.DOMAIN.COM.

Configure ntp

Next you'll need to make sure your Ubuntu server's time is in sync with the Active Directory servers (Kerberos rejects tickets when the clock skew is too large). For that, edit your /etc/ntp.conf file, comment out the current servers, and add your domain controllers by either FQDN or IP.

...
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org
server my.domain.com
server my.domain.com

#Use Ubuntu's ntp server as a fallback.
#server ntp.ubuntu.com
...

Restart your ntp service:

/etc/init.d/ntp restart

Configure RealmD

Next, we’ll need to configure RealmD. Create the /etc/realmd.conf file with the following contents:

[users]
default-home = /home/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 16.04

[service]
automatic-install = no

[my.domain.com]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no

Kerberos Configuration

A slight change is needed to the /etc/krb5.conf file. At the top of the file, make the following change:

[libdefaults]
default_realm = MY.DOMAIN.COM

Join Ubuntu to Domain

sudo kinit administrator@MY.DOMAIN.COM
Password for administrator@MY.DOMAIN.COM:
sudo realm --verbose join my.domain.com --user-principal=UBUNTU/administrator@MY.DOMAIN.COM

Auto creation of user home directories

A slight addition to the end of /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
#end of pam-auth-update config

Edit X11 Config

Personally I did not need to do this, because I did not need local logins via X11. But I had posted a question about RDP logins via Active Directory which I answered myself, and another user responded that my changes worked but that he had to make the following additional change for X11.

Edit /etc/X11/Xwrapper.config and change the setting to allowed_users=anybody.

Configure SSSD

RealmD comes pretty close to setting up the sssd.conf file properly, but a few changes are needed to be able to log in via SSH and RDP. Edit the /etc/sssd/sssd.conf file so it looks like this:

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ad_gpo_access_control = permissive
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad

The key changes I had to make:

Changing access_provider from simple to ad. Without this I could not ssh in.
Adding ad_gpo_access_control = permissive. Without this I could not connect via RDP.

Restart your sssd service:

service sssd restart

At this point, using your Active Directory user, you should be able to SSH into your Ubuntu server, RDP into your desktop environment, or do a local X11 login.

nsswitch.conf

With the default SSSD configuration, every time a user executes a sudo action it will generate an email to your root account with the contents of:

root : problem with defaults entries ; TTY=pts/2 ; PWD=/root ;

This isn't really an error; it's just noise, since sssd does not support sudo rules for local users. It's an easy fix to stop this: just edit your /etc/nsswitch.conf file. Find this line:

sudoers: files sss

and change it to:

sudoers: files

Allowing/Restricting logins

If you want to restrict or allow access for only certain users or groups, modify the /etc/sssd/sssd.conf file and, in the [domain/my.domain.com] section, use any of these options:

simple_allow_users = user1,user2
simple_deny_users = user1,user2
simple_allow_groups = group1,group2
simple_deny_groups = group1,group2
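As an added check that is not part of the original guide, the script below lints an sssd.conf and nsswitch.conf for the settings changed in the Configure SSSD and nsswitch.conf sections above, and also flags the simple_* options from this section, which SSSD only consults when access_provider is simple. The get_opt/check_sssd/check_nsswitch names and the sample files are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint sssd.conf and nsswitch.conf
# for the settings the guide changes, and flag what "permissive" GPO control means.
# Assumes INI-style "key = value" lines, as in the guide's files.

# get_opt FILE SECTION KEY : print the value of KEY inside [SECTION], if present
get_opt() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# check_sssd FILE DOMAIN : print one finding per line; no output means nothing to report
check_sssd() {
    sec="domain/$2"
    ap=$(get_opt "$1" "$sec" access_provider)
    [ "$ap" = ad ] || echo "access_provider=${ap:-unset}: guide needs 'ad', otherwise SSH logins fail"
    case "$(get_opt "$1" "$sec" ad_gpo_access_control)" in
        permissive) echo "ad_gpo_access_control=permissive: GPO logon rights are evaluated but not enforced" ;;
        enforcing|disabled|"") ;;   # SSSD's other values; unset means SSSD's version-dependent default
        *) echo "ad_gpo_access_control: unrecognised value" ;;
    esac
    # simple_* options belong to access_provider = simple; with 'ad' SSSD does not consult them
    for k in simple_allow_users simple_deny_users simple_allow_groups simple_deny_groups; do
        [ "$ap" = ad ] && [ -n "$(get_opt "$1" "$sec" "$k")" ] && echo "$k is set but ignored under access_provider=ad"
    done
    return 0
}

# check_nsswitch FILE : flag the "sudoers: files sss" line behind the root-mail noise
check_nsswitch() {
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") print "sudoers: still lists sss; drop it to stop the \"problem with defaults entries\" mail" }' "$1"
    return 0
}

# Constructed sample files mirroring the guide's final sssd.conf and the pre-fix nsswitch line
SSSD_SAMPLE=$(mktemp); NSS_SAMPLE=$(mktemp)
cat > "$SSSD_SAMPLE" <<'EOF'
[sssd]
domains = my.domain.com
[domain/my.domain.com]
ad_gpo_access_control = permissive
simple_allow_users = $
access_provider = ad
EOF
printf 'passwd: compat sss\nsudoers: files sss\n' > "$NSS_SAMPLE"
check_sssd "$SSSD_SAMPLE" my.domain.com
check_nsswitch "$NSS_SAMPLE"
```

To run it against a live system, call check_sssd /etc/sssd/sssd.conf my.domain.com and check_nsswitch /etc/nsswitch.conf as root, since sssd.conf is readable only by root.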