Integrating a Linux Machine Into Windows Active Directory Domain
This article will describe the process of adding a Linux machine (Ubuntu 20.04) into a Windows Active Directory Domain.
Step 1. Preparation and package installation.
Let’s update packages first.
sudo apt update
sudo apt upgrade
After that, install the required packages.
sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Next, we will configure all of these tools to work with the domain. All we need to know is:
- Domain name: office.local
- DNS server IP: 192.168.0.1
- Second DNS server IP: 192.168.0.2
Step 2. Configure DNS.
Look at the netplan config file.
sudo nano /etc/netplan/*.yaml
If you see ‘dhcp4: true’ there and your DHCP server is configured correctly (it hands out the domain DNS servers and the search domain), go to the next step.
If you configure the network connection parameters manually, here is an example of a static address setup:
network:
  version: 2
  ethernets:
    enp0s3:
      addresses:
        - 192.168.0.15/24
      gateway4: 192.168.0.10
      nameservers:
        addresses: [192.168.0.1, 192.168.0.2]
        search:
          - office.local
      optional: true
- addresses — the IP address that will be assigned to your network card;
- gateway4 — the IP address of your router;
- nameservers — the DNS servers (here the domain controllers);
- search — the target domain.
Apply changes.
sudo netplan apply
Step 3. Discover the domain, join it, and check the result.
First, discover the domain.
realm discover office.local
We’ll see something like this. This means that the network settings are correct and our machine received an answer from the domain. If not, you need to check your network settings, domain, and DNS health.
office.local
type: kerberos
realm-name: OFFICE.LOCAL
domain-name: office.local
configured: no
...
Next, join the AD domain. Replace ‘admin’ with the domain administrator’s username and enter its password when prompted.
realm join -U admin office.local
Password for admin:
Now let's check if we can get information about the AD user. Replace ‘user’ with the name of the domain user account.
id user@office.local
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)
Step 4. Final settings and logging in.
To avoid adding the domain name to the username every time, let’s configure this.
sudo nano /etc/sssd/sssd.conf
Change the ‘use_fully_qualified_names’ value to False. Restart SSSD and check:
sudo systemctl restart sssd
id user
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)
Now we need to set up automatic creation of home directories for AD users when they log in for the first time.
sudo nano /etc/pam.d/common-session
# add this line at the end of the file
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Let’s try to log in as an AD user.
su - user
Password:
Creating directory '/home/user@office.local'.
user@ubuntu-server:~$
This means that you have successfully logged in as an AD user.
Additionally, you can allow login for some AD users or groups and deny it to everyone else. The example below first denies everyone, then allows user, user2 and the Domain Admins group.
sudo realm deny --all
sudo realm permit user@office.local user2@office.local
sudo realm permit -g 'Domain Admins'
Granting AD users sudo (root) privileges works the same way as for local users, but the rules go in a separate file.
sudo nano /etc/sudoers.d/admins
Add the necessary lines to it. Note that a space in an AD group name must be escaped with a backslash, otherwise visudo rejects the line. For example:
user ALL=(ALL) ALL
%Domain\ Admins ALL=(ALL) ALL
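As an added example (not part of the original article), here is a small POSIX shell script with sanity checks for the state the four steps above leave the machine in: is the realm joined, does sssd.conf accept short user names, does `id` list the "domain users" group, and how to build a correctly escaped sudoers entry. The functions take their input as text, so the sample data below is constructed; on a real host you would pass them the output of `realm list`, the contents of /etc/sssd/sssd.conf and the output of `id user`.

```sh
#!/bin/sh
# Post-join checks for the realmd/SSSD setup described in the article.
# Inputs are passed as text, e.g. post_join_report "$(realm list)" \
#   "$(cat /etc/sssd/sssd.conf)" "$(id user)".

# Value of the "configured:" field from realm output: a joined machine
# reports "kerberos-member", a discovered-but-unjoined one reports "no".
realm_configured() {
    printf '%s\n' "$1" | awk '$1 == "configured:" { print $2; exit }'
}

# Succeeds when sssd.conf accepts short logins (use_fully_qualified_names = False).
sssd_short_names() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*false[[:space:]]*$'
}

# Succeeds when the groups= part of an `id` line contains the given group name,
# with or without the @domain suffix (group name is used as a regex fragment).
id_has_group() {
    printf '%s\n' "$1" | sed 's/^.*groups=//' | grep -Eq "\\($2(@[^)]*)?\\)"
}

# Sudoers entry for an AD group: spaces in the name must be backslash-escaped.
sudoers_group_line() {
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# Runs every check; prints what is wrong and returns non-zero on any failure.
post_join_report() {   # $1 realm output, $2 sssd.conf text, $3 `id` output
    rc=0
    state=$(realm_configured "$1")
    [ "$state" = kerberos-member ] || { echo "not joined (configured: ${state:-?})"; rc=1; }
    sssd_short_names "$2" || { echo "sssd.conf still requires user@domain logins"; rc=1; }
    id_has_group "$3" 'domain users' || { echo "id output lacks the 'domain users' group"; rc=1; }
    return $rc
}

# Constructed sample inputs, modelled on the output shown in the article.
SAMPLE_REALM='office.local
  type: kerberos
  realm-name: OFFICE.LOCAL
  domain-name: office.local
  configured: kerberos-member
  client-software: sssd'
SAMPLE_SSSD='[domain/office.local]
use_fully_qualified_names = False'
SAMPLE_ID='uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)'

post_join_report "$SAMPLE_REALM" "$SAMPLE_SSSD" "$SAMPLE_ID" && echo "all checks passed"
```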