06.06.2023

Integrating a Linux Machine Into Windows Active Directory Domain

This article will describe the process of adding a Linux machine (Ubuntu 20.04) into a Windows Active Directory Domain.

Step 1. Install packages and preparation.

Let’s update packages first.

sudo apt update
sudo apt upgrade

After that, install the required packages.

sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Next, we will configure all of these tools to work with the domain. All we need to know is:

  • Domain name: office.local
  • DNS server IP: 192.168.0.1
  • Second DNS server IP: 192.168.0.2

Step 2. Configure DNS.

Look in netplan config file.

sudo nano /etc/netplan/*.yaml

If you see there ‘dhcp4: true’ and your DHCP server is configured in a right way, go to the next step.
If you configure the network connection parameters manually, here is an example for setting up static addresses:

network:
ethernets:
enp0s3:
addresses:
- 192.168.0.15/24
gateway4: 192.168.0.10
nameservers:
addresses: [192.168.0.1, 192.168.0.2]
search:
- office.local
optional: true
version: 2

Apply changes.

sudo netplan apply

Step 3. Discover the domain, join it, and check the result.

First, discover the domain.

realm discover office.local

We’ll see something like this. This means that the network settings are correct and our machine received an answer from the domain. If not, you need to check your network settings, domain, and DNS health.

office.local
type: kerberos
realm-name: OFFICE.LOCAL
domain-name: office.local
configured: no
...

Next, join the AD domain. Replace ‘admin’ with the domain administrator’s username and enter the password for it if prompt.

realm join -U admin office.local
Password for admin:

Now let's check if we can get information about the AD user. Replace ‘user’ with the name of the domain user account.

id user@office.local
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)

Step 4. Last settings and logging in.

To avoid adding the domain name to the username every time, let’s configure this.

sudo nano /etc/sssd/sssd.conf

Change the ‘use_fully_qualified_names’ value to False. Restart and check:

sudo systemctl restart sssd
id user
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)

Now we need to to set up a creation of Home Dirs for AD users when they log in.

sudo nano /etc/pam.d/common-session
#add this line in the end of file
session optional pam_mkhomedir.so skel=/etc/skel umask=077

Let’s try to log in as an AD user.

su – user
Password:
Creating directory '/home/user@office.local'.
user@ubuntu-server:~$

This means that you have successfully logged in as an AD user.

Additionally, you can allow authorization for some AD users or groups and restrict others. The example below is set to deny everyone and allow for user, user2, Domain Admins group.

sudo realm deny –all
sudo realm permit user@office.local user2@office.local
sudo realm permit -g 'Domain Admins'

Configuring AD users to get root privileges is the same as for local users, but in another file.

sudo nano /etc/sudoers.d/admins

Add the necessary lines to it. For example:

user ALL=(ALL) ALL
%Domain Admins ALL=(ALL) ALL