Integrating a Linux Machine Into Windows Active Directory Domain
This article describes how to add a Linux machine (Ubuntu 20.04) to a Windows Active Directory domain.
Step 1. Preparation and package installation.
Let’s refresh the package lists and upgrade the installed packages first.
sudo apt update && sudo apt upgrade
After that, install the required packages.
Next, we will configure these tools to work with the domain. All we need to know is:
- Domain name: office.local
- DNS server IP: 192.168.0.1
- Second DNS server IP: 192.168.0.2
Step 2. Configure DNS.
Look at the netplan config file in ‘/etc/netplan/’.
If it contains ‘dhcp4: true’ and your DHCP server is configured correctly, go to the next step.
If you configure the network connection parameters manually, here is an example of a static address configuration:
network:
  ethernets:
    enp0s3:
      addresses:
        - 192.168.0.15/24
      gateway4: 192.168.0.10
      nameservers:
        addresses: [192.168.0.1, 192.168.0.2]
        search:
          - office.local
      optional: true
  version: 2
- addresses: the IP address that will be assigned to your network card;
- gateway4: the IP address of your router;
- nameservers: the DNS servers (here, the domain controllers);
- search: the target domain.
Apply the changes:
sudo netplan apply
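The following script is an added example and is not code from the original article. It renders the static netplan configuration from variables, writes it with root-only permissions, checks that every value the join depends on is present, and can query the configured DNS servers for the SRV record that Active Directory publishes for its domain controllers. The interface name, addresses, domain, and the netplan file path are assumptions taken from the article’s sample values.

```shell
# Added example, not code from the original article. Interface, addresses,
# domain and the target file path are assumptions taken from the article's
# sample values; override them through the environment.
set -eu

IFACE="${IFACE:-enp0s3}"
ADDRESS="${ADDRESS:-192.168.0.15/24}"
GATEWAY="${GATEWAY:-192.168.0.10}"
DNS1="${DNS1:-192.168.0.1}"
DNS2="${DNS2:-192.168.0.2}"
DOMAIN="${DOMAIN:-office.local}"
NETPLAN_FILE="${NETPLAN_FILE:-/etc/netplan/00-installer-config.yaml}"   # assumed path

# Print the netplan (version 2) YAML for a static address that uses the
# domain's DNS servers and search domain, as in Step 2 of the article.
render_netplan() {
  cat <<EOF
network:
  ethernets:
    ${IFACE}:
      addresses:
        - ${ADDRESS}
      gateway4: ${GATEWAY}
      nameservers:
        addresses: [${DNS1}, ${DNS2}]
        search:
          - ${DOMAIN}
      optional: true
  version: 2
EOF
}

# Write the rendered YAML to $1 (default: NETPLAN_FILE) and make it readable
# by root only, which current netplan releases expect.
write_netplan() {
  target="${1:-$NETPLAN_FILE}"
  render_netplan > "$target"
  chmod 600 "$target"
}

# Confirm that every value the join depends on is present in the file.
# Returns 0 when the file looks complete, 1 with a message otherwise.
validate_netplan() {
  file="$1"
  for key in "version: 2" "${IFACE}:" "- ${ADDRESS}" "gateway4: ${GATEWAY}" \
             "addresses: [${DNS1}, ${DNS2}]" "- ${DOMAIN}"; do
    grep -qF -- "$key" "$file" || { echo "missing in $file: $key" >&2; return 1; }
  done
}

# Ask each configured DNS server for the SRV record Active Directory publishes
# for its domain controllers. A positive answer here is the precondition for
# 'realm discover' to succeed. Needs network access and dig (dnsutils), so it
# only runs with --install below.
check_dc_srv() {
  for server in "$DNS1" "$DNS2"; do
    if dig +short @"$server" SRV "_ldap._tcp.dc._msdcs.${DOMAIN}" | grep -q .; then
      echo "domain controller SRV record for ${DOMAIN} answered by ${server}"
      return 0
    fi
  done
  echo "no domain controller SRV record for ${DOMAIN} via ${DNS1} or ${DNS2}" >&2
  return 1
}

# Stand-alone run: render to a temporary file and validate it, leaving the
# system untouched. Pass --install (as root) to write the real file, apply it
# and verify that the domain controllers can be found through the new DNS servers.
if [ "${1:-}" = "--install" ]; then
  write_netplan
  validate_netplan "$NETPLAN_FILE"
  netplan apply
  check_dc_srv
else
  tmp=$(mktemp)
  write_netplan "$tmp"
  validate_netplan "$tmp" && echo "rendered config OK: $tmp"
fi
```

Running the script without arguments only renders and checks a temporary copy, so it can be reviewed before anything touches ‘/etc/netplan/’. The SRV lookup is the quickest way to tell a DNS problem from a realmd problem when ‘realm discover’ later fails.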
Step 3. Discover the domain, join it, and check the result.
First, discover the domain:
realm discover office.local
The output should look like this. It means that the network settings are correct and our machine received an answer from the domain. If not, check your network settings, the domain name, and DNS health.
type: kerberos
realm-name: OFFICE.LOCAL
domain-name: office.local
configured: no
...
Next, join the AD domain. Replace ‘admin’ with the domain administrator’s username and enter its password when prompted.
sudo realm join -U admin office.local
Password for admin:
Now let’s check that we can get information about an AD user. Replace ‘user’ with the name of a domain user account.
id user@office.local
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)
Step 4. Final settings and logging in.
To avoid appending the domain name to the username every time, change the ‘use_fully_qualified_names’ value to False in ‘/etc/sssd/sssd.conf’, restart sssd, and check:
id user
uid=687821651(user@office.local) gid=687800512(user@office.local) groups=687800512(domain users@office.local)
Now we need to set up automatic creation of home directories for AD users when they first log in. Edit ‘/etc/pam.d/common-session’:
# add this line at the end of the file
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Let’s try to log in as an AD user.
Password:
Creating directory '/home/user@office.local'.
user@ubuntu-server:~$
This means that you have successfully logged in as an AD user.
Additionally, you can allow some AD users or groups to log in and restrict everyone else. The example below denies everyone, then allows user, user2, and the Domain Admins group.
sudo realm deny --all
sudo realm permit user@office.local user2@office.local
sudo realm permit -g 'Domain Admins'
Granting AD users root privileges through sudo works the same way as for local users, but in another file. Edit the sudoers configuration with ‘visudo’ and add the necessary lines. For example (a group name containing a space must be escaped):
%Domain\ Admins ALL=(ALL) ALL
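A syntax error in a sudoers file can lock every administrator out of sudo, so the rule above should be checked by visudo before it is installed. The following script is an added example, not code from the original article: it renders the rule for any list of AD users or groups (escaping the spaces in names such as ‘Domain Admins’), runs ‘visudo -c’ on a temporary copy, and installs it as a drop-in under ‘/etc/sudoers.d/’ only when the check passes. The drop-in file name ‘ad-admins’ is an assumption.

```shell
# Added example, not code from the original article: build the sudo rule for
# AD users or groups as a drop-in under /etc/sudoers.d/ and install it only
# after visudo has accepted the syntax. The drop-in file name is an assumption.
set -eu

# Render one sudoers line per argument. Names that contain spaces, such as the
# "Domain Admins" group, must be escaped or sudo reports a syntax error.
render_sudoers() {
  for entry in "$@"; do
    escaped=$(printf '%s' "$entry" | sed 's/ /\\ /g')
    printf '%s ALL=(ALL) ALL\n' "$escaped"
  done
}

# Check a candidate file with visudo. Returns 0 on a clean parse, 1 on a
# syntax error. A bad file in /etc/sudoers.d can lock everyone out of sudo,
# which is why the check comes before installation.
sudoers_syntax_ok() {
  visudo -c -q -f "$1"
}

# Write the rendered rules to a temporary file, check them, then install the
# file with the 0440 root:root permissions sudo requires for drop-ins.
install_sudoers_dropin() {
  target="/etc/sudoers.d/ad-admins"   # assumed file name
  tmp=$(mktemp)
  render_sudoers "$@" > "$tmp"
  if ! sudoers_syntax_ok "$tmp"; then
    echo "refusing to install $target: visudo rejected the rules" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0440 -o root -g root "$tmp" "$target"
  rm -f "$tmp"
  echo "installed $target"
}

# Stand-alone run: print the rules for the article's example. Pass --install
# (as root) to check and activate them.
if [ "${1:-}" = "--install" ]; then
  install_sudoers_dropin '%Domain Admins'
else
  render_sudoers '%Domain Admins' 'user2'
fi
```

Putting the rule in a drop-in rather than appending to ‘/etc/sudoers’ keeps the AD grant in one file that can be removed or audited on its own, and the 0440 mode is what sudo insists on before it reads files from ‘/etc/sudoers.d/’.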