This is a simple guide to joining an Ubuntu workstation to a Windows Active Directory domain so that Domain Users can authenticate against Active Directory when they log on to the workstation.
Setup System
Run updates.
sudo apt-get -y update
Install SSSD, realmd and the Kerberos client packages.
sudo apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp
When krb5-user prompts for the default Kerberos realm, enter <DOMAIN> in capitals. Kerberos realm names are case-sensitive and an Active Directory realm is the domain name in upper case.
Configure NTP
Kerberos rejects authentication when the client clock is more than five minutes out from the Domain Controllers, so make sure the system syncs its time to them.
Edit the ntp config file.
sudo vi /etc/ntp.conf
Comment out the default pools and add a server line for each Domain Controller, replacing <host>.<domain> with the Domain Controller's fully qualified hostname. An ntp server entry takes a resolvable hostname or IP address, not a user@DOMAIN principal.
#pool 0.ubuntu.pool.ntp.org
#pool 1.ubuntu.pool.ntp.org
#pool 2.ubuntu.pool.ntp.org
#pool 3.ubuntu.pool.ntp.org
server <host>.<domain>
Restart the service.
sudo systemctl restart ntp
Configure RealmD
Edit the realmd config file.
sudo vi /etc/realmd.conf
Set os-name and os-version to match the machine (realmd writes them to the computer object in AD) and change <DOMAIN> to the fully qualified domain name, in lower case as realmd names the section. fully-qualified-names = no means Domain Users log on as <user> rather than <user>@<DOMAIN>, which matches the use_fully_qualified_names = False setting in the SSSD configuration later on.
[users]
default-home = /home/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Server
os-version = 18.04
[service]
automatic-install = no
[<DOMAIN>]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
Configure Kerberos
Open the Kerberos config file.
sudo vi /etc/krb5.conf
Make sure it names the realm, in capitals:
[libdefaults]
default_realm = <DOMAIN>
Join System to Domain
Obtain a Kerberos ticket for an account that is allowed to create computer objects in the domain. A Domain Administrator works, but a delegated join account is the least-privilege choice. Because kinit runs through sudo the ticket lands in root's credential cache, which is where the realm join below looks for it.
sudo kinit <user>@<DOMAIN>
This will prompt for the account's password.
Then join the domain. realm uses the ticket already in the cache; --user-principal sets the userPrincipalName of the new computer account to the host's service principal (realmd.conf already requests this with user-principal = yes, so the option is optional here):
sudo realm -v join <DOMAIN> --user-principal=host/<hostname>@<DOMAIN>
Local Home Directory
Add a pam_mkhomedir entry so a home directory is created the first time a Domain User logs onto the system:
sudo vi /etc/pam.d/common-session
Add it after the end-of-config marker at the bottom of the file. Lines placed above that marker belong to the block that pam-auth-update manages and are overwritten the next time it runs (pam-auth-update can also enable its mkhomedir profile for you instead of editing the file by hand). The umask of 0077 keeps the new home directory private to its owner.
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Configure SSSD
This will allow Domain Users to log in locally, over ssh and over rdp.
sudo vi /etc/sssd/sssd.conf
Edit ad_domain, krb5_realm and access_provider, along with the domains line and the section name, to match the domain.
[sssd]
domains = <DOMAIN>
config_file_version = 2
services = nss, pam
[domain/<DOMAIN>]
ad_domain = <DOMAIN>
krb5_realm = <DOMAIN>
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ad_gpo_access_control = permissive
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad
Two settings in this file deserve a second look. ad_gpo_access_control = permissive means SSSD evaluates the GPO logon rights ("Allow log on locally" and the related rights) but only logs violations; once the GPOs are confirmed correct, switch it to enforcing so they are actually applied. simple_allow_users is read only by the simple access provider and is ignored with access_provider = ad, so it grants nothing here. The file must stay owned by root with mode 0600, or sssd will refuse to start.
Restart the service.
sudo systemctl restart sssd
Configure and Add User to sudoers
Edit the nsswitch config file so that sudo reads its rules from the local sudoers files only (if required).
sudo vi /etc/nsswitch.conf
Remove the sss source that the join appended to the sudoers line; without it sudo does not query AD for sudo rules on every invocation.
sudoers: files
Now test that the Domain Administrator can log on via a shell and that the home directory is created on first login.
su - <user>
Instead of changing the original, create a new sudoers file:
sudo visudo -f /etc/sudoers.d/domain_admin
Add the Domain Admins group to it. The leading % marks a group, \\ escapes the backslash and \  escapes the space in the group name; visudo checks the syntax before saving.
%<DOMAIN>\\domain\ Admins ALL=(ALL:ALL) ALL
Configure Local Login to GUI
Depending on the GUI installed, the greeter will need to be told to accept higher UIDs. Local accounts start at UID 1000, while Domain Users mapped by SSSD (ldap_id_mapping = True) receive much larger UIDs, typically nine or ten digits, which fall outside the greeter's default range.
Check the UID a Domain User actually gets:
id <user>
SDDM
If using sddm, a different greeter theme may be needed so that the login screen offers "Switch User" or a box to type a username into, since the default theme only lists local users.
sudo apt -y install sddm-theme-circles
Then edit the config file.
sudo vi /etc/sddm.conf
Set the theme and the UID range. MaximumUid must be at least as large as the UID reported by id <user>; a value of 999999 only admits six-digit UIDs, so a nine- or ten-digit mapped UID would still be hidden. SSSD's default ID-mapping range runs up to just over two billion, so the largest value the setting accepts covers it:
[Theme]
Current=circles
CursorTheme=breeze_cursors
[Users]
MaximumUid=2147483647
MinimumUid=1000
Test by logging out and logging in with the Domain User.
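To check the outcome of the whole procedure, here is an added example (not part of the original guide) in the form of a bash script: an offline audit of an sssd.conf and an sddm.conf against the settings discussed above, plus optional live checks to run on the joined host. The domain corp.example.com, the sample configs in the usage note and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: audit the sssd.conf and sddm.conf
# built above. The offline functions take file paths so they can be run against
# copies of the files; the live checks at the bottom need the joined host and
# only run when RUN_LIVE=1 is set. corp.example.com is an assumed domain name.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_s = ($0 == ("[" sect "]")); next }
        in_s && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1" 2>/dev/null || true
}

# audit_sssd_conf FILE DOMAIN: print one line per finding; prints nothing when
# the file matches the hardened form of the configuration in this guide.
audit_sssd_conf() {
    local f="$1" dom="$2" sect="domain/$2" v
    # sssd refuses to start unless the file is root-owned and mode 0600
    v=$(stat -c '%a' "$f")
    [ "$v" = "600" ] || echo "mode is $v; sssd requires 0600"
    v=$(ini_get "$f" sssd domains | tr -d ' ')
    case ",$v," in *",$dom,"*) ;; *) echo "$dom is not listed in [sssd] domains" ;; esac
    v=$(ini_get "$f" "$sect" id_provider)
    [ "$v" = "ad" ] || echo "id_provider is '$v'; expected ad"
    v=$(ini_get "$f" "$sect" access_provider)
    [ "$v" = "ad" ] || echo "access_provider is '$v'; expected ad"
    # permissive evaluates GPO logon rights but only logs violations
    v=$(ini_get "$f" "$sect" ad_gpo_access_control)
    [ "$v" != "permissive" ] || echo "ad_gpo_access_control is permissive; GPO logon rights are not enforced"
    # only the simple access provider reads simple_allow_users
    v=$(ini_get "$f" "$sect" simple_allow_users)
    [ -z "$v" ] || echo "simple_allow_users is set but ignored by access_provider = ad"
}

# uid_visible_to_sddm FILE UID: succeed if UID falls inside the [Users] range
# sddm reads from FILE (sddm defaults: MinimumUid 1000, MaximumUid 60000).
uid_visible_to_sddm() {
    local min max
    min=$(ini_get "$1" Users MinimumUid)
    max=$(ini_get "$1" Users MaximumUid)
    [ "$2" -ge "${min:-1000}" ] && [ "$2" -le "${max:-60000}" ]
}

# live_checks DOMAIN USER: run on the joined host (needs realm, ntpq, getent).
live_checks() {
    local dom="$1" user="$2" uid
    realm list 2>/dev/null | grep -qi "^$dom" || echo "not joined to $dom (realm list)"
    ntpq -p 2>/dev/null | grep -q '^\*' || echo "ntpd has no selected peer yet; check /etc/ntp.conf"
    getent passwd "$user" >/dev/null || echo "NSS cannot resolve $user; check sssd and nsswitch.conf"
    audit_sssd_conf /etc/sssd/sssd.conf "$dom"
    uid=$(id -u "$user" 2>/dev/null) || uid=""
    if [ -n "$uid" ] && ! uid_visible_to_sddm /etc/sddm.conf "$uid"; then
        echo "UID $uid of $user is outside sddm's [Users] range; raise MaximumUid"
    fi
}

# Only the live checks touch the running system; the functions above are pure
# file checks. On the joined host: RUN_LIVE=1 ./verify_join.sh corp.example.com <user>
if [ "${RUN_LIVE:-0}" = "1" ]; then
    live_checks "${1:?domain}" "${2:?user}"
fi
```

Run against a copy of the sssd.conf from this guide, audit_sssd_conf reports the permissive GPO setting and the inert simple_allow_users line and nothing else; against a copy with ad_gpo_access_control = enforcing and that line removed it reports nothing. Feeding uid_visible_to_sddm the UID from id <user> together with /etc/sddm.conf shows whether the greeter will list the account before you log out to try it.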