Lundebakkevej 5, 4684 Holmegaard

Home of Skau

Join Ubuntu 20.04 to AD

I have a server where I would like users in my AD to be able to log in with their AD credentials. This keeps passwords in one place only and lightens my work when creating and deleting users.

Current setup

AD 2016 servers with integrated DNS (domain skau.dk)
Ubuntu 20.04 server (osticket.skau.dk) with AD DNS server as its DNS resolver

Install packages

Install the needed packages for the AD bind

apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Check that you are not already in a domain

root@osticket:~# realm list
root@osticket:~#

Discover your Active Directory domain

root@osticket:~# realm discover SKAU.DK
skau.dk
  type: kerberos
  realm-name: SKAU.DK
  domain-name: skau.dk
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Join your Active Directory

(You will need a user who has the rights to add a computer to the domain; in my case it is admlts.)

root@osticket:~# realm join --user=admlts SKAU.DK
Password for admlts:
root@osticket:~#

Check that you are now a member of the domain

root@osticket:~# realm list
skau.dk
  type: kerberos
  realm-name: SKAU.DK
  domain-name: skau.dk
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@skau.dk
  login-policy: allow-realm-logins
root@osticket:~#

To test it further, I first check a local user, then an AD user without the realm suffix (which fails, because the join configures fully qualified names), and finally an AD user with the realm suffix.

root@osticket:~# id lars
uid=1000(lars) gid=1000(lars) groups=1000(lars),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
root@osticket:~# id admlts
id: ‘admlts’: no such user
root@osticket:~# id admlts@skau.dk
uid=759801104(admlts@skau.dk) gid=759800513(domain users@skau.dk) groups=759800513(domain users@skau.dk),759800512(domain admins@skau.dk),759801112(serveradmins@skau.dk),759800572(denied rodc password replication group@skau.dk),759801111(vmwareadmins@skau.dk),759800519(enterprise admins@skau.dk),759801121(grp-dbadmins@skau.dk)

Auto creation of user homedir

All you have to do is get PAM to create it for you at login:

echo "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

Final test

root@osticket:~# ls -l /home |grep admlts
root@osticket:~# su - admlts@skau.dk
Creating directory '/home/admlts@skau.dk'.
admlts@skau.dk@osticket:~$ pwd
/home/admlts@skau.dk
admlts@skau.dk@osticket:~$
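As an added example (not part of the original post), the script below is a read-only audit of the join performed above. It parses saved `realm list` output, the PAM session file and sssd.conf, all passed as file paths, and reports the things a defender cares about after a join: whether the host is really a domain member, whether every domain account is allowed to log in (the `allow-realm-logins` policy shown above) or only permitted groups, whether pam_mkhomedir is active, and whether fully qualified names are required (which is why `id admlts` fails while `id admlts@skau.dk` works). The sample files at the bottom are constructed to mirror the output in the post; they are not real system files.

```shell
#!/bin/sh
# Added example, not from the original post: post-join audit helpers.
# All inputs are files so the script can run offline against saved output.

# realm_state FILE : prints "joined" if `realm list` shows kerberos-member
realm_state() {
    if grep -q '^[[:space:]]*configured: kerberos-member' "$1"; then
        echo joined
    else
        echo not-joined
    fi
}

# login_policy FILE : prints the login-policy value from `realm list`, or "none"
login_policy() {
    awk '/^[[:space:]]*login-policy:/ { sub(/^[[:space:]]*login-policy: */, ""); print; found = 1 }
         END { if (!found) print "none" }' "$1"
}

# mkhomedir_active PAMFILE : succeeds if an uncommented session line loads pam_mkhomedir.so
mkhomedir_active() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# fqn_required SSSDCONF : prints "yes" if use_fully_qualified_names = True
fqn_required() {
    if grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*true' "$1"; then
        echo yes
    else
        echo no
    fi
}

# audit REALMFILE PAMFILE SSSDCONF : prints findings; returns 1 if not joined
audit() {
    state=$(realm_state "$1")
    echo "domain membership : $state"
    policy=$(login_policy "$1")
    echo "login policy      : $policy"
    if [ "$policy" = "allow-realm-logins" ]; then
        echo "  note: every domain account may log in; restrict with 'realm permit -g <AD group>'"
    fi
    if mkhomedir_active "$2"; then
        echo "home dir creation : pam_mkhomedir active"
    else
        echo "home dir creation : NOT configured"
    fi
    echo "fully qualified names required: $(fqn_required "$3")"
    [ "$state" = joined ]
}

# --- constructed sample inputs mirroring the post's output (not real files) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/realm.txt" <<'EOF'
skau.dk
  type: kerberos
  realm-name: SKAU.DK
  domain-name: skau.dk
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@skau.dk
  login-policy: allow-realm-logins
EOF
cat > "$SAMPLE_DIR/common-session" <<'EOF'
session required        pam_unix.so
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
domains = skau.dk
[domain/skau.dk]
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
EOF

audit "$SAMPLE_DIR/realm.txt" "$SAMPLE_DIR/common-session" "$SAMPLE_DIR/sssd.conf"
```

On a real host, feed it `realm list > /tmp/realm.txt`, `/etc/pam.d/common-session` and `/etc/sssd/sssd.conf`. If the policy line reads `allow-realm-logins`, `realm permit -g <group>` switches the host to `allow-permitted-logins`, so only members of the named AD group can log in instead of every domain account.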