Woah there cowboy, there's an updated version of this guide. This one is pretty lame in comparison
Do your Ubuntu servers feel a little orphaned from the Windows side of your network? Joining them to your local or corporate Active Directory domain can be easy as cake.
Networking
The first step to ensure things go smoothly is to get your network settings in order.
With Netplan this is pretty simple, and very readable. Make sure you have the nameservers and search suffix's set up properly.
network:
version: 2
renderer: networkd
ethernets:
enp3s0:
addresses:
- 10.10.10.2/24
gateway4: 10.10.10.1
nameservers:
search: [mydomain, otherdomain]
addresses: [10.10.10.1, 1.1.1.1]Packages
The following packages listed on the official documentation should be all that's required for successfully joining the domain.
sudo apt install krb5-user samba sssd chronySetup
For the first prompt, you'll need fill in the Kerberos realm, this will be the fully qualified name for your domain
Optionally, you can fill this in later in : /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
EXAMPLE.COM = {
kdc = example-dc01.EXAMPLE.COM
admin_server = example-dc01.EXAMPLE.COM
default_domain = EXAMPLE.COM
}We want the system time to match that of the Active Directory controller, or Kerberos authentication may fail, we can sync it by using the domain controller to provide the NTP service:
After this, we need to configure Samba - this will be used for netbios/nmdb services (related to Active Directory authentication)
Edit the file: /etc/samba/smb.conf and add the following to the [global] configuration:
Next, we'll configure SSSD - this is a system daemon to manage access to local and remote identity and authentication resources, we'll need it for Active Directory.
There's no preconfigured example file in this package, so we'll need to create the config. Below is a minimal working config file:
[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.NET
[domain/EXAMPLE.NET]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.example.net
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.example.net
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = EXAMPLE.NET
# Enumeration is discouraged for performance reasons.
# enumerate = trueAfter saving, set root ownership and permissions
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.confModify add an alias for your machine to the localhost entry in /etc/hosts that specifies the FQDN of your domain controler - this will be useful with dynamic DNS updates.
Joining Active Directory
Time for the moment of truth, first restart chrony, samba, and start sssd
sudo systemctl restart chrony.service
sudo systemctl restart smbd.service nmbd.service
sudo systemctl start sssd.serviceTest the configuration by obtaining a Kerberos ticket:
sudo kinit AdministratorVerify the ticket with:
sudo klistIf there is a ticket with an expiration date listed, then it's time to join the domain
sudo net ads join -kExtras
Verification
If you're unsure about whether you're now on-domain, you can always check the default Computers OU in Active Directory, another good way is to try the following:
getent passwd 'domain account'
If this command returns nothing, you have something of a problem.
If it returns a user account, then you're set! SSH logins should now work also
