Joining an Active Directory domain with Ubuntu 18.04 LTS


Woah there cowboy, there's an updated version of this guide. This one is pretty lame in comparison.

Do your Ubuntu servers feel a little orphaned from the Windows side of your network? Joining them to your local or corporate Active Directory domain can be as easy as cake.

Networking

The first step to ensure things go smoothly is to get your network settings in order.
With Netplan this is pretty simple, and very readable. Make sure you have the nameservers and search suffixes set up properly.

network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      addresses:
        - 10.10.10.2/24
      gateway4: 10.10.10.1
      nameservers:
          search: [mydomain, otherdomain]
          addresses: [10.10.10.1, 1.1.1.1]
Sample network configuration - note the values in the nameservers field

Packages

The following packages listed on the official documentation should be all that's required for successfully joining the domain.

sudo apt install krb5-user samba sssd chrony

Setup

For the first prompt, you'll need to fill in the Kerberos realm; this is the fully qualified name of your domain.

Optionally, you can fill this in later in /etc/krb5.conf:

[libdefaults]
	default_realm = EXAMPLE.COM

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms]
	EXAMPLE.COM = {
		kdc = example-dc01.EXAMPLE.COM
		admin_server = example-dc01.EXAMPLE.COM
		default_domain = EXAMPLE.COM
	}
/etc/krb5.conf - Use CAPS when defining your domain

We want the system time to match that of the Active Directory domain controller, or Kerberos authentication may fail. We can keep it in sync by using the domain controller as the NTP server:

/etc/chrony/chrony.conf

After this, we need to configure Samba. This will be used for NetBIOS/nmbd services (related to Active Directory authentication).
Edit the file /etc/samba/smb.conf and add the following to the [global] configuration:

/etc/samba/smb.conf - Remember to use CAPS when you fill out workgroup & realm

Next, we'll configure SSSD. This is a system daemon that manages access to local and remote identity and authentication resources, and we'll need it for Active Directory.
There's no preconfigured example file in this package, so we'll need to create the config. Below is a minimal working config file:

[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.NET

[domain/EXAMPLE.NET]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.example.net

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.example.net

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = EXAMPLE.NET

# Enumeration is discouraged for performance reasons.
# enumerate = true

After saving, set root ownership and permissions:

sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
If these permissions are not set, SSSD won't start.

Add an alias for your machine to the localhost entry in /etc/hosts that specifies the FQDN of your domain controller. This will be useful with dynamic DNS updates.

Joining Active Directory

Time for the moment of truth. First restart chrony and Samba, then start SSSD:

sudo systemctl restart chrony.service
sudo systemctl restart smbd.service nmbd.service
sudo systemctl start sssd.service

Test the configuration by obtaining a Kerberos ticket:

sudo kinit Administrator
Administrator can be any account with privileges to join machines to the domain.

Verify the ticket with:

sudo klist

If there is a ticket with an expiration date listed, then it's time to join the domain:

sudo net ads join -k
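Most join failures come down to the prerequisites this guide calls out: the realm not in caps, a clock too far from the DC, sssd.conf permissions, or DNS not resolving the KDC. The script below checks all four in one place; it is an added example, not part of the original post, and assumes the guide's file paths, chrony for time sync, dig from the dnsutils package, and EXAMPLE.COM as a placeholder realm.

```shell
#!/bin/sh
# Pre-join checks for the steps in this guide (added example, not from the original post).
# Assumes /etc/krb5.conf and /etc/sssd/sssd.conf as in the guide, chrony for time
# sync, and `dig` from dnsutils. EXAMPLE.COM is a placeholder realm.

# SSSD refuses to start unless sssd.conf is owned by root with mode 0600.
# $1 = path, $2 = expected owner (defaults to root; overridable for testing)
check_sssd_perms() {
    perms=$(stat -c '%a %U' "$1" 2>/dev/null) || return 1
    [ "$perms" = "600 ${2:-root}" ]
}

# Kerberos realm names are case-sensitive and AD expects the upper-case form.
# Prints the configured default_realm and fails if it is not all caps.
check_realm_caps() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$realm"
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Kerberos rejects requests when client and KDC clocks differ by more than the
# default clockskew of 300 s. $1 = signed offset in seconds (empty = unknown = fail).
skew_within_limit() {
    [ -n "$1" ] || return 1
    awk -v off="$1" 'BEGIN { if (off < 0) off = -off; exit !(off <= 300) }'
}

# Current offset from chrony ("System time : X seconds fast/slow of NTP time").
current_offset() {
    chronyc tracking 2>/dev/null | awk '/^System time/ { print $4 }'
}

# SSSD and `net ads join` locate the KDC through DNS SRV records; these only
# resolve when the nameservers/search list from the netplan step are right.
check_kdc_srv() {
    dig +short SRV "_kerberos._tcp.$1" | grep -q .
}

# Usage: sh prejoin-check.sh --run EXAMPLE.COM
run_all() {
    check_realm_caps /etc/krb5.conf >/dev/null && echo "ok: default_realm is upper case" \
        || echo "FAIL: default_realm missing or not upper case in /etc/krb5.conf"
    check_sssd_perms /etc/sssd/sssd.conf && echo "ok: sssd.conf is root:root 0600" \
        || echo "FAIL: sssd.conf must be root:root 0600 or SSSD will not start"
    skew_within_limit "$(current_offset)" && echo "ok: clock offset within 300 s" \
        || echo "FAIL: clock skew too large or chrony not running; check sync with the DC"
    check_kdc_srv "$1" && echo "ok: _kerberos._tcp.$1 SRV record resolves" \
        || echo "FAIL: no KDC SRV record for $1; check nameservers/search in netplan"
}
if [ "${1:-}" = "--run" ]; then run_all "${2:-EXAMPLE.COM}"; fi
```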

Extras

Verification

If you're unsure about whether you're now on-domain, you can always check the default Computers OU in Active Directory. Another good way is to try the following:

getent passwd 'domain account'

If this command returns nothing, you have something of a problem.
If it returns a user account, then you're set! SSH logins should now work as well.


Rory Maher
