Some time ago I published a guide detailing what I thought was the best way to join Ubuntu Server to Microsoft Active Directory. It involved a lot of configuration, with plenty of places where a slip-up would have you rolling back and starting from scratch.
Fortunately for all of us, I was wrong. There's an easier way.
That's what we're looking at today.
This method of joining to Active Directory is MUCH quicker, almost to the point where it could be automated (more on that later). And that is thanks to a lovely little package called realmd.
This will handle all of the nitty gritty aspects of our config, domain discovery, access control, etc.
So, step 1 is the most cliché and always underrated:
apt-get update
Now that your Linux box is all warmed up, it's time to get into the good stuff.
- We need to set our DNS servers manually.
- systemd-resolved is in the way....
Quickly and without too much hesitation, let's just nudge this out of the way and give DNS control back to the admin a little bit.
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
Nice, now let's unlink the existing 'resolv.conf' file and copy the original back to the root of /etc before we make our changes:
sudo unlink /etc/resolv.conf
sudo cp /run/systemd/resolve/resolv.conf /etc/resolv.conf
Now make your required changes. For my setup, I've got DNS servers at 10.23.1.10 and 10.23.1.11; update according to your own network requirements.
Save that up and let's move on to setting the hostname. This should have the domain appended to the end, so let's do something a little like this:
sudo hostnamectl set-hostname networthy.antonym.net
If all that felt a little out of your normal comfort zone, feel glad that the networking setup phase is over and done with already. Now onto the domain magic.
Let's get some packages installed.
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
While those are installing I'll give you some context reading:
Realmd is the bones of the operation, it orchestrates a number of different packages to provide the perfect domain experience in a standard way.
libnss-sss & libpam-sss are more to do with access control once inside the server; they tie NSS and PAM together with the sometimes awkward SSSD.
SSSD is responsible for users, groups, access, all that extra authentication stuff that we need to be properly integrated with Active Directory.
ADCLI is a command line tool for performing actions in Active Directory, realmd wants us to have this because it likes to use it.
Oddjob lets things send messages on the system-wide message bus, lots of things need to be communicating for an AD user login.
That's not everything, but those are the ones that might confuse a non-seasoned Linux admin like myself at first glance. Hopefully by now the packages are installed and ready to go (if you have a slow machine, read ahead I guess?)
The cool bit, realmd at work
Yeah I really enjoy this part of the process, it feels like a fully-fledged way of doing this.
Run the magic command
realm discover
and watch it magically do the thing
Spooky huh? It's able to figure stuff out for itself, and hey! We've got the required packages!
Now for the magic, we will join the domain with the super complex command
realm join -U <username> <domain>
Yeah, very tough. I like to do mine with -V so I look more sophisticated, but it's really that simple
Lovely. Now if you run
realm list
you'll get a nice little overview of your domain settings. This will be useful in the future when you need to take a glance or check if a machine is properly joined to AD.
Home directories are desirable
And so we should incorporate that, you'll want to make a new file at
/usr/share/pam-configs/mkhomedir and fill it as shown below:
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel
And then activate it by running:
Now you'll have lovely home directories, only I kind of hate them by default? Let's walk through some changes to make it feel like home.
Get personal with SSSD
This is the bit you should really tailor in my humble opinion. It has the most impact on the user experience side of things.
I like to make changes to the following, explained in order below:
- It's nice to be explicit when you say SSH and SSSD should be working together on remote logins.
- It's also nice to be explicit on the shell that's to be used for when someone sets a dumb attribute in AD that you spend a week chasing because the shell doesn't exist on a machine.
- The home directory format makes me personally happy when there's a folder for all the domain users
- Fully Qualified names are dumb and it's better for it to behave as though you're a local user rather than appending @domain into your SSH connections.
And finish with a gentle
sudo systemctl restart sssd
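Hand-editing sssd.conf is where people typo a key or end up with the same option twice. As an added example (not part of the original post, and not realmd's or SSSD's own tooling), here is a small POSIX shell script that applies the four tweaks listed above idempotently and can print a value back so you can check what is actually set. The option names are my reading of the four bullets, which is an assumption: `ad_gpo_map_remote_interactive = +ssh` for the SSH bullet, `default_shell = /bin/bash`, `fallback_homedir = /home/%d/%u`, and `use_fully_qualified_names = False`. The domain name `antonym.net` and the sample config are constructed for the demo; nothing here touches the live `/etc/sssd/sssd.conf` unless you point it there.

```shell
#!/bin/sh
# Added example: apply the sssd.conf tweaks from the post without hand-editing.
# Option names below are an assumed mapping of the post's four bullets.

# set_ini_value FILE SECTION KEY VALUE
# Replace KEY inside [SECTION] if present, otherwise append it to that
# section (creating the section if missing). Re-running never duplicates a key.
set_ini_value() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { in_s = 0; done = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having seen KEY: add it here
            if (in_s && !done) { print k " = " v; done = 1 }
            in_s = ($0 == "[" s "]")
        }
        in_s && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!in_s) print "[" s "]"
                print k " = " v
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the 0600 mode sssd needs
    rm -f "$tmp"
}

# get_ini_value FILE SECTION KEY: print the value, or nothing if unset.
get_ini_value() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { in_s = ($0 == "[" s "]"); next }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# tune_sssd_domain FILE DOMAIN: the four changes described in the post,
# applied to the [domain/DOMAIN] section (assumed option names).
tune_sssd_domain() {
    conf=$1 sect="domain/$2"
    set_ini_value "$conf" "$sect" ad_gpo_map_remote_interactive '+ssh'   # SSH logins via SSSD
    set_ini_value "$conf" "$sect" default_shell /bin/bash                 # ignore a bogus loginShell
    set_ini_value "$conf" "$sect" fallback_homedir '/home/%d/%u'          # one folder per domain
    set_ini_value "$conf" "$sect" use_fully_qualified_names False         # "alice", not "alice@domain"
}

# Demo on a constructed copy (sample values, not a real join) so the script is
# safe to run anywhere; on a joined box point it at /etc/sssd/sssd.conf as root.
demo=$(mktemp)
printf '[sssd]\ndomains = antonym.net\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/antonym.net]\nad_domain = antonym.net\ndefault_shell = /bin/sh\nuse_fully_qualified_names = True\n' > "$demo"
tune_sssd_domain "$demo" antonym.net
cat "$demo"
rm -f "$demo"
```

On a real machine, run `tune_sssd_domain /etc/sssd/sssd.conf <domain>` as root and follow it with the `sudo systemctl restart sssd` from the post; SSSD refuses to start if sssd.conf is not owned by root with mode 0600, which is why the script overwrites the file in place instead of replacing it with a fresh temp file.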
Limit user logins and things
Quite important, some would say one of the biggest advantages of having a machine joined to Active Directory. Bet you forgot about it while we were busy doing all that other stuff.
Once again, realmd makes it nice and easy
# This allows a user
sudo realm permit <<user>>
# This allows a group
sudo realm permit -g <<group>>
# This allows everybody
sudo realm permit --all
# This denies a user
sudo realm deny <<user>>
# This denies a group
sudo realm deny -g <<group>>
# This denies everybody
sudo realm deny --all
So the obvious choice tends to be something like:
sudo realm deny --all
sudo realm permit -g 'admin group'
sudo realm permit 'service account'
To deny everybody except admin groups and service accounts. Pretty straightforward, you can once again see your changes with
I'm sure there are plenty of guides on this, but here's my 2 cents on the sudo side of things:
# Add a person
<user>@<domain> ALL=(ALL) ALL
# Add a group
%<group>@<domain> ALL=(ALL) ALL
# Add a group with long names
%super\ duper\ <group>@<domain> ALL=(ALL) ALL
It's quite straightforward, and there are plenty of good resources on that anyway.
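The two things that go wrong here are group names with spaces (sudo reads an unescaped name as several words) and a syntax error that locks everyone out of sudo at once. As an added example, not from the original post and not part of sudo or realmd, here is a POSIX shell script that builds the three kinds of sudoers entry shown above with the escaping done for you, and only installs a drop-in after `visudo -cf` has accepted it. It assumes the realmd/SSSD default naming of `user@domain` and `%group@domain`; with `use_fully_qualified_names = False` you would drop the `@domain` part. The domain `antonym.net` and the group and account names in the demo are constructed.

```shell
#!/bin/sh
# Added example: generate sudoers entries for AD principals and install them
# safely. Assumes user@domain / %group@domain naming (the realmd default).

# sudoers_escape NAME: backslash-escape spaces so "super duper admins" is one
# principal to sudo rather than three words.
sudoers_escape() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# sudoers_user_line USER DOMAIN [SPEC]   (SPEC defaults to "ALL=(ALL) ALL")
sudoers_user_line() {
    printf '%s@%s %s\n' "$(sudoers_escape "$1")" "$2" "${3:-ALL=(ALL) ALL}"
}

# sudoers_group_line GROUP DOMAIN [SPEC]
sudoers_group_line() {
    printf '%%%s@%s %s\n' "$(sudoers_escape "$1")" "$2" "${3:-ALL=(ALL) ALL}"
}

# install_sudoers_dropin NAME CONTENT
# sudo silently ignores files in /etc/sudoers.d whose name contains '.' or '~',
# and a syntax error in any file there breaks sudo for everyone, so refuse bad
# names and run visudo -cf on a temp copy before anything lands in place.
install_sudoers_dropin() {
    name=$1 content=$2
    case $name in
        ''|*.*|*~*|*/*) echo "install_sudoers_dropin: bad drop-in name '$name'" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    printf '%s\n' "$content" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "install_sudoers_dropin: visudo rejected $name, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"   # mode sudo requires
    rm -f "$tmp"
}

# Demo: the post's three cases with constructed names, printed rather than
# installed. Run install_sudoers_dropin as root to actually deploy the text.
demo=$(sudoers_user_line 'service account' antonym.net)
demo="$demo
$(sudoers_group_line 'admin group' antonym.net)
$(sudoers_group_line 'super duper admins' antonym.net)"
printf '%s\n' "$demo"
```

To deploy, capture the generated text and hand it to `install_sudoers_dropin ad-admins "$demo"` as root; if `visudo` rejects it, nothing is written and the existing sudo policy is untouched.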
Test SSH logins or regret it forever
And just like that, in more words but less heartache you've got that domain joined. This has worked on virtually every system I've tried it with, so that's a healthy range of:
- Ubuntu Server 18.04 LTS
- Ubuntu Server 20.04 LTS
- Ubuntu Desktop 19.10
The sooner you get started the sooner you'll have all your servers on lock. Better get going