Instead of the samba + winbind bundle, the easiest way to join an Ubuntu or Debian machine to a Windows Active Directory domain is the realmd (Realm Discovery) package, which discovers the domain and automatically configures the SSSD (System Security Services Daemon) service on the Linux host. This article applies to Ubuntu 20.04/22.04 and Debian 10/11.
First of all, update the packages on your Linux host:
$ sudo apt -y update
Check the current hostname:
$ hostnamectl
Change the hostname if necessary:
$ sudo hostnamectl set-hostname ubnt22.poweradm.com
Check that the Linux DNS client is correctly configured and points to your AD domain controllers:
$ cat /etc/resolv.conf
nameserver 192.168.42.10
nameserver 192.168.142.10
search poweradm.com
SSSD authenticates domain users with Kerberos, and the KDC rejects requests when the clock skew between the client and the domain controllers exceeds five minutes (the default). Make sure the host has a working NTP client that synchronizes with the domain controllers. With systemd-timesyncd it can be configured like this:
$ sudo systemctl status systemd-timesyncd
$ sudo nano /etc/systemd/timesyncd.conf
NTP=192.168.42.10
$ sudo systemctl restart systemd-timesyncd
Install the required packages:
$ sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Check that your host can discover the AD domain:
$ realm discover poweradm.com --verbose
poweradm.com
type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
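The DNS, time and discovery steps above are exactly where most failed joins originate, so it is worth scripting them before running realm join. The following pre-flight script is an added example written for this article and is not part of the original page or of realmd; the domain name poweradm.com and the host name are assumptions, and the optional AD_DC_EPOCH reference time is something you would have to obtain yourself. The check_* helpers take their input as arguments so they can be run against constructed data; ad_preflight wires them to the live host.

```shell
#!/bin/sh
# Pre-join checks for a realmd/SSSD domain join. Added example, not part of the
# original article; the domain name poweradm.com and the host name are assumptions.
# The check_* helpers take their input as arguments so they can be exercised on
# constructed data; ad_preflight wires them to the live host.

AD_DOMAIN="${AD_DOMAIN:-poweradm.com}"
MAX_SKEW_SECONDS=300   # Kerberos default: tickets are rejected above 5 minutes of skew

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_fqdn HOSTNAME DOMAIN: the computer object and its SPNs are derived from
# the host name, so it must be fully qualified and inside the AD domain.
check_fqdn() {
    h=$(lower "$1"); d=$(lower "$2")
    case "$h" in
        *."$d") return 0 ;;
        *)      return 1 ;;
    esac
}

# check_resolv RESOLV_CONF_TEXT DOMAIN: at least one nameserver, and the AD
# domain in the search list, otherwise the _ldap._tcp SRV lookups used by
# realm discover and SSSD fail.
check_resolv() {
    printf '%s\n' "$1" | awk -v dom="$(lower "$2")" '
        $1 == "nameserver" { ns++ }
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == dom) found = 1
        }
        END { exit !(ns > 0 && found) }'
}

# check_skew LOCAL_EPOCH REFERENCE_EPOCH: the absolute difference must stay
# within MAX_SKEW_SECONDS or the KDC answers with KRB5KRB_AP_ERR_SKEW.
check_skew() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( -delta ))
    [ "$delta" -le "$MAX_SKEW_SECONDS" ]
}

# Live checks (need network and systemd); not exercised with constructed data.
check_dc_srv() {   # AD publishes its domain controllers as SRV records
    if command -v dig >/dev/null 2>&1; then
        [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$1")" ]
    else
        resolvectl query --type=SRV "_ldap._tcp.dc._msdcs.$1" >/dev/null 2>&1
    fi
}
check_ntp_synced() {
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ]
}

report() {   # report DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

ad_preflight() {
    rc=0
    host=$(hostname -f 2>/dev/null || hostname)
    report "hostname '$host' is an FQDN in $AD_DOMAIN" check_fqdn "$host" "$AD_DOMAIN"
    report "/etc/resolv.conf lists a resolver and searches $AD_DOMAIN" \
        check_resolv "$(cat /etc/resolv.conf)" "$AD_DOMAIN"
    report "SRV records for the domain controllers of $AD_DOMAIN resolve" check_dc_srv "$AD_DOMAIN"
    report "systemd-timesyncd reports the clock as synchronised" check_ntp_synced
    # AD_DC_EPOCH: optional reference time (Unix epoch) read from a domain
    # controller out of band; an assumption of this example, not something realmd provides.
    if [ -n "${AD_DC_EPOCH:-}" ]; then
        report "clock skew against the DC is within ${MAX_SKEW_SECONDS}s" \
            check_skew "$(date +%s)" "$AD_DC_EPOCH"
    fi
    return "$rc"
}

# Run the live checks only when asked:  AD_PREFLIGHT=1 sh ad-preflight.sh
if [ "${AD_PREFLIGHT:-0}" = 1 ]; then
    ad_preflight
fi
```

Run it with AD_PREFLIGHT=1 before realm join; any FAIL line should be fixed first, because realm discover and the Kerberos exchange during the join both depend on the SRV records and on the clock being within the skew window.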
You can set the attributes of your Linux host that realmd stores in the computer account in Active Directory (the operatingSystem and operatingSystemVersion attributes):
$ sudo nano /etc/realmd.conf
[active-directory]
os-name = Ubuntu GNU/Linux
os-version = 22.04 (Jammy Jellyfish)
To join a Linux host to an Active Directory domain, you need an AD account that is allowed to create computer objects: a member of Domain Admins works, but a less privileged account that has been delegated the right to create computer objects in the target OU is the better choice.
In the simplest case, to add an Ubuntu/Debian host to a domain, just run the command:
$ sudo realm join -U k.muller poweradm.com
Enter the domain user password.
By default, the computer account for your Linux host is created in the default Computers container (CN=Computers) at the root of the domain.
You can place the host in the desired OU at join time by passing the OU's distinguished name with --computer-ou:
$ sudo realm join --verbose --user=k.muller --computer-ou="OU=LinuxServers,OU=HQ,DC=poweradm,DC=com" poweradm.com
Make sure your host is joined to an AD domain:
$ sudo realm list
type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@poweradm.com
login-policy: allow-realm-logins
To have a home directory created automatically on a user's first login, add a PAM profile for pam_mkhomedir:
$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
$ sudo pam-auth-update
Select activate mkhomedir.
Check the sssd configuration that realmd generated (the file is readable by root only; sssd refuses to start if it is not owned by root with mode 0600):
$ sudo cat /etc/sssd/sssd.conf
If you change sssd.conf, restart the service to apply the changes and check that it came back up:
$ sudo systemctl restart sssd
$ systemctl status sssd
You can now authenticate to Linux with an Active Directory account. realmd configures SSSD with use_fully_qualified_names = True (the login-formats line in the realm list output above), so specify the user in UPN format: user@poweradm.com.
Check that you can get AD user info:
$ id muller@poweradm.com
You can switch to AD user:
$ su - muller@poweradm.com
Creating directory '/home/muller@poweradm.com'.
muller@poweradm.com@ubnt22:~$
To allow specific domain users to log in to the Linux host (console and SSH), run:
$ sudo realm permit k.muller@poweradm.com a.smith@poweradm.com
Or allow access for domain security groups:
$ sudo realm permit -g LinuxAdmins@poweradm.com
Right after the join the login policy is allow-realm-logins (see the realm list output above), which lets every domain user log in. To explicitly allow or deny access to all domain users:
$ sudo realm permit --all
$ sudo realm deny --all
You can allow certain AD users and groups to elevate privileges with sudo. Create a drop-in file (sudo ignores files in /etc/sudoers.d whose names contain a dot or end in ~):
$ sudo nano /etc/sudoers.d/linux-admins
Add here users and/or groups that are allowed to use sudo:
%LinuxAdmins@poweradm.com ALL=(ALL) ALL
a.smith@poweradm.com ALL=(ALL) ALL
Set the permissions sudo expects for drop-in files:
$ sudo chmod 0440 /etc/sudoers.d/linux-admins
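A syntax error in any file under /etc/sudoers.d breaks sudo for everyone on the host, and AD group names that contain spaces (for example Domain Admins@poweradm.com) must have each space escaped with a backslash in sudoers. The script below is an added example for this article, not code from the original page or from the sudo project; the group LinuxAdmins@poweradm.com and user a.smith@poweradm.com are assumptions carried over from the text. It renders the drop-in from a list of principals, refuses names that could alter the meaning of a sudoers line, has visudo -c check the result, and only then installs it with the 0440 root-owned permissions sudo requires.

```shell
#!/bin/sh
# Validated installation of a sudoers drop-in for AD users and groups. Added
# example, not part of the original article; the group and user names are assumptions.
# sudo parses every file under /etc/sudoers.d, so one syntax error locks everyone
# out of sudo: render to a temp file, let visudo check it, then install it 0440.

DROPIN="${DROPIN:-/etc/sudoers.d/linux-admins}"

# valid_principal NAME: a single line, starting alphanumerically, made only of the
# characters AD names carry through SSSD. Commas, '=', ':', '#', parentheses or
# newlines would change the meaning of the rendered sudoers line.
valid_principal() {
    [ $(printf '%s\n' "$1" | wc -l) -eq 1 ] &&
        printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._@ -]*$'
}

# sudoers_entry KIND NAME: KIND is "user" or "group". Groups take the '%' prefix,
# and a name with spaces ("Domain Admins@poweradm.com") needs each space escaped
# with a backslash, otherwise sudo rejects the file.
sudoers_entry() {
    kind=$1
    valid_principal "$2" || { echo "sudoers_entry: refusing unsafe name '$2'" >&2; return 1; }
    name=$(printf '%s\n' "$2" | sed 's/ /\\ /g')
    case "$kind" in
        user)  printf '%s ALL=(ALL) ALL\n' "$name" ;;
        group) printf '%%%s ALL=(ALL) ALL\n' "$name" ;;
        *)     echo "sudoers_entry: unknown kind '$kind'" >&2; return 1 ;;
    esac
}

# render_dropin KIND:NAME...: one sudoers line per principal, e.g.
#   render_dropin group:LinuxAdmins@poweradm.com user:a.smith@poweradm.com
render_dropin() {
    for spec in "$@"; do
        sudoers_entry "${spec%%:*}" "${spec#*:}" || return 1
    done
}

# install_dropin KIND:NAME...: nothing reaches /etc/sudoers.d unless visudo -c accepts it.
install_dropin() {
    tmp=$(mktemp) || return 1
    if ! render_dropin "$@" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! visudo -cf "$tmp"; then
        echo "install_dropin: visudo rejected the rendered file, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$DROPIN" && rm -f "$tmp"
}

# Run only when asked, as root:
#   sudo env SUDOERS_INSTALL=1 sh install-sudoers.sh group:LinuxAdmins@poweradm.com user:a.smith@poweradm.com
if [ "${SUDOERS_INSTALL:-0}" = 1 ]; then
    install_dropin "$@"
fi
```

The principal whitelist is deliberately strict: sudoers treats commas, colons, parentheses and '=' as syntax, so a group name taken from an untrusted source (a ticket, a form, a CMDB export) must never be spliced into the file unchecked.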
Now try to authenticate to your Linux host using an AD domain account.
In another article, we described how to join CentOS/Rocky Linux/RHEL to an Active Directory domain.
Great instructions, it really helped me with the whole configuration (finally); it was hard to find such a good example as you presented.
Easy and simple steps to follow, thank you for the tutorial and instructions.
Thanks for this great guide.
Just one small detail: it looks like the NTP IP address is incorrect.