Join Ubuntu/Debian Computer to Active Directory Domain


To make it easier to join an Ubuntu or Debian machine to a Windows Active Directory domain, you can use the realmd (Realm Discovery) package instead of the samba + winbind bundle. realmd discovers the domain and automatically configures the SSSD (System Security Services Daemon) service on Linux. This article applies to Ubuntu 20.04/22.04 and Debian 10/11.

First of all, update the packages on your Linux host:

$ sudo apt -y update

Check the current hostname:

$ hostnamectl

Change the hostname if necessary:

$ sudo hostnamectl set-hostname ubnt22.poweradm.com

Check that the Linux DNS client is correctly configured and points to your AD domain controllers:

$ cat /etc/resolv.conf

nameserver 192.168.42.10
nameserver 192.168.142.10
search poweradm.com

Because SSSD authenticates to the domain with Kerberos, which rejects tickets when the client clock is too far from the domain controllers' clocks, make sure you have a properly configured NTP client and time synchronization with the AD domain controllers. It can be configured like this:

$ sudo systemctl status systemd-timesyncd
$ sudo nano /etc/systemd/timesyncd.conf

NTP=192.168.42.10

$ sudo systemctl restart systemd-timesyncd

Install the required packages:

$ sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Check that your host can discover the AD domain:

$ realm discover poweradm.com --verbose

poweradm.com
type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
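
Before running realm join, the prerequisites above (a fully qualified hostname inside the domain, a resolver that searches the domain and points at the DCs, working time sync) can be checked with a small script. This is an added example and not part of the article; it assumes a Linux host with systemd and, for the live SRV lookup, the dig tool from dnsutils, and the AD_DOMAIN and PRECHECK_LIVE variable names are mine.

```shell
#!/bin/sh
# Added example (not from the article): pre-join checks for the prerequisites the
# article lists. The two functions take plain inputs so they can be run on copies
# of a host's settings; the guarded block at the end runs them on the live host.

# check_hostname HOST DOMAIN: 0 if HOST is a fully qualified name under DOMAIN
# (the FQDN ends up in the computer account's service principal names)
check_hostname() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *.*) ;;
        *) echo "hostname '$1' is not fully qualified"; return 1 ;;
    esac
    case "$host" in
        *".$dom") return 0 ;;
        *) echo "hostname '$1' is not under $2"; return 1 ;;
    esac
}

# check_resolv FILE DOMAIN: 0 if FILE (resolv.conf syntax) names at least one
# nameserver and lists DOMAIN in its search path, so short DC names resolve
check_resolv() {
    f=$1; dom=$2
    ns=$(grep -cE '^[[:space:]]*nameserver[[:space:]]+' "$f") || true
    [ "$ns" -gt 0 ] || { echo "$f: no nameserver entries"; return 1; }
    # split every "search" line into one token per line and look for DOMAIN
    grep -E '^[[:space:]]*search[[:space:]]' "$f" | tr -s ' \t' '\n' | grep -qxF "$dom" \
        || { echo "$f: search list does not include $dom"; return 1; }
    return 0
}

# Run on the live host with: AD_DOMAIN=poweradm.com PRECHECK_LIVE=1 sh precheck.sh
if [ "${PRECHECK_LIVE:-0}" = 1 ]; then
    d=${AD_DOMAIN:?set AD_DOMAIN to the AD DNS domain}
    check_hostname "$(hostname -f)" "$d"
    check_resolv /etc/resolv.conf "$d"
    # realmd locates domain controllers through these SRV records (needs dig)
    dig +short SRV "_ldap._tcp.dc._msdcs.$d" | grep . || echo "no DC SRV records for $d"
    # "yes" means the systemd NTP client currently has the clock synchronized
    echo "NTPSynchronized=$(timedatectl show -p NTPSynchronized --value)"
fi
```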

Join Ubuntu to Active Directory

You can set the attributes of your Linux host to be stored in the computer account in Active Directory (operatingSystem and operatingSystemVersion attributes):

$ sudo nano /etc/realmd.conf

[active-directory]
os-name = Ubuntu GNU/Linux
os-version = 22.04 (Jammy Jellyfish)

In order to join a Linux host to an Active Directory domain, you will need an AD account with domain admin permissions (or a user delegated to add computers to the domain).

In the simplest case, to add an Ubuntu/Debian host to a domain, just run the command:

$ sudo realm join -U k.muller poweradm.com

Enter the domain user password.

By default, an AD computer account will be created for your Linux host in the root OU (Organizational Unit) named Computers.

You can immediately put your host in the desired OU. To do this, use another join domain command:

$ sudo realm join --verbose --user=k.muller --computer-ou="OU=LinuxServers,OU=HQ,DC=poweradm,DC=com" poweradm.com

Make sure your host is joined to an AD domain:

$ sudo realm list

type: kerberos
realm-name: POWERADM.COM
domain-name: poweradm.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@poweradm.com
login-policy: allow-realm-logins

To automatically create a user home directory, run:

$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
$ sudo pam-auth-update

Select activate mkhomedir.


Check the sssd configuration:

$ cat /etc/sssd/sssd.conf

To apply changes made to the sssd.conf file, restart the service and check that it is running:

$ sudo systemctl restart sssd
$ systemctl status sssd

You can now authenticate to Linux using an Active Directory account (specified in UPN format: user@poweradm.com).

Check that you can get AD user info:

$ id muller@poweradm.com

You can switch to AD user:

$ su - muller@poweradm.com

Creating directory '/home/muller@poweradm.com'.

muller@poweradm.com@ubnt22:~$

To allow domain users to log in to a Linux host (console+SSH), run:

$ realm permit k.muller@poweradm.com a.smith@poweradm.com

Or allow access for a domain security group:

$ realm permit -g LinuxAdmins@poweradm.com

To allow or deny access to all domain users:

$ sudo realm permit --all
$ sudo realm deny --all

You can allow certain users and groups to elevate privileges with sudo. Create a file:

$ sudo nano /etc/sudoers.d/linux-admins

Add here users and/or groups that are allowed to use sudo:

%LinuxAdmins@poweradm.com ALL=(ALL) ALL
a.smith@poweradm.com ALL=(ALL) ALL

Change file permissions:

$ sudo chmod 0440 /etc/sudoers.d/linux-admins
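
The realm permit step and the sudoers drop-in above decide who gets a shell on the host and who gets root, so they are worth auditing after the join. The following script is an added example and not from the article: audit_login_policy reads realm list output and flags allow-realm-logins (the default right after joining, which admits every domain user), and audit_sudoers_dropin checks the drop-in's mode and rule shape and rejects NOPASSWD entries. The AUDIT_LIVE variable and the use of the linux-admins path from this article are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit the access controls this guide sets
# up after the join. Functions take text or a file so they also run on captured output.

# audit_login_policy: reads "realm list" output on stdin.
# Returns 0 when logins are limited to an explicit permit list, 1 when every
# domain user may log in (login-policy: allow-realm-logins), 2 when not joined.
audit_login_policy() {
    out=$(cat)
    case "$out" in
        *"configured: kerberos-member"*) ;;
        *) echo "host is not joined to a realm"; return 2 ;;
    esac
    policy=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*login-policy: //p')
    if [ "$policy" = "allow-permitted-logins" ]; then
        # show who "realm permit" has admitted
        printf '%s\n' "$out" | grep -E '^[[:space:]]*permitted-(logins|groups):' || true
        return 0
    fi
    echo "WARNING: login-policy '$policy' admits every domain user"
    return 1
}

# audit_sudoers_dropin FILE: returns 0 only if FILE is mode 0440 and every active
# line is a plain "user@domain ALL=(ALL) ALL" or "%group@domain ALL=(ALL) ALL"
# rule; NOPASSWD or any other form is reported and fails the check.
audit_sudoers_dropin() {
    f=$1; rc=0
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "440" ] || { echo "$f: mode $mode, expected 0440"; rc=1; }
    rule='^%?[A-Za-z0-9._-]+@[A-Za-z0-9.-]+[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL$'
    # drop comments and blank lines, then count lines outside the expected shape
    bad=$(grep -vE '^[[:space:]]*(#|$)' "$f" | grep -cvE "$rule") || true
    if [ "$bad" -gt 0 ]; then
        echo "$f: $bad rule(s) outside the expected shape:"
        grep -vE '^[[:space:]]*(#|$)' "$f" | grep -vE "$rule" || true
        rc=1
    fi
    return $rc
}

# Run on the live host with: AUDIT_LIVE=1 sh audit-ad-access.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    realm list | audit_login_policy
    audit_sudoers_dropin /etc/sudoers.d/linux-admins
fi
```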

Now try to authenticate to your Linux host using an AD domain account.

In another article, we described how to join CentOS/Rocky Linux/RHEL to an Active Directory domain.

3 thoughts on “Join Ubuntu/Debian Computer to Active Directory Domain”
  1. Great instruction, it really helped me with the whole configuration (finally); it was hard to find such a good example as you presented.
