Applies to: Ubuntu Version: 20.04
When you have a mixed Windows/Linux domain it is useful to have your machines authenticate against a single point of authentication, such as Active Directory.
It saves everyone the trouble of remembering another set of credentials.
I've done this with Ubuntu version 20.04, but it should work on some older and later versions. No guarantees.
The steps to configure this are pretty straightforward.
- Update your APT index, so you have the latest package lists:
sudo apt -y update
- Install all available updates; the system should be up to date before you join it:
sudo apt -y upgrade
- Your Ubuntu installation needs a hostname that carries the domain's DNS suffix (a fully qualified name) for this to work. Set it with:
sudo hostnamectl set-hostname myhost.domain.com
Confirm that the hostname has been set correctly with the command:
hostnamectl
- Check that DNS has been set correctly: the server must be able to resolve names through the domain's DNS servers (normally the domain controllers), because realmd and sssd locate the domain via DNS.
cat /etc/resolv.conf
The file should contain two things: your DNS servers and a search line, which is basically the DNS suffix. If it does not contain the right values, open it with your favourite text editor
sudo nano /etc/resolv.conf
and add a line for each DNS server like this:
nameserver 10.10.10.1
and a search line like this:
search domain.com
- Ubuntu 20.04 comes with systemd-resolved enabled. It installs /etc/resolv.conf as a symlink to a stub file that points at its own listener on 127.0.0.53 and regenerates that file from its own configuration, so edits made by hand do not stick and queries go to whatever servers resolved was configured with, not necessarily the domain controllers. Disable it with the following commands:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
After stopping it, replace the /etc/resolv.conf symlink with a static file holding the nameserver and search lines from the previous step; a resolv.conf that still names 127.0.0.53 resolves nothing once resolved is gone. (The alternative is to keep resolved running and configure the domain's DNS servers and search domain in netplan, so that resolved forwards to them.)
- Now install the packages the integration needs:
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
- With the installation complete, discover your AD domain. The output shows the domain details and the packages a join requires (all of them installed in the previous step):
sudo realm discover domain.com
- To join you need an AD account with rights to join computers to the domain, just as when joining a Windows client. The command prompts for that account's password:
sudo realm join -U Administrator domain.com
- If you received no error, check that the join was successful with the following command:
realm list
It shows the domain you just joined; server-software should say active-directory.
- Now enable the creation of a home directory when an AD user logs in for the first time:
sudo pam-auth-update
This brings up a pink-ish dialog in which everything is checked except Create home directory on login. Check that option and select Ok to enable it.
- Because of the changes you need to restart sssd for them to take effect:
sudo systemctl restart sssd
- Now test whether the system can look up users from AD with this command:
id user@domain.com
If it prints a uid, a gid and the user's AD groups, the lookup works.
- To make sure only the users and groups you want can access the Ubuntu server, configure this with the following commands:
Single user:
sudo realm permit user@domain.com
Multiple users:
sudo realm permit user1@domain.com user2@domain.com
Single group:
sudo realm permit -g 'Domain Admins'
Multiple groups:
sudo realm permit -g 'Domain Admins' 'Domain Users'
Everyone:
sudo realm permit --all
Deny everyone:
sudo realm deny --all
Note that a fresh join permits every domain user (realm list shows login-policy: allow-realm-logins), so run one of the permit commands before you expose the server; realm list then shows the permitted-logins and permitted-groups it enforces.
- If you want AD users to have sudo rights on the Ubuntu server, you need to add them to sudoers. First create a drop-in file that grants these rights:
sudo nano /etc/sudoers.d/domain_admins
Inside the file, add the users or groups that should get sudo rights:
User:
user@domain.com ALL=(ALL) ALL
Group:
%group@domain.com ALL=(ALL) ALL
Write names as the id command prints them and escape spaces in group names with a backslash, for example %domain\ admins@domain.com. It is safer to open the file with sudo visudo -f /etc/sudoers.d/domain_admins instead of nano: visudo refuses to save a file with a syntax error, and a broken drop-in stops sudo working for everyone.
- With everything configured, it's time to test access.
Use PuTTY or any other SSH client to connect to the Ubuntu server, with user@domain.com as the username and the AD password.
If all went well, you are now logged in to the Ubuntu server and can run sudo commands if you have given the account rights.
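The hostname, resolv.conf and systemd-resolved steps above are where most failed joins originate, and a mistyped sudoers drop-in is the usual way to lose sudo afterwards. The script below is an added example, not part of the original guide: it packages those checks as shell functions that can be run before realm join, adds a clock-sync check (Kerberos, which the AD join relies on, rejects tickets when clocks differ by more than a few minutes), and generates a correctly escaped sudoers line for an AD group. The function names, the PREFLIGHT_DOMAIN variable and the sample values in the comments are this example's own choices.

```shell
#!/bin/bash
# Pre-flight checks for joining an Ubuntu host to an AD domain with realmd/sssd.
# Added example, not part of the original guide; function names are my own.

# check_fqdn HOSTNAME DOMAIN
# The host must carry the domain's DNS suffix (myhost.domain.com for domain.com),
# matching the hostnamectl step. Comparison is case-insensitive, as DNS is.
check_fqdn() {
    local host domain
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        ?*."$domain") return 0 ;;
        *)            return 1 ;;
    esac
}

# check_resolv FILE DOMAIN
# FILE (normally /etc/resolv.conf) must name at least one nameserver and list
# DOMAIN on its search line, matching the resolv.conf step.
check_resolv() {
    local file="$1" esc
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # keep dots literal in the regex
    grep -Eq '^nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$file" || return 1
    grep -Eiq "^search([[:space:]]+[^[:space:]]+)*[[:space:]]+${esc}([[:space:]]|\$)" "$file"
}

# uses_resolved_stub FILE
# True when FILE still sends queries to the systemd-resolved stub listener.
# Harmless while resolved runs; fatal once it has been stopped as the guide does.
uses_resolved_stub() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

# sudoers_group_line GROUP DOMAIN
# Emit a /etc/sudoers.d line for an AD group. GROUP must be spelled as the
# id command prints it; sudoers requires spaces in names escaped with '\'.
sudoers_group_line() {
    local escaped
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL) ALL\n' "$escaped" "$2"
}

# preflight DOMAIN: run the checks against this machine and report what to fix.
preflight() {
    local domain="$1" rc=0
    if ! check_fqdn "$(hostname -f 2>/dev/null || hostname)" "$domain"; then
        echo "hostname lacks the $domain suffix: sudo hostnamectl set-hostname HOST.$domain"; rc=1
    fi
    if ! check_resolv /etc/resolv.conf "$domain"; then
        echo "/etc/resolv.conf needs a nameserver line and 'search $domain'"; rc=1
    fi
    if uses_resolved_stub /etc/resolv.conf && ! systemctl is-active --quiet systemd-resolved; then
        echo "/etc/resolv.conf points at 127.0.0.53 but systemd-resolved is stopped; write a static file"; rc=1
    fi
    # Kerberos rejects tickets when clocks differ by more than a few minutes,
    # so an unsynchronised clock is a common reason for realm join to fail.
    if command -v timedatectl >/dev/null 2>&1 \
       && [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" != "yes" ]; then
        echo "clock is not NTP-synchronised; fix time sync before joining"; rc=1
    fi
    return "$rc"
}

# Usage: PREFLIGHT_DOMAIN=domain.com bash preflight.sh
if [ -n "${PREFLIGHT_DOMAIN:-}" ]; then
    preflight "$PREFLIGHT_DOMAIN"
fi
```

Run it as PREFLIGHT_DOMAIN=domain.com bash preflight.sh before sudo realm join; each failed check prints the command or file to fix. The sudoers_group_line output can be redirected into a drop-in, but still validate the result with sudo visudo -c before relying on it.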