apt -y install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp
During the install we will be prompted for the Kerberos authentication configuration; enter the AD domain as the realm in all capitals, i.e. SAKIB.BIZ.
Make sure that the DNS server obtained from our DHCP server points directly at the AD DC by executing:
nmcli device show | grep IP4.DNS
Next, make sure the Ubuntu server's time is in sync with the AD DC. For that, edit the /etc/ntp.conf file.
Take a backup of the original configuration file by executing:
cp /etc/ntp.conf{,_ori_conf.bak}
Comment out the existing server entries and add your domain controllers, by either the FQDN or the IP:
server ad1.sakib.biz
Restart the ntp service by executing:
systemctl restart ntp
Check the NTP sync status by executing:
ntpq -p
Create the /etc/realmd.conf file with the following contents:
[users]
default-home = /home/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop
os-version = 16.04
[service]
automatic-install = no
[sakib.biz]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
Take a backup of the original /etc/krb5.conf by executing:
cp /etc/krb5.conf{,_ori_conf.bak}
Make the following changes to the /etc/krb5.conf file:
[libdefaults]
default_realm = SAKIB.BIZ
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
SAKIB.BIZ = {
kdc = ad1.sakib.biz
default_domain = sakib.biz
}
[domain_realm]
sakib.biz = SAKIB.BIZ
.sakib.biz = SAKIB.BIZ
Join Ubuntu to Domain
kinit administrator@SAKIB.BIZ
realm join -U Administrator sakib.biz
Execute pam-auth-update, or add the following line to the end of /etc/pam.d/common-session so that home directories are created at first login:
session optional pam_mkhomedir.so
# end of pam-auth-update config
Edit the /etc/sssd/sssd.conf file so it looks like this:
[sssd]
domains = sakib.biz
config_file_version = 2
services = nss, pam
[domain/sakib.biz]
ad_domain = sakib.biz
krb5_realm = SAKIB.BIZ
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ad_gpo_access_control = permissive
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad
# To allow only specific AD group change access_provider from ad to simple
# access_provider = simple
# simple_allow_groups = ServerAdmin
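As an added example (not part of this tutorial), a POSIX shell check for the access_provider choice the comments above describe: it reads the [domain/...] section of an sssd.conf and reports whether logon is open to every AD account or limited to the listed groups. The sample config strings are constructed and the function names are my own.

```shell
# Added example, not from the original tutorial: audit the [domain/...] section
# of an sssd.conf for the access-control keys discussed above.
# sssd_audit_access returns 0 = logon limited to listed groups/users,
# 1 = any enabled AD account may log on (no sssd.conf restriction), 2 = nobody may.

# sssd_get CONFIG_TEXT KEY: print KEY's value from the [domain/...] section.
sssd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { in_domain = (index($0, "[domain/") == 1) }
        in_domain && $0 !~ /^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

sssd_audit_access() {
    provider=$(sssd_get "$1" access_provider)
    groups=$(sssd_get "$1" simple_allow_groups)
    users=$(sssd_get "$1" simple_allow_users)
    case "$provider" in
        simple)
            # realmd writes a lone "$" into simple_allow_users to mean "no users"
            if [ -n "$groups" ] || { [ -n "$users" ] && [ "$users" != '$' ]; }; then
                echo "restricted: groups='$groups' users='$users'"; return 0
            fi
            echo "closed: simple provider with nothing allowed"; return 2 ;;
        ad|"")
            # GPO logon rights are only logged when ad_gpo_access_control = permissive
            echo "open: provider '${provider:-default}', gpo=$(sssd_get "$1" ad_gpo_access_control)"
            return 1 ;;
        *)  echo "unrecognised access_provider '$provider'"; return 3 ;;
    esac
}

# Constructed sample: the access keys as this tutorial's sssd.conf sets them.
SAMPLE_OPEN='[domain/sakib.biz]
ad_gpo_access_control = permissive
simple_allow_users = $
access_provider = ad
# simple_allow_groups = ServerAdmin'
# Constructed sample: the same section after switching to the simple provider.
SAMPLE_RESTRICTED='[domain/sakib.biz]
simple_allow_users = $
access_provider = simple
simple_allow_groups = ServerAdmin'
sssd_audit_access "$SAMPLE_OPEN"       || echo "  -> exit $?"
sssd_audit_access "$SAMPLE_RESTRICTED" || echo "  -> exit $?"
```

Run it against a copy of /etc/sssd/sssd.conf with `sssd_audit_access "$(cat /etc/sssd/sssd.conf)"` to confirm the host is restricted before handing it to users.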
Restart the necessary services:
systemctl restart sssd
systemctl daemon-reload
If the sssd service does not start, execute "sssd -d9 -i" for debugging.
Edit /etc/lightdm/lightdm.conf.d/10-ubuntu.conf so that it contains:
[SeatDefaults]
user-session=ubuntu
greeter-show-manual-login=true
Restart the lightdm service:
systemctl restart lightdm