How to join Ubuntu 18.04 / Debian 10 to an Active Directory (AD) domain

Question: How do I join Ubuntu 18.04 to a Windows domain? How do I join Debian 10 to an Active Directory domain? This article shows you how to use realmd to join an Ubuntu 18.04 / Debian 10 server or desktop to an Active Directory domain. Active Directory domains are the central hub for user information in most corporate environments.

For example, in our company’s infrastructure, the key requirement is that all users must authenticate to all Linux systems with Active Directory credentials. This applies to both Linux distributions based on Debian and Red Hat. I have written the RHEL / CentOS guide before, please check it from the link below.

How to join CentOS 8 / RHEL 8 system to Active Directory (AD) domain

This guide explains how to configure SSSD to retrieve information from domains in the same Active Directory resource forest. If you use multiple AD forests, this guide may not be for you. We will also configure sudo rules for users who log in through AD. This is a diagram depicting the setup and how it works.

So follow these steps to join Ubuntu 18.04 / Debian 10 to an Active Directory (AD) domain.

Step 1: Update your APT index

First update your Ubuntu / Debian Linux system.

sudo apt -y update

This is essential because installations may fail on a freshly installed server.

For Ubuntu 18.04, add the following repositories to your sources.list file.

sudo tee -a /etc/apt/sources.list <

Step 2: Set the server host name and DNS

Set the correct host name for the server with the correct domain components.

sudo hostnamectl set-hostname myubuntu.example.com

Confirm your host name:

$ hostnamectl
   Static hostname: myubuntu.example.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 5beb7ac3260c4f00bcfbe1088f48b8c7
           Boot ID: b2a0d9abe43b455fb49484dbaa59dc41
    Virtualization: vmware
  Operating System: Ubuntu 18.04.1 LTS
            Kernel: Linux 4.15.0-29-generic
      Architecture: x86-64

Confirm that DNS is configured correctly:

$ cat /etc/resolv.conf

Ubuntu 18.04 ships with systemd-resolved. You need to disable it so that the server can query your network DNS directly.

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Step 3: Install the required packages

Joining an Ubuntu 18.04 / Debian 10 system to an Active Directory (AD) domain requires several software packages.

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Only after successfully installing the dependencies can you continue to discover Active Directory domains on Debian 10 / Ubuntu 18.04.

Step 4: Discover Active Directory domain on Debian 10 / Ubuntu 18.04

The realm discover command returns the complete domain configuration and a list of packages that must be installed on the systems to be registered in the domain.

$ sudo realm discover example.com
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Replace example.com with a valid AD domain.

Step 5: Join Ubuntu 18.04 / Debian 10 to Active Directory (AD) domain

To integrate your Linux computer with a Windows Active Directory domain, you need an AD administrative user account. Check and confirm the AD administrator account and password.

The realm join command sets up the local computer for use with the specified domain by configuring the local system services and the entries in the identity domain. The command has many options, which you can list with:

$ realm join --help

The basic command execution is:

$ sudo realm join -U Administrator example.com
Password for Administrator:

where:

  • Administrator is the name of the administrator account used to integrate the computer into AD.
  • example.com is the name of the AD domain.

The command first attempts to connect without credentials, but it will prompt you for a password if needed.

View current realmd details.

$ realm  list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %[email protected]
  login-policy: allow-realm-logins

On RHEL-based systems, the user's home directory is automatically created. On Ubuntu / Debian, you need to enable this feature.

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <

Then activate:

sudo pam-auth-update

Make sure "Activate mkhomedir" is selected; it should be marked with [*].

Then save the changes.

Your sssd.conf configuration file is located at /etc/sssd/sssd.conf. Whenever the file changes, SSSD must be restarted.

sudo systemctl restart sssd

Status should be running.

$ systemctl status sssd

If the integration is working, AD user information should be available.

$ id jmutai
uid=1783929917([email protected]) gid=1784800513(domain [email protected]) groups=1783870513(domain [email protected])

Step 6: Controlling Access-Restricting Users / Groups

You can restrict access to the enrolled server by allowing only specific users and groups.

Restricting users

To allow users to access via SSH and console, use the following command:

$ realm permit [email protected]
$ realm permit [email protected] [email protected]

To allow access for a group, for example:

$ realm permit -g sysadmins
$ realm permit -g 'Security Users'
$ realm permit -g 'Domain Users' 'admin users'

This will modify the sssd.conf file.

Instead, if you want to allow access for all users, run:

$ sudo realm permit --all

To deny access to all domain users, use:

$ sudo realm  deny --all
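
To review what the permit and deny commands above left in sssd.conf, the following added example (not part of the original article) reports the login policy of each domain section. It goes beyond the commands shown here by classifying every section using the access_provider, simple_allow_users and simple_allow_groups keys documented in sssd.conf(5) and sssd-simple(5); the sample file and the lab.example.com domain are constructed for illustration.

```shell
# Added example: report the login policy of each [domain/...] section.
# Key names and defaults follow sssd.conf(5) and sssd-simple(5).
audit_sssd_access() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flush(   verdict) {
        if (dom == "") return
        if (prov == "") prov = "permit"       # sssd default when the key is unset
        if (prov == "deny") verdict = "DENY-ALL"
        else if (prov == "permit") verdict = "OPEN"
        else if (prov == "simple")            # empty allow lists restrict nobody
            verdict = (users == "" && groups == "") ? "OPEN" : "RESTRICTED"
        else verdict = "PROVIDER-POLICY"      # e.g. ad: decided by that provider
        printf "%s|%s|%s|%s|%s\n", dom, prov, verdict, users, groups
    }
    /^[ \t]*[#;]/ { next }                    # skip comment lines
    /^[ \t]*\[/ {                             # a new section starts
        flush(); dom = prov = users = groups = ""
        if ($0 ~ /^[ \t]*\[domain\//) {
            dom = trim($0); sub(/^\[domain\//, "", dom); sub(/\].*$/, "", dom)
        }
        next
    }
    dom != "" && index($0, "=") {
        key = trim(substr($0, 1, index($0, "=") - 1))
        val = trim(substr($0, index($0, "=") + 1))
        if (key == "access_provider")          prov = tolower(val)
        else if (key == "simple_allow_users")  users = val
        else if (key == "simple_allow_groups") groups = val
    }
    END { flush() }
    ' "$@"
}

# Constructed sample input; lab.example.com is a hypothetical second domain.
sample_conf() {
    cat <<'EOF'
[sssd]
domains = example.com, lab.example.com
[domain/example.com]
access_provider = simple
simple_allow_users = jmutai
simple_allow_groups = sysadmins, Security Users

[domain/lab.example.com]
access_provider = simple
EOF
}

sample_conf | audit_sssd_access
```

On a joined host, pass /etc/sssd/sssd.conf as the argument and run it as root, since the file is readable only by root. A section reported as OPEN lets every domain user log in, including one that uses the simple provider with empty allow lists.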

Step 7: Configure Sudo access

By default, domain users are not authorized to escalate privileges to root. Users must be granted access based on user name or group.

First create a sudo permission grant file.

$ sudo vi /etc/sudoers.d/domain_admins

Add a single user:

[email protected]        ALL=(ALL)       ALL

Add another user:

[email protected]     ALL=(ALL)   ALL
[email protected]     ALL=(ALL)   ALL

Add a group:

%[email protected]     ALL=(ALL)   ALL

Add groups whose names contain two or three words, escaping each space with a backslash:

%security\ [email protected]       ALL=(ALL)       ALL
%system\ super\ [email protected] ALL=(ALL)       ALL

Step 8: Test SSH access

Remotely access the server as an AD user who is allowed to log in.

$ ssh [email protected]
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:wmWcLi/lijm4zWbQ/Uf6uLMYzM7g1AnBwxzooqpB5CU.
ECDSA key fingerprint is MD5:10:0c:cb:22:fd:28:34:c6:3e:d7:68:15:02:f9:b4:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

This confirms that our configuration was successful. Visit the realmd and SSSD wiki pages for more information.
