
How to Join an Ubuntu Server to an Active Directory Domain

Joining an Ubuntu server to an Active Directory (AD) domain centralizes user authentication and simplifies access management: users log in with their domain credentials, Kerberos handles authentication, and the domain's groups decide who may log in and who may use sudo. This guide walks through the process with realmd and SSSD step by step, with explanations and the checks that matter along the way.


Step 1: Install Required Packages

Install the tools and services for AD integration:

sudo apt update
sudo apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Explanation:

  • realmd: discovers domains and drives the join, writing /etc/sssd/sssd.conf for you.
  • sssd, libnss-sss, libpam-sss: the System Security Services Daemon with its NSS and PAM modules. SSSD resolves domain users and groups, authenticates them against AD with Kerberos, and caches credentials so logins keep working while the domain controller is unreachable.
  • sssd-tools: sssctl and related utilities for inspecting and troubleshooting SSSD.
  • adcli: creates and manages the computer account in AD during the join.
  • samba-common-bin: Samba utilities (such as net) used alongside the join.
  • oddjob, oddjob-mkhomedir: create home directories for domain users at first login, so nothing has to be pre-provisioned per user.
  • packagekit: lets realmd install any package it finds missing during the join.

Step 2: Configure DNS Resolution

Active Directory depends on DNS: realmd and SSSD locate domain controllers through the SRV records in the AD zone (for example _ldap._tcp.dc._msdcs.yourdomain.local), so the server must use a DNS server that serves that zone, normally a domain controller. On Ubuntu, /etc/resolv.conf is a symlink to a file generated by systemd-resolved, and hand edits are lost on reboot or on the next netplan apply. The cleaner option is to point systemd-resolved at the domain controller in the interface's netplan configuration (nameservers and a search domain for yourdomain.local), or at runtime with resolvectl, and leave the service running.

If you prefer to manage the resolver file by hand, as this guide does, disable and stop systemd-resolved first so it cannot overwrite your settings:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service

Then replace the /etc/resolv.conf symlink with a regular file (editing through the symlink writes into /run, which does not survive a reboot) that points at your domain controller:

sudo nano /etc/resolv.conf

Replace or add the following line:

nameserver 192.168.x.x

Note: Replace 192.168.x.x with the IP address of your domain controller. Adding a search line for yourdomain.local lets short host names in the domain resolve as well. Whichever method you use, confirm afterwards that the domain name and its SRV records resolve from this server before continuing.


Step 3: Discover the Domain

Ensure the server can detect your AD domain:

realm discover yourdomain.local

The output lists the realm, the software realmd will use (sssd) and the packages it requires. If the command prints nothing or reports that no such realm was found, the DNS setup from Step 2 is wrong; fix that before attempting a join.
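The things that make a join fail are almost always DNS, a blocked port or a clock that drifted more than Kerberos tolerates. The script below, an added example that is not part of the original post, checks all three before you run realm join. It assumes the domain name and the domain controller's IP are passed in by the caller, that dig (dnsutils) is installed, and that ldapsearch (ldap-utils, optional) is available for the clock check; the helper functions work offline on the constructed sample data used to test them, and the live checks run only when AD_DOMAIN and DC_IP are set.

```shell
#!/usr/bin/env bash
# ad-precheck.sh: checks worth running before "realm join".
# Added example, not part of the original post. AD_DOMAIN and DC_IP are
# supplied by the caller; the live checks need dig (dnsutils) and, for the
# clock check, ldapsearch (ldap-utils). The helper functions work offline.
set -u

# Kerberos rejects authentication when clocks differ by more than 5 minutes.
KRB_MAX_SKEW=300

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed if the clocks are within KRB_MAX_SKEW.
skew_ok() {
  local diff=$(( $1 - $2 ))
  diff=${diff#-}                      # absolute value
  [ "$diff" -le "$KRB_MAX_SKEW" ]
}

# gentime_to_epoch GENERALIZEDTIME: convert the LDAP rootDSE currentTime
# value (e.g. 20240101120000.0Z) to Unix epoch seconds. GNU date assumed.
gentime_to_epoch() {
  local s=$1
  date -u -d "${s:0:4}-${s:4:2}-${s:6:2} ${s:8:2}:${s:10:2}:${s:12:2}" +%s
}

# srv_targets: read "dig +short SRV" lines (priority weight port target.)
# on stdin and print host:port for each, without the trailing dot.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# resolver_ok RESOLV_CONF_TEXT DC_IP: succeed if DC_IP is a configured nameserver.
resolver_ok() {
  printf '%s\n' "$1" |
    awk -v dc="$2" '$1 == "nameserver" && $2 == dc { found = 1 } END { exit !found }'
}

# run_live_checks DOMAIN DC_IP: query the real environment; returns 1 on any failure.
run_live_checks() {
  local domain=$1 dc_ip=$2 rc=0 rr targets p dc_time
  echo "== SRV records (how realmd/SSSD locate domain controllers)"
  for rr in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
    targets=$(dig +short SRV "$rr" | srv_targets)
    if [ -n "$targets" ]; then echo "$rr -> $targets"; else echo "FAIL: no SRV answer for $rr"; rc=1; fi
  done
  echo "== resolver"
  resolver_ok "$(cat /etc/resolv.conf)" "$dc_ip" || { echo "FAIL: $dc_ip is not a nameserver in /etc/resolv.conf"; rc=1; }
  echo "== TCP ports on $dc_ip (Kerberos 88, LDAP 389, SMB 445, LDAPS 636)"
  for p in 88 389 445 636; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$dc_ip/$p" 2>/dev/null; then echo "ok $p"; else echo "FAIL: tcp/$p unreachable"; rc=1; fi
  done
  echo "== clock skew against the DC (anonymous rootDSE read)"
  if command -v ldapsearch >/dev/null; then
    dc_time=$(ldapsearch -x -LLL -H "ldap://$dc_ip" -s base -b '' currentTime | awk '/^currentTime:/ { print $2 }')
    if [ -n "$dc_time" ] && skew_ok "$(date +%s)" "$(gentime_to_epoch "$dc_time")"; then
      echo "ok: within ${KRB_MAX_SKEW}s"
    else
      echo "FAIL: could not read DC time or skew exceeds ${KRB_MAX_SKEW}s (fix NTP/chrony first)"; rc=1
    fi
  else
    echo "skip: ldapsearch not installed (apt install ldap-utils)"
  fi
  return $rc
}

# Usage: AD_DOMAIN=yourdomain.local DC_IP=192.168.x.x ./ad-precheck.sh
if [ -n "${AD_DOMAIN:-}" ] && [ -n "${DC_IP:-}" ]; then
  run_live_checks "$AD_DOMAIN" "$DC_IP"
fi
```

A non-zero exit means at least one check failed; the SRV check is the one to trust over a plain ping of the domain controller, because realm discover and the join both rely on those records rather than on A records alone.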

Step 4: Join the Domain

Join the domain with an AD account that is allowed to create the computer object. The built-in Administrator works, but a dedicated join account that has been delegated the right to create computer objects in the target OU is the safer choice. The password is used only for the join and is not stored on the server; the join creates the computer account, writes its Kerberos keytab to /etc/krb5.keytab and generates /etc/sssd/sssd.conf.

sudo realm join -U Administrator yourdomain.local

You will be prompted for that account's password.

Verify the join:

realm list

The realm should be listed with configured: kerberos-member and a login-policy line showing who may currently log in.

Note: Create a system snapshot at this point to ensure you can revert to this state if issues arise later.


Step 5: Update PAM

Enable the PAM profile that creates a user's home directory at first login, so domain users who have never logged in before get a usable session:

sudo pam-auth-update --enable mkhomedir

Step 6: Restart and Check Services

Restart SSSD so it reads the configuration written by the join, then check its status:

sudo systemctl restart sssd
sudo systemctl status sssd

Ensure the service is active and the log lines show no errors. SSSD refuses to start if /etc/sssd/sssd.conf is not owned by root with mode 0600; the join sets this correctly, but hand edits sometimes do not.


Step 7: Test Domain Integration and Control Who Can Log In

Verify that the server recognizes domain users: look up a domain account through NSS (with getent passwd or id, using the fully qualified user@yourdomain.local form) and confirm it returns a UID, primary group and home directory. If the lookup fails, nothing further will work; revisit DNS and the SSSD status.

After the join, realmd permits every enabled domain account to log in (login-policy: allow-realm-logins in realm list), subject to the logon rights from Group Policy, which SSSD enforces by default. To state that policy explicitly:

sudo realm permit --all

Recommended for servers: restrict login access to specific users or groups. The first realm permit without --all switches the realm to an allow-list, so anyone not listed is denied:

sudo realm permit username@yourdomain.local
sudo realm permit -g 'groupname@yourdomain.local'

Names are matched as SSSD presents them, lower-cased and fully qualified, so quote group names that contain spaces.

Step 8: Grant Sudo Access to Domain Admins

To grant administrative privileges to a domain group, create a sudoers drop-in file. Prefer sudo visudo -f for this, since it checks the syntax before saving; a malformed file in /etc/sudoers.d can lock everyone out of sudo:

sudo nano /etc/sudoers.d/domain-admins

Add the following line, replacing yourdomain.local with your actual domain:

%domain\ admins@yourdomain.local ALL=(ALL) ALL

The group is written as SSSD presents it: lower-cased, with the space escaped by a backslash, and with the @domain suffix because realmd configures fully qualified names. Giving every member of Domain Admins root on Linux is convenient but broad; a dedicated group for Linux administrators keeps domain-level and host-level privilege separate and limits what a compromised admin account can reach.
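Steps 7 and 8 done as one reviewable script, as an added example that is not part of the original post: the sudoers rule is generated in the form SSSD presents AD groups (lower-cased, spaces escaped, @domain suffix), validated with visudo -cf before it is installed, and the login allow-list is switched to groups with realm permit -g. "Domain Admins" and yourdomain.local are the page's placeholders; the function names and the file naming under /etc/sudoers.d are the example's own.

```shell
#!/usr/bin/env bash
# ad-access.sh: restrict logins to AD groups and grant sudo to one of them.
# Added example, not part of the original post. Group and domain names are
# parameters; "Domain Admins" and yourdomain.local are placeholders.
set -eu

# sudoers_rule GROUP DOMAIN [CMDSPEC]
# SSSD's AD provider presents group names lower-cased and, with
# use_fully_qualified_names (realmd's default), suffixed with @DOMAIN;
# spaces must be backslash-escaped in sudoers. CMDSPEC defaults to ALL.
sudoers_rule() {
  local group=$1 domain=$2 cmds=${3:-ALL} name
  name=$(printf '%s' "$group" | tr '[:upper:]' '[:lower:]' | sed 's/ /\\ /g')
  printf '%%%s@%s ALL=(ALL) %s\n' "$name" "$domain" "$cmds"
}

# install_sudoers GROUP DOMAIN [CMDSPEC]: write the rule to /etc/sudoers.d,
# but only if visudo accepts it; a syntax error there breaks sudo for everyone.
install_sudoers() {
  local group=$1 domain=$2 cmds=${3:-ALL} file tmp
  file=/etc/sudoers.d/ad-$(printf '%s' "$group" | tr -c '[:alnum:]' '-')
  tmp=$(mktemp)
  sudoers_rule "$group" "$domain" "$cmds" > "$tmp"
  if visudo -cf "$tmp"; then
    install -m 0440 -o root -g root "$tmp" "$file"
    echo "installed $file"
  else
    echo "refusing to install invalid sudoers rule" >&2
    rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}

# restrict_logins DOMAIN GROUP...: move from "everyone may log in" to an
# allow-list of groups (realm permit without --all switches to an allow-list).
restrict_logins() {
  local domain=$1 g; shift
  for g in "$@"; do
    realm permit -g "$g@$domain"
  done
  realm list          # shows the resulting login-policy and permitted groups
}

# verify_user USER@DOMAIN: confirm the account resolves through SSSD
# and lists the groups that the rules above are keyed on.
verify_user() {
  getent passwd "$1" && id "$1"
}

# Usage (as root): ./ad-access.sh apply yourdomain.local "Domain Admins" [more login groups...]
if [ "${1:-}" = apply ] && [ $# -ge 3 ]; then
  domain=$2; sudo_group=$3; shift 3
  restrict_logins "$domain" "$sudo_group" "$@"
  install_sudoers "$sudo_group" "$domain"
fi
```

Run it on a test account afterwards: verify_user on a member of the sudo group should list the lower-cased group in its id output, and sudo -l as that user should show the rule. If id shows the group but sudo does not, the sudoers file was written with a name that does not match what SSSD returns.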

Step 9: Test SSH Access

Ensure domain users can log in via SSH:

ssh yourdomain\\user@server-ip

Replace yourdomain\user with a valid domain user (the backslash is doubled so the local shell passes one through; the user@yourdomain.local@server-ip form is accepted as well) and server-ip with your server's IP address. Password authentication must be enabled in sshd_config for this first test, since the user has no key on the server yet. Confirm that the user is authenticated and that their home directory is created on first login.


Troubleshooting Tips:

  • If login fails, check /var/log/auth.log for the PAM error and the SSSD logs under /var/log/sssd/ for the domain-side cause; sssctl domain-status yourdomain.local shows whether SSSD is online with the domain.
  • Verify DNS: the domain controller and the domain's SRV records must resolve from the server.
  • Check the clock: Kerberos rejects authentication when the server and the domain controller differ by more than five minutes.
  • Confirm that the SSSD service is running and that /etc/sssd/sssd.conf is owned by root with mode 0600.
  • A user that resolves (getent passwd works) but cannot log in is usually blocked by the allow-list from realm permit or by the logon rights in Group Policy, which SSSD enforces by default; realm list shows the current login policy.

By following these steps, you have integrated your Ubuntu server into an Active Directory environment. This setup simplifies user management and centralizes authentication for your Linux and Windows systems.

This post is licensed under CC BY 4.0 by the author.