Ubuntu – Join Ubuntu 20.04 to Active Directory – How To

Hello World, 

 

In one of our previous posts (Ubuntu – Join Ubuntu 20.10 Desktop in Active Directory Domain during Setup), we have demonstrated how easy it was to join an Ubuntu 20.10 Desktop edition into an Active Directory during the Setup process.  Indeed, Ubuntu 20.10 ubiquity version offers a easy to use interface to provide the minimum necessary information to access the Active directory domain and the wizard perform its magic in the background.  

However, some readers have been asking to provide some more information about how to join an Active Directory domain when the Ubuntu machine has already been installed.  This post will try to provide enough information to join an Ubuntu 20.04 Desktop machine into an Active Directory…

So let’s do this….  

Overview

The Active Directory joining option in the Ubuntu 20.10 Setup Wizard might seem a really minor feature. Actually, it’s a really a great feature.  Think about it !  Active directory has been deployed in a lot of corporate environment.  By simplifying the process to join Active Directory, Canonical is positioning Ubuntu as a real alternative and help to leverage Active Directory investments.   This feature is providing really interoperability between Ubuntu Operating system and windows Operating system and the best part is that the process is really simple and appealing to companies.  

Assumptions  & Scenario

In this post, we will assume the following 

  • You are running Ubuntu 20.04.1 Desktop
  • You have already an Active Directory up and running (let’s use the domain name : c-nergy.lab)
  • You have a Active Directory DNS server  up and running (server ip could be 192.168.1.180/24)
  • Active Directory is providing Time services 
  • You have internet access in order to download the additional packages that needs to be installed  

If you have all these prerequisites met, we can move to the next section 

Initial Ubuntu Desktop Configuration Settings  

Before attempting to join Active Directory from your Ubuntu 20.04 Desktop, you will need to perform some per-configuration activities.  Indeed, in order to successfully join AD Domain, you will need to configure you machine with the following settings 

  • Fully Qualified domain Name (matching the AD Domain name) 
  • Configure proper DNS so name resolution for AD Domain would be possible 
  • Configure Time services (needed for Kerberos authentication and validation) 
  • Installing necessary packages on Ubuntu to enable Authentication to remote directory service. 

Step 0 – Installing SSSD software &  Tools

SSSD stands for “System Security Services Daemon” which basically manage access and retrieve information to remote directories.  SSSD is basically connecting to Active Directory and check if the account has the rights to perform the connection.  This package is not installed by default. So, first we will need to install this package. To do that, open up a Terminal console and issue the following command 

sudo apt-get install sssd-ad sssd-tools realmd adcli

09_Ubuntu_in_AD

Click on Picture for Better Resolution

Wait for installation to complete and move to the next steps

Step 1 – Hostname  & Hostname Resolution

In this step, we will ensure that our Ubuntu machine is already configured with a proper name and that the fully qualified domain name is used.  To validate or configure your system with a proper computer name, you will need to edit the  file.

/etc/hostname

In this file, you will have to enter the fully qualified domain name (FQDN) that will be used.  It’s important to note that the FQDN of the Ubuntu machine needs to match the Domain name of the Active Directory.    So, in our scenario, the FQDN will look like ubuntuwks01.c-nergy.lab

06_Ubuntu_in_AD

To check that the change is applied accordingly, you can issue the following command

hostname -f

As you can see, this command should return the FQDN you have defined in the /etc/hostname configuration file

07_Ubuntu_in_AD

Click on Picture for Better Resolution

Step 2 – Configuring valid DNS Servers on Ubuntu machine

If you are using a DHCP infrastructure, no need to perform any changes as long as the DHCP server provide  the IP address of the Active Directory DNS server.  If you are using a static ip address, you might need to change the DNS Server Address in your Ubuntu machine to point the AD DNS server.

01_Ubuntu_in_AD

Click on Picture for Better Resolution

If you do change the ip configuration of your Ubuntu machine, do not forget to disable/enable the interface to ensure that the change will be committed. In the  system settings > Network tab, slide the button to bring it down.

03_Ubuntu_in_AD

Click on Picture for Better Resolution

When done, enable the network interface back to ensure that the changes you have performed are applied accordingly

02_Ubuntu_in_AD

Click on Picture for Better Resolution

Step 3 – Configure Time services on Ubuntu machine 

Time service is an important element in Active Directory and more specifically when using Kerberos protocol.  If you have a large time difference between your ubuntu machine and a domain controller that will check your credentials, the login will fail (clock skew). Default clock skew is 5 minutes.   To ensure that no time drift occur, we will need to configure ubuntu machine to point to a reliable time source.  

By default, Ubuntu get its time from a public NTP server (usually ntp.ubuntu.com).  To ensure that no time drift would occur, we will configure our Ubuntu machine to point to the Active Directory Time Source Server. In our scenario, we are using the Domain controller in AD as authoritative source for our Ubuntu machine. 

To configure time service, edit the file

/etc/systemd/timesyncd.conf

Look for the NTP line.  Delete the information and enter the FQDN of your Time source server  (see screenshot below)

08_Ubuntu_in_AD

Click on Picture for Better Resolution

At this stage, we should be ready to move forward to the next step….

Connecting to Active Directory 

Step 1 – Discovering Active Directory

At this stage, we should be ready to connect to your Active Directory.  Indeed, we have installed the necessary packages to “talk” to Active Directory (i.e. SSSSD) and the name resolution process has been configured accordingly (ip address and dns server settings).  Before we effectively join the domain, we will first check that our configuration is valid and that we will be able to join our Active directory domain. 

Open a Terminal console and issue the following command

realm discover <%AD Domain Name%>

As shown in the screenshot below, if your configuration is correct, you should see information about the AD domain you are about to join.  Notice the line Configure : no which basically tells you that you are not yet connected to the Active Directory 

10_Ubuntu_in_AD

Click on Picture for Better Resolution

Step 2 – Joining Active Directory

Time to join the Active Directory.  The joining process is quite simple actually. From your Terminal Console, simply issue the following command

realm join <%AD Domain Name%>

11_Ubuntu_in_AD

Click on Picture for Better Resolution

You will be prompted for a password. The password to be provided is for an account in Active Directory that has the right to join machines into the domain. Lot of people would be using the AD Administrator account

12_Ubuntu_in_AD

Click on Picture for Better Resolution

If no error messages are displayed, you can  go to your Active Directory and check that a computer account for your Ubuntu machine has been created accordingly. By default, the computer account will be created and located under the Computers container.

13_Ubuntu_in_AD

Click on Picture for Better Resolution

You can also use the  following command line to check and retrieve information about the Active Directory Domain our Ubuntu machine is connected to

realm list <%AD Domain Name%>

14_Ubuntu_in_AD

Click on Picture for Better Resolution

Note :

You can also see the configured field that has changed from no to kerberos member.  So, now your machine is able to retrieve information from your Active Directory and authenticate against it.

Step 3 – Creating home directory automatically

If you want to have user home directory created automatically when the user logs in, you will need to perform an additional step.  This might not be needed in the future as this was detected as a bug in the realmd packages.  To enable this feature, we will need to execute the following command in a Terminal console

# pam-auth-update --enable mkhomedir

20_Ubuntu_in_AD

Click on Picture for Better Resolution

Step 4 – Test your setup

You can test and validate the login process using the command line or by simply login in though the desktop interface.  In our scenario, we will be using the Graphical interface to login into our Active Directory Infrastructure.   You will simply need to follow these steps

Step 1 – In the login screen, click on Not Listed ?

16.U20.10_AD_06

Click on Picture for better Resolution

Step 2 -In the Username screen, provide your AD User account using the upn structure (something like user01@mydomain.com)

17.U20.10_AD_07

Click on Picture for better Resolution

Step 3 – In the Password screen, provide your AD password…Wait for the login process to complete

18.U20.10_AD_08

Click on Picture for better Resolution

Step 4 – Once you are logged into the Ubuntu machine, you can perform an additional check and assess that you are indeed using an Active Directory user account….

19.U20.10_AD_09

Click on Picture for better Resolution

Note :

We had a small issue when we first logged into Ubuntu machine using our Active Directory User account, the login process was looping and we were presenting the login screen time over again. To fix this issue, the easiest solution is to simply reboot your Ubuntu machine and try again

Leaving Active Directory 

For whatever reasons, you would need to remove the Ubuntu machine from the Active Directory domain, you can simply issue the following command

sudo realm leave <%AD Domain Name%>

If no errors are displayed on your screen, you have successfully left the AD Domain and you can use your Ubuntu machine as a standalone machine.

 

Final Notes

This is it for this post ! 

As you can see, nowadays, joining an Active Directory is relatively easy. Ubuntu 20.10 can join an Active directory Domain during the initial setup. If you need to join an Active directory domain after the initial setup, the process is really simplified through the usage of the sssd and realmd packages as long as you have all the necessary per-requistes in place.

We have provided here a really basic overview of Ubuntu integration with Active Directory. If you are interested in knowing more about Active Directory and Ubuntu integration, you might want to have a look at the two links provided below.  They would provide you more detailed information about how the sssd is working and how to ensure that secure configuration can be achieved

Till next time

See ya

 

References and additional readings

  • https://ubuntu.com/server/docs/service-sssd
  • https://discourse.ubuntu.com/t/service-sssd/11579

 

 

4 thoughts on “Ubuntu – Join Ubuntu 20.04 to Active Directory – How To

  1. does not work for remote clients….
    a workstation bound to an AD server blocks at the XRDP connection

  2. Cannot run “sudo” commands as an Enterprise Login user. I tried adding the user to the “sudo” group, but that does not work. How would you give admin rights to the Enterprise Login user?

  3. @NG;

    Have you used the command visudo and populate the file accordingly…. ?
    From terminal console, run sudo visudo, this zill open the file /etc/sudoers
    locate the line
    # Members of the admin group may gain root privileges
    and add the group that needs sudo rights

    Hope this help
    Till next time
    See ya

Leave a Reply