Active Directory account integration - Ubuntu 18.04 LTS

Even in a Windows environment, Linux servers can play a critical role, they're better for a multitude of different tasks and workloads, and you don't have to deal with Windows updates.
This article isn't really about Windows vs Linux though, this is about glorious integrations for the Sysadmins who aren't quite as comfortable as they'd like to be with Linux.

If you're not running Linux in your shop because you're unfamiliar with it, hopefully this will answer some of your questions.

Join to Active Directory

There's a number of guides already published about this, here are some links to our own and the official documentation by Ubuntu

Give admins SUDO privileges

Now that your server is on the Domain, you need your admins - to be admins.
This is accomplished quite easily, add a new file to /etc/sudoers.d/ and fill in the users/groups you want to have sudo privileges like below:

# Allow domain admin accounts to administer this server
%domain\ admins ALL=(ALL:ALL) ALL

Note: You should use visudo to modify the sudoers file, this is just an example pulled from my working config

Change default home directory

Add the following to the file /etc/pam.d/common-session :

session    required skel=/etc/skel/ umask=0022

This ensures users get their own home directory in /home/EXAMPLE.NET/username at logon

Restrict SSH Logins to approved users

You don't want any user to be able to login and browse around, so you'll likely want to try and restrict logins to approved users, bear in mind local accounts will not be able to login via SSH with this change

# Example: AllowGroups "domain admins"
AllowGroups example-group


Allow SSSD Authentication for SSH

In order for the SSH service to be able to recognise AD accounts, you need to add it to the services field in the SSSD configuration config, here's an example config:

services = nss, pam, ssh # Be sure to append ssh here
config_file_version = 2
domains = EXAMPLE.COM

id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = false

# Required Schema to keep the group members accurate
ldap_schema = rfc2307
ldap_group_member = memberuid

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with
override_homedir = /home/%d/%u
override_shell = /bin/bash 		#You'll thank me for this line later

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname =

# Uncomment if DNS SRV resolution is not working
ad_server = example-dc01.EXAMPLE.COM

# Uncomment if the AD domain is named differently than the Samba domain

# Enumeration is discouraged for performance reasons.
enumerate = false

That should just about do it, let me know in the comments below if you have any questions, issues or suggestions!

Rory Maher

Rory Maher