Easily join Active Directory with Ubuntu Server 18.04 LTS and 20.04 LTS

Some time ago I published a guide detailing what I thought would be the best way to join Ubuntu Server to Microsoft Active Directory. There was a lot of configuration and plenty of areas where slipping up would require you to roll back and start from scratch.
Fortunately for all of us, I was wrong. There's an easier way.
That's what we're looking at today.


This method of joining to Active Directory is MUCH quicker, almost to the point where it could be automated (more on that later). And that is thanks to a lovely little package called realmd.
This will handle all of the nitty gritty aspects of our config, domain discovery, access control, etc.

So, step 1 is the most clichéd and always underrated: apt-get update

sudo apt-get update
It's rather necessary, don't skip it.

Now that your Linux box is all warmed up, it's time to get into the good stuff.

  • We need to set our DNS servers manually.
  • systemd-resolved is in the way....

Remove systemd-resolved

Quickly and without too much hesitation, let's just nudge this out of the way and give DNS control back to the admin a little bit.

Let's do this thing:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

Nice, now let's unlink the existing 'resolv.conf' file and copy the original back to the root of /etc before we make our changes:

sudo unlink /etc/resolv.conf
sudo cp /run/systemd/resolve/resolv.conf /etc/resolv.conf

Now make your required changes to /etc/resolv.conf. For my setup I've got DNS servers at 10.23.1.10 and 10.23.1.11; update according to your own network requirements.

antonym.net is the domain we're going to join; you'll get sick of this word soon.

Save that up and let's move on to setting the hostname. This should have the domain appended to the end, so let's do something a little like this:

sudo hostnamectl set-hostname networthy.antonym.net

Perfection.
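Here's an added helper (my own script, not something from the post or from realmd) that writes out the resolv.conf the steps above describe and runs the two checks I'd want before touching realm: that the hostname really ends in the domain, and that the SRV records AD clients use to find domain controllers actually resolve through those nameservers. It assumes the host tool (bind9-host) is present and uses the post's 10.23.1.10/10.23.1.11 and antonym.net values.

```shell
#!/bin/sh
# Added example, not from the post: render resolv.conf and pre-flight the DNS
# and hostname before running realm discover. Assumes "host" (bind9-host) exists.

# render_resolv_conf DOMAIN NS [NS...]  -> resolv.conf body on stdout
render_resolv_conf() {
    domain=$1; shift
    [ $# -ge 1 ] || { echo "need at least one nameserver" >&2; return 1; }
    for ns in "$@"; do
        # crude dotted-quad check so a typo does not silently break name resolution
        case $ns in
            *[!0-9.]*|.*|*.|*..*) echo "bad nameserver address: $ns" >&2; return 1 ;;
        esac
        echo "nameserver $ns"
    done
    echo "search $domain"
}

# fqdn_matches HOSTNAME DOMAIN  -> true when HOSTNAME ends in .DOMAIN
fqdn_matches() {
    case $1 in
        *.$2) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_ad_dns DOMAIN  -> true only if the SRV records used to locate DCs resolve
check_ad_dns() {
    domain=$1; ok=0
    for rr in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._udp.$domain"; do
        if host -t SRV "$rr" 2>/dev/null | grep -q "has SRV record"; then
            echo "ok: $rr"
        else
            echo "MISSING: $rr (realm discover will fail or pick the wrong domain)" >&2
            ok=1
        fi
    done
    return $ok
}

# Typical use, as root, with the post's values (uncomment to run):
#   render_resolv_conf antonym.net 10.23.1.10 10.23.1.11 > /etc/resolv.conf
#   fqdn_matches "$(hostname)" antonym.net && check_ad_dns antonym.net
```

If check_ad_dns complains, fix DNS first; realm discover and realm join both rely on exactly those SRV records, and a box pointed at a resolver that doesn't know them will give you a confusing "no such realm" rather than a useful error.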

If all that felt a little out of your normal comfort zone, feel glad that the networking setup phase is over and done with already. Now onto the domain magic.

Let's get some packages installed.

sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

While those are installing I'll give you some context reading:

Realmd is the bones of the operation, it orchestrates a number of different packages to provide the perfect domain experience in a standard way.

libnss-sss & libpam-sss are more to do with access control once inside the server; they tie NSS and PAM together with the sometimes awkward -

SSSD is responsible for users, groups, access, all that extra authentication stuff that we need to be properly integrated with Active Directory.

ADCLI is a command line tool for performing actions in Active Directory, realmd wants us to have this because it likes to use it.

Oddjob lets things send messages on the system-wide message bus, lots of things need to be communicating for an AD user login.

That's not everything, but those are the ones that might confuse a non-seasoned Linux admin like myself at first glance. Hopefully by now the packages are installed and ready to go (if you have a slow machine, read ahead I guess?)

The cool bit, realmd at work

Yeah, I really enjoy this part of the process; it feels like a fully-fledged way of doing this.
Run the magic command realm discover and watch it magically do the thing.

Spooky huh? It's able to figure stuff out for itself, and hey! We've got the required packages!

Now for the magic, we will join the domain with the super complex command:

realm join -U <username> <domain>

Yeah, very tough. I like to do mine with -V so I look more sophisticated, but it's really that simple.

very admin, wow

Lovely. Now if you run realm list you'll get a nice little overview of your domain settings; this will be useful in the future when you need to take a glance or check whether a machine is properly joined to AD.

Home directories are desirable

And so we should incorporate that. You'll want to make a new file at /usr/share/pam-configs/mkhomedir and fill it as shown below:

/usr/share/pam-configs/mkhomedir
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

And then activate it by running:

sudo pam-auth-update
PAM Configuration, select with space, switch with TAB, you know the drill.

Now you'll have lovely home directories, only I kind of hate them by default? Let's walk through some changes to make it feel like home.

Get personal with SSSD

This is the bit you should really tailor in my humble opinion. It has the most impact on the user experience side of things.
I like to make changes to the following, explained in order below:

  1. It's nice to be explicit when you say SSH and SSSD should be working together on remote logins.
  2. It's also nice to be explicit on the shell that's to be used for when someone sets a dumb attribute in AD that you spend a week chasing because the shell doesn't exist on a machine.
  3. The home directory format makes me personally happy when there's a folder for all the domain users
  4. Fully Qualified names are dumb and it's better for it to behave as though you're a local user rather than appending @domain into your SSH connections.

And finish with a gentle sudo systemctl restart sssd
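Since the post describes the four tweaks in words rather than showing the file, here's an added script (mine, not from the post and not part of realmd or SSSD) that applies them to the sssd.conf realm join generated, without hand-editing and safely re-runnable. The option names are real SSSD options; which option I've matched to each of the four points above is my reading: services for point 1, override_shell for point 2, fallback_homedir for point 3 and use_fully_qualified_names for point 4.

```shell
#!/bin/sh
# Added example, not from the post: apply the four sssd.conf changes described
# above. set_ini_key is a small helper of mine; the option names are SSSD's own.

# set_ini_key FILE SECTION KEY VALUE
# Replaces "KEY = ..." inside [SECTION] if present, otherwise appends it to that
# section (creating the section at the end of the file if it is missing).
# Other sections are untouched, so running this twice changes nothing.
set_ini_key() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^[ \t]*\[/ {
            # leaving the target section without having seen KEY: append it here
            if (in_sec && !done) { print key " = " val; done = 1 }
            in_sec = ($0 == sec)
            if (in_sec) seen = 1
        }
        in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END {
            if (!seen) { print ""; print sec; print key " = " val }
            else if (in_sec && !done) print key " = " val
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# apply_sssd_tweaks CONF DOMAIN   (CONF is normally /etc/sssd/sssd.conf)
apply_sssd_tweaks() {
    conf=$1 domain=$2
    # 1. say outright that the ssh responder runs alongside nss and pam
    set_ini_key "$conf" sssd services "nss, pam, ssh"
    # 2. ignore whatever loginShell someone set in AD and always hand out bash
    #    (default_shell only fills in a missing attribute; override_shell always wins)
    set_ini_key "$conf" "domain/$domain" override_shell /bin/bash
    # 3. one /home/<domain>/<user> tree for every domain user
    set_ini_key "$conf" "domain/$domain" fallback_homedir "/home/%d/%u"
    # 4. short names: "ssh alice@host" rather than "ssh alice@antonym.net@host"
    set_ini_key "$conf" "domain/$domain" use_fully_qualified_names False
}

# Typical use, as root, after realm join (uncomment to run):
#   apply_sssd_tweaks /etc/sssd/sssd.conf antonym.net \
#       && sssctl config-check && systemctl restart sssd
```

sssctl config-check (from sssd-tools, which you installed earlier) refuses a file with a typo or a bad permission mode before you restart the daemon, which is a lot nicer than finding out from a failed login. Note that override_shell is deliberately stronger than the default_shell realm join already wrote: it ignores the AD attribute entirely, which is exactly the "dumb attribute" case from point 2.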

Limit user logins and things

Quite important, some would say one of the biggest advantages of having a machine joined to Active Directory. Bet you forgot about it while we were busy doing all that other stuff.

Once again, realmd makes it nice and easy:

# This allows a user
sudo realm permit <<user>>

# This allows a group
sudo realm permit -g <<group>>

# This allows everybody
sudo realm permit --all

# This denies a user
sudo realm deny <<user>>

# This denies a group
sudo realm deny -g <<group>>

# This denies everybody
sudo realm deny --all

So the obvious choice tends to be something like:

sudo realm deny --all
sudo realm permit -g 'admin group'
sudo realm permit 'service account'

To deny everybody except admin groups and service accounts. Pretty straightforward; you can once again see your changes with realm list.
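As an added check (my script, not part of realmd or the post), here's a small reader for realm list output that tells you whether the box is still open to every domain account, which is the state realm join leaves you in until you run that deny --all. The two sample outputs embedded in it are constructed from the fields realm list prints rather than captured from a real host; the login-policy values are the ones realmd itself uses.

```shell
#!/bin/sh
# Added example, not from the post: audit the login policy from "realm list".
# audit_realm_policy reads realm list output on stdin and returns
#   0  logins restricted (explicit permits, or deny --all with no permits)
#   1  every domain account may log in (login-policy: allow-realm-logins)
#   2  no login-policy line found (not joined, or unexpected output)
audit_realm_policy() {
    policy=; logins=; pgroups=
    while IFS= read -r line; do
        case $line in
            *"login-policy:"*)      policy=${line#*login-policy:};     policy=${policy# } ;;
            *"permitted-logins:"*)  logins=${line#*permitted-logins:}; logins=${logins# } ;;
            *"permitted-groups:"*)  pgroups=${line#*permitted-groups:}; pgroups=${pgroups# } ;;
        esac
    done
    case $policy in
        allow-realm-logins)
            echo "WARNING: any domain account can log in to this host" >&2
            return 1 ;;
        allow-permitted-logins|deny-any-login)
            echo "logins restricted; users: [${logins}] groups: [${pgroups}]"
            return 0 ;;
        *)
            echo "no login-policy found in realm list output" >&2
            return 2 ;;
    esac
}

# Constructed sample: what realm list shows after "realm deny --all" followed
# by the two permits above. Not captured from a real host.
SAMPLE_RESTRICTED='antonym.net
  type: kerberos
  realm-name: ANTONYM.NET
  domain-name: antonym.net
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@antonym.net
  login-policy: allow-permitted-logins
  permitted-logins: service account
  permitted-groups: admin group'

# Constructed sample: a freshly joined host nobody has locked down yet.
SAMPLE_OPEN='antonym.net
  type: kerberos
  configured: kerberos-member
  login-formats: %U@antonym.net
  login-policy: allow-realm-logins'

# Real use on a joined host:   realm list | audit_realm_policy
```

Drop that into whatever you use to check hosts and a forgotten deny --all shows up as a non-zero exit instead of as a surprise login three months later.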

Sudo permissions

I'm sure there's plenty of guides on this, but here's my 2 cents to explain:

# Add a person
<username>@antonym.net        ALL=(ALL)       ALL

# Add a group
%<group>@antonym.net     ALL=(ALL)   ALL

# Add a group with long names
%super\ duper\ <group>@antonym.net ALL=(ALL)       ALL

It's quite straightforward, plenty of good resources on that anyway
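One thing I'd add to those three lines, as an example of my own rather than anything from the post: generate the rule with the spaces escaped for you, and run it through visudo -c before it goes anywhere near /etc/sudoers.d, because a bad sudoers line locks everyone out of sudo at once. The group and user names in it are constructed, and /etc/sudoers.d/antonym-admins is a hypothetical drop-in name.

```shell
#!/bin/sh
# Added example, not from the post: build sudoers rules for AD principals and
# install them only if visudo accepts the syntax.

# escape_spaces NAME  -> NAME with each space backslash-escaped, as sudoers wants
escape_spaces() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# sudo_rule_user USER DOMAIN    -> one sudoers line for an AD user
sudo_rule_user() {
    printf '%s@%s ALL=(ALL) ALL\n' "$(escape_spaces "$1")" "$2"
}

# sudo_rule_group GROUP DOMAIN  -> one sudoers line for an AD group (leading %)
sudo_rule_group() {
    printf '%%%s@%s ALL=(ALL) ALL\n' "$(escape_spaces "$1")" "$2"
}

# install_sudoers_dropin TARGET RULE [RULE...]
# Writes the rules to a temp file, lets visudo check it, and only then installs
# it with the 0440 mode sudo insists on. A syntax error never reaches TARGET.
install_sudoers_dropin() {
    target=$1; shift
    tmp=$(mktemp)
    printf '%s\n' "$@" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 "$tmp" "$target"; rc=0
    else
        echo "refusing to install $target: visudo rejected it" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Typical use, as root (uncomment to run; names are constructed):
#   install_sudoers_dropin /etc/sudoers.d/antonym-admins \
#       "$(sudo_rule_group 'super duper admins' antonym.net)" \
#       "$(sudo_rule_user 'service account' antonym.net)"
```

Keep in mind that with use_fully_qualified_names set to False in sssd.conf, the names sudo sees are the short ones, so match the sudoers spelling to whatever id <user> prints on the box.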

Test SSH logins or regret it forever

It really works

And just like that, in more words but less heartache you've got that domain joined. This has worked on virtually every system I've tried it with, so that's a healthy range of:

- Ubuntu Server 18.04 LTS
- Ubuntu Server 20.04 LTS
- Ubuntu Desktop 19.10

The sooner you get started, the sooner you'll have all your servers on lock. Better get going.

Rory Maher
