How to Setup an Ubuntu server with Active Directory authentication

Microsoft's Active Directory is a proprietary directory service (authentication, authorisation and accounting) adopted by many organisations. It is built on open protocols such as Kerberos, LDAP and TLS, which is what allows a Linux host to participate in a domain. The steps below configure a standard Ubuntu server to authenticate user logins against an Active Directory domain using realmd and SSSD:


1) Upgrade Packages:

sudo apt -y update 
sudo apt -y upgrade

2) Ensure the host has a fully-qualified hostname (the join uses it for the computer account and the host/ service principals in the keytab):

sudo hostnamectl set-hostname hostname.example.local

3) Install all required packages for AD authentication (krb5-user prompts for the default Kerberos realm; enter the domain name in UPPERCASE):

sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user

4) Create a PAM profile to enable automatic home directory creation for new AD users. Note that umask=0022 makes new home directories world-readable; use umask=0077 if other users should not be able to browse them:

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

5) Run pam-auth-update to enable the new profile, and make sure "activate mkhomedir" is ticked:

sudo pam-auth-update

6) Restart SSSD. On a fresh install this fails harmlessly, because /etc/sssd/sssd.conf does not exist until the domain join creates it; the restart after the join is the one that matters:

sudo systemctl restart sssd

7) Obtain a Kerberos ticket for the account that will join the domain. This confirms the KDC is reachable and the credentials work before attempting the join; klist shows the resulting ticket. The realm must be in UPPERCASE, as below:

kinit -V adminuser@EXAMPLE.LOCAL

8) Verify the host can discover the domain (DNS SRV records and the LDAP endpoint):

sudo realm discover example.local

9) Join the domain using an AD account permitted to create computer objects (a Domain Admin, or a delegated join account). This writes /etc/sssd/sssd.conf and the machine keytab /etc/krb5.keytab, and starts SSSD:

sudo realm join --verbose EXAMPLE.LOCAL -U 'adminuser@EXAMPLE.LOCAL'

The host is now joined. By default realm join leaves access_provider = ad in /etc/sssd/sssd.conf, which means any enabled AD account can log in, so next specify which AD users and groups are permitted. This can be done with the realm permit utility, or by editing the [domain/...] section of /etc/sssd/sssd.conf directly, as below. Note that the simple_allow_* options only take effect with access_provider = simple (which is what realm permit sets), and that groups and users are given by their fully-qualified names, not by SID:


...

[domain/example.local]
access_provider = simple
simple_allow_groups = Linux Admins@example.local
simple_allow_users = adminuser1@example.local, adminuser2@example.local

10) Sudo privileges can be granted to AD users and groups by opening /etc/sudoers with `visudo` (or, preferably, by adding a file under /etc/sudoers.d). A single user is added without a prefix, since `%` denotes a group:

adminuser@example.local    ALL=(ALL) ALL

Or you can grant sudo privileges to AD group members with the following. A group name containing spaces must have them escaped with a backslash, e.g. `%Linux\ Admins@example.local`:

%Admin-Group@example.local      ALL=(ALL:ALL) ALL

11) Restart SSSD so the access-control changes take effect:

sudo systemctl restart sssd

The host should now be set up with AD authentication. Confirm it by logging in as an AD user.


Switch User to an AD User:

su user@example.local

Open SSH session as an AD User:

ssh user@example.local@host
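Putting the procedure together: the script below is an added example and is not code from the original page. It wraps the steps above into shell functions with preflight checks (fully-qualified hostname, clock synchronisation, domain discovery) and post-join verification, restricts logins with realm permit instead of hand-editing sssd.conf, and writes the sudo rule as a syntax-checked drop-in. The domain example.local, realm EXAMPLE.LOCAL, join account adminuser, AD group "Linux Admins" and the drop-in path /etc/sudoers.d/ad-admins are assumptions. Only the --join path touches the host, so the helper functions can be exercised on a machine with no domain at all.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the join procedure as reusable
# functions plus the access-control and sudoers fixes. Assumed names: domain
# example.local (realm EXAMPLE.LOCAL), join account "adminuser", AD group
# "Linux Admins", drop-in /etc/sudoers.d/ad-admins. Only --join touches the host.
set -eu

# AD Kerberos realms are the DNS domain in UPPERCASE and kinit/realm join
# are case-sensitive, so derive the realm instead of retyping it.
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# sudoers entry for an AD principal: users take no prefix, groups take '%',
# and spaces in AD group names must be backslash-escaped.
sudoers_entry() {                    # $1 = user|group, $2 = principal
    local prefix='' escaped
    escaped=$(printf '%s' "$2" | sed 's/ /\\ /g')
    [ "$1" = group ] && prefix='%'
    printf '%s%s ALL=(ALL:ALL) ALL\n' "$prefix" "$escaped"
}

# Lines for the existing [domain/<domain>] section of /etc/sssd/sssd.conf.
# simple_allow_* only applies with access_provider = simple; with the
# access_provider = ad that realm join writes, every enabled AD account can
# log in. Groups are fully-qualified names, not SIDs.
sssd_access_block() {                # $1 = domain, $2.. = AD group names
    local domain=$1 groups='' g; shift
    for g in "$@"; do groups="$groups$g@$domain, "; done
    printf 'access_provider = simple\nsimple_allow_groups = %s\n' "${groups%, }"
}

# Common join failures: hostname not fully qualified, clock skew (Kerberos
# rejects more than 5 minutes) and no DNS SRV records for the domain.
preflight() {                        # $1 = domain
    case $(hostname -f) in
        *.*) ;;
        *) echo "hostname is not fully qualified" >&2; return 1 ;;
    esac
    timedatectl status | grep -q 'synchronized: yes' ||
        echo "warning: clock is not NTP-synchronised" >&2
    realm discover "$1" >/dev/null   # non-zero if DNS/LDAP discovery fails
}

join_and_harden() {                  # $1 = domain, $2 = join account, $3 = admin group
    local domain=$1 user=$2 group=$3 realm
    realm=$(realm_from_domain "$domain")
    sudo realm join --verbose "$realm" -U "$user@$realm"
    # realm permit rewrites sssd.conf to access_provider = simple with only
    # this group allowed; sssd.conf holds the join details, so keep it 0600.
    sudo realm permit -g "$group@$domain"
    sudo chmod 600 /etc/sssd/sssd.conf
    sudo sssctl config-check
    sudo systemctl restart sssd
    # sudo for the same group via a drop-in, syntax-checked before it is used.
    sudoers_entry group "$group@$domain" | sudo tee /etc/sudoers.d/ad-admins >/dev/null
    sudo chmod 440 /etc/sudoers.d/ad-admins
    sudo visudo -cf /etc/sudoers.d/ad-admins
}

verify_join() {                      # $1 = domain, $2 = admin group, $3 = a member
    sudo realm list                  # joined realm and the permitted groups
    sudo klist -k                    # machine keytab written by the join
    getent group "$2@$1"             # the group resolves through SSSD
    id "$3@$1"                       # the user resolves, with AD group membership
}

if [ "${1:-}" = "--join" ]; then
    preflight example.local
    join_and_harden example.local adminuser "Linux Admins"
    verify_join example.local "Linux Admins" adminuser
fi
```

Run it as `./ad-join.sh --join` from an account with sudo rights; realm join prompts for the join account's password. Without --join the script only defines the functions, which is useful for checking the generated sssd.conf and sudoers lines before touching a production host.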
