How to Set Up an Ubuntu server with Active Directory authentication

Microsoft's Active Directory is a set of proprietary AAA and Directory Services adopted by many organisations, built on open protocols like Kerberos, LDAP and SSL. The steps below detail how to configure a standard Ubuntu server for user session authentication within an Active Directory domain:
1) Upgrade Packages:
sudo apt -y update
sudo apt -y upgrade
2) Ensure host has a fully-qualified hostname:
sudo hostnamectl set-hostname hostname.example.local
3) Install all required packages for AD Authentication:
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user
4) Create PAM Configuration to enable automatic Home directory creation for new AD Users:
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
5) Run pam-auth-update to enable the new configuration, and then make sure “activate mkhomedir” is ticked.

6) Restart SSSD:
sudo systemctl restart sssd
7) Obtain / renew Kerberos ticket (domain must be in UPPERCASE as per below):
kinit -V adminuser@EXAMPLE.LOCAL
8) Verify host can reach Kerberos realm:
sudo realm discover example.local
9) Join Kerberos realm using an AD Admin account:
sudo realm join --verbose EXAMPLE.LOCAL -U 'adminuser@EXAMPLE.LOCAL' --install=/
The host is now set up! Next we will need to specify which AD users and groups are permitted to log on. This can be done using the realm permit utility, or in the /etc/sssd/sssd.conf file itself as per the below:
...
# simple_allow_* options are only evaluated by the "simple" access provider
access_provider = simple
# AD Group SID
simple_allow_groups = x-x-x-x-xxx-xxx-xxx
simple_allow_users = adminuser1, adminuser2
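
The allow lists above only restrict logins when the matching access provider is active. As an added example (not part of the original guide), this script audits an sssd.conf and flags any [domain/...] section whose simple_* rules are never evaluated because access_provider is not simple. The sample config and its Admin-Group value are constructed for the demonstration.

```shell
# Added example (not from the original guide): audit sssd.conf access control.
# Returns 1 if a [domain/...] section sets simple_* rules that SSSD never evaluates.
check_sssd_access() {
    awk '
    function report() {
        if (section !~ /^domain\//) return
        shown = (provider == "" ? "(unset)" : provider)
        if (rules > 0 && provider != "simple") {
            printf "FAIL [%s] access_provider=%s: simple_* rules are ignored\n", section, shown
            bad = 1
        } else if (provider == "simple" && allow == 0) {
            printf "WARN [%s] no simple_allow_* list: every user not denied may log in\n", section
        } else {
            printf "OK   [%s] access_provider=%s\n", section, shown
        }
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[.*\][ \t]*$/ {                    # section header: flush previous section
        report()
        section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        provider = ""; rules = 0; allow = 0
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next  # only key = value lines matter
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "access_provider") provider = tolower(val)
        if (key ~ /^simple_(allow|deny)_(users|groups)$/ && val != "") rules++
        if (key ~ /^simple_allow_(users|groups)$/ && val != "") allow++
    }
    END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample config; $1 is the access_provider value to test.
sample_conf() {
    printf '%s\n' "[sssd]" "domains = example.local" "" \
        "[domain/example.local]" "id_provider = ad" "access_provider = $1" \
        "simple_allow_groups = Admin-Group" "simple_allow_users = adminuser1, adminuser2"
}

tmp=$(mktemp)
for p in ad simple; do
    sample_conf "$p" > "$tmp"
    check_sssd_access "$tmp" || echo "-> fix before relying on the allow list"
done
rm -f "$tmp"
```

To audit the live host, call check_sssd_access on /etc/sssd/sssd.conf as root after editing the file and before restarting SSSD.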
10) Sudo privileges can be granted to AD Users and Groups by opening the /etc/sudoers file with `visudo`. A single user is added without the % prefix, which denotes a group:
adminuser@example.local ALL=(ALL) ALL
Or you can grant Sudo privileges to AD Group members with the following:
%Admin-Group@example.local ALL=(ALL:ALL) ALL
11) Give SSSD a final restart just in case:
sudo systemctl restart sssd
And this host should now be set up with AD Authentication!
Switch User to an AD User:
su user@example.local

Open SSH session as an AD User:
ssh user@example.local@host
