Question: How can I join Ubuntu 22.04|20.04|18.04 to a Windows domain? Can I join Debian to an Active Directory domain? This article shows how to use realmd to join an Ubuntu / Debian Linux server or desktop to an Active Directory domain. Active Directory is the central hub for user information in most corporate environments.
For example, in my company's infrastructure it is a key requirement that all users authenticate to every Linux system with their Active Directory credentials. This should work for both Debian and Red Hat based Linux distributions. I had earlier written a guide for RHEL / CentOS; check it from the link below.
This guide illustrates how to configure SSSD to retrieve information from domains within the same Active Directory resource forest. If you're working with more than one AD forest, this guide may not work for you. We'll also go further and configure sudo rules for the users logging in through AD. Here is a diagram depicting the setup and how it works.

Follow the steps below to join Ubuntu / Debian to an Active Directory (AD) domain.
Step 1: Update your APT index
Start by updating your Ubuntu / Debian Linux system.
sudo apt -y update
This is essential, as installations may fail if the server is freshly installed.
For Ubuntu 18.04, add the following repositories to your sources.list file.
sudo tee -a /etc/apt/sources.list <<EOF
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
EOF
Step 2: Set server hostname & DNS
Set a proper hostname for your server with correct domain component.
sudo hostnamectl set-hostname myubuntu.example.com
Confirm your hostname:
$ hostnamectl
Static hostname: myubuntu.example.com
Icon name: computer-vm
Chassis: vm
Machine ID: 5beb7ac3260c4f00bcfbe1088f48b8c7
Boot ID: b2a0d9abe43b455fb49484dbaa59dc41
Virtualization: vmware
Operating System: Ubuntu 18.04.1 LTS
Kernel: Linux 4.15.0-29-generic
Architecture: x86-64
Confirm DNS is configured correctly:
cat /etc/resolv.conf
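A pre-join check for this step, added here as an example and not part of the original article: it enforces the 15-character NetBIOS limit on the short hostname, confirms the FQDN sits inside the AD domain, and confirms resolv.conf points at a nameserver and searches the AD domain. The domain, hostname and resolv.conf text are passed as arguments, and the embedded resolv.conf sample (192.0.2.10 as a stand-in domain controller) is constructed, so the functions can be exercised offline.

```shell
#!/bin/sh
# Pre-join checks for Step 2 (added example, not code from the original
# article). FQDN, AD domain and resolv.conf text are passed in as
# arguments so the checks also run offline against constructed input.

# AD stores the computer account under a NetBIOS name of at most 15
# characters; a longer short hostname is silently truncated, so reject it.
netbios_ok() {
    short="${1%%.*}"
    [ "${#short}" -le 15 ]
}

# The FQDN must sit inside the AD domain so that the DNS record and the
# host principal created by realm join refer to the same name.
domain_ok() {
    case "$1" in
        *".$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# resolv.conf needs a nameserver (normally a domain controller) and a
# search/domain entry for the AD domain, otherwise the SRV lookups that
# realm discover relies on fail.
resolv_ok() {
    printf '%s\n' "$1" | grep -q '^nameserver ' || return 1
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run all checks, report each failure, return non-zero if any failed.
prejoin_check() {
    fqdn="$1"; domain="$2"; resolv="$3"; rc=0
    netbios_ok "$fqdn" || { echo "FAIL: short name '${fqdn%%.*}' exceeds 15 chars"; rc=1; }
    domain_ok "$fqdn" "$domain" || { echo "FAIL: $fqdn is not inside $domain"; rc=1; }
    resolv_ok "$resolv" "$domain" || { echo "FAIL: no nameserver or search entry for $domain"; rc=1; }
    return "$rc"
}

# Constructed sample using the article's domain; 192.0.2.10 stands in for a DC.
SAMPLE_RESOLV='nameserver 192.0.2.10
search example.com'

# Check the live system when invoked with the AD domain as the first argument.
if [ "${1:-}" ]; then
    prejoin_check "$(hostname -f)" "$1" "$(cat /etc/resolv.conf)"
fi
```

Run it as `sh prejoin.sh example.com` before `realm discover`; a non-zero exit with the printed FAIL lines tells you which of the Step 2 prerequisites is missing.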
Step 3: Install required packages
A number of packages are required for joining an Ubuntu 20.04|18.04 / Debian 10 system to an Active Directory (AD) domain.
sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Only after a successful installation of the dependencies can you proceed to discover the Active Directory domain on Debian 10 / Ubuntu 20.04/18.04.
Step 4: Discover Active Directory domain
The realm discover command returns the complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.
$ sudo realm discover example.com
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
Replace example.com with your valid AD domain.
Step 5: Join Ubuntu / Debian To AD domain
An AD administrative user account is required for integrating your Linux machine with the Windows Active Directory domain. Check and confirm the AD admin account and its password.
The realm join command sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The command has a number of options, which can be checked with:
realm join --help
A basic command execution is:
$ sudo realm join -U Administrator example.com
Password for Administrator:
Where:
- Administrator is the name of the admin account used to integrate the machine into AD.
- example.com is the name of the AD domain.
The command first attempts to connect without credentials, but it prompts for a password if required.
View the current realmd details:
$ realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %[email protected]
login-policy: allow-realm-logins
On RHEL based systems, a user's home directory is created automatically. On Ubuntu / Debian, you need to enable this feature.
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
Then activate with:
sudo pam-auth-update
Select <OK>.

Ensure “activate mkhomedir” is selected; it should show [*].

Then select <Ok> to save the changes.
Your sssd.conf configuration file is located at /etc/sssd/sssd.conf. Whenever the file changes, a restart is required:
sudo systemctl restart sssd
The status should be running:
systemctl status sssd
If the integration is working, it should be possible to get AD user info:
$ id jmutai
uid=1783929917([email protected]) gid=1784800513(domain [email protected]) groups=1783870513(domain [email protected])
Step 6: Control Access – Limit to user/group
Access to the enrolled server can be limited by allowing only specific users and groups.
Limit to users
To permit a user access via SSH and the console, use the command:
sudo realm permit [email protected]
sudo realm permit [email protected] [email protected]
Permit access to a group – examples (group names are passed with -g):
sudo realm permit -g sysadmins
sudo realm permit -g 'Security Users'
sudo realm permit -g 'Domain Users' 'admin users'
This modifies the sssd.conf file.
If instead you would like to allow all users access, run:
sudo realm permit --all
To deny all domain users access, use:
sudo realm deny --all
Step 7: Configure Sudo Access
By default, domain users won't have permission to escalate privileges to root. Users have to be granted access based on usernames or groups.
Let's first create the sudo permissions grants file.
sudo vim /etc/sudoers.d/domain_admins
Add a single user:
[email protected] ALL=(ALL) ALL
Add another user:
[email protected] ALL=(ALL) ALL
[email protected] ALL=(ALL) ALL
Add a group:
%[email protected] ALL=(ALL) ALL
Add a group whose name consists of two or three words (each space is escaped with a backslash):
%security\ [email protected] ALL=(ALL) ALL
%system\ super\ [email protected] ALL=(ALL) ALL
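A helper for this step, added here as an example and not part of the original article: it builds the sudoers lines shown above (escaping the spaces in AD group names, with or without the @domain suffix depending on whether sssd uses fully qualified names), validates the drop-in with visudo -c before installing it, and installs it with mode 0440, which sudo requires for files under /etc/sudoers.d. The group name "security users", the user jmutai and the path /etc/sudoers.d/domain_admins are taken from the page; the --install flag is an assumption of this script.

```shell
#!/bin/sh
# Build and validate a sudoers.d drop-in for AD principals (Step 7).
# Added example, not code from the original article. Pass an empty
# domain when sssd has use_fully_qualified_names = False, because the
# @domain suffix must then be omitted from sudoers.

# sudoers requires spaces in a name to be escaped: "security users"
# becomes security\ users
sudoers_name() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# One sudoers line: $1 = name, $2 = "user" or "group", $3 = AD domain or "".
sudoers_line() {
    name="$1"; kind="$2"; domain="$3"
    principal=$(sudoers_name "$name")
    [ -n "$domain" ] && principal="$principal@$domain"
    [ "$kind" = "group" ] && principal="%$principal"
    printf '%s ALL=(ALL) ALL\n' "$principal"
}

# Write the lines to a temp file, let visudo check the syntax, then
# install read-only for root; a broken or world-writable drop-in is
# ignored by sudo, so validating first avoids locking admins out.
install_sudoers_dropin() {
    target="$1"; shift
    tmp=$(mktemp) || return 1
    printf '%s\n' "$@" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "refusing to install: syntax error in generated sudoers" >&2
        rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$target" && rm -f "$tmp"
}

# Only touch the system when explicitly asked (assumed flag, needs root).
if [ "${1:-}" = "--install" ]; then
    install_sudoers_dropin /etc/sudoers.d/domain_admins \
        "$(sudoers_line 'security users' group example.com)" \
        "$(sudoers_line jmutai user example.com)"
fi
```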
Step 8: Test SSH Access
Access the server remotely as an AD user who is allowed to log in.
$ ssh user1@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:wmWcLi/lijm4zWbQ/Uf6uLMYzM7g1AnBwxzooqpB5CU.
ECDSA key fingerprint is MD5:10:0c:cb:22:fd:28:34:c6:3e:d7:68:15:02:f9:b4:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
This confirms that our configuration was successful. Visit the realmd and sssd wiki pages to learn more.
Fine article.
Definitely helpful.
A few corrections:
1. Running a command:
$ sudo realm join -U Administrator EXAMPLE.COM
the last parameter is a realm-name, not a domain – pay attention to upper/lower case;
2. Running a command
$ sudo realm permit ‘Domain Users’ ‘admin users’
do not miss the ‘-g’ option
Thank you.
Good post.
I notice some gaps between the text; is that for images or results of commands down the road?
Had trouble resolving after removing systemd-resolved and couldn’t complete. Went back and started on fresh install without removing it and was able to resolve.
Suggestion would be to post a sample of resolv.conf that will replace the symbolic link file.
Having an issue getting id details back from AD – any idea why?
user@u2004box:~$ id Administrator
id: ‘Administrator’: no such user
Got my Linux VM to “successfully” join the domain, as in it shows on the controller and realm list outputs that it's joined… but I can't log in as a domain user on the desktop or by SSH.
Can anyone help? Refer to my Stack Overflow post please.
https://stackoverflow.com/questions/66287337/ubuntu-joining-windows-active-directory-issues
Same here. Have you been able to resolve it?
Were you able to resolve the issue? I am having the same issue for GCP VMs.
Fine article.
Definitely helpful.
Please, explain how to configure linux to work with two forests AD.
Thank you.
For two forests, your forests will need a Forest Level Trust established between them, then you join the system to most relevant domain.
If you have `use_fully_qualified_names = False` set in `/etc/sssd/sssd.conf` then your sudoers files must not include the “@foo.domain.local” suffix.
Example: `%domain\ admins ALL=(ALL) ALL`
Thank you so much! This solved my mystery.
Login loop, while using GUI in domain users, Ubuntu 18.04.
You must log in with the [email protected]
Also you have to change the Ubuntu environment; that's why you have a login loop.
How are you, Mutai,
Greetings from America. Your website has helped me a lot, especially this page on joining an Ubuntu computer to Active Directory. I never imagined I would find a fellow countryman with a website like this, so I congratulate and commend you for your diligence in matters of computing and communication systems.
Thank you very much for your comment. It motivates me to keep doing good work.
Thanks! Please,
how can I natively mount a Windows share on logon for every AD user with his own rights?
Note, your hostname can’t be longer than the Netbios limit of 15 characters. Anything past 15 characters is truncated.
That’s accurate!
I created an Ubuntu server in Hyper-V and everything was going fine until the second half of step 5. Now I'm stuck in a login loop. I can log in but it immediately closes the connection. I can't even go to Hyper-V Manager and log in from there. Anyone have any idea how to get logged in?
Integration should now interfere with standard PAM logins. You should be able to use system user and root to login.
Was the integration to AD successful or it failed?
Greetings,
Is this beautiful guide also good for Ubuntu 16.04?
Thank you
Cool thanks
I need to join Ubuntu 16.04 to an Active Directory (AD) domain.
Do you know if it works on Ubuntu 16.04?
We have not tested on Ubuntu 16, but the available steps can guide you through!
I have a few machines joined to our domain using this method and it works nicely. Does anyone know the steps if I want to rename a domain-joined Ubuntu machine?
You mean rename Ubuntu hostname?
I have followed the steps and it works very well for on-premises and Azure Ubuntu VMs. However, I am having challenges with logging in to a GCP VM. The /var/auth.log error is: Failed password for invalid user [email protected]
The authentication request is not reaching SSSD and there are no logs in it for the domain login attempt.
Please guide…
That seems to be an authentication issue. Did you check the sssd log files under the /var/log/sssd directory?
I've got a doubt. Guys in the comments are talking about how you have to aim at the realm name instead of the domain name. My AD is on Win22, so how can I solve this? Right now I'm trying to point to the Win22 domain name and realm doesn't discover anything.