This is an overview of how to configure Ubuntu to log in with Active Directory (AD) credentials, how to use Canonical's newer AD integration for Ubuntu (adsys, which needs an Ubuntu Advantage/Pro attachment) and how to apply Group Policy Objects (GPO) to an Ubuntu client from AD.
Links:
https://ubuntu.com/blog/new-active-di...
https://github.com/ubuntu/adsys
Commands:
Required packages:
sudo apt install sssd-ad sssd-tools realmd adcli sssd libnss-sss libpam-sss samba-common-bin oddjob oddjob-mkhomedir packagekit -y
Check /etc/resolv.conf (or the systemd-resolved/netplan DNS settings) so the client uses the AD DNS servers, and make sure the clock is synced to the domain (NTP/chrony); Kerberos rejects tickets when the clock skew exceeds 5 minutes (the default).
Verify that DNS works and the domain is discoverable:
realm -v discover kotilab.local
Join the domain (run with sudo; you are prompted for the password of an account allowed to join computers):
realm join -v kotilab.local
Or join as a specific user and place the computer object in a given OU:
realm join -v kotilab.local -U user --computer-ou=OU=UbuntuComputers
/etc/sssd/sssd.conf should look like this (realmd writes the base file during the join; each option appears once per section):
[sssd]
domains = kotilab.local
config_file_version = 2
services = nss, pam
default_domain_suffix = kotilab.local

[domain/kotilab.local]
enumerate = false
default_shell = /bin/bash
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = kotilab.local
krb5_realm = KOTILAB.LOCAL
krb5_keytab = /etc/krb5.keytab
realmd_tags = manages-system joined-with-adcli
ldap_schema = ad
ldap_id_mapping = true
ldap_sasl_mech = gssapi
ldap_krb5_init_creds = true
use_fully_qualified_names = true
fallback_homedir = /home/%u@%d
dyndns_update = false
cache_credentials = true
krb5_store_password_if_offline = true
account_cache_expiration = 14
entry_cache_timeout = 14400

[pam]
reconnection_retries = 3
debug_level = 10
offline_credentials_expiration = 3

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
Notes on these values: the original listing repeated ldap_id_mapping, cache_credentials and krb5_store_password_if_offline and contained a mistyped user_fully_qualified_names = false; the real option is use_fully_qualified_names, and a misspelled option simply has no effect, so only the single correct entries are kept above. With use_fully_qualified_names = true plus default_domain_suffix, users can log in as user or user@kotilab.local and get the home directory /home/user@kotilab.local. debug_level = 10 is verbose troubleshooting logging; lower it once login works. The file must be owned by root with mode 0600, otherwise sssd refuses to start; restart sssd after editing it.
Configure Kerberos
Additional packages for Kerberos (krb5-user for kinit/klist, libpam-krb5, and adsys, Canonical's AD GPO client):
sudo apt install krb5-user adsys libpam-krb5 -y
After logging in as a domain user, first check that a ticket was obtained:
klist
Check that /etc/krb5.conf contains the following:
[libdefaults]
default_realm = KOTILAB.LOCAL
rdns = false
dns_lookup_kdc = true
dns_lookup_realm = true
default_ccache_name = FILE:/home/%{username}/krb5cc
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
[realms]
KOTILAB.LOCAL = {
default_domain = KOTILAB.LOCAL
}
The option is ticket_lifetime (the original had "ticker_lifetime", which Kerberos ignores). udp_preference_limit = 0 makes the library try TCP before UDP, which avoids problems with large AD tickets. Caveat on default_ccache_name: with fallback_homedir = /home/%u@%d in sssd.conf the home directory is /home/<user>@kotilab.local, so FILE:/home/%{username}/krb5cc does not point into it; either change the path to match, or drop the option and keep the MIT default FILE:/tmp/krb5cc_%{uid}.
adcli creates /etc/krb5.keytab during the join; make sure only root can read it:
sudo chmod 0600 /etc/krb5.keytab
sudo chown root:root /etc/krb5.keytab
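Common mistakes when hand-editing the two files above are duplicated keys within a section, a mistyped option name (use_fully_qualified_names in sssd.conf, ticket_lifetime in krb5.conf) and the wrong mode on sssd.conf, which sssd refuses to load unless it is 0600. The following linter is an added example written for this page; it is not part of the original guide, sssd or adsys. It assumes GNU or BSD stat and a POSIX awk, uses kotilab.local as the example realm, and the sample files it writes are constructed to reproduce those mistakes, not taken from any real system.

```shell
# lint_conf FILE EXPECTED_MODE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Checks: file mode, duplicate keys inside one section (or one realm
# block for krb5.conf), and a short list of known mistyped option names.
lint_conf() {
  f=$1; want=$2; rc=0
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  if [ "$mode" != "$want" ]; then
    echo "$f: mode is $mode, expected $want"
    rc=1
  fi
  awk -v file="$f" '
    BEGIN {
      bad = 0
      # Mistyped names seen in hand-written configs and what was meant.
      fix["user_fully_qualified_names"] = "use_fully_qualified_names"   # sssd.conf
      fix["ticker_lifetime"]            = "ticket_lifetime"             # krb5.conf
    }
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }                    # comments, blanks
    /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]+/, "", sect); blk = ""; next }
    /[{][[:space:]]*$/ {                                                 # e.g. "KOTILAB.LOCAL = {"
      blk = $0; sub(/[[:space:]]*=.*/, "", blk); sub(/^[[:space:]]+/, "", blk); next
    }
    /^[[:space:]]*[}]/ { blk = ""; next }
    {
      key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]+/, "", key)
      scope = sect
      if (blk != "") scope = sect "/" blk
      if ((scope, key) in seen) { printf "%s: duplicate key %s in %s\n", file, key, scope; bad = 1 }
      seen[scope, key] = 1
      if (key in fix) { printf "%s: unknown option %s (did you mean %s?)\n", file, key, fix[key]; bad = 1 }
    }
    END { exit bad }
  ' "$f" || rc=1
  return $rc
}

# write_samples DIR: constructed inputs for the demo (not real files).
# sssd.bad has the duplicates, the typo and a 0644 mode; sssd.good is clean;
# krb5.bad has the ticket_lifetime typo but two realm blocks that must NOT
# be reported as duplicates.
write_samples() {
  d=$1
  cat > "$d/sssd.bad" <<'EOF'
[sssd]
domains = kotilab.local
services = nss, pam

[domain/kotilab.local]
id_provider = ad
ldap_id_mapping = True
cache_credentials = True
ldap_id_mapping = true
cache_credentials = true
use_fully_qualified_names = True
user_fully_qualified_names = false
EOF
  chmod 0644 "$d/sssd.bad"
  cat > "$d/sssd.good" <<'EOF'
[sssd]
domains = kotilab.local
services = nss, pam

[domain/kotilab.local]
id_provider = ad
ldap_id_mapping = True
cache_credentials = True
use_fully_qualified_names = True
EOF
  chmod 0600 "$d/sssd.good"
  cat > "$d/krb5.bad" <<'EOF'
[libdefaults]
default_realm = KOTILAB.LOCAL
ticker_lifetime = 24h

[realms]
KOTILAB.LOCAL = {
 default_domain = kotilab.local
}
OTHER.EXAMPLE = {
 default_domain = other.example
}
EOF
  chmod 0644 "$d/krb5.bad"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
lint_conf "$tmp/sssd.good" 600 && echo "sssd.good: clean"
lint_conf "$tmp/sssd.bad" 600 || echo "sssd.bad: needs fixing"
lint_conf "$tmp/krb5.bad" 644 || echo "krb5.bad: needs fixing"
rm -rf "$tmp"
```

On a joined machine run it as root with `lint_conf /etc/sssd/sssd.conf 600` and `lint_conf /etc/krb5.conf 644`. It only catches the mistakes listed in its fix table and duplicate keys; `sssctl config-check` from sssd-tools does a fuller validation of sssd.conf against the known option names.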
Attach the AD member computer to Ubuntu Advantage (now Ubuntu Pro), which adsys requires; TOKEN is the subscription token from your Ubuntu account:
sudo ua attach TOKEN
Start and enable the realmd and sssd services:
sudo systemctl start realmd sssd
sudo systemctl enable realmd sssd
Then reboot and try to log in as a domain user.
Extra: create home directories at first login
sudo pam-auth-update --enable mkhomedir
Or configure /etc/pam.d/common-session and common-account by hand (the oddjob-mkhomedir package installed above provides pam_oddjob_mkhomedir as an alternative to pam_mkhomedir).
Video "AD login on Ubuntu" added by Heikki Koivisto, 16 October 2022.