Overview of AD login on Ubuntu
This is an overview of how to configure Ubuntu to use AD credentials at login, how to use Canonical's newer AD integration features for Ubuntu (adsys), and how to use GPOs to configure an Ubuntu client from AD.
Links:
https://ubuntu.com/blog/new-active-directory-integration-features-in-ubuntu-22-04-part-1
https://github.com/ubuntu/adsys
Commands:
Required packages:
sudo apt install sssd-ad sssd-tools realmd adcli sssd libnss-sss libpam-sss samba-common-bin oddjob oddjob-mkhomedir packagekit -y
Check/configure /etc/resolv.conf (or the systemd-resolved DNS settings) and the NTP client: the domain controllers must be resolvable and the clock must be in sync, or Kerberos will reject the join.
Verify that DNS works and the domain resolves:
realm -v discover kotilab.local
Join to domain
realm join -v kotilab.local
OR join as a different user and place the computer account in a specific OU:
realm join -v kotilab.local -U user --computer-ou=OU=UbuntuComputers
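The DNS/NTP check and the discover step above, as an added script that is not part of the original notes: it looks up the SRV records an AD client needs, checks that the clock is NTP-synchronised, and only then runs realm discover. It assumes dig (package bind9-dnsutils), timedatectl and realm are installed; kotilab.local is the lab domain from the notes and the helper names are my own.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): pre-join readiness checks for an
# AD domain, run before `realm join`. Assumes `dig`, timedatectl and realm exist.
set -u

# srv_records DOMAIN -> the DNS SRV names an AD client must be able to resolve
srv_records() {
  local d="$1"
  printf '%s\n' "_ldap._tcp.dc._msdcs.$d" "_kerberos._tcp.dc._msdcs.$d" \
                "_ldap._tcp.$d" "_kpasswd._tcp.$d"
}

# realm_for DOMAIN -> Kerberos realm name; must match krb5_realm in sssd.conf
# and default_realm in krb5.conf
realm_for() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# srv_targets (stdin: `dig +short SRV` lines "prio weight port target.")
#   -> "target port", lowest priority value first
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' | sort -n | awk '{ print $2, $3 }'
}

# check_dns DOMAIN -> 0 if every SRV record has at least one answer
check_dns() {
  local d="$1" rec targets status=0
  for rec in $(srv_records "$d"); do
    targets=$(dig +short SRV "$rec" 2>/dev/null | srv_targets)
    if [ -n "$targets" ]; then
      echo "ok   $rec -> $(echo "$targets" | head -n 1)"
    else
      echo "FAIL $rec has no SRV answer (point /etc/resolv.conf or systemd-resolved at a DC)"
      status=1
    fi
  done
  return $status
}

# check_time -> 0 if the clock is NTP-synchronised
# (MIT Kerberos rejects more than 5 minutes of clock skew by default)
check_time() {
  if [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ]; then
    echo "ok   clock is NTP-synchronised"
  else
    echo "FAIL clock is not NTP-synchronised; fix NTP before joining"
    return 1
  fi
}

main() {
  local d="$1" rc=0
  check_dns "$d" || rc=1
  check_time || rc=1
  echo "Kerberos realm will be $(realm_for "$d")"
  [ "$rc" -eq 0 ] && realm -v discover "$d"
  return $rc
}

# Usage: bash prejoin-check.sh --check kotilab.local   (then: realm join -v kotilab.local)
if [ "${1:-}" = "--check" ]; then main "${2:-kotilab.local}"; fi
```

The script deliberately stops at realm discover; run realm join by hand once every line reports ok, because a join with broken DNS or a skewed clock leaves a half-configured client that is hard to diagnose later.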
After the join, /etc/sssd/sssd.conf should look like this:
[sssd]
domains = kotilab.local
config_file_version = 2
services = nss, pam
default_domain_suffix = kotilab.local
[domain/kotilab.local]
enumerate = false
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = KOTILAB.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = kotilab.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = false
ldap_schema = ad
ldap_sasl_mech = gssapi
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
account_cache_expiration = 14
entry_cache_timeout = 14400
[pam]
reconnection_retries = 3
debug_level = 10
offline_credentials_expiration = 3
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
The block above also contains add-on values beyond what realm join writes by default. Validate the file with sssctl config-check (from sssd-tools) before restarting sssd.
Configure Kerberos
Add-on packages for Kerberos:
sudo apt install krb5-user adsys libpam-krb5 -y
First check whether you already hold a ticket:
klist
Check that /etc/krb5.conf has the following:
[libdefaults]
default_realm = KOTILAB.LOCAL
rdns = false
dns_lookup_kdc = true
dns_lookup_realm = true
default_ccache_name = FILE:/home/%{username}/krb5cc
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
[realms]
KOTILAB.LOCAL = {
default_domain = KOTILAB.LOCAL
}
Restrict the keytab to root only:
sudo chmod 0600 /etc/krb5.keytab
sudo chown root:root /etc/krb5.keytab
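Both sssd.conf and krb5.conf are ini-style files, and the two mistakes that most often survive copy-pasting are a key listed twice in one section and a misspelled key that is silently ignored. The following is an added helper, not part of the original notes, that flags both before you restart sssd; the typo list is hand-made and only covers the two spellings named in the comment, so still run sssctl config-check for full validation.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): lint an ini-style config such as
# /etc/sssd/sssd.conf or /etc/krb5.conf for duplicate keys within a section and
# for a short, hand-made list of misspellings. Run `sudo sssctl config-check`
# afterwards for sssd's own validation.
set -u

# Constructed typo map, "wrong=right". Assumption: these two are the only
# spellings we hint at; extend as needed.
TYPO_MAP="ticker_lifetime=ticket_lifetime user_fully_qualified_names=use_fully_qualified_names"

# lint_ini FILE -> prints one finding per line; exit 1 if any finding, 0 if clean
lint_ini() {
  local file="$1"
  awk -v typos="$TYPO_MAP" '
    BEGIN {
      n = split(typos, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); fix[kv[1]] = kv[2] }
      section = "(none)"; findings = 0
    }
    # strip comments and surrounding whitespace, then skip blank lines
    { sub(/[#;].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^$/ { next }
    /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
    /=/ {
      key = $0; sub(/[ \t]*=.*$/, "", key)
      seen[section SUBSEP key]++
      if (seen[section SUBSEP key] == 2) {        # report each duplicate once
        printf "duplicate: [%s] %s\n", section, key; findings++
      }
      if (key in fix) {
        printf "misspelled: [%s] %s (did you mean %s?)\n", section, key, fix[key]; findings++
      }
    }
    END { exit (findings > 0) }
  ' "$file"
}

# demo_lint -> lints a constructed sssd.conf excerpt that reproduces both mistakes
demo_lint() {
  local tmp rc
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
[domain/example.test]
id_provider = ad
use_fully_qualified_names = True
ldap_id_mapping = True
cache_credentials = True
ldap_id_mapping = true
user_fully_qualified_names = false
EOF
  lint_ini "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: lint_ini /etc/sssd/sssd.conf && lint_ini /etc/krb5.conf
if [ "${1:-}" = "--demo" ]; then demo_lint; fi
```

Duplicates matter because the two files resolve them differently (sssd takes the later value, the MIT profile library returns the first match), so a pasted-in second copy of a key can quietly override, or fail to override, what you intended.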
Attach the AD member computer to Ubuntu Advantage (now Ubuntu Pro) with your subscription token, which adsys needs for the GPO features:
sudo ua attach <token>
Start and enable the realmd and sssd services:
systemctl start realmd sssd
systemctl enable realmd sssd
Then try to log in after a reboot!
Extra: home folders
sudo pam-auth-update --enable mkhomedir
OR configure the common-session and common-account files under /etc/pam.d by hand
🎯 Key Takeaways for quick navigation:
00:02 🏢 Canonical offers tools to integrate Ubuntu into corporate environments with AD.
01:06 🧰 Configure sudo permissions so that AD accounts can be used for tasks that require sudo.
02:08 🤖 Make sure the configuration is in place to allow logging in to programs with AD credentials on Ubuntu clients.
03:45 🔑 Configure PAM to create home folders for AD users when they log in to the Ubuntu client.
04:16 🔄 If problems arise, check the DNS configuration and adjust the sssd configuration for access to Group Policy (GPO) in AD.
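The sudo point above (01:06) in working form, as an added example that is not from the notes or the video: it builds a sudoers drop-in for an AD group and installs it only after visudo accepts it. It assumes use_fully_qualified_names = True as in the sssd.conf above, so the group is known locally as group@domain in lower case (sssd's AD provider lowercases names by default); the group name "Linux Admins" and the drop-in path are placeholders of my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes or the video): grant sudo to an AD
# group through /etc/sudoers.d, validated with visudo before installation.
# Assumes sssd uses fully qualified names, i.e. the group is "<group>@<domain>".
set -u

# sudoers_line GROUP DOMAIN -> one sudoers rule for the AD group; spaces in the
# group name are backslash-escaped, which is how sudoers expects them
sudoers_line() {
  local group domain
  group=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ /\\ /g')
  domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$group" "$domain"
}

# write_dropin GROUP DOMAIN FILE -> writes the rule to FILE (mode 0440) only if
# `visudo -cf` accepts it; must run as root, and FILE must not contain '.' or '~'
# because sudo skips such names under /etc/sudoers.d
write_dropin() {
  local tmp
  tmp=$(mktemp)
  sudoers_line "$1" "$2" > "$tmp"
  chmod 0440 "$tmp"
  if visudo -cf "$tmp" >/dev/null; then
    install -m 0440 -o root -g root "$tmp" "$3"
    rm -f "$tmp"
  else
    echo "refusing to install: visudo rejected the generated rule" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Usage (as root): write_dropin "Linux Admins" kotilab.local /etc/sudoers.d/ad-linux-admins
# Check afterwards with: sudo -l -U someuser@kotilab.local
```

Validating with visudo before copying into /etc/sudoers.d is the important step: a syntax error in any drop-in disables sudo for everyone on the host, including the local admin you would use to fix it.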