@egg82
Last active December 11, 2020 23:00
Ubuntu + AD

Yet another quick write-up, on Ubuntu 18.04 + Windows Server 2016 Active Directory

This guide allows you to hook up AD with an Ubuntu server for UNIX authentication using AD users.

It was difficult finding a guide that wasn't outdated or used some obscure software to get working, so this is that guide.

Filesystems/Hardware

All servers start from fresh, clean installs of Ubuntu 18.04.3 and Windows Server 2016.

This guide will use two separate boxes (one AD and one Ubuntu server).

Method

First, install the required packages

sudo apt install krb5-user realmd sssd sssd-tools adcli samba-common-bin packagekit

As the install progresses, you'll see a scary new menu come up asking for a realm or domain.
If your domain is, say, mydomain.com, then you'll want to type in MYDOMAIN.COM. Note the use of all-caps here.

Next, get a Kerberos ticket for the account that will join the domain. Note that <user> will need to be a domain admin, and <domain> will be, in this example, MYDOMAIN.COM. Again, note the caps here.

user=<admin>
domain=<domain-caps>
sudo kinit $user@$domain

Now we create /etc/realmd.conf and add the following:

[service]
automatic-install = no
 
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
 
[<domain>]
computer-ou = OU=Computers,DC=<domain-1>,DC=<domain-2>
automatic-id-mapping = yes
fully-qualified-names = no

Note the default-home parameter. The default here will create a home directory per user at /home/<domain>/<user>.
Also note the <domain>, <domain-1>, and <domain-2> placeholders, which will, in our example, be replaced by mydomain.com, mydomain, and com respectively.

Now, join the server to the domain:

sudo realm join $domain --user=$user

It should prompt for a password for the domain admin user you've selected.

Now we'll erase the current /etc/sssd/sssd.conf file and add this, or edit the current file to match this:

[sssd]
domains = <domain>
config_file_version = 2
services = nss, pam
 
[domain/<domain>]
ad_domain = <domain>
krb5_realm = <caps-domain>
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
enumerate = True

Note the <domain> and <caps-domain> fields, which will, in this example, be replaced by mydomain.com and MYDOMAIN.COM respectively.
Also note the fallback_homedir, which is set to the same path that was set in /etc/realmd.conf earlier (sssd spells the placeholders %d and %u where realmd uses %D and %U).

Next, restart sssd

sudo service sssd restart

Now, we define who can login:

sudo realm deny --all
sudo realm permit <user>
sudo realm permit -g <group>

You can specify the users and groups you'd like to have SSH access and UNIX accounts for.

Next, edit /etc/pam.d/common-session and add the following right below the pam_unix.so line:

session required  pam_mkhomedir.so  skel=/etc/skel umask=0022

Finally, edit /etc/sudoers and add the following below the %sudo line, replacing <group> with the groups you'd like to have sudo access:

%<group>  ALL=(ALL:ALL) ALL

Note that any AD groups with spaces will need to have their spaces replaced with \x20, e.g. Domain Admins becomes Domain\x20Admins.

And you're done!
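As an added example (not part of the original gist), here is a small POSIX shell lint for the sssd.conf written above: it flags the settings worth a second look after the join and returns the number of findings. It runs against a constructed sample that mirrors the guide's config and assumes GNU stat, as on Ubuntu.

```shell
# Added example, not from the gist: lint an sssd.conf for the settings this
# guide writes. Prints one finding per line, returns the finding count
# (0 = nothing to fix). Assumes GNU stat -c, as on Ubuntu.

# Print the value of key $2 from config file $1 (first match, trimmed).
sssd_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Lint the sssd.conf at $1.
sssd_lint() {
    f=$1; n=0
    # sssd refuses to start unless its config is root-owned and mode 0600.
    mode=$(stat -c '%a' "$f")
    if [ "$mode" != "600" ]; then
        echo "mode $mode: sssd requires 0600 on $f"; n=$((n + 1))
    fi
    # Without an access provider every AD account may log in; the guide sets 'ad' and then narrows it with 'realm permit'.
    if [ -z "$(sssd_get "$f" access_provider)" ]; then
        echo "access_provider unset: no login restriction for AD users"; n=$((n + 1))
    fi
    # enumerate = True lets any local user dump the whole directory via 'getent passwd' and is slow on big domains.
    case $(sssd_get "$f" enumerate) in
        [Tt]rue) echo "enumerate = True: set False unless something needs it"; n=$((n + 1)) ;;
    esac
    # Informational: cached credentials enable offline login but keep password hashes under /var/lib/sss/db.
    case $(sssd_get "$f" cache_credentials) in
        [Tt]rue) echo "info: cache_credentials = True (hashes cached in /var/lib/sss/db)" ;;
    esac
    return "$n"
}

# Constructed sample mirroring the guide's [domain/...] section (domain mydomain.com).
sample_conf() {
    cat <<'EOF'
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
id_provider = ad
cache_credentials = True
access_provider = ad
enumerate = True
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"; chmod 600 "$tmp"
if sssd_lint "$tmp"; then echo "clean"; else echo "review the findings above"; fi
rm -f "$tmp"
```

Point it at the real file with sudo sssd_lint /etc/sssd/sssd.conf once the join is complete.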
