Authenticate Ubuntu 19.04 against Active Directory

This tutorial will demonstrate how to authenticate an Ubuntu 19.04 client against a Windows Active Directory Domain Services server. Watch the video version here.

Prerequisites: Before starting this tutorial, you should have a Windows Server machine set up with the Active Directory Domain Services role installed, and an Ubuntu 19.04 client. The client should be able to ping the server by hostname (if you are not using the Windows Server as a real DNS server, then you can set up an entry in the client's /etc/hosts file to achieve this.)

Example parameters: In this example, our domain is called "nots.local", our Windows Server 2019 machine is called "WINSERVER19", and our Ubuntu client is called "ubuntu-desktop". Our domain contains an administrator called "Administrator" and a standard user called "domainuser", and our client contains a local administrative account called "localadmin".

Step 1: Install all necessary packages with the following commands:

sudo apt update
sudo apt upgrade
sudo apt install sssd heimdal-clients msktutil

Step 2: Move the default Kerberos configuration file, and create a new file:

sudo mv /etc/krb5.conf /etc/krb5.conf.default
sudo nano /etc/krb5.conf

The new file should contain the following contents:

default_realm = NOTS.LOCAL
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

kdc = winserver19.nots.local
admin_server = winserver19.nots.local

Step 3: Initialize Kerberos and generate a keytab file:

kinit administrator
msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop.nots.local -k my-keytab.keytab --computer-name UBUNTU-DESKTOP --upn UBUNTU-DESKTOP$ --server winserver19.nots.local --user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop -k my-keytab.keytab --computer-name UBUNTU-DESKTOP --upn UBUNTU-DESKTOP$ --server winserver19.nots.local --user-creds-only

Step 4: Configure SSSD:

sudo mv my-keytab.keytab /etc/sssd/my-keytab.keytab
sudo nano /etc/sssd/sssd.conf

The SSSD configuration file should contain the following:

services = nss, pam
config_file_version = 2
domains = nots.local

entry_negative_timeout = 0
#debug_level = 5

#debug_level = 5

#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ubuntu-desktop.nots.local
ad_server = winserver19.nots.local
ad_domain = nots.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = UBUNTU-DESKTOP$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

After saving, set the appropriate permissions on that file:

sudo chmod 0600 /etc/sssd/sssd.conf

Step 5: Configure PAM:

sudo nano /etc/pam.d/common-session

Find the line that contains "session required" near the bottom of the file. (It may not show up with a search due to weird spacing.) Add the following line immediately below it:

session required skel=/etc/skel umask=0077

After saving & exiting, restart SSSD:

sudo systemctl restart sssd

Step 6: Add the domain administrator to the local admin group:

sudo adduser administrator sudo

Test a login with the domain admin user:

su -l administrator

Step 7: Reboot the computer. At the GDM login screen, you can click the "Not listed?" link, and type in the username of any domain user. After logging in with a domain user for the first time, that user will appear on the login screen's user list.

There are no pages beneath this page

Expand: Discussion Discussion (0 posts)