Authenticate Ubuntu 19.04 against Active Directory

This tutorial will demonstrate how to authenticate an Ubuntu 19.04 client against a Windows Active Directory Domain Services server. Watch the video version here.

Prerequisites: Before starting this tutorial, you should have a Windows Server machine set up with the Active Directory Domain Services role installed, and an Ubuntu 19.04 client. The client should be able to ping the server by hostname (if you are not using the Windows Server as a real DNS server, then you can set up an entry in the client's /etc/hosts file to achieve this.

Example parameters: In this example, our domain is called "nots.local", our Windows Server 2019 machine is called "WINSERVER19", and our Ubuntu client is called "ubuntu-desktop". Our domain contains an administrator called "Administrator" and a standard user called "domainuser", and our client contains a local administrative account called "localadmin".


Step 1: Install all necessary packages with the following commands:

Code

sudo apt update
sudo apt upgrade
sudo apt install sssd heimdal-clients msktutil

Step 2: Move the default Kerberos configuration file, and create a new file:

Code

sudo mv /etc/krb5.conf /etc/krb5.conf.default
sudo nano /etc/krb5.conf

The new file should contain the following contents:

Code

[libdefaults]
default_realm = NOTS.LOCAL
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
NOTS.LOCAL = {
kdc = winserver19.nots.local
admin_server = winserver19.nots.local
}

Step 3: Initialize Kerberos and generate a keytab file:

Code

kinit administrator
klist
msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop.nots.local -k my-keytab.keytab ‑‑computer-name UBUNTU-DESKTOP ‑‑upn UBUNTU-DESKTOP$ ‑‑server winserver19.nots.local ‑‑user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop -k my-keytab.keytab ‑‑computer-name UBUNTU-DESKTOP ‑‑upn UBUNTU-DESKTOP$ ‑‑server winserver19.nots.local ‑‑user-creds-only
kdestroy

Step 4: Configure SSSD:

Code

sudo mv my-keytab.keytab /etc/sssd/my-keytab.keytab
sudo nano /etc/sssd/sssd.conf

The SSSD configuration file should contain the following:

Code

[sssd]
services = nss, pam
config_file_version = 2
domains = nots.local

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/nots.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ubuntu-desktop.nots.local
ad_server = winserver19.nots.local
ad_domain = nots.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = UBUNTU-DESKTOP$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

After saving, set the appropriate permissions on that file:

Code

sudo chmod 0600 /etc/sssd/sssd.conf

Step 5: Configure PAM:

Code

sudo nano /etc/pam.d/common-session

Find the line that contains "session required pam_unix.so" near the bottom of the file. (It may not show up with a search due to weird spacing.) Add the following line immediately below it:

Code

session required pam_mkhomedir.so skel=/etc/skel umask=0077

After saving & exiting, restart SSSD:

Code

sudo systemctl restart sssd

Step 6: Add the domain administrator to the local admin group:

Code

sudo adduser administrator sudo

Test a login with the domain admin user:

Code

su -l administrator

Step 7: Reboot the computer. At the GDM login screen, you can click the "Not listed?" link, and type in the username of any domain user. After logging in with a domain user for the first time, that user will appear on the login screen's user list.


There are no pages beneath this page

Expand: Discussion Discussion (0 posts)