Joining Ubuntu to Active Directory

This isn’t going to be easy, but it will be worth it in the end when you can finally access all those files on that fancy Active Directory server without having to jump through hoops like some kind of circus animal!

Before anything else let’s make sure your Ubuntu machine is up-to-date. Run this command in a terminal window:

```bash
# This script updates and upgrades the Ubuntu machine to ensure it is up-to-date and ready to use.
# The "sudo" command allows the user to run the following command with administrative privileges.
# The "apt" command is used to manage software packages on Ubuntu.
# The "update" command updates the list of available packages and their versions.
# The "&&" operator allows for multiple commands to be executed in sequence.
# The "upgrade" command installs the newest versions of all packages currently installed on the system.
# The "-y" flag automatically confirms any prompts during the upgrade process.

sudo apt update && sudo apt upgrade -y
```

This will download and install any available updates for your system, which is always a good idea before making any major changes.

Next, we need to make sure that the necessary packages are installed on our Ubuntu machine. Run this command:

```bash
# Install realmd plus the SSSD, Kerberos and AD-join tooling the rest of this guide relies on.
# "libnss-ldap2" is not an Ubuntu package; the name-service and PAM glue used below comes from
# libnss-sss and libpam-sss, and adcli / samba-common-bin are what realm join uses to create the
# computer account. packagekit lets realmd pull in anything else it needs during the join.
# The -y flag automatically answers yes to the install prompt. krb5-user still asks for the
# default Kerberos realm; answer with the AD domain name in upper case.
sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin krb5-user packagekit ldap-utils
```

This will download and install a bunch of packages that we’ll need later on in the process.

Now, let’s configure our Ubuntu machine to join the Active Directory domain. Run these commands:

```bash
# Look the domain up first: this checks DNS, finds the domain controllers and lists the
# packages the join needs, but changes nothing. Replace <DOMAIN_NAME> with the DNS name
# of the AD domain (a placeholder throughout this guide).
realm discover <DOMAIN_NAME>

# Join the domain. This creates the computer account in AD, writes /etc/sssd/sssd.conf and
# enables SSSD. realm join needs root, and with no -U it asks for the password of the
# domain's Administrator account.
sudo realm join <DOMAIN_NAME>

# Confirm the join: the domain should be listed as "configured: kerberos-member".
realm list

# Kerberos: find the KDC through DNS SRV records and make the AD realm the default, so
# command-line tools such as kinit work (SSSD locates the KDC on its own). Kerberos realm
# names are upper case, so <DOMAIN_NAME> on the second line is e.g. CORP.EXAMPLE.COM.
# The patterns are anchored to the setting name so that only an existing assignment is
# rewritten; a loose ".*default_realm.*" would also clobber comments that mention it.
sudo sed -i 's/^\(\s*\)dns_lookup_kdc\s*=.*/\1dns_lookup_kdc = true/' /etc/krb5.conf
sudo sed -i 's/^\(\s*\)default_realm\s*=.*/\1default_realm = <DOMAIN_NAME>/' /etc/krb5.conf

# SSSD: keep user names fully qualified (user@domain) so an AD account can never shadow a
# local account with the same name.
sudo sed -i 's/^\(\s*\)use_fully_qualified_names\s*=.*/\1use_fully_qualified_names = True/' /etc/sssd/sssd.conf

# NSS: add "sss" to the passwd and group databases (only if it is not there yet) and add a
# sudoers database if the file has none. The pattern is anchored to the database name because
# an unanchored ".*group.*" also matches the "netgroup:" line. Reading sudo rules from AD
# additionally needs the libsss-sudo package.
sudo sed -i -E '/^(passwd|group):/ { /\bsss\b/! s/$/ sss/ }' /etc/nsswitch.conf
grep -q '^sudoers:' /etc/nsswitch.conf || echo 'sudoers:        files sss' | sudo tee -a /etc/nsswitch.conf

# PAM: Ubuntu generates /etc/pam.d/common-* from pam-auth-update profiles. libpam-sss
# registers pam_sss for auth/account/password/session when it is installed, and the
# mkhomedir profile (shipped with libpam-modules on current Ubuntu releases) adds
# pam_mkhomedir so an AD user gets a home directory on first login. Editing the generated
# files with sed is both fragile (replacing every line containing "password" or "session"
# removes pam_unix) and undone by the next pam-auth-update run.
sudo pam-auth-update --enable mkhomedir

# SSH: let sshd fetch public keys from the user's AD object through SSSD. sshd requires
# AuthorizedKeysCommandUser whenever AuthorizedKeysCommand is set, so both directives go in
# a drop-in file (Ubuntu 20.04 and later include /etc/ssh/sshd_config.d/*.conf) and
# "sshd -t" validates the configuration before the service is restarted.
printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' \
  | sudo tee /etc/ssh/sshd_config.d/sssd.conf >/dev/null
sudo sshd -t && sudo systemctl restart ssh

# Apply the SSSD changes.
sudo systemctl restart sssd
```

Replace `<DOMAIN_NAME>` with your actual Active Directory domain name. `realm join` will prompt you for your AD credentials, so make sure you have those handy!
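Once the join and the edits above are done, it is worth checking that they landed and that the host is not more open than intended. The script below is an added example, not part of the original post: it verifies that `sss` is in the `passwd` and `group` databases, that sshd has both `AuthorizedKeysCommand` directives, and whether `sssd.conf` actually limits who may log in (a fresh `realm join` leaves `access_provider = ad`, which admits every enabled domain user unless a GPO or `ad_access_filter` says otherwise; `realm permit -g <group>` switches it to the `simple` provider with an allow list). It runs against constructed sample files, so the domain `example.com`, the group `Linux Admins` and the file contents are assumptions; point `audit` at `/etc` to check a real host.

```bash
#!/usr/bin/env bash
# Post-join audit for an AD-joined Ubuntu host. Added example, not part of the original post.
# Every check takes the file to inspect as an argument, so the same functions run against the
# live /etc files or against the constructed sample files built at the bottom.

# nss_db_uses FILE DB SOURCE: succeed if the "DB:" line in nsswitch.conf lists SOURCE.
nss_db_uses() {
  awk -v db="$2:" -v src="$3" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
    END { exit !found }' "$1"
}

# ini_value FILE SECTION KEY: print KEY's value inside [SECTION] of an sssd.conf-style file,
# or nothing if it is unset. Comment lines are skipped; the last assignment wins.
ini_value() {
  awk -v sect="[$2]" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^\[/ { in_sect = ($0 == sect); next }
    in_sect && index($0, "=") {
      k = $0; v = $0
      sub(/[[:space:]]*=.*/, "", k)
      sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# sssd_restricts_logins FILE SECTION: succeed only if the domain section limits who may log in.
# access_provider = ad (what realm join writes) admits every enabled AD user unless a GPO or an
# ad_access_filter says otherwise; "realm permit -g <group>" switches the section to the simple
# provider with an explicit allow list, which is what this check looks for.
sssd_restricts_logins() {
  local file=$1 section=$2 prov
  prov=$(ini_value "$file" "$section" access_provider)
  case "$prov" in
    simple) [ -n "$(ini_value "$file" "$section" simple_allow_groups)$(ini_value "$file" "$section" simple_allow_users)" ] ;;
    ad)     [ -n "$(ini_value "$file" "$section" ad_access_filter)" ] ;;
    *)      return 1 ;;
  esac
}

# sshd_uses_sssd_keys FILE: succeed if AuthorizedKeysCommand points at sss_ssh_authorizedkeys
# exactly once and AuthorizedKeysCommandUser is set (sshd refuses to start when the command is
# configured without a user, which is what an unanchored sed edit of both lines produces).
sshd_uses_sssd_keys() {
  [ "$(grep -Ec '^[[:space:]]*AuthorizedKeysCommand[[:space:]]' "$1")" -eq 1 ] &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' "$1" &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]' "$1"
}

# audit DIR SECTION: run every check against DIR/{nsswitch.conf,sssd.conf,sshd_config},
# print one PASS/FAIL line per check and return the number of failed checks.
audit() {
  local dir=$1 section=$2 fails=0
  _check() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fails=$((fails + 1)); fi; }
  _check nss_db_uses "$dir/nsswitch.conf" passwd sss
  _check nss_db_uses "$dir/nsswitch.conf" group sss
  _check sssd_restricts_logins "$dir/sssd.conf" "$section"
  _check sshd_uses_sssd_keys "$dir/sshd_config"
  return "$fails"
}

# Constructed sample files (not captured from a real host): "before" is a freshly joined host,
# "after" is the same host with sss in nsswitch.conf, "realm permit -g 'Linux Admins'" applied
# and the sshd drop-in merged in. The domain example.com and the group name are made up.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/before" "$SAMPLE/after"
printf 'passwd:         files systemd\ngroup:          files systemd\nnetgroup:       nis\n' > "$SAMPLE/before/nsswitch.conf"
printf '[sssd]\ndomains = example.com\n\n[domain/example.com]\naccess_provider = ad\nuse_fully_qualified_names = True\n' > "$SAMPLE/before/sssd.conf"
printf '#AuthorizedKeysCommand none\n#AuthorizedKeysCommandUser nobody\n' > "$SAMPLE/before/sshd_config"
printf 'passwd:         files systemd sss\ngroup:          files systemd sss\nnetgroup:       nis sss\n' > "$SAMPLE/after/nsswitch.conf"
printf '[sssd]\ndomains = example.com\n\n[domain/example.com]\n# set by: realm permit -g "Linux Admins"\naccess_provider = simple\nsimple_allow_groups = Linux Admins\nuse_fully_qualified_names = True\n' > "$SAMPLE/after/sssd.conf"
printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' > "$SAMPLE/after/sshd_config"

echo "== freshly joined host"; audit "$SAMPLE/before" domain/example.com || echo "$? check(s) failed"
echo "== hardened host";       audit "$SAMPLE/after"  domain/example.com && echo "all checks passed"
```

On a real host run `audit /etc domain/<DOMAIN_NAME>` (the section name is `domain/` followed by the domain as `realm list` shows it, and `sssd.conf` is root-only, so use `sudo`). The first sample set fails all four checks; the second passes, which is the state to aim for before handing the machine to users.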

`realm join` with no `-U` authenticates as the domain’s Administrator account. To join with a different AD account instead, name it with `-U`:

```bash
# Join the Ubuntu machine to the domain as a specific AD account.
# Replace <DOMAIN_NAME> and <USERNAME> (placeholders) with the AD domain and the joining
# account; a delegated account that may only create computer objects in its OU is enough.
# -U names the account in user@domain form. realm join prompts for the password itself,
# so it never has to appear on the command line or in the shell history.
sudo realm join <DOMAIN_NAME> -U <USERNAME>@<DOMAIN_NAME>
```

Again, replace `<DOMAIN_NAME>` and `<USERNAME>` with your actual AD domain and account.

And that’s it! Your Ubuntu machine should now be joined to the Active Directory domain. You can test this by running:

```bash
# Verify the join without having to log in as an AD user first.
# Replace <DOMAIN_NAME> and <USERNAME> (placeholders) with the AD domain and any AD account.

# The domain should be listed with "configured: kerberos-member".
realm list

# Resolve an AD account through NSS and SSSD: its uid, gid and group list should come back.
getent passwd <USERNAME>@<DOMAIN_NAME>
id <USERNAME>@<DOMAIN_NAME>

# Once logged in as that account (for example over SSH), whoami prints the AD user name.
whoami
```

If `id` prints the AD user’s uid, gid and group memberships, the machine is resolving accounts from the domain, and `whoami` after an AD login will display your AD username, which means you’re all set!

Of course, there are a few more steps involved in setting up Kerberos authentication and configuring NSS to use LDAP for name resolution, but we won’t go into those details here. If you need help with that stuff, feel free to consult the documentation or reach out to your friendly neighborhood Linux guru!
