Saturday, 3 December 2016

Joining Ubuntu Server to Active Directory

Adding an Ubuntu server to your Active Directory domain is perhaps one of the more interesting tasks these days, as the partnership with Microsoft grows.

So I'm going to walk you through the steps needed to get you connected.

Step One Basic Connectivity

First of all, we need to make sure the server can resolve the domain.

sudo nano /etc/network/interfaces

In my lab domain the DNS server addresses are 172.16.1.6 and 172.16.1.16, so I changed the interface configuration to carry the line below (the ifupdown keyword is dns-nameservers; a bare "nameservers" is not recognised).

dns-nameservers 172.16.1.6 172.16.1.16

After saving the file I pinged the FQDN of a domain controller to check that the name resolved.
ping dom.lab.local

Since the name resolved, I moved on to the next step.

If you are using a DHCP-assigned address you might want to check out my other post, Ubuntu DNS Host Resolution Issue, as I address one common issue there before you continue here.

Step Two Installing Packages

Next, we are going to need four packages:

  • NTP - Network Time Protocol
  • SSSD - System Security Services Daemon
  • Samba - Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients
  • krb5 - Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications
If you find this too much reading you can always follow along with the YouTube videos.

From the terminal window run the following command to install all four packages.
sudo apt install krb5-user samba sssd ntp

Step Three Configuring Kerberos

Now we need to configure them. First up is Kerberos: you were most likely asked for the name of the domain during the package install, but you will need to add a few more lines.

sudo nano /etc/krb5.conf

Below is an example of what is in my configuration.
[libdefaults]
    default_realm = LAB.LOCAL
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    LAB.LOCAL = {
        kdc = DOM.LAB.LOCAL
        kdc = DOM2.LAB.LOCAL
        admin_server = DOM.LAB.LOCAL
    }

Step Four Configuring NTP

Configure time synchronisation so that the computer account and the Kerberos exchanges are not rejected because of clock skew between the server and the domain controllers.
sudo nano /etc/ntp.conf

Simply add one new line with your time server:
server dom.lab.local

Step Five Configuring Samba

Next up, we are going to edit the Samba configuration.
sudo nano /etc/samba/smb.conf

Nothing too hard here; however, you will need to add a few more lines to the global section.

[global]

workgroup = LAB
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = LAB.LOCAL
security = ads

Step Six Configuring SSSD

Configuring SSSD is both the hardest and the easiest part at the same time: as the package provides no template file, you'll have to create a new one.

sudo nano /etc/sssd/sssd.conf

You'll need at least the config below; note that I use the simple access provider because of nested groups.

[sssd]
services = nss, pam
config_file_version = 2
domains = LAB.LOCAL

[domain/LAB.LOCAL]
id_provider = ad
access_provider = simple

# Note that this config only allows 2 users and 2 groups to gain access.
# simple_allow_users = joker@lab.local,chrissy@lab.local
# simple_allow_groups = linux-admin,linux-users

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u


After closing and saving the file do not forget to set the permissions.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

Step Seven Updating Localhost File

Last but not least, don't forget to update the local hosts file with the IP address and FQDN of the server that is about to be joined.

sudo nano /etc/hosts

127.0.0.1 myserver.lab.local myserver
172.16.1.8 myserver.lab.local myserver


Step Eight Restarting Services and Joining Domain

Finally, you'll need to restart the services for the changes to take effect and tell Linux which account to use for joining the domain.


sudo systemctl restart ntp.service
sudo systemctl restart smbd.service nmbd.service

Get a Kerberos ticket for the account you will join the domain with
sudo kinit Administrator

Join the domain
sudo net ads join -k
sudo systemctl start sssd.service

If you get errors during the join check your config and rerun the net ads join command.
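Because most join failures come down to a typo or a bad permission in one of the files edited above, here is a small pre-join check script. It is an added example written for this write-up, not code from the original post or from the SSSD, Samba or Kerberos packages. The lab realm LAB.LOCAL, the /etc paths and the function names are assumptions; that SSSD refuses to start unless sssd.conf is root-owned with mode 600, and that Kerberos rejects requests once the clock is more than five minutes off the domain controllers, are properties of the software.

```shell
#!/bin/sh
# Added example, not part of the original post or of the SSSD, Samba or
# Kerberos packages: sanity checks for the files edited in steps three, six
# and seven, meant to be run before "net ads join". The defaults (LAB.LOCAL,
# the /etc paths) are the post's lab values and are assumptions.

# SSSD refuses to start unless sssd.conf is owned by root with mode 600.
# Returns 0 when FILE has exactly that owner (OWNER, default root) and mode.
check_sssd_perms() {
    file="${1:-/etc/sssd/sssd.conf}"
    owner="${2:-root}"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual=$(stat -c '%a %U' "$file")
    [ "$actual" = "600 $owner" ] && return 0
    echo "bad mode/owner on $file: $actual (want 600 $owner)"
    return 1
}

# Returns 0 when sssd.conf names REALM as a domain and takes identities from
# AD, i.e. the minimum the step six configuration contains.
check_sssd_keys() {
    file="${1:-/etc/sssd/sssd.conf}"
    realm="${2:-LAB.LOCAL}"
    for pattern in \
        "^\[sssd\]" \
        "^domains[[:space:]]*=.*$realm" \
        "^\[domain/$realm\]" \
        "^id_provider[[:space:]]*=[[:space:]]*ad" \
        "^access_provider[[:space:]]*="
    do
        grep -Eq "$pattern" "$file" \
            || { echo "$file: no line matching $pattern"; return 1; }
    done
    return 0
}

# Kerberos realm names are case-sensitive and an AD realm is upper case.
# Returns 0 when krb5.conf sets default_realm to REALM and lists a KDC.
check_krb5_realm() {
    file="${1:-/etc/krb5.conf}"
    realm="${2:-LAB.LOCAL}"
    case "$realm" in
        *[[:lower:]]*) echo "realm $realm is not upper case"; return 1 ;;
    esac
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$file" \
        || { echo "$file: default_realm is not $realm"; return 1; }
    grep -Eq "^[[:space:]]*kdc[[:space:]]*=" "$file" \
        || { echo "$file: no kdc entry"; return 1; }
    return 0
}

# Returns 0 when HOSTS maps IP to FQDN on one line, as step seven requires.
check_hosts_entry() {
    hosts="$1"; ip="$2"; fqdn="$3"
    grep -Eq "^[[:space:]]*$ip[[:space:]]+(.*[[:space:]])?$fqdn([[:space:]]|\$)" "$hosts"
}

# Runs the file checks against the real paths, then lists the NTP peers,
# because a clock more than five minutes off the DCs makes Kerberos fail.
# Only runs when AD_PREFLIGHT_RUN=1, so the file can also be sourced.
run_all() {
    rc=0
    realm="${REALM:-LAB.LOCAL}"
    check_sssd_perms || rc=1
    check_sssd_keys /etc/sssd/sssd.conf "$realm" || rc=1
    check_krb5_realm /etc/krb5.conf "$realm" || rc=1
    check_hosts_entry /etc/hosts "$(hostname -I | cut -d' ' -f1)" "$(hostname -f)" \
        || { echo "/etc/hosts: no entry for $(hostname -f)"; rc=1; }
    command -v ntpq >/dev/null && ntpq -pn
    # After "net ads join -k", "sudo net ads testjoin" and
    # "getent passwd Administrator@lab.local" confirm the join and SSSD lookups.
    return "$rc"
}

if [ "${AD_PREFLIGHT_RUN:-0}" = 1 ]; then
    run_all
fi
```

Run it as `AD_PREFLIGHT_RUN=1 sudo sh ad-preflight.sh` (the file name is my choice). It only reads the configuration files and lists NTP peers, so it is safe to repeat until every check passes, and `REALM=OTHER.REALM` overrides the lab default.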

I've also taken the time to upload example files to save you a bit of time in the attached link.

