Long ago I wrote about my adventures with Active Directory authentication on Linux, and once I got things working I never really looked back. Recently I had to set up a new device, so it was a good opportunity to revisit the steps I took and trim a lot of the fat.

Preparation

As a prerequisite, a working Active Directory server must already be set up, and the relevant DNS SRV records must be in place so that the realm can be discovered from the client.

Start by installing the necessary packages.

sudo apt-get install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin krb5-user

Join realm

Then it's as simple as discovering your realm and joining it, specifying an administrative account if one is required.

REALM_ADMIN="admin-user"
REALM_NAME="ad.example.com"
sudo realm discover ${REALM_NAME}
sudo realm join -U ${REALM_ADMIN} ${REALM_NAME}

Additional setup

To automatically create the home directory on first login, edit /usr/share/pam-configs/mkhomedir so that it reads:

Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: no
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

Run pam-auth-update, making sure mkhomedir is selected.

sudo pam-auth-update

Optionally, edit /etc/sssd/sssd.conf as needed. For instance, use_fully_qualified_names and fallback_homedir can be changed to match your preferences, and if you only use IPv6 you can also set lookup_family_order. These options belong in the domain section of the file. Restart sssd afterwards so the changes take effect.

[domain/ad.example.com]
use_fully_qualified_names = False
fallback_homedir = /home/%u
lookup_family_order = ipv6_first

sudo systemctl restart sssd

Test whether you can look up AD users:

REALM_USER="example-user"
id ${REALM_USER}

Access control can be set using realm permit or realm deny:

realm permit "${REALM_USER}@${REALM_NAME}"
realm permit -g some-group
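To tie the steps together, here is an added helper script that is not part of the original post. It runs the same procedure with the checks worth having before trusting the result: discovery must succeed before joining, the join is skipped if the realm is already configured, the sssd.conf edits are idempotent and preserve the file's mode, the file is confirmed private before sssd is restarted, and a user lookup is required to succeed at the end. Assumptions: sssd.conf is the INI-style file realmd writes with a [domain/<realm>] section, GNU stat is available, and the REALM_NAME, REALM_ADMIN and REALM_USER defaults are the placeholder values used earlier in the post.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the join and
# configuration steps with checks. Assumed defaults match the post's
# placeholders; override them in the environment for a real domain.

REALM_NAME="${REALM_NAME:-ad.example.com}"
REALM_ADMIN="${REALM_ADMIN:-admin-user}"
REALM_USER="${REALM_USER:-example-user}"
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# set_ini_option FILE SECTION KEY VALUE
# Idempotently set "KEY = VALUE" inside [SECTION]: replace an existing line,
# otherwise add it to the section, creating the section if it does not exist.
# The file is rewritten in place (cat > file) so its mode and owner survive.
set_ini_option() {
    file=$1; section=$2; key=$3; value=$4
    tmp="${file}.tmp.$$"
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { hdr = "[" s "]"; in_sec = 0; done = 0 }
        /^\[/ {
            # leaving the target section without having seen KEY: add it now
            if (in_sec && !done) { print k " = " v; done = 1 }
            in_sec = ($0 == hdr)
        }
        in_sec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!in_sec) print hdr
                print k " = " v
            }
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY: print the value of KEY in [SECTION], if any
get_ini_option() {
    awk -v s="$2" -v k="$3" '
        BEGIN { hdr = "[" s "]"; in_sec = 0 }
        /^\[/ { in_sec = ($0 == hdr); next }
        in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); print; exit
        }' "$1"
}

# conf_is_private FILE
# sssd checks that sssd.conf is not readable by group or others and refuses
# to start otherwise, so verify the mode bits before restarting the service.
conf_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# realm_is_joined REALM: true when `realm list` already reports REALM
realm_is_joined() {
    realm list --name-only 2>/dev/null | grep -qix "$1"
}

# The procedure from the post, guarded by a check at each step.
join_and_configure() {
    # 1. discovery must succeed before attempting to join
    realm discover "$REALM_NAME" | grep -qi "^$REALM_NAME" \
        || { echo "realm $REALM_NAME not discoverable; check DNS SRV records" >&2; return 1; }
    # 2. join only once
    realm_is_joined "$REALM_NAME" || realm join -U "$REALM_ADMIN" "$REALM_NAME"
    # 3. create home directories on first login
    pam-auth-update --enable mkhomedir
    # 4. domain options from the post; make sure the file is private, then restart
    sec="domain/${REALM_NAME}"
    set_ini_option "$SSSD_CONF" "$sec" use_fully_qualified_names False
    set_ini_option "$SSSD_CONF" "$sec" fallback_homedir /home/%u
    conf_is_private "$SSSD_CONF" || chmod 600 "$SSSD_CONF"
    systemctl restart sssd
    # 5. prove that lookups work before tightening access with realm permit/deny
    id "$REALM_USER" || { echo "lookup of $REALM_USER failed" >&2; return 1; }
    realm list
}

# Run the procedure only when invoked as `sudo sh this.sh apply`;
# sourcing the file just defines the helper functions.
if [ "${1:-}" = "apply" ]; then
    join_and_configure
fi
```

The edit helper rewrites through `cat > file` rather than `mv` on purpose: a moved temp file would take the mode from the current umask, and sssd would then refuse to start until the file was chmod'ed back to 0600.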