Ubuntu Authentication with Active Directory (20.04)
Long ago I wrote about my adventures with Active Directory authentication on Linux, and once I got things working I never really looked back. Recently I had to set up a new device, so it was a good opportunity to look back at the steps I took and trim a lot of the fat.
Preparation
As a prerequisite, a working Active Directory server must be already set up, and the relevant DNS SRV record must be set.
We first start by installing the necessary packages.
sudo apt-get install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin krb5-user
Join realm
Then it’s as simple as looking up your realm and joining it, specifying the administrative account if necessary.
REALM_ADMIN="admin-user"
REALM_NAME="ad.example.com"
sudo realm discover ${REALM_NAME}
sudo realm join -U ${REALM_ADMIN} ${REALM_NAME}
Additional setup
To automatically create the home directory on first login, edit /usr/share/pam-configs/mkhomedir so that it contains the following:
Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: no
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
Run pam-auth-update and make sure the mkhomedir profile is selected.
sudo pam-auth-update
Optionally, edit /etc/sssd/sssd.conf as needed. For instance, use_fully_qualified_names and fallback_homedir can be edited to match your preferences. If you only use IPv6, you can also set lookup_family_order.
use_fully_qualified_names = False
fallback_homedir = /home/%u
lookup_family_order = ipv6_first
sudo systemctl restart sssd
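The three settings above are usually applied by hand; the helper below is an added example (not from the original post) that sets them idempotently in the [domain/<realm>] section of an sssd.conf and checks the file mode, working on a constructed sample copy so it can be tried without touching /etc/sssd/sssd.conf. It assumes GNU awk and stat (Linux) and that realm join has already created the domain section.

```shell
#!/usr/bin/env bash
# Added example: idempotent edits to sssd.conf's [domain/<realm>] section.
# Point the conf argument at /etc/sssd/sssd.conf (as root) to apply for real.
set -euo pipefail

# Set KEY = VALUE inside [SECTION] of CONF: replace an existing line (dropping
# duplicates) or append one at the end of that section; other sections are
# untouched. If SECTION is absent nothing is written (realm join creates it).
sssd_set() {
  local conf="$1" section="$2" key="$3" value="$4" tmp
  tmp="$(mktemp)"
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    function flush() { if (in_sec && !done) { print key " = " val; done = 1 } }
    /^\[/ { flush(); in_sec = ($0 == sec) }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { flush(); next }
    { print }
    END { flush() }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"   # write through so owner and mode of CONF are kept
  rm -f "$tmp"
}

# Print the current value of KEY in [SECTION] of CONF (empty if unset).
sssd_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { in_sec = ($0 == sec) }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# sssd refuses to start when sssd.conf is readable by anyone but its owner,
# so the file must stay mode 0600 after editing.
sssd_mode_ok() { [ "$(stat -c '%a' "$1")" = "600" ]; }

# Apply the settings from the post to the realm's domain section.
apply_settings() {
  local conf="$1" realm="$2"
  sssd_set "$conf" "domain/$realm" use_fully_qualified_names False
  sssd_set "$conf" "domain/$realm" fallback_homedir '/home/%u'
  sssd_set "$conf" "domain/$realm" lookup_family_order ipv6_first
}

# Constructed sample resembling what realm join writes; not a real file.
make_sample_conf() {
  printf '%s\n' '[sssd]' 'domains = ad.example.com' 'config_file_version = 2' \
    'services = nss, pam' '' '[domain/ad.example.com]' 'id_provider = ad' \
    'access_provider = ad' 'use_fully_qualified_names = True' '' '[pam]' > "$1"
  chmod 600 "$1"
}
```

Run apply_settings against a copy first and diff it against the live file before restarting sssd.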
Test whether you can look up AD users:
REALM_USER="example-user"
id ${REALM_USER}
Access control can be set using realm permit or realm deny.
realm permit [email protected]
realm permit -g some-group