Integrate Windows AD with Ubuntu using SSSD
How to integrate Windows AD with Ubuntu 18/20/22 using SSSD?
Ensure that the following ports on the Ubuntu host are open and accessible to the AD domain controllers.
DNS =53, LDAP =389, Kerberos 88 & 464, LDAP Global Catalog 3268 and NTP 123 (UDP)
Verify that the system time on both systems is synchronized. This ensures that Kerberos is able to work correctly.
Refer article to correct server time in Centos, RHEL, Ubuntu, SUSE
Add the details of LDAP configurations.
You can confirm the imported LDAP users were listed in the Users tab in Ezeelogin GUI. You will be able to log in to Ezeelogin GUI with windows user credentials.
Backend configuration to integrate windows with Ubuntu
1. Install the required packages.
[email protected] ~]# apt-get install realmd sssd oddjob oddjob-mkhomedir adcli samba-common krb5-user nscd -y
2. Provide Windows IP and Windows domain name in hosts file.
[email protected] ~]# vim /etc/hosts
windows_ip windows_domain_name
3. Provide Windows IP in resolv.conf to resolve and discover the AD domain.
[email protected] ~]# vim /etc/resolv.conf
nameserver windows_ip
4. Check if AD domain discovery is successful. Refer below example with ldapad.com
[email protected] ~]# realm discover ldapad.com
ldapad.com
type: kerberos
realm-name: LDAPAD.COM
domain-name: ldapad.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
5. Join Ubuntu in the Active Directory domain. Replace Administrator with Windows admin account.
[email protected] ~]# realm join ldapad.com -U Administrator
Password for Administrator:
6. Confirm joining successfully with the realm list. Refer below example.
[email protected] ~]# realm list
ldapad.com
type: kerberos
realm-name: LDAPAD.COM
domain-name: ldapad.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
7. After successful joining you will get below sssd.conf and you need to change use_fully_qualified_names to False and shell to ezsh.
[email protected] ~]# vim /etc/sssd/sssd.conf
[sssd]
domains = ldapad.com
config_file_version = 2
services = nss, pam
[domain/ldapad.com]
ad_domain = ldapad.com
krb5_realm = LDAPAD.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%[email protected]%d
access_provider = ad
override_shell = /usr/local/bin/ezsh
8. Enable autocreate home directory on login by adding the following to /etc/pam.d/common-session by the following command
[email protected] ~]# echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
9. Restart sssd and nscd using the below commands.
[email protected] ~]# systemctl restart sssd nscd
10. Run id username /getent passwd username and see AD user details.
[email protected] ~]# id john
uid=1701601108(john) gid=1701600513(domain users) groups=1701600513(domain users)
[email protected] ~]# getent passwd john
john:*:1701601108:1701600513:john user:/home/[email protected]:/usr/local/bin/ezsh
Use the below command to clear the cache of the user.
[email protected] ~]# sss_cache -u username
Related Information
- Integrate Windows AD with RHEL 8 using SSSD
- Integrate OpenLdap with Centos 8 using SSSD
- Integrate Windows AD with CentOS using SSSD