
Integrate Windows AD with Ubuntu using SSSD

How to integrate Windows AD with Ubuntu 18/20/22 using SSSD?

 

Before you start, make sure the Ubuntu host can reach the AD domain controllers on the following ports. These are outbound connections from Ubuntu to the DCs, so what matters is any firewall between the two, not inbound rules on the Ubuntu host:

DNS 53 (TCP and UDP), Kerberos 88 and 464 (TCP and UDP), LDAP 389 (TCP), LDAP Global Catalog 3268 (TCP) and NTP 123 (UDP).

Verify that the system time on both systems is synchronized. Kerberos rejects tickets when the clock skew exceeds five minutes (the default tolerance), and an unsynchronized clock shows up as a join or login failure rather than as an obvious time error.

See the separate article on correcting server time on CentOS, RHEL, Ubuntu and SUSE.
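The pre-flight checks above (DC discovery through DNS, port reachability and clock skew) as a script, added here as an example; it is not part of the Ezeelogin page. ldapad.com is the page's example domain; dc01.ldapad.com is an assumed domain controller name and MAX_SKEW is the Kerberos default. It needs dig (dnsutils), ldapsearch (ldap-utils) and timeout (coreutils); the DC clock is read from the LDAP rootDSE currentTime attribute, which AD serves anonymously, so no Kerberos ticket is needed yet.

```shell
#!/bin/sh
# Pre-flight checks before "realm join": DNS SRV discovery of the DCs,
# TCP reachability of the ports the page lists, and Kerberos clock skew.
# Added example, not from the Ezeelogin page. DOMAIN is the page's example
# domain; DC is an assumed (hypothetical) domain controller name.

DOMAIN="${DOMAIN:-ldapad.com}"
DC="${DC:-dc01.ldapad.com}"
MAX_SKEW=300   # Kerberos rejects tickets beyond 5 minutes of skew by default

# port_open HOST PORT: 0 if a TCP connect succeeds within 3 s, non-zero otherwise.
# Uses bash's /dev/tcp so nothing beyond bash and coreutils is required.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH: 0 if |local - remote| <= MAX_SKEW seconds.
skew_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# generalized_to_epoch YYYYMMDDHHMMSS[.0Z]: LDAP GeneralizedTime (UTC) -> Unix time.
generalized_to_epoch() {
  iso=$(printf '%s' "$1" | sed -E \
    's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2}).*/\1-\2-\3 \4:\5:\6/')
  date -u -d "$iso" +%s
}

# ad_time_epoch DC: the DC's clock from the rootDSE "currentTime" attribute.
# Anonymous base search; AD answers this without authentication.
ad_time_epoch() {
  t=$(ldapsearch -x -LLL -H "ldap://$1" -s base -b "" currentTime 2>/dev/null |
      awk '/^currentTime:/ {print $2}')
  [ -n "$t" ] || return 1
  generalized_to_epoch "$t"
}

preflight() {
  rc=0
  echo "DCs advertised in _ldap._tcp.dc._msdcs.$DOMAIN:"
  dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | awk '{print "  " $4}'
  # UDP 53/88/123 are not probed here; a TCP connect to the DC ports is enough
  # to catch the usual firewall and routing mistakes.
  for p in 53 88 389 464 3268; do
    if port_open "$DC" "$p"; then echo "ok   $DC tcp/$p"; else echo "FAIL $DC tcp/$p"; rc=1; fi
  done
  if remote=$(ad_time_epoch "$DC"); then
    if skew_ok "$(date +%s)" "$remote"; then
      echo "ok   clock skew within ${MAX_SKEW}s"
    else
      echo "FAIL clock skew exceeds ${MAX_SKEW}s; fix NTP before realm join"; rc=1
    fi
  else
    echo "WARN could not read currentTime from $DC rootDSE (port 389 or DNS?)"
  fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `DC=dc01.ldapad.com sh preflight.sh --run` (the file name is yours); any FAIL line is something to fix before `realm join`, because the join itself only reports a generic Kerberos or LDAP error.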

1. Log in to the Ezeelogin web GUI and open Settings > LDAP.

   Enter the LDAP (Active Directory) connection details.

2. Go to Settings > General > Authentication and change Web Panel Authentication to LDAP.

3. Select the LDAP users and click the import button to import them into Ezeelogin.

   You can confirm that the imported LDAP users are listed in the Users tab of the Ezeelogin GUI. From this point you can log in to the Ezeelogin GUI with Windows (AD) user credentials.

4. Enable the Security Code LDAP option under Settings > General > Authentication if users should not have to log in to the Ezeelogin GUI first to set up a security code.


Backend configuration to integrate Windows AD with Ubuntu

1. Install the required packages. sssd-tools provides sss_cache (used at the end of this procedure), and libnss-sss and libpam-sss are the NSS and PAM modules that realm join would otherwise pull in on its own.

[root@ubuntu ~]# apt-get install realmd sssd sssd-tools libnss-sss libpam-sss oddjob oddjob-mkhomedir adcli samba-common krb5-user nscd -y

A note on nscd: sssd keeps its own cache, and the sssd documentation advises against letting nscd cache passwd, group, netgroup and services lookups (set enable-cache passwd no, enable-cache group no, enable-cache netgroup no and enable-cache services no in /etc/nscd.conf, leaving hosts caching enabled). Otherwise a user disabled or removed from a group in AD can keep resolving on the host until nscd's cache expires.

2. Add the domain controller's IP and the AD domain name to the hosts file. This is only a fallback: realmd discovers the domain through DNS SRV records (_ldap._tcp and _kerberos._tcp), so name resolution for the join has to come from AD DNS (step 3).

[root@ubuntu ~]# vim /etc/hosts

windows_ip  windows_domain_name

3. Point the resolver at the AD DNS server so the domain can be resolved and discovered. On Ubuntu 18.04 and later /etc/resolv.conf is generated by systemd-resolved and a direct edit is overwritten; set the DNS server (and the AD domain as search domain) in the netplan configuration of the interface, apply it, and confirm with resolvectl status (systemd-resolve --status on 18.04).

[root@ubuntu ~]# vim /etc/resolv.conf

nameserver  windows_ip

4. Check that AD domain discovery succeeds. The example below uses the domain ldapad.com. Before the join the configured: line reads no; the output shown here was captured after the join, which is why it already shows kerberos-member.

[root@ubuntu ~]# realm discover ldapad.com

ldapad.com
type: kerberos
realm-name: LDAPAD.COM
domain-name: ldapad.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins

5. Join Ubuntu to the Active Directory domain. Replace Administrator with an AD account that is allowed to join computers to the domain; it does not have to be a Domain Admin, delegated rights to create computer objects in the target OU are enough. The password is used once for the join and is not stored on the host; the host receives its own machine account and keytab in /etc/krb5.keytab.

[root@ubuntu ~]# realm join ldapad.com -U Administrator

Password for Administrator:

6. Confirm the join with realm list. The output should match the example below, with configured: kerberos-member.

[root@ubuntu ~]# realm list

ldapad.com
type: kerberos
realm-name: LDAPAD.COM
domain-name: ldapad.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins

7. After a successful join realmd writes the /etc/sssd/sssd.conf shown below, except that use_fully_qualified_names is set to True. Change it to False so AD users log in as john rather than john@ldapad.com, and add override_shell = /usr/local/bin/ezsh inside the [domain/ldapad.com] section so every AD user is placed in the Ezeelogin shell. Leave access_provider = ad in place: it makes sssd honour the account state in AD (disabled, expired, locked out), and on current sssd versions it also applies the GPO logon rights (ad_gpo_access_control defaults to enforcing), which is the usual reason a user resolves with id but is denied at login. The file must stay owned by root with mode 0600; sssd refuses to start if it is group- or world-readable.

[root@ubuntu ~]# vim /etc/sssd/sssd.conf

[sssd]
domains = ldapad.com
config_file_version = 2
services = nss, pam

[domain/ldapad.com]
ad_domain = ldapad.com
krb5_realm = LDAPAD.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

override_shell = /usr/local/bin/ezsh

8. Enable automatic home-directory creation at first login by adding pam_mkhomedir to /etc/pam.d/common-session with the command below. umask=077 keeps each new home directory private to its owner. Run the command once; running it again appends a duplicate line. On Ubuntu the same result can be obtained with pam-auth-update --enable mkhomedir, which is idempotent.

[root@ubuntu ~]# echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

9. Restart sssd and nscd so the new configuration takes effect.

[root@ubuntu ~]# systemctl restart sssd nscd

10. Run id <username> and getent passwd <username> to confirm that the AD user resolves through sssd. The UID and GID come from ldap_id_mapping (they are derived from the AD SID, so they are the same on every host joined with the same id-mapping settings), the home directory follows fallback_homedir, and the shell is the override_shell value.

[root@ubuntu ~]# id john
uid=1701601108(john) gid=1701600513(domain users) groups=1701600513(domain users)
[root@ubuntu ~]# getent passwd john
john:*:1701601108:1701600513:john user:/home/john@ldapad.com:/usr/local/bin/ezsh

If a user's attributes (group membership, shell, account state) change in AD and the host still shows the old values, invalidate the cached entry with the command below; sssd serves cached data for entry_cache_timeout (5400 seconds by default) before asking AD again.

[root@ubuntu ~]# sss_cache -u username

sss_cache -E invalidates every cached entry. Note that sss_cache only marks entries as expired; to also discard cached credentials used for offline logins, stop sssd and remove the domain cache file (/var/lib/sss/db/cache_ldapad.com.ldb in this example) before starting it again.
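A post-join check for steps 7 to 10, added here as an example that is not part of the Ezeelogin page: it verifies the ownership and mode of sssd.conf and the values the steps above require (use_fully_qualified_names, id_provider, access_provider, override_shell, the domain listed under [sssd]), and parses the passwd line that getent returns. The sample config written by write_sample_conf is constructed from the page's sssd.conf; the function names and the --demo switch are this script's own.

```shell
#!/bin/sh
# Post-join checks for /etc/sssd/sssd.conf and NSS resolution of AD users.
# Added example, not from the Ezeelogin page. write_sample_conf writes a
# constructed copy of the page's sssd.conf so the checks can run offline.

# conf_get FILE SECTION KEY: print KEY's value from [SECTION] of an ini-style file.
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^" key " *=") { sub(/^[^=]*= */, ""); print; exit }
  ' "$1"
}

# check_sssd_conf FILE DOMAIN: verify mode/ownership and the values this page requires.
# Prints one line per problem; returns 0 only when everything passes.
check_sssd_conf() {
  f="$1"; d="$2"; rc=0
  mode=$(stat -c '%a' "$f")
  [ "$mode" = "600" ] || { echo "FAIL $f mode is $mode, expected 600 (sssd refuses a readable file)"; rc=1; }
  owner=$(stat -c '%U' "$f")
  [ "$owner" = "root" ] || echo "WARN $f owned by $owner, expected root"
  case " $(conf_get "$f" sssd domains | tr ',' ' ') " in
    *" $d "*) ;;
    *) echo "FAIL $d is missing from [sssd] domains"; rc=1 ;;
  esac
  for kv in "use_fully_qualified_names=False" "id_provider=ad" \
            "access_provider=ad" "override_shell=/usr/local/bin/ezsh"; do
    k=${kv%%=*}; want=${kv#*=}
    got=$(conf_get "$f" "domain/$d" "$k")
    [ "$got" = "$want" ] || { echo "FAIL $k is '$got', expected '$want'"; rc=1; }
  done
  return $rc
}

# passwd_field LINE N: field N of a passwd(5) line (3 = uid, 6 = home, 7 = shell).
passwd_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# user_ready USER: 0 if USER resolves through NSS (sssd) and gets the Ezeelogin shell.
user_ready() {
  line=$(getent passwd "$1") || { echo "FAIL $1 does not resolve; check realm list and sss_cache"; return 1; }
  shell=$(passwd_field "$line" 7)
  [ "$shell" = "/usr/local/bin/ezsh" ] || { echo "FAIL $1 has shell $shell, expected ezsh"; return 1; }
}

# write_sample_conf FILE: constructed copy of the page's sssd.conf after step 7.
write_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = ldapad.com
config_file_version = 2
services = nss, pam

[domain/ldapad.com]
ad_domain = ldapad.com
krb5_realm = LDAPAD.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad

override_shell = /usr/local/bin/ezsh
EOF
  chmod 600 "$1"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); write_sample_conf "$tmp"
  check_sssd_conf "$tmp" ldapad.com && echo "sample sssd.conf ok"
  rm -f "$tmp"
fi
# Live system: check_sssd_conf /etc/sssd/sssd.conf ldapad.com && user_ready john
```

The mode check is the one most often missed: a sssd.conf copied in with 0644 is rejected by sssd at start, and the symptom is that every AD user stops resolving rather than a clear configuration error.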

 
