Join Ubuntu to Active Directory AD Domain - GoTechTalk


Saturday, May 1, 2021

Join Ubuntu to Active Directory AD Domain


By Sudarshan Yerunkar | Posted on 26th March 2021.




Hey everyone, Sudarshan here. Today I want to show you how to take an existing Ubuntu 20.04 server and join it to an Active Directory domain.
 
The first thing to do is refresh the package list with sudo apt update so that the packages we install next are current. Then we set the Ubuntu server's hostname so that it fits the naming scheme of our Active Directory setup. Assuming your AD domain is yourdomain.local, set the hostname with:
sudo hostnamectl set-hostname ubuntu-1.yourdomain.local
Typing hostname afterwards should print the new name.
Next we configure DNS. When you are part of a Windows Active Directory domain you need to be using the domain's DNS servers, and in our case DNS runs on the domain controller. So first we disable the local resolver, systemd-resolved, and then stop it so it is no longer running:
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
A status check should now show that it is stopped:
sudo systemctl status systemd-resolved.service
We do this because we don't want the local stub resolver answering on this machine; we want DNS pointing at our domain controller. With it stopped, edit resolv.conf so the nameserver points at the domain controller:
sudo nano /etc/resolv.conf
Change the nameserver line, which currently points at localhost, to the IP address of the domain controller, 192.168.1.1 in my case, and save. One caveat: on Ubuntu 20.04 /etc/resolv.conf is a symlink into /run/systemd/resolve, which is cleared on reboot, so replace the symlink with a regular file (or set the nameserver in your netplan configuration) if you want the change to persist. Our DNS now points at the domain controller and we're ready to go.
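Before installing anything, it is worth checking that the two settings above actually took. The bash script below is an added example, not code from the original post: it checks that the hostname sits inside the domain, that /etc/resolv.conf lists the domain controller first with no leftover 127.x stub entry, and (if dig is installed) that the _ldap._tcp SRV record realm discover will need resolves. The domain name, DC address and file path are passed as arguments; the values in the last lines are the post's placeholder values and are assumptions about your environment.

```shell
#!/usr/bin/env bash
# Pre-join sanity checks for the hostname and DNS steps above. Added example,
# not code from the original post. Domain, DC address and file paths are
# supplied as arguments so the checks can be run against any file or host.

# hostname_matches_domain FQDN DOMAIN
# Succeeds when FQDN is a host inside DOMAIN (e.g. ubuntu-1.yourdomain.local).
hostname_matches_domain() {
    local fqdn="$1" domain="$2"
    case "$fqdn" in
        ?*."$domain") return 0 ;;
        *)            return 1 ;;
    esac
}

# resolv_points_to_dc RESOLV_CONF DC_IP
# Succeeds when the first nameserver in RESOLV_CONF is DC_IP and no nameserver
# line still points at localhost or the systemd-resolved stub (127.0.0.53).
resolv_points_to_dc() {
    local file="$1" dc_ip="$2" key value first=""
    [ -r "$file" ] || return 1
    while read -r key value _ || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        case "$value" in
            127.*|::1) return 1 ;;   # stub resolver or localhost still present
        esac
        if [ -z "$first" ]; then
            first="$value"
        fi
    done < "$file"
    [ "$first" = "$dc_ip" ]
}

# preflight DOMAIN DC_IP
# Runs both checks against the live host and, when dig is available, confirms
# the LDAP SRV record that realm discover relies on can be resolved.
preflight() {
    local domain="$1" dc_ip="$2" rc=0
    if hostname_matches_domain "$(hostname -f 2>/dev/null || hostname)" "$domain"; then
        echo "ok   hostname is inside $domain"
    else
        echo "FAIL hostname is not inside $domain" >&2; rc=1
    fi
    if resolv_points_to_dc /etc/resolv.conf "$dc_ip"; then
        echo "ok   /etc/resolv.conf points at $dc_ip"
    else
        echo "FAIL /etc/resolv.conf does not list $dc_ip first" >&2; rc=1
    fi
    if command -v dig >/dev/null 2>&1; then
        if dig +short SRV "_ldap._tcp.$domain" | grep -q .; then
            echo "ok   SRV record _ldap._tcp.$domain resolves"
        else
            echo "FAIL no SRV record for _ldap._tcp.$domain" >&2; rc=1
        fi
    fi
    return $rc
}

# Usage on the host from the post (the domain and DC address are the post's
# placeholder values, replace them with your own):
if [ "${1:-}" = "--check" ]; then
    preflight yourdomain.local 192.168.1.1
fi
```

Run it as bash preflight.sh --check after editing resolv.conf; a FAIL line for the SRV record usually means the nameserver change did not take effect, which is exactly the situation in which realm discover will come back empty.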
 
Next we install the packages required for joining an Ubuntu 20.04 or 18.04 machine to the domain. The most important one is realmd, whose realm tool joins a machine to a Kerberos realm, in our case an Active Directory domain, and it isn't complex to use:
sudo apt update  
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit  
 
Now that all the required packages are installed, let's run:
realm discover yourdomain.local
This checks whether the machine can reach and find the yourdomain.local domain. If we see information such as server-software: active-directory, the domain is discoverable, thanks to the DNS configuration we just did. Joining the realm, i.e. the Active Directory domain, is fairly simple:
sudo realm join -U Administrator mydomain.local
The -U option gives the username of a domain administrator. Just as when you join a Windows machine to a domain, you supply the credentials of a user that is privileged enough to add machines to the domain, in our case Administrator. After hitting enter you are prompted for the password; keep in mind this is the domain admin account, so the password is that account's password on the AD domain. The command prints nothing on success, which is a little weird, but no output means it worked. To confirm, run:
realm list
This shows the realm we are now part of: the realm name is mydomain.local and the server software is active-directory, so we have successfully joined.
 
But it's not over. We are now part of the Active Directory domain we wanted, but we haven't set up the authentication modules needed to let domain users sign in remotely, get home directories created, and so on. In the realm list output the client software is shown as sssd, which we installed earlier with the other packages. SSSD stands for System Security Services Daemon (a long name, I know); it integrates with PAM, the Linux authentication modules, so that we can authenticate against a remote source such as our AD domain, access remote shares and so on. It handles most of the basic functionality we want when integrating with an Active Directory domain.

The next thing to do is enable the creation of home directories on user login. Lots of domain accounts will now be able to sign in to this machine, and we want each of them to get a home directory the first time they do. That means making changes to our PAM configuration. This is a great time to take a snapshot of your machine, because if you mess up the PAM configs you're going to have a really bad time: the machine won't be able to handle any authentication requests, so it is effectively broken, and it is a real pain to fix. So if you're on a VM right now, take a snapshot, because if it breaks you will be sad. With that said, the file we need lives under /usr/share/pam-configs and is called mkhomedir; just copy the command below and hit enter to create it:
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
    required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
Now apply the change by running sudo pam-auth-update. In the menu that appears you'll see the new PAM profile we just created, which creates home directories on login; highlight it, press space so that an asterisk appears in its box, then hit enter. That closes the text menu, and the profile is now enabled.
Now that the profile is enabled, restart sssd, the client program that actually does the remote authentication against the AD domain:
sudo systemctl restart sssd
Then do a quick status check to make sure it came back up and is running properly:
sudo systemctl status sssd
 
Now we should be able to look up remote users and authenticate against our Active Directory domain. Let's test it:
id administrator@mydomain.local
We can see the account has been assigned a UID along with all the groups it belongs to, so we can start pulling users from AD. Another user we had on the domain was myuser:
id myuser@mydomain.local
That user is there as well.
 
These are all accounts we can now access and authenticate with on our Ubuntu machine. Authentication is set up and we can reach the remote users; the next step is to allow these users to SSH in and log on to the machine. For that we go back to the realm command and use realm permit. You can permit specific users or specific groups, but here we'll simply permit everyone with --all; do experiment on your own with permitting only certain groups or certain users.
To permit a user access via SSH and console, use:
sudo realm permit user1@example.com
sudo realm permit user2@example.com user3@example.com

To permit access to groups, for example:
sudo realm permit -g sysadmins
sudo realm permit -g 'Security Users'
sudo realm permit 'Domain Users' 'admin users'

If instead you would like to allow all users access, run:
sudo realm permit --all

To deny all domain users access, use:
sudo realm deny --all
Now we can SSH in. One more thing: our AD domain has a domain admins group, and we want its members to be able to sudo on the box, i.e. to have full root control (or you may have other groups you want to give different permissions). We do that through the sudoers mechanism, but instead of editing /etc/sudoers directly we create a new file under /etc/sudoers.d:
sudo nano /etc/sudoers.d/domain_admins
In it we create an entry that gives all domain administrators from our realm full sudo access on this machine, so they can SSH in and control the box the same way they would in a Windows environment:
"%sysadmins@mydomain.local" ALL=(ALL) ALL
The percent sign specifies a group, the group here is called sysadmins, @mydomain.local names the realm, and ALL=(ALL) ALL lets them run all commands. Two things to watch: sudo ignores files in /etc/sudoers.d whose names contain a dot or end in ~, and a group name that contains spaces (such as Domain Admins) needs each space escaped with a backslash in sudoers. It is safer to open the file with sudo visudo -f /etc/sudoers.d/domain_admins, which checks the syntax before saving.
 
Now domain admins should have full sudo on the box: they will be asked for their password and can then run commands as root. Let's test by SSHing in with one of the domain accounts:
ssh user1@mydomain.local
and enter that user's domain password. (Note that ssh treats the last @ as the user/host separator, so from another machine the full form is ssh 'user1@mydomain.local'@ubuntu-1.mydomain.local.)
We can see we are logged in as user1@mydomain.local on our ubuntu-1 machine; id shows our user, and pwd shows that a home directory was created for us at /home/user1@mydomain.local. So we have successfully joined our Ubuntu 20.04 machine to our existing Active Directory domain, we can authenticate with our AD users via SSH, and we have sudo set up for domain admins as well.
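The sudoers step is the one place in this procedure where a typo locks you out rather than just failing. The bash script below is an added example, not code from the original post: it builds the drop-in entry from a group name, escapes the spaces that AD group names such as Domain Admins contain, writes the file with the mode sudo expects, and validates it with visudo -c before leaving it in place. The group and domain names in the usage line are the post's placeholders and are assumptions about your environment.

```shell
#!/usr/bin/env bash
# Build and validate the sudoers drop-in for an AD group. Added example, not
# code from the original post; the group and domain names are placeholders.

# sudoers_group_entry GROUP DOMAIN
# Prints the sudoers line granting full sudo to %GROUP@DOMAIN. Each space in
# the group name is escaped with a backslash, as sudoers requires.
sudoers_group_entry() {
    local group="$1" domain="$2" escaped
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL) ALL\n' "$escaped" "$domain"
}

# install_sudoers_dropin GROUP DOMAIN [FILE]
# Writes the entry to FILE (default /etc/sudoers.d/domain_admins) with the
# 0440 mode sudo expects, then checks the syntax with visudo -c when visudo
# is installed. A file that fails the check is removed so sudo keeps working.
install_sudoers_dropin() {
    local group="$1" domain="$2" file="${3:-/etc/sudoers.d/domain_admins}"
    case "$(basename "$file")" in
        *.*|*~) echo "sudo ignores drop-ins named like $file" >&2; return 1 ;;
    esac 2>/dev/null
    sudoers_group_entry "$group" "$domain" > "$file" || return 1
    chmod 0440 "$file"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$file" >/dev/null 2>&1; then
            echo "sudoers syntax check failed, removing $file" >&2
            rm -f "$file"
            return 1
        fi
    fi
    return 0
}

# Usage on the host from the post (run as root; the names are placeholders):
if [ "${1:-}" = "--install" ]; then
    install_sudoers_dropin 'Domain Admins' mydomain.local
fi
```

The name check is there because mktemp-style names with dots are a common way to write a drop-in that sudo silently skips; in the test below the temporary file is therefore created without a dot in its name.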
