Step-by-Step Procedure to Join Ubuntu to an Active Directory Certificate Authority

Are you an IT professional considering joining Ubuntu to an Active Directory (AD) domain? This step-by-step tutorial walks you through integrating a Linux machine into a Windows environment using the System Security Services Daemon (SSSD).
It covers everything from identifying prerequisites and setting up DNS to troubleshooting AD user permissions and verifying a successful login. With these detailed instructions, even readers without prior experience can configure their system for secure access control in little time.
Table of Contents
- A Short Note About SSSD & Realmd
- Prerequisites
  - Sssd-as Package
  - Sssd-tools Package
  - Realmd Package
  - Adcli
- How To Join Ubuntu To An Active Directory?
- Troubleshooting Tips
  - Check DNS Resolution
  - Verify AD User Permissions
  - Restart SSSD Service
- Conclusion
- Frequently Asked Questions

A Short Note About SSSD & Realmd

System Security Services Daemon (SSSD) is an open-source service that lets Unix and Linux machines authenticate against a central identity source as easily and quickly as with local user accounts, while keeping the communication between the client machine and Active Directory secure across the network.
SSSD does this by tying a number of different protocols and services, such as LDAP, Kerberos, PKI services, bash shells and home directory sharing, into one secure system that adapts easily to multiple environments.

Realmd is a high-level DBus interface used by administrators to set up integration with centralized identity sources such as Microsoft's Active Directory (from Windows Server 2000 onwards) through simple commands.
It uses SSSD underneath, through the SSSD AD provider module, to join Ubuntu machines into Active Directory domains using realm commands.
Prerequisites
Before attempting to join Ubuntu to an Active Directory domain, make sure your system has the necessary packages installed: the sssd-as package, the sssd-tools package, realmd and adcli. And, of course, you need an Active Directory domain and an AD administrator account.
Let's quickly round up the packages required to join Ubuntu to an Active Directory domain.
Sssd-as Package
The sssd-as package stands for System Security Services Daemon (SSSD) Authentication Service and provides authentication and identity services on Unix/Linux systems.
It provides a centralised directory resource, simplifying the authentication of users with Active Directory credentials in Ubuntu environments. The sssd-as package also allows administrators to control access permissions and roles remotely, and enables user login from other clients connected to the same domain controller.
With this feature, users can log on with their AD accounts remotely without needing an explicit local account on the host machine. This improves security by limiting admin privileges so that only authorised personnel can perform certain tasks, such as changing the system configuration or installing packages through sudo.
Sssd-tools Package
The sssd-tools package is an essential part of a successful join of Ubuntu to an Active Directory domain. It consists of commands, libraries and files that let you manage users, groups, connections and other data associated with SSSD (System Security Services Daemon).

With this package installed, the Ubuntu system can apply access control using the generic settings in the sssd.conf file, while providing account information such as automatic home directory creation when additional information is requested during login because of AD user membership or settings inherited from a container.
The package also enables role-based access control for specified roles, so connections between endpoints are secured with Kerberos authentication and an authorization policy for realm operations, such as joining a realm/domain.
Realmd Package
The realmd package simplifies joining an Ubuntu system to a Windows Active Directory domain, allowing IT professionals to quickly and easily link their machines with their preferred network services.
The process involves discovering, connecting, managing and auto-configuring Linux systems into an established Windows domain, which includes automatic home directory creation for all users that authenticate against the AD server.
It also assists in managing user logins as well as other configuration such as sudoers file security controls, along with further configuration prompts for complex settings like Kerberos tickets or alternative domains.
By leveraging the "realm" command line tool, IT professionals can join multiple computers within minutes using simple one-liner commands. Furthermore, realmd provides fast authentication by automatically detecting available Domain Controllers (DCs) on the same network without any manual configuration.
Adcli
Adcli is a useful command line tool that simplifies connecting a Linux machine such as Ubuntu to an Active Directory domain. It provides a range of options and commands that let users join their computers or virtual machines to the domain with ease, avoiding complex configuration settings.
adcli makes it easy for IT professionals working with Ubuntu systems to use short commands to perform actions in an Active Directory domain, such as creating computer accounts and joining them to realms.
How To Join Ubuntu To An Active Directory?
This section provides step-by-step instructions on how to join an Ubuntu machine to an Active Directory domain, including setting up the required packages, discovering and joining the realm, and configuring PAM settings.
Time needed: 10 minutes

1. Update The System

Before joining an Ubuntu system to a Windows Active Directory Domain Controller, it is good practice to make sure the local system and all related packages are up to date.

This initial step ensures that the latest security patches and bug fixes have been applied, avoiding crashes or other malfunctions caused by outdated, incompatible dependencies.

This stage also ensures that required tools such as the sssd-as package, sssd-tools package, realmd package and adcli are updated so they can support managing a Windows domain on Linux machines.

Furthermore, failing to update may result in incompatibilities with certain setup steps that prevent a successful connection between the AD DC realm and the Linux environment, interrupting authentication attempts by users associated with both domains.

Run this command to update the Ubuntu repository database:

sudo apt update
2. Install The Required Packages
To join Ubuntu to an Active Directory, the first step is installing three packages: sssd-as, sssd-tools and realmd. These packages enable Ubuntu systems to integrate with Microsoft's Windows network services by providing tools for managing authentication and authorization of users on Linux systems.

SSSD (System Security Services Daemon) integrates your local environment with the remote identity provider, in this case Windows Active Directory. When using SSSD you also need adcli, a command line tool that lets users manage their resources in an AD domain or forest without any manual setup or configuration files such as smb.conf or the krb5 configuration files.

# the SSSD Active Directory provider package is named sssd-ad on Ubuntu
sudo apt install sssd-ad sssd-tools realmd adcli

3. Set The DNS Server To Point To The DC Controller
Once the necessary packages are installed (Step 2), the next step in joining Ubuntu to an Active Directory is configuring the DNS settings. The Domain Name System (DNS) maps a device's fully qualified domain name (FQDN) to its IP address, and it is key for communication between devices on a network.

When connecting Linux machines such as Ubuntu systems to Active Directory realms, the address of one or more Domain Controllers must be set that match the FQDN used for discovering and joining in Step 4 later in this tutorial.

This point should be considered carefully, since unexpected results may arise from a typo of even a single character in either the hostname or the IP address fields.

We will set the DNS server to point to the DC controller (which is the same server in this demo) by editing the /etc/resolv.conf file and its nameserver entry:
sudo vim /etc/resolv.conf

4. Discover The Realm

Discovering the realm is an important step in joining Ubuntu to an Active Directory. The realmd service is used for this purpose; it simplifies integrating a Linux machine with an Active Directory domain, including automatically configuring required packages such as sssd, adcli and other related software.

By discovering the realm associated with your organisation's Windows Domain Controller, you retrieve useful information about the Domain Controllers (DCs) associated with it, which is used when establishing communication between Ubuntu machines and the DC(s).

It is also important to check DNS resolution on all participating machines before continuing; common errors here may indicate that realm discovery has not been successful or that authentication through Active Directory will fail due to incorrect settings.

Run this command to check whether we can discover the realm we are trying to connect to:

sudo realm -v discover dc.thesecmaster.com

5. Joining The Realm

One of the most important steps in joining an Ubuntu machine to an Active Directory domain is joining the realm. After properly setting up the DNS server and installing the required packages, it is time to join the Linux host to the domain controller (DC).

The standard way of adding a Linux machine to Microsoft Active Directory using realmd and adcli requires running two commands, one for discovering the realm and another for joining it: sudo realm discover AD_DOMAIN_NAME followed by sudo realm join --user=UserName %REALM_NAME%.

Before initiating this process, make sure your user has the permissions necessary for managing AD users/groups. Valid credentials are also essential, or you will not be able to proceed with authentication.

Once everything goes successfully, you should receive a message indicating "Successfully enrolled machine in Realm".
sudo realm join dc.thesecmaster.com

This command does not print any confirmation on success. It will, however, create the configuration for sssd. Realm allows us to connect to the AD, but sssd provides additional features that complement realm, such as caching, offline authentication and more.

6. Configure SSSD
Configuring SSSD is one of the key steps when joining Ubuntu to an Active Directory (AD). It provides authentication and authorization services on Linux and Unix-based systems, enabling users to log in with AD accounts.

For configuration, you will need the sssd-as package (containing the libpam_sssd and libnss_sssd modules) as well as the sssd-tools package, the realmd charon package, and adcli. To configure SSSD on a local machine, use the sudo su command for root access before editing or creating the /etc/sssd/sssd.conf file.

Careful attention to detail is necessary: it is important to ensure all parameters are configured correctly, including setting up the domains properly. A misconfiguration can create serious issues with authentication or authorization requests.

Here is the sssd configuration:

Now modify it and add the following line to the configuration:

ad_gpo_access_control = permissive
Without this gpo setting, you might encounter a "System error" message when trying to log in as an AD user.

sudo vim /etc/sssd/sssd.conf

7. Restart SSSD Service

Once the SSSD configuration has been completed and verified, you must restart the SSSD service for the changes to take effect. If this step is skipped, further attempts to log into Active Directory through Ubuntu will fail because the new settings have not been applied yet.

The command that restarts SSSD is "systemctl restart sssd", executed with root privileges using sudo.

Restarting SSSD ensures that all configuration is properly applied and loaded into memory, allowing users to authenticate against Active Directory without issue.

The permissions of the file must be 600, which is set by default when realm creates the configuration:
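
The edit in Step 6 and the 600 permission check above, as an added shell example (not from the original post): it inserts or replaces an option inside the [domain/...] section of sssd.conf without duplicating it, then locks the file to root-only mode 0600. The domain name thesecmaster.com and the sample configuration in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): edit sssd.conf safely. It sets an
# option inside the [domain/...] section without duplicating it and then locks
# the file down to mode 0600, which sssd requires before it will start.
# The domain thesecmaster.com and the sample config in the usage are constructed.

# set_sssd_domain_option FILE DOMAIN KEY VALUE
# Replaces KEY if [domain/DOMAIN] already has it, otherwise appends it to the
# end of that section. Fails if the section does not exist.
set_sssd_domain_option() {
    file=$1; domain=$2; key=$3; value=$4
    if ! grep -q "^\[domain/$domain\]" "$file"; then
        echo "no [domain/$domain] section in $file" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v sect="[domain/$domain]" -v key="$key" -v val="$value" '
        /^\[/ {                                  # a section header
            if (insect && !done) { print key " = " val; done = 1 }
            insect = ($0 == sect)
        }
        insect && match($0, "^[ \t]*" key "[ \t]*=") {   # existing line: replace
            print key " = " val; done = 1; next
        }
        { print }
        END { if (insect && !done) print key " = " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rm -f "$tmp"
}

# lock_sssd_conf FILE: root-only permissions; chown only when we are root.
lock_sssd_conf() {
    chmod 600 "$1"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
}

# conf_mode FILE: print the octal mode, e.g. 600.
conf_mode() { stat -c '%a' "$1"; }

# On a joined host (run as root):
#   set_sssd_domain_option /etc/sssd/sssd.conf thesecmaster.com \
#       ad_gpo_access_control permissive
#   lock_sssd_conf /etc/sssd/sssd.conf
#   sssctl config-check && systemctl restart sssd
# permissive means GPO logon rights are evaluated and logged but a denial does
# not block the login; move to "enforcing" once the GPO side is fixed.
```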

8. Verify The SSSD Service

Verifying the System Security Services Daemon (SSSD) service is an essential step in joining Ubuntu to an Active Directory. SSSD is the main piece of software for connecting Linux machines to Windows AD domains and ensuring that authentication, authorization, user/group information and more are configured correctly.

If this software is not verified properly, users may be unable to access their domain accounts or may experience other issues, such as automatic home directory creation failing.
It is also important to address any errors that arise when running the command sudo systemctl status sssd before proceeding with the further steps outlined in this guide.

Troubleshooting DNS resolution and verifying AD user permissions are useful initial approaches if these kinds of errors occur while verifying SSSD.

We should now be able to fetch information about the AD users:

9. Enable PAM
PAM, or the "Pluggable Authentication Modules", is an authentication framework that supervises how applications authenticate to services and resources. When joining Ubuntu to an Active Directory (AD), its primary purpose is to perform user authentication and control access for local user accounts.

To enable this process in a secure way, specific PAM settings need to be configured on the Ubuntu machine. The first step involves editing /etc/pam.d/common-session with SSSD as the default session type, if it is not already selected by default.

Following this, various other options are available, such as adding AD users to the sudoers file so they can execute 'sudo' commands as root, configuring the automatic home directory creation option for newly created domain users, etc. Additionally, it is also necessary to configure the relevant LDAP attributes corresponding to each PAM module set up on the system; this helps ensure that only authorized AD user accounts are permitted to log in from their respective terminals or virtual machines on the same network.

Or you can use this command to enable PAM:

sudo pam-auth-update --enable mkhomedir
10. Verify The Administrator AD Account Login
Verifying the Administrator AD account login after joining Ubuntu to an Active Directory is essential to ensure a successful integration. Without it, admins may experience errors when trying to authenticate users or access resources such as home directories, application support files, etc. It is important to ensure that all steps were completed correctly before attempting this step, as not doing so could cause security issues, since other Active Directory accounts on the network would be able to log in and gain access to your system.

To verify the Administrator AD account login, check that you have set up DNS properly (including both forward and reverse lookups), and make sure that users have been given appropriate permissions for working with resources (i.e., read/write/execute rights).

If you have difficulties during this process, make sure the SSSD service is restarted, and consider using sudo commands such as realm permit --all, which can help manage domain user accounts on the local machine.

It might take a few seconds at first login, but it should be quicker on the next login!
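
The verification in Steps 8 and 10, as an added shell example (not from the original post): it reads the text that realm list prints to confirm the join state and to report the login policy, which is what realm permit changes. The realm thesecmaster.com, the placeholder account name and the sample output embedded below are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checks for after the join. They
# parse the text that `realm list` prints, so they can be run against a sample;
# the realm thesecmaster.com and the sample output below are constructed.

# realm_state OUTPUT: prints "joined" when OUTPUT shows the realm configured as
# a kerberos-member with sssd as the client software, else "not-joined".
realm_state() {
    printf '%s\n' "$1" | awk '
        $1 == "configured:"      && $2 == "kerberos-member" { joined = 1 }
        $1 == "client-software:" && $2 == "sssd"            { sssd = 1 }
        END { if (joined && sssd) print "joined"; else print "not-joined" }'
}

# realm_login_policy OUTPUT: prints the login-policy value, e.g.
# allow-realm-logins (set by "realm permit --all": every AD account may log in)
# or allow-permitted-logins (set by "realm permit -g GROUP": only the listed
# users/groups). A policy restricted to a group is the safer default.
realm_login_policy() {
    printf '%s\n' "$1" | awk '$1 == "login-policy:" { print $2; exit }'
}

# Constructed sample of what `realm list` prints on a joined Ubuntu host.
SAMPLE_REALM_LIST='thesecmaster.com
  type: kerberos
  realm-name: THESECMASTER.COM
  domain-name: thesecmaster.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@thesecmaster.com
  login-policy: allow-realm-logins'

# On a joined host: sh verify-join.sh --live
if [ "${1:-}" = "--live" ]; then
    out=$(realm list)
    echo "join state:   $(realm_state "$out")"
    echo "login policy: $(realm_login_policy "$out")"
    # resolve an AD account through sssd (the account name is a placeholder)
    getent passwd administrator@thesecmaster.com && id administrator@thesecmaster.com
fi
```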


Troubleshooting Tips
Troubleshooting common issues that may arise during the integration process can be tricky. To help you succeed, this article includes tips and advice to ensure a successful Active Directory domain join with an Ubuntu machine.
Check DNS Resolution
This step is crucial for configuring the connection between your Ubuntu machine and the Active Directory domain. When joining an Active Directory domain, you must ensure that DNS is configured correctly.
This means that all of your server's IP addresses should be assigned via a DHCP server on the same network as the domain. If any of these settings (IP address, subnet mask, default gateway, etc.) are incorrect or not set properly, it can affect how easily you can access resources in the other network/domain.
Additionally, correct DNS resolution gives users quick name resolution for known machines on their local network or in the remote areas hosted by a DNS server associated with your AD domain.
Failing to configure this step properly may leave users unable to log in or authenticate, or worse, cause delays in what should otherwise be smooth browsing and communication between machines on both networks. To verify this setting, look at the entries in the /etc/resolv.conf file and make sure all nameservers needed for authentication are listed there.
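
The resolv.conf check described here and the DNS setup in Step 3, as an added shell example (not from the original post): one function validates a resolv.conf file offline, and a second does the live lookups that realm discover depends on (the AD SRV records and the reverse lookup of each DC). The DC address 192.0.2.10, the domain thesecmaster.com and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): DNS sanity checks to run before
# "realm discover". The DC address 192.0.2.10 and the domain thesecmaster.com
# used in the samples are constructed; replace them with your own.

# check_resolv_conf FILE DC_IP DOMAIN
# Succeeds only when the first nameserver in FILE is the domain controller and
# DOMAIN appears in a search/domain line, so short names resolve via the DC.
check_resolv_conf() {
    file=$1; dc_ip=$2; domain=$3
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    if [ "$first_ns" != "$dc_ip" ]; then
        echo "first nameserver is '${first_ns:-none}', expected $dc_ip" >&2
        return 1
    fi
    # escape the dots so the domain is matched literally
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if ! grep -Eq "^(search|domain)[[:space:]]+(.*[[:space:]])?$esc([[:space:]]|\$)" "$file"; then
        echo "no search/domain entry for $domain" >&2
        return 2
    fi
    return 0
}

# check_dc_records DOMAIN
# Live lookups (needs the dig tool and network access): the SRV records that
# realm discover and Kerberos rely on, plus a PTR record for each DC address.
check_dc_records() {
    domain=$1; rc=0
    for rr in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        if [ -z "$(dig +short "$rr" SRV)" ]; then
            echo "missing SRV record $rr" >&2; rc=1
        fi
    done
    for ip in $(dig +short "$domain"); do
        [ -n "$(dig +short -x "$ip")" ] || { echo "no PTR for DC $ip" >&2; rc=1; }
    done
    return $rc
}

# Usage on a real host: sh dns-check.sh --live thesecmaster.com 192.0.2.10
if [ "${1:-}" = "--live" ]; then
    check_resolv_conf /etc/resolv.conf "$3" "$2" && check_dc_records "$2"
fi
```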
Verify AD User Permissions
It is fundamentally important to verify AD user permissions prior to joining Ubuntu to an Active Directory. This can be done by ensuring that the server has joined the domain successfully and that it functions as expected; for instance, when a terminal window is open, users should be able to log into their own accounts using their domain username/password.
In addition, any necessary privileges must be specified so that admin accounts can configure the system settings of other users on the domain without running into permission issues.
Furthermore, if automatic home directory creation is enabled on the Active Directory server side when a new account is created, enabling this functionality in the sssd configuration file will allow the Ubuntu machine(s) to access those directories automatically when the respective users log on in the AD-integrated environment.
Restart SSSD Service
Restarting the System Security Services Daemon, more commonly known as SSSD, is an important troubleshooting step when joining Ubuntu to an Active Directory domain.
This can become necessary if you encounter issues such as access denied errors or authentication failures while attempting to log in. Restarting the service refreshes the variables cached for the account and allows any changes made since initially joining the network (such as new login credentials) to be applied correctly.
It also allows many potential glitches in communication between your systems and known Domain Controllers (DCs) on the network to reset, as well as picking up IP address updates that may have been overlooked before due to out-of-date DHCP server settings.
Conclusion
The step-by-step guide for joining Ubuntu to an Active Directory domain is an
important process for IT professionals. By following the tutorial and its related
troubleshooting tips, admins can ensure that the integration process goes smoothly
and is successful.


It is important to understand the benefits of configuring Kerberos authentication with AD users, including single sign-on capability for tools such as Office 365, Windows Auth Manager and Samba SMB file shares, but also the potential compatibility challenges that may arise with older versions of software or when integrating with legacy systems that do not use modern SSO standards.
After successfully completing this setup, users should be able to log into their local Linux accounts through a user in an Active Directory domain.
We hope this guide has helped you understand how to join Ubuntu to an Active Directory Domain Controller. Thanks for reading this tutorial post. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.


Frequently Asked Questions:

1. What is an Active Directory and why should I join Ubuntu to it?
Active Directory (AD) is a tool used by businesses to store user information, control access permissions and provide secure authentication for other users joining the network. Joining Ubuntu to AD allows organizations using both systems to keep their identities synchronized securely across multiple platforms and networks.
2. How do I get started joining my Ubuntu machine with Active Directory?
Before you can join your Ubuntu machine to Active Directory, you will need the appropriate credentials with permission rights to make changes in AD or to install the packages needed for integration with Ubuntu, depending on your particular setup. Additionally, it is recommended to create backups of data prior to making any changes or joining machines, and to use encryption when transferring this type of administrative information via email servers etc.
3. What software do I need for integration?
It is necessary to have compatible versions installed, such as the Samba 4 server package and Kerberos client utilities, which are typically used during the process for things like Netauth queries. Additionally, it might be necessary to configure a plug-in architecture for universal security if you plan to use more than one form of authorization protocol when authenticating end users connecting to the network, which would require additional software installs on currently supported Linux distributions such as Red Hat.
4. Is there a specific port number associated with configuring connections between AD & Ubuntu?
Yes. In general, most ports under 1023 are protected against unauthorized access or value changes, so it is suggested to use a higher one (e.g., 1024-65535). Technically, you could also consider proxies if you want to increase encryption levels further, such as preventing DDoS attacks while associating terminal endpoints that actively transmit below certain thresholds set by independently configured rules.

About the author
Arun KL
Hi all, I am Arun KL, an IT security professional and founder of "thesecmaster.com". Enthusiast, security blogger, technical writer, editor and author at TheSecMaster. To know more about me, follow me on LinkedIn.