Monday, July 13, 2020

Integrating Ubuntu with Active Directory

Having a single sign-on (SSO) option is great for a company: it is a requirement in some security certifications and it eases administration. Without SSO, every time a new employee joins or an existing one leaves, the IT team has to create or delete user accounts on multiple servers. SSO can be provided by Active Directory, Samba or another directory technology. Since many companies already have an AD, the following is a way to use it for this purpose.

The following guide is based on Ubuntu 20.04, but the steps are the same for Ubuntu 16.04 and 18.04.

Before adding an Ubuntu server to AD we need some prerequisites. The steps for these prerequisites differ slightly between Ubuntu versions.

Prerequisites

1. Set the DNS servers on the Ubuntu server to the same DNS servers used by Active Directory (these could be the AD servers themselves).

   1. Ubuntu 16.04 - add a nameserver record to the /etc/resolvconf/resolv.conf.d/head file.

   2. Ubuntu 18.04 and 20.04

      1. Install resolvconf:

         apt install resolvconf

      2. Disable the systemd stub resolver:

         systemctl disable systemd-resolved
         systemctl stop systemd-resolved

      3. Add the required nameservers to /etc/resolvconf/resolv.conf.d/head:

         nameserver <ip of name server>

      4. Reboot.

2. Configure the Ubuntu server to use an NTP server for time sync. Kerberos will not work if there is a time difference between client and server.

   1. Install ntp on the client:

      apt install ntp

   2. Configure the ntp daemon to sync with an NTP server (preferably the AD server):

      1. Open /etc/ntp.conf.

      2. Comment out the Ubuntu NTP pool records (entries starting with "pool").

      3. Add the following lines below the pool records:

         server 192.168.1.20 prefer iburst
         server 192.168.1.2 prefer iburst

      4. Restart the ntp service.

      5. Check that ntp is synchronizing with the configured NTP servers:

         ntpq -p

Procedure for integrating Ubuntu with Active Directory

1. Back up pam.d:

   cp -r -p /etc/pam.d /etc/pam.d_old

2. Install the required packages:

   sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

   Select "yes" at the package configuration screen.

3. Join the Ubuntu server to the AD domain:

   realm join -U <Administrator account for the Domain> enactor.local

4. Check that the Ubuntu server joined the AD successfully:

   realm list
   id user@domain

5. Replace the contents of /usr/share/pam-configs/mkhomedir with the following:

   Name: Create home directory on login
   Default: yes
   Priority: 900
   Session-Type: Additional
   Session-Interactive-Only: yes
   Session:
   required pam_mkhomedir.so umask=0022 skel=/etc/skel

6. Allow groups from the AD to SSH in to the server:

   realm permit -g 'group name'

7. Open the /etc/sssd/sssd.conf file with a text editor and change the value of "use_fully_qualified_names" from True to False. This is optional: if it is not changed, users will have to log in with the fully qualified user name (user@domain).

8. Enable the mkhomedir PAM plugin so that a home directory is created automatically for AD users at first login:

   sudo pam-auth-update --enable mkhomedir

9. Restart the sssd service:

   service sssd restart

10. Grant sudo access to the required AD groups:

    1. Create a new file /etc/sudoers.d/domain_admins.

    2. Add the following line to it (spaces in the group name must be escaped with a backslash):

       %group\ name ALL=(ALL) ALL
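The three things that most often go wrong after this procedure are NTP not actually selecting a peer, the sssd.conf setting from step 7 not taking effect, and a sudoers line with an unescaped space. The helpers below, added here as an example and not part of the original post, check each of these; they work on text passed in, so they run against the constructed sample data included and equally against a live server (for example ntp_selected_peer "$(ntpq -p)" or sssd_fqn_setting "$(cat /etc/sssd/sssd.conf)").

```shell
#!/bin/sh
# Post-join sanity checks (example code, not from the original post).

# Print the peer ntpd has selected for synchronization. ntpq -p marks it with
# '*' in column 1; '+' means a candidate only, and no '*' line means not synced.
# Returns 1 when no peer is selected.
ntp_selected_peer() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, "", $1); print $1; found=1 }
                              END { exit !found }'
}

# Print the effective use_fully_qualified_names value from an sssd.conf body,
# skipping commented lines and trimming whitespace; prints "unset" if absent.
sssd_fqn_setting() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*[#;]/ { next }
        $1 ~ /^[[:space:]]*use_fully_qualified_names[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); v = $2 }
        END { print (v == "" ? "unset" : tolower(v)) }'
}

# Build the /etc/sudoers.d line for an AD group. AD group names often contain
# spaces, which must be backslash-escaped or visudo rejects the file.
sudoers_group_line() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Constructed sample output of `ntpq -p` after the NTP step (AD server selected).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.20    .LOCL.           1 u   36   64  377    0.310   -0.012   0.021
+192.168.1.2     192.168.1.20     2 u   40   64  377    0.402    0.105   0.030'

# Constructed sssd.conf fragment after step 7 of the procedure.
SAMPLE_SSSD='[sssd]
domains = enactor.local
[domain/enactor.local]
# use_fully_qualified_names = True
use_fully_qualified_names = False'

peer=$(ntp_selected_peer "$SAMPLE_NTPQ") || { echo "NTP: no peer selected"; exit 1; }
echo "NTP selected peer: $peer"
echo "use_fully_qualified_names: $(sssd_fqn_setting "$SAMPLE_SSSD")"
sudoers_group_line "Linux Admins"
```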