Join Ubuntu to AD, give AD group sudo access

Install the following:
sudo apt install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y

Make sure DHCP has handed out the domain controller's IP as the DNS server; the join relies on resolving the domain's DNS records. If not, you can set it manually in /etc/resolv.conf.

Edit the host entry in /etc/hosts so it reads (FQDN first, then the short name): ubuntu1.domain.local ubuntu1

Run this command:
sudo hostnamectl set-hostname ubuntu1

Join the domain, placing the computer object in the correct OU. Make sure the domain portion of the user string is in capitals (it is the Kerberos realm name, which is case-sensitive); otherwise obtaining a Kerberos ticket will fail.
sudo realm join -v -U 'administrator@DOMAIN.LOCAL' domain.local --computer-ou='OU=Servers,OU=CORP,DC=Domain,DC=local'

The /etc/sssd/sssd.conf and /etc/krb5.conf files will be configured automatically by the join.

Switch PasswordAuthentication from "no" to "yes" in /etc/ssh/sshd_config so AD users can log in over SSH with their domain password. sshd uses the first value it reads for a setting, so also check any files pulled in by an Include line at the top of sshd_config, which would otherwise override your change.

Modify /etc/sssd/sssd.conf with the following (the first line lets users log in with the bare username instead of username@domain.local; the second keeps the home directory at /home/username rather than /home/username@domain.local):
use_fully_qualified_names = False
fallback_homedir = /home/%u

Allow the AD group to SSH into the server. This command edits /etc/sssd/sssd.conf for you:
sudo realm permit -g <AD group name>

Add the following to /etc/sudoers to allow sudo access to the group or user (the line below is the per-user form):
username@domain.local ALL=(ALL) NOPASSWD: ALL
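The post's title is about giving an AD group sudo access, so here is the group form as an added example (not part of the original post): the rule is written as a drop-in under /etc/sudoers.d, which Ubuntu's /etc/sudoers includes by default, and validated with visudo -cf before it can take effect. In sudoers a leading % marks a group, and spaces in AD group names (common) must be backslash-escaped. With use_fully_qualified_names = False the group is named without the @domain.local suffix. The group name "linux admins" and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sudo rule for an AD group as a
# /etc/sudoers.d drop-in, checked with visudo before use. Group name and paths
# are placeholders.

# sudoers_group_rule GROUP [nopasswd] : print the rule. "%" marks a group and
# spaces in the AD group name are backslash-escaped as sudoers requires.
# Pass "nopasswd" to reproduce the post's NOPASSWD: rule; omit it to keep the
# password prompt.
sudoers_group_rule() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    if [ "$2" = "nopasswd" ]; then
        printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$escaped"
    else
        printf '%%%s ALL=(ALL) ALL\n' "$escaped"
    fi
}

# write_sudoers_dropin GROUP FILE [nopasswd] : write the rule to FILE with the
# 0440 mode sudo expects; non-zero if the file could not be written.
write_sudoers_dropin() {
    sudoers_group_rule "$1" "$3" > "$2" || return 1
    chmod 0440 "$2" || return 1
}

# validate_sudoers_dropin FILE : syntax-check FILE with visudo -cf and delete it
# on failure, so a typo never leaves a broken file in /etc/sudoers.d.
validate_sudoers_dropin() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" || { rm -f "$1"; return 1; }
    fi
}

# Typical use on the joined host (as root), assuming the AD group "linux admins":
#   write_sudoers_dropin 'linux admins' /etc/sudoers.d/ad-linux-admins nopasswd
#   validate_sudoers_dropin /etc/sudoers.d/ad-linux-admins
```

If sssd is left with fully qualified names, the same rule is written as %linux\ admins@domain.local instead.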

Allow mkhomedir to do its job when an AD user logs in for the first time. Open /etc/pam.d/sshd and insert the line immediately after the first "session" entry (the module name, pam_mkhomedir.so, is required):
sudo nano /etc/pam.d/sshd
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Restart both sssd and sshd:
sudo systemctl restart sssd
sudo systemctl restart sshd

Try logging in with a user from the AD group specified above. If you attempt a login with a user outside the group, the server should close the connection immediately.

ssh 'domain\username'@ubuntu1.domain.local

The DOMAIN\username part must be quoted or the shell swallows the backslash. Because use_fully_qualified_names was set to False above, the plain form ssh username@ubuntu1.domain.local works as well.
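Before testing the login, it helps to confirm that each step above actually landed in the files it touches. The script below is an added example, not part of the original post. It assumes the join left the settings described in this post in place: realm permit -g records the group in sssd.conf as access_provider = simple plus a simple_allow_groups entry, the PAM line loads pam_mkhomedir.so, and sshd uses the first value it reads for PasswordAuthentication (so a drop-in included at the top of sshd_config wins over a later line). The ROOT argument is a path prefix so the checks can run against a copy of /etc; on the joined box pass "". The DC address 10.0.0.5 and the group "linux admins" are placeholders. Note that on Ubuntu releases using systemd-resolved, /etc/resolv.conf normally points at 127.0.0.53 and the real upstream DNS server is shown by resolvectl status, so the resolv.conf check only applies if you set the nameserver there as described above; sshd -T shows the effective sshd settings authoritatively.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only audit of the files the
# join steps change. ROOT prefixes every path so a copy of /etc can be checked;
# use ROOT="" on the joined host. DC IP and group name are placeholders.

fails=0

# run_check LABEL CMD ARGS... : run CMD, print ok/FAIL with LABEL, count failures
run_check() {
    label="$1"; shift
    if "$@"; then printf 'ok   %s\n' "$label"
    else printf 'FAIL %s\n' "$label"; fails=$((fails + 1)); fi
}

# key_equals FILE KEY VALUE : 0 if FILE has an ini-style "KEY = VALUE" line (case-insensitive)
key_equals() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# group_permitted FILE GROUP : 0 if GROUP is in the comma-separated simple_allow_groups list
group_permitted() {
    grep -Eiq "^[[:space:]]*simple_allow_groups[[:space:]]*=(.*,)?[[:space:]]*$2[[:space:]]*(,|$)" "$1"
}

# sshd_password_auth FILE : 0 if the FIRST uncommented PasswordAuthentication is yes
# (sshd keeps the first value it reads, so an earlier Include'd drop-in wins)
sshd_password_auth() {
    val=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# pam_mkhomedir_present FILE : 0 if a session line loads pam_mkhomedir.so
pam_mkhomedir_present() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# resolv_has_nameserver FILE IP : 0 if IP appears as a nameserver line
resolv_has_nameserver() {
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ip}[[:space:]]*$" "$1"
}

# hosts_has_fqdn FILE FQDN SHORT : 0 if some address maps to "FQDN SHORT"
hosts_has_fqdn() {
    fqdn=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*[0-9A-Fa-f:.]+[[:space:]]+${fqdn}[[:space:]]+$3([[:space:]]|$)" "$1"
}

# check_all ROOT DC_IP GROUP FQDN SHORT : run every check, return the number of failures
check_all() {
    root="$1"; dc="$2"; group="$3"; fqdn="$4"; short="$5"
    fails=0
    run_check "resolv.conf lists the DC as nameserver"   resolv_has_nameserver "$root/etc/resolv.conf" "$dc"
    run_check "/etc/hosts maps FQDN and short name"       hosts_has_fqdn "$root/etc/hosts" "$fqdn" "$short"
    run_check "sssd: use_fully_qualified_names = False"   key_equals "$root/etc/sssd/sssd.conf" use_fully_qualified_names False
    run_check "sssd: fallback_homedir = /home/%u"         key_equals "$root/etc/sssd/sssd.conf" fallback_homedir '/home/%u'
    run_check "sssd: access_provider = simple"            key_equals "$root/etc/sssd/sssd.conf" access_provider simple
    run_check "sssd: group is in simple_allow_groups"     group_permitted "$root/etc/sssd/sssd.conf" "$group"
    run_check "sshd: PasswordAuthentication yes (first value)" sshd_password_auth "$root/etc/ssh/sshd_config"
    run_check "pam sshd: pam_mkhomedir.so session line"   pam_mkhomedir_present "$root/etc/pam.d/sshd"
    return $fails
}

# On the joined host, with placeholder DC address and group:
#   check_all "" 10.0.0.5 'linux admins' ubuntu1.domain.local ubuntu1
```

A non-zero exit count points at the step to revisit; running it again after the sssd and sshd restarts confirms nothing was reverted.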

If you need to automount a DFS share, follow my other blog post -->
