Join Ubuntu to Active Directory with SSSD

As I mentioned in the previous post, "Join Ubuntu to Active Directory with Samba", SSSD can be used as a quick solution to joining AD on Ubuntu. This is how I’ve done it.

apt update
apt upgrade
apt install vim sssd sssd-ad sssd-tools realmd adcli libnss-sss libpam-sss
# Check that the domain is reachable and see what realmd will configure
realm -v discover xx.example.org
realm join -U administrator -i / xx.example.org
# Create home directories on first login
pam-auth-update --enable mkhomedir
# Let users log in as "user" instead of "user@xx.example.org"
sed -ri 's/(use_fully_qualified_names = )True/\1False/g' /etc/sssd/sssd.conf
# Use the uidNumber/gidNumber attributes stored in AD (rfc2307) instead of IDs that
# SSSD generates from the SID. Every user and group then needs those attributes set
# in AD, or it will not resolve. (realm join --automatic-id-mapping=no writes the same setting.)
sed -ri 's/(ldap_id_mapping = )True/\1False/g' /etc/sssd/sssd.conf
# The seds only change lines that already exist, so confirm both keys are there
grep -E 'use_fully_qualified_names|ldap_id_mapping' /etc/sssd/sssd.conf
# Allow sudo for Domain Admins. Put it in sudoers.d and let visudo check the syntax:
# a typo appended straight to /etc/sudoers locks everybody out of sudo.
echo '%Domain\ Admins ALL=(ALL) ALL' >/etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -cf /etc/sudoers.d/domain-admins
systemctl enable sssd
reboot
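The two sed lines above only work when the key is already present and spelled exactly "True". Here is an added example, not part of the original post, that sets the same two options in the right section of sssd.conf whether the line exists or not, can be re-run without duplicating lines, and keeps the 0600 permission sssd insists on. The sample config it runs against is a constructed, trimmed copy of what realm join writes; xx.example.org is the post's placeholder domain.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed domain: xx.example.org.

# Set KEY = VALUE inside [SECTION] of an ini-style file: replace the line if
# it exists in that section, append it to the section if missing, create the
# section if the file does not have it. Keys with the same name in other
# sections are left alone.
set_ini_option() {
  file=$1 section=$2 key=$3 value=$4
  tmp=$(mktemp)
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    function emit() { if (!done) { print key " = " val; done = 1 } }
    /^\[/ { if (insec) emit(); insec = ($0 == sec) }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { emit(); next }
    { print }
    END {
      if (insec) emit()
      if (!done) { print ""; print sec; print key " = " val }
    }
  ' "$file" >"$tmp"
  cat "$tmp" >"$file"   # cat, not mv: keeps the existing 0600 root:root on sssd.conf
  rm -f "$tmp"
}

# Print the value of KEY in [SECTION], nothing if it is not set there.
get_ini_option() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# The two changes from the post, plus the file mode sssd refuses to start without.
harden_sssd_conf() {
  set_ini_option "$1" "domain/$2" use_fully_qualified_names False
  set_ini_option "$1" "domain/$2" ldap_id_mapping False   # needs uidNumber/gidNumber in AD
  chmod 0600 "$1"
}

# Constructed sample (trimmed) of the sssd.conf realm join generates;
# note ldap_id_mapping is deliberately absent to show the append path.
sample_sssd_conf() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
[sssd]
domains = xx.example.org
config_file_version = 2
services = nss, pam

[domain/xx.example.org]
default_shell = /bin/bash
krb5_realm = XX.EXAMPLE.ORG
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = xx.example.org
use_fully_qualified_names = True
access_provider = ad
EOF
  echo "$f"
}

conf=$(sample_sssd_conf)
harden_sssd_conf "$conf" xx.example.org
harden_sssd_conf "$conf" xx.example.org   # second run must not add duplicate lines
cat "$conf"
rm -f "$conf"
```

For the real file the call is harden_sssd_conf /etc/sssd/sssd.conf xx.example.org, followed by systemctl restart sssd and an id someuser to confirm the uidNumber from AD is what comes back.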

Join Ubuntu to Active Directory with Samba

I’ve set up my own Active Directory domain using Samba 4 as the primary domain controller. The steps below are how I’ve been able to join client machines to that domain. There’s another method using SSSD as well, which I’ll post next. However, as far as I understand, the winbind solution is required for Samba to be able to share folders to AD users. I might be wrong though.

apt update
apt upgrade
apt install vim samba libnss-winbind libpam-winbind
mv /etc/samba/smb.conf /etc/samba/old_smb.conf
cat <<EOT >/etc/samba/smb.conf
#======================= Global Settings =======================
[global]
   log file = /var/log/samba/%m.log
   log level = 1

   workgroup = XX
   security = ADS
   realm = XX.EXAMPLE.ORG
   #winbind refresh tickets = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # Allow login without specifying the domain ("user" instead of "XX\user")
   winbind use default domain = yes

# For testing purposes only (remove for production), add these lines:
   winbind enum users = yes
   winbind enum groups = yes

# Disable printing
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

# Active Directory ID mapping
# The "*" backend handles SIDs from outside the domain (BUILTIN etc.);
# its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
# The domain itself takes uidNumber/gidNumber from AD (rfc2307), so every
# user and group that should log in needs those attributes set.
   idmap config XX: backend = ad
   idmap config XX: schema_mode = rfc2307
   idmap config XX: range = 10000-999999
   idmap config XX: unix_nss_info = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
EOT

cat <<EOT >/etc/krb5.conf
[libdefaults]
        default_realm = XX.EXAMPLE.ORG
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = true
EOT

vim /etc/nsswitch.conf
# Add 'winbind' at the end of passwd and group entries
# Like:
passwd:         files systemd winbind
group:          files systemd winbind

# Join the client to AD
net ads join -U administrator

# Enable smbd to host files
systemctl enable smbd
systemctl start smbd
# Enable winbind to take care of authentication
systemctl enable winbind
systemctl start winbind

# getent should list all AD users and groups with these commands
# (only while "winbind enum users/groups = yes" is set; a single lookup such as
# getent passwd administrator works either way).
getent passwd
getent group

# Allow sudo for Domain Administrators. Put it in sudoers.d and let visudo check
# the syntax: a typo appended straight to /etc/sudoers locks everybody out of sudo.
echo '%domain\ admins ALL=(ALL) ALL' >/etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -cf /etc/sudoers.d/domain-admins
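The smb.conf above has two things worth checking mechanically before winbind is started: the idmap ranges must not overlap (the "*" backend and the XX backend each own a slice, and winbind will not map IDs cleanly if they collide), and the "testing purposes only" enumeration lines tend to be forgotten. The following is an added example, not code from the original post, that checks both; the sample configs it runs on are constructed, using the post's XX placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the post's XX placeholder
# workgroup; the sample smb.conf fragments below are constructed for the demo.

# Exit 0 when every "idmap config DOM : range = LO-HI" line in FILE is
# well-formed and all ranges are pairwise disjoint; print the problem otherwise.
check_idmap_ranges() {
  awk '
    {
      line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
      if (line !~ /^idmap config [^:]+:[ \t]*range[ \t]*=/) next
      split(line, a, ":")                   # a[1]="idmap config XX", a[2]=" range = LO-HI"
      dom = a[1]; sub(/^idmap config[ \t]*/, "", dom); gsub(/[ \t]+$/, "", dom)
      val = a[2]; sub(/^[^=]*=[ \t]*/, "", val)
      if (split(val, r, "-") != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/ || r[1]+0 >= r[2]+0) {
        printf "bad range for %s: %s\n", dom, val; bad = 1; next
      }
      n++; name[n] = dom; lo[n] = r[1]+0; hi[n] = r[2]+0
    }
    END {
      for (i = 1; i <= n; i++)
        for (j = i + 1; j <= n; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "overlap: %s %d-%d vs %s %d-%d\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
            bad = 1
          }
      exit bad + 0
    }
  ' "$1"
}

# Fail if the testing-only enumeration switches were left on; with them every
# getent passwd/group walks the whole directory.
check_enum_off() {
  ! grep -Eiq '^[[:space:]]*winbind enum (users|groups)[[:space:]]*=[[:space:]]*(yes|true)' "$1"
}

# Both checks against one file; usage: check_smb_conf /etc/samba/smb.conf
check_smb_conf() {
  rc=0
  check_idmap_ranges "$1" || rc=1
  check_enum_off "$1" || { echo "winbind enum users/groups still enabled in $1"; rc=1; }
  return $rc
}

# Constructed fragments: "post" mirrors the idmap block of the post,
# "overlap" pulls the domain range down into the default backend's range.
sample_smb_conf() {
  f=$(mktemp)
  if [ "$1" = overlap ]; then xxrange=5000-999999; else xxrange=10000-999999; fi
  cat >"$f" <<EOF
[global]
   workgroup = XX
   security = ADS
   realm = XX.EXAMPLE.ORG
   winbind use default domain = yes
   winbind enum users = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config XX: backend = ad
   idmap config XX: schema_mode = rfc2307
   idmap config XX: range = $xxrange
EOF
  echo "$f"
}

for kind in post overlap; do
  f=$(sample_smb_conf "$kind")
  echo "== $kind =="
  check_smb_conf "$f" && echo "OK"
  rm -f "$f"
done
```

Run it together with Samba's own checks once the file is in place: testparm -s /etc/samba/smb.conf for syntax, net ads testjoin after the join, and wbinfo -t to confirm winbind can use the machine account.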

How to check DNS glue records

"Glue records" are A/AAAA records for a zone's name servers that the parent zone (here .org) hands out together with its NS referral. They are needed when the name servers sit inside the zone they serve: to resolve anything under lan2k.org a resolver must contact ns1.lan2k.org, and without glue it would first have to ask ns1.lan2k.org for the address of ns1.lan2k.org. In my case, using lan2k.org and wanting to host its DNS myself, I had to ask my registrar to add glue records for my name servers to the .org zone.

Running host -t NS lan2k.org prints:
lan2k.org name server ns1.lan2k.org.
lan2k.org name server ns2.lan2k.org.

To get this working, my registrar added these entries as glue records in the .org zone:
ns1.lan2k.org. 86400 IN AAAA 2a01:4f8:200:91f3::6
ns2.lan2k.org. 86400 IN AAAA 2a01:4f8:200:91f4::6
ns1.lan2k.org. 86400 IN A 144.76.218.244
ns2.lan2k.org. 86400 IN A 144.76.218.245

To read these records from .org directly, first find out which servers host .org:
dig +short org. NS

Then ask one of those servers, non-recursively so you get the referral it hands out rather than a cached answer, what it has for lan2k.org:
dig +norec @b0.org.afilias-nst.org. lan2k.org. NS
The NS records come back in the AUTHORITY section and the glue in the ADDITIONAL section.

This means I must keep working name servers on the IPs listed above. If those servers change IP, the registrar has to be told so they can update the glue; changing the A/AAAA records inside the lan2k.org zone itself is not enough, because the parent's copy is what resolvers use to find the zone in the first place.
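The failure mode to watch for is exactly that last sentence: the zone is updated, the glue at the parent is not, and resolution works intermittently depending on which copy a resolver happens to use. Here is an added example, not part of the original post, that extracts the A/AAAA records from dig output, compares the parent's glue with what the zone's own servers answer, and prints the difference. The comparison runs offline on constructed sample data built from the lan2k.org names and addresses above; the glue_check function does the live queries and needs network access and dig.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed
# from the post's lan2k.org name servers; glue_check is the live version.
export LC_ALL=C   # stable sort/comm ordering

# Keep only A/AAAA records from dig output as "name type address" lines.
# dig prints records as:  ns1.lan2k.org.  86400  IN  A  144.76.218.244
extract_glue() {
  awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { print tolower($1), $4, $5 }' | sort -u
}

# $1 = dig output from a parent-zone server, $2 = dig output from the zone's own servers.
# Returns 0 when the address sets match, 1 otherwise (printing what differs).
compare_glue() {
  pf=$(mktemp); cf=$(mktemp)
  printf '%s\n' "$1" | extract_glue >"$pf"
  printf '%s\n' "$2" | extract_glue >"$cf"
  if cmp -s "$pf" "$cf"; then
    rc=0
  else
    rc=1
    echo "only in parent glue:"; comm -23 "$pf" "$cf"
    echo "only in zone data:";   comm -13 "$pf" "$cf"
  fi
  rm -f "$pf" "$cf"
  return $rc
}

# Live check, e.g.: glue_check lan2k.org
# Asks one TLD server non-recursively (the referral carries the glue in its
# ADDITIONAL section), then asks each of the zone's own name servers for its
# A and AAAA records, and compares the two sets.
glue_check() {
  domain=${1%.}; tld=${domain#*.}
  parent=$(dig +short "$tld." NS | head -n 1)
  [ -n "$parent" ] || { echo "no NS found for $tld"; return 2; }
  parent_out=$(dig +norec +noall +additional "@$parent" "$domain." NS)
  zone_out=""
  for ns in $(dig +short "$domain." NS); do
    for type in A AAAA; do
      zone_out="$zone_out
$(dig +norec +noall +answer "@$ns" "$ns" "$type")"
    done
  done
  compare_glue "$parent_out" "$zone_out"
}

# Constructed sample of the ADDITIONAL section a .org server returns for lan2k.org.
sample_parent() {
  cat <<'EOF'
ns1.lan2k.org.    86400   IN   A      144.76.218.244
ns2.lan2k.org.    86400   IN   A      144.76.218.245
ns1.lan2k.org.    86400   IN   AAAA   2a01:4f8:200:91f3::6
ns2.lan2k.org.    86400   IN   AAAA   2a01:4f8:200:91f4::6
EOF
}

# Constructed sample of the zone's own answers; "stale" moves ns2 to a new
# address without the registrar having been told.
sample_zone() {
  ns2=144.76.218.245
  [ "$1" = stale ] && ns2=144.76.218.246
  cat <<EOF
ns1.lan2k.org.    3600   IN   A      144.76.218.244
ns1.lan2k.org.    3600   IN   AAAA   2a01:4f8:200:91f3::6
ns2.lan2k.org.    3600   IN   A      $ns2
ns2.lan2k.org.    3600   IN   AAAA   2a01:4f8:200:91f4::6
EOF
}

compare_glue "$(sample_parent)" "$(sample_zone)" && echo "glue matches zone"
compare_glue "$(sample_parent)" "$(sample_zone stale)" || echo "glue is stale: notify the registrar"
```

Differences in the NS set itself (a server added to the zone but not registered at the parent) show up the same way, since its addresses will be in one list and not the other.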