« Previous 1 2 3 Next »
Integrating a Linux system with Active Directory
Gardening
Time Synchronization
Active Directory uses the Kerberos protocol for authentication purposes. However, this protocol is sensitive to clock timings between systems collaborating in a Kerberos domain. Consequently, if the time difference between the Ubuntu system and the Active Directory controller is more than five minutes, authentication against the Active Directory controller will ultimately fail [3].
Primarily, Unix and Linux systems use the Network Time Protocol (NTP) for time synchronization (e.g., Ubuntu uses the default NTP server at ntp.ubuntu.com ). No timing differences can exist between the Ubuntu machine and the Active Directory controller, so you can't use an external timing source.
To configure the Ubuntu machine to use the Active Directory controller as its NTP server, install and configure a service like NTP or chrony. If everything has been set up correctly, enter
$ ping example.com $ ping WIN-2RIFAMT88GR.example.com
to make sure the Ubuntu machine can now ping the domain name and the Active Directory FQDN.
Discovering a Domain
The realmd system D-Bus service manages discovery and registration in realms, such as Active Directory domains. To install the package and check the members already enrolled or registered with the Active Directory domain, enter
$ sudo apt install realmd $ realm list
An empty result shows that no machines are enrolled so far. Now discover your domain (example.com here) by running the command
$ realm discover example.com
After successfully discovering the domain, you'll see output similar to that shown in Listing 1. Interestingly, the result also lists the requisite and most appropriate packages for joining the domain. The command
Listing 1
Discovering the Domain
vagrant@node1: $ realm discover example.com example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: no server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin
$ sudo apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin
installs those packages.
Joining a Domain
The configured: no option shown in Listing 1 indicates that the system isn't ready to join the Active Directory domain. To do so, you can simply run the realm join command (Figure 2):
$ sudo realm join example.com -v
Figure 2: Joining the domain with the realm join command.
A second realm discover command shows the change (Figure 3).
Figure 3: The configured domain after issuing the realm join command.
The default approach of realm is to log in from the domain administrator's account. However, you can use the -U switch to pass a different username [4]. The -v option provides verbose output.
Additionally, the realm tool also creates a configuration for the SSSD and adds modules for PAM and NSS. Furthermore, it has taken care of starting the required services. You can also check the /etc/sssd/sssd.conf<file> file (Listing 2):
Listing 2
Checking sssd.conf
vagrant@node1: $ sudo cat /etc/sssd/sssd.conf [sssd] domains = example.com config_file_version = 2 services = nss, pam [domain/example.com] default_shell = /bin/bash krb5_store_password_if_offline = True cache_credentials = True krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-adcli id_provider = ad fallback_homedir = /home/%u@%d ad_domain = example.com use_fully_qualified_names = True ldap_id_mapping = True access_provider = ad
Moving on, you need to create a home directory for every AD user that will log on to the Ubuntu machine. To set up pam_mkhomedir, run the command (Figure 4)
$ sudo pam-auth-update --enable mkhomedir
Figure 4: Creating the user's home directory and fetching its details.
Additionally, you can fetch the details of an AD user with the command
$ getent passwd Administrator@example.com
At last, you can log in on the Ubuntu machine with the credentials of the Active Directive user and verify that you get the user home directory on the Ubuntu machine with the commands
$ sudo login $ ls /home/
The login command prompts you to supply the username (appended with the domain name) and password (Figure 5).
Figure 5: Logging in with the Active Directory user's credentials.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Remote access with ThinLinc 4.12
The revival of terminal servers during the Covid-19 crisis depended on the IT administrator to enable home office workplaces, with the help of tools like ThinLinc, a Linux remote desktop server. -
Integrating FreeIPA with Active Directory
Many companies use Active Directory for centrally managing existing systems, but if you mix in Linux systems, you have to take care of a few things, such as different forms of integration. We show you how to connect the FreeIPA identity management framework as an interface to an Active Directory domain. -
What's new in Samba 4
In December 2012, the open source world received the first, and very long awaited, release of the Samba 4.x series. -
Samba domain controller in a heterogeneous environment
The open source Samba service can act as an Active Directory domain controller in a heterogeneous environment. -
Migration from LDAP to FreeIPA
The change from centralized user authentication on a vanilla LDAP server to the FreeIPA identity management solution is easier than many admins think. Given attention to a few points, the migration takes very little time and effort.