
Ubuntu: Join a server to an Active Directory domain

  • July 14, 2016
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


Today, we will see how to join an Ubuntu server (version 16.04) to an Active Directory domain. This is useful if, for example, you want your administrators to use their domain accounts to connect to servers.

To start, connect to your server and run the following command to install the packages needed to join the domain:

sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

During the installation, a screen opens and asks for the domain name. Enter it.

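Now you need to synchronize the server's clock with your domain controller, because Kerberos authentication fails when the clocks differ by more than the allowed skew (five minutes by default). Edit the file ntp.conf and provide the name or the IP address of your domain controller: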

sudo vim /etc/ntp.conf

Restart the NTP service:

sudo service ntp restart

You can display the current date and time with the date command.

Now we will configure the Kerberos part. Because our configuration is new, we will delete everything inside the file and insert our new configuration. Execute the following commands:

sudo truncate -s0 /etc/krb5.conf
sudo vim /etc/krb5.conf

Adapt the configuration to your values:

[libdefaults]
ticket_lifetime = 24000
default_realm = FLORENTAPPOINTAIRE.CLOUD
# rc4-hmac and des-cbc-md5 are deprecated enctypes (RFC 8429, RFC 6649);
# keep them only if your domain controllers cannot issue AES tickets.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
FLORENTAPPOINTAIRE.CLOUD = {
  kdc = floapp-dc01.florentappointaire.cloud
  kdc = floapp-dc02.florentappointaire.cloud
  # default_domain takes the DNS domain, not the name of a domain controller
  default_domain = florentappointaire.cloud
}

[domain_realm]
# Map DNS names to the realm name, not to a domain controller
.florentappointaire.cloud = FLORENTAPPOINTAIRE.CLOUD
florentappointaire.cloud = FLORENTAPPOINTAIRE.CLOUD

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
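
A misspelled enctype key in [libdefaults] is ignored without any error, so the cipher list you think you set may never apply. The following check is an added example, not part of the original article: the function names and the WEAK / UNKNOWN-KEY labels are hypothetical, the sample input is constructed, and it assumes the MIT krb5 key names used by the krb5-user package.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes MIT krb5 key names.
# Prints UNKNOWN-KEY for an enctype-looking key libkrb5 would ignore, and
# WEAK for each DES, 3DES or RC4 enctype listed under a recognised key.
audit_krb5_enctypes() {
    awk '
    BEGIN {
        known["default_tgs_enctypes"] = 1
        known["default_tkt_enctypes"] = 1
        known["permitted_enctypes"] = 1
    }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
    section == "[libdefaults]" && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        if (key in known) {
            n = split(val, enc, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (enc[i] ~ /^(des3?|rc4|arcfour)(-.*)?$/)
                    printf "WEAK %s %s\n", key, enc[i]
        } else if (key ~ /types$/) {
            printf "UNKNOWN-KEY %s\n", key
        }
    }' "$@"
}

# Constructed sample: two misspelled keys and a legacy cipher list.
sample_libdefaults() {
    cat <<'EOF'
[libdefaults]
default_realm = EXAMPLE.TEST
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
EOF
}

sample_libdefaults | audit_krb5_enctypes
```

On a real server, run `audit_krb5_enctypes /etc/krb5.conf`; no output means the three keys are spelled correctly and list no DES, 3DES or RC4 enctypes.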

Save the file. We will now obtain a Kerberos ticket for a user in our AD who has the right to join the server to the domain. Execute the following command:

sudo kinit fappointaire

To verify that the ticket has been created correctly, execute the command sudo klist.

We will now modify the Samba configuration file. If you want the server to use a different name from the one in /etc/hostname, add the line NetBIOS name = newservername. Replace the line workgroup = WORKGROUP in the configuration file with the following, adapting it to your values:

sudo vim /etc/samba/smb.conf

workgroup = FLORENTAPPOINTA
security = ADS
realm = FLORENTAPPOINTAIRE.CLOUD
encrypt passwords = yes

idmap config *:backend = rid
idmap config *:range = 5000-100000

winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash

Save the configuration. Now we will modify the file nsswitch.conf to indicate that we use groups and users of the Active Directory (winbind):

sudo vim /etc/nsswitch.conf
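
One way to make this change from the shell instead of an editor, as an added example that is not from the original article: the hypothetical function `add_winbind_source` appends `winbind` to the `passwd` and `group` lines only. The sample file is constructed and assumes the stock `compat` layout.

```shell
#!/bin/sh
# Added example, not the article's code: add winbind as a lookup source for
# the passwd and group databases. Safe to run twice; other lines are untouched.
add_winbind_source() {
    file=$1
    tmp=$(mktemp) || return 1
    # Write back with cat so the target keeps its owner and mode.
    awk '
    /^[ \t]*(passwd|group):/ {
        body = $0; cmt = ""
        p = index($0, "#")                  # keep a trailing comment in place
        if (p > 0) { body = substr($0, 1, p - 1); cmt = substr($0, p) }
        n = split(body, f, /[ \t]+/); found = 0
        for (i = 1; i <= n; i++) if (f[i] == "winbind") found = 1
        if (!found) {
            sub(/[ \t]+$/, "", body)
            $0 = body " winbind" (cmt != "" ? " " cmt : "")
        }
    }
    { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample (assumed stock layout); point the function at
# /etc/nsswitch.conf, as root, on a real server.
demo=$(mktemp)
printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\n' > "$demo"
add_winbind_source "$demo" && cat "$demo"
rm -f "$demo"
```

The shadow line is left alone: winbind supplies users and groups, while password checks go through PAM.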

Now it’s time to join our Ubuntu Server 16.04 to our Active Directory. Use the following command:

sudo net ads join -k

You can ignore the error concerning DNS. The server's computer object now appears in Active Directory.

We will now make sure that Active Directory authentication is enabled. Use the following command:

sudo pam-auth-update

A selection screen appears. Make sure that the line Winbind NT/Active Directory authentication is selected. I also selected the line that creates a home directory for each user when they first connect to the server.

Restart services to apply all changes:

sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

You can use the following commands to check that the Active Directory synchronization is working fine:

wbinfo -u
wbinfo -g
wbinfo -i fappointaire
getent passwd 
getent group

I added my username to the sudo group:

sudo adduser fappointaire sudo

You can now connect to your Ubuntu server with your domain account and switch to root.

The next article will be about the installation and utilization of the SQLCMD tool to manage your SQL Server databases from a Linux server 🙂
