Follow these steps to bind an Ubuntu instance to an Active Directory (AD) domain for authentication:
Prerequisites
A few things are required in order to get Active Directory set up properly for Ubuntu.
1. The following tools will need to be installed: realmd, sssd, sssd-tools, krb5-user, samba-common, and adcli:
sudo apt update
sudo apt install realmd sssd sssd-tools krb5-user samba-common adcli
2. You'll need to configure DNS to use your organization's DNS server in order to resolve AD domain names. Open /etc/resolv.conf and add the nameserver line:
sudo nano /etc/resolv.conf
nameserver <AD-DNS-SERVER-IP>
3. Ensure you have an AD administrator account so you can join the machine to the domain.
Steps to Join AD Domain
1. Discover the AD Domain using realmd:
sudo realm discover <domain-name>
2. Join the AD Domain:
sudo realm join --user=<admin-user> <domain-name>
(Enter the admin password when prompted.)
3. Verify or edit sssd.conf to ensure correct settings, then restart SSSD:
sudo nano /etc/sssd/sssd.conf
sudo systemctl restart sssd
4. Test Domain binding and verify that domain users can be resolved:
id <AD-username>
5. Permit logins, either for all AD users or for specific users only (run one of the following):
sudo realm permit --all
sudo realm permit <AD-username>
Troubleshooting
1. For DNS issues, ensure /etc/resolv.conf points to the AD DNS server.
2. For Clock Synchronization, ensure time is synchronized between the Ubuntu instance and AD server for Kerberos.
3. For SSSD issues, enable debug logging by setting debug_level = 9 in /etc/sssd/sssd.conf, then check the SSSD logs.
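
The sssd.conf review in step 3, the permit choice in step 5 and the debug_level setting under Troubleshooting can be checked together. The script below is an added example, not part of the original guide: it reads only the first [domain/...] section, assumes GNU stat, and its sample file (example.test, alice, bob) is constructed.

```bash
# Added example: report who may log in according to an sssd.conf file.
# domain_opt FILE KEY: print KEY's value from the first [domain/...] section.
domain_opt() {
  awk -v want="$2" '
    /^[ \t]*\[/ { isdom = ($0 ~ /^[ \t]*\[domain\//); seen += isdom
                  in_dom = (isdom && seen == 1); next }
    !in_dom || /^[ \t]*[#;]/ || !index($0, "=") { next }
    { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == want) { print val; exit } }' "$1"
}

# audit_sssd FILE: print findings; return 1 if any WARN was raised.
audit_sssd() {
  local f=$1 ap users groups dbg rc=0
  ap=$(domain_opt "$f" access_provider)
  users=$(domain_opt "$f" simple_allow_users)
  groups=$(domain_opt "$f" simple_allow_groups)
  dbg=$(domain_opt "$f" debug_level)
  case "$(stat -c %a "$f")" in *[1-7])   # last octal digit = "other" bits
    echo "WARN mode grants other users access to sssd.conf"; rc=1 ;;
  esac
  case "${ap:-permit}" in                # SSSD defaults to "permit" when unset
    permit) echo "WARN access_provider=permit: any resolvable user may log in"; rc=1 ;;
    simple)
      if [ -z "$users$groups" ]; then
        echo "WARN simple provider, no allow list: users allowed unless denied"; rc=1
      else
        echo "OK logins limited to users=[$users] groups=[$groups]"
      fi ;;
    *) echo "INFO access_provider=$ap: access is decided by that provider" ;;
  esac
  [ "$dbg" = 9 ] && { echo "WARN debug_level=9 still set: lower it after troubleshooting"; rc=1; }
  return "$rc"
}

# Constructed sample sssd.conf; domain and user names are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
domains = example.test
[domain/example.test]
id_provider = ad
access_provider = simple
simple_allow_users = alice, bob
debug_level = 9
EOF
audit_sssd "$sample" || echo "findings above need review"
```

On a joined host, run audit_sssd /etc/sssd/sssd.conf as root after step 5 to confirm the login policy matches what you intended.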