How to Join Ubuntu to Active Directory?

This article provides a straightforward, step-by-step guide on how to integrate an Ubuntu Linux machine into a Windows Active Directory (AD) domain. You will learn how to configure network settings, install the necessary realmd and SSSD packages, join the domain, and enable home directory creation for AD users. By the end of this guide, users will be able to log into the Ubuntu system using their Active Directory credentials.

Prerequisites and Network Configuration

Before initiating the domain join process, ensure your Ubuntu system can locate the Active Directory domain controllers. realmd and SSSD find DCs through the DNS SRV records that AD publishes (for example _ldap._tcp.dc._msdcs.yourdomain.com), so the system's resolver must be the AD DNS server, or a resolver that forwards the AD zone to it. Kerberos additionally requires the client clock to be within five minutes of the domain controllers, so make sure time synchronization is working before you join.

  1. Configure DNS: Update your netplan configuration file (usually found in /etc/netplan/) so that the nameservers section lists your AD Domain Controller IP address and the search domain is your AD domain.
  2. Set the Hostname: Give the machine its fully qualified name in the domain with hostnamectl set-hostname ubuntu-node.yourdomain.com. The short host name becomes the AD computer account name, so it must be unique in the domain and at most 15 characters long.
  3. Test Resolution: Confirm that the domain name resolves, for example with ping yourdomain.com. A reply shows that DNS works, but ICMP may be filtered on the DC; a DNS lookup of the domain's SRV records is the definitive check.
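The three steps above, as an added example script that is not part of the original article: it renders the netplan file, validates the short host name, queries the DC SRV record that realmd actually relies on instead of pinging, and compares the local clock with the DC's. The domain, DC address, interface and host name are placeholders; the check functions run without touching the system, and the changes are only applied when the script is invoked with --apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: pre-join checks for an
# Ubuntu host. Every concrete value (domain, DC address, interface, host
# name) is a hypothetical placeholder; override it via the environment.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"
DC_IP="${DC_IP:-10.0.0.10}"
IFACE="${IFACE:-ens3}"
NODE="${NODE:-ubuntu-node}"
MAX_SKEW=300   # Kerberos default clockskew in seconds; beyond this, join and logins fail

# Render a netplan file that keeps DHCP for the address but replaces the
# DHCP-supplied resolver with the AD DNS server and sets the search suffix.
netplan_config() {   # args: interface, DC IP, domain
  cat <<EOF
network:
  version: 2
  ethernets:
    $1:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false
      nameservers:
        addresses: [$2]
        search: [$3]
EOF
}

# AD computer names are NetBIOS names: at most 15 characters and no dots.
short_name_ok() {   # arg: short host name
  [ "${#1}" -le 15 ] && [ "$1" = "${1%%.*}" ]
}

# True when `dig +short SRV` output holds at least one record
# ("priority weight port target."), i.e. the resolver really serves the AD zone.
has_srv_answer() {   # arg: dig output
  printf '%s\n' "$1" | grep -Eq '^[0-9]+ [0-9]+ [0-9]+ [A-Za-z0-9.-]+\.$'
}

# True when two clocks (epoch seconds) are within the Kerberos tolerance.
clock_skew_ok() {   # args: local epoch, reference epoch
  local diff
  diff=$(( $1 - $2 ))
  [ "${diff#-}" -le "$MAX_SKEW" ]
}

# Side effects only on request, so the functions above can be tested or sourced safely.
if [ "${1:-}" = "--apply" ]; then
  short_name_ok "$NODE" || { echo "'$NODE' is not a valid AD computer name" >&2; exit 1; }
  netplan_config "$IFACE" "$DC_IP" "$DOMAIN" | sudo tee /etc/netplan/99-ad-dns.yaml >/dev/null
  sudo netplan apply
  sudo hostnamectl set-hostname "${NODE}.${DOMAIN}"
  # realmd needs the DC SRV records, not ICMP: query the record it will use.
  srv=$(dig +short SRV "_ldap._tcp.dc._msdcs.${DOMAIN}" "@${DC_IP}")
  has_srv_answer "$srv" || { echo "no DC SRV records for ${DOMAIN} via ${DC_IP}" >&2; exit 1; }
  # `net time -S` (samba-common-bin) reads the DC clock over SMB; GNU date parses it.
  dc_epoch=$(date -d "$(net time -S "$DC_IP")" +%s)
  clock_skew_ok "$(date +%s)" "$dc_epoch" || { echo "clock skew exceeds ${MAX_SKEW}s; fix NTP first" >&2; exit 1; }
  echo "prerequisites OK for ${NODE}.${DOMAIN}"
fi
```

Run it as sudo ./prejoin.sh --apply on the host; without the flag it only defines the checks, which is how it can be exercised on a machine that is not on the domain network.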

Installing Required Packages

Ubuntu utilizes realmd to discover and join Active Directory domains, while sssd (System Security Services Daemon) handles the actual authentication and caching. Run the following commands to install the required software suite:

sudo apt update
sudo apt install -y realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit

Discovering and Joining the Active Directory Domain

Once the packages are installed, you can discover your domain to ensure the Ubuntu machine can see the Active Directory environment properly.

realm discover yourdomain.com

If the discovery is successful, you will see output detailing the required software and the domain capabilities. Next, join the domain with an Active Directory account that is allowed to create computer objects. A dedicated join account that has only been delegated the "Create computer objects" right on the target OU is preferable to a Domain Administrator: the password is typed into a host that is not yet trusted, and a delegated account limits what can be done with it if that host is later compromised. The example below uses Administrator; substitute your join account.

sudo realm join --user=Administrator yourdomain.com

You will be prompted to enter the password for the specified Active Directory user. If the command returns no errors, the system has joined the domain: a computer account now exists in AD, its keytab has been written to /etc/krb5.keytab, and SSSD has been configured and started.

Configuring PAM for Automatic Home Directory Creation

By default, Ubuntu will not create a local home directory when an Active Directory user logs in for the first time. To automate this process, you must enable the PAM module for home directory creation.

sudo pam-auth-update --enable mkhomedir

Alternatively, you can manually add the following line to the end of the /etc/pam.d/common-session file. The umask=0077 makes each new home directory readable only by its owner, and the required control means a login is refused if the directory cannot be created (use optional if you prefer logins to proceed without a home):

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Verifying the Connection and Logging In

To ensure that the Active Directory integration is working correctly, query an AD user through the NSS module with the id command. The lookup travels through SSSD to the domain controller, so a correct answer proves both name resolution and the LDAP/Kerberos binding work:

id username@yourdomain.com

If the system returns the user ID and group associations from Active Directory, the configuration is successful. Users can now log into the Ubuntu machine via SSH or the graphical login screen using the fully qualified form username@yourdomain.com; realmd configures SSSD with use_fully_qualified_names = True, so the bare username is not accepted unless you change that setting in /etc/sssd/sssd.conf. Note that immediately after the join the login policy is allow-realm-logins, which lets every domain user log in; restrict access to the groups that actually need it with realm permit before exposing the host, and make sure sshd allows password or GSSAPI authentication for domain users, since many Ubuntu cloud images disable password logins.
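The join and verification steps above, as an added example script that is not part of the original article: it joins with a delegated account into a specific OU, replaces the open post-join login policy with a single permitted group, grants that group sudo, and then checks the realm list output rather than trusting a silent exit. The domain, OU, join account, group and user names are hypothetical placeholders; the parsing and rendering functions run without a domain, and the system changes happen only with --apply.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: join with a least-privilege
# account, restrict interactive logins to one AD group, and verify the result.
# Domain, OU, account, group and user names are hypothetical placeholders.
set -eu

DOMAIN="${DOMAIN:-yourdomain.com}"
JOIN_USER="${JOIN_USER:-svc-linux-join}"   # delegated "Create computer objects" on the OU, not a Domain Admin
COMPUTER_OU="${COMPUTER_OU:-OU=Linux,OU=Servers,DC=yourdomain,DC=com}"
ADMIN_GROUP="${ADMIN_GROUP:-linux admins}"  # AD group allowed to log in and use sudo

# Print every value of a "key: value" field from `realm list` output.
realm_field() {   # args: realm-list text, key
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: //p"
}

# True when the realm is joined and the login policy is an explicit allow list
# rather than realmd's post-join default of every domain user.
join_is_hardened() {   # arg: realm-list text
  [ "$(realm_field "$1" configured)" = "kerberos-member" ] || return 1
  [ "$(realm_field "$1" login-policy)" = "allow-permitted-logins" ] || return 1
  realm_field "$1" permitted-groups | grep -q .
}

# Render a sudoers rule for an AD group. sudo resolves the group through NSS,
# so it must be written exactly as `getent group` prints it, with spaces escaped.
sudoers_line() {   # arg: AD group name without the domain suffix
  local g
  g=$(printf '%s' "$1" | sed 's/ /\\ /g')
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$g" "$DOMAIN"
}

if [ "${1:-}" = "--apply" ]; then
  # --computer-ou places the computer object in a dedicated OU instead of CN=Computers.
  sudo realm join --user="$JOIN_USER" --computer-ou="$COMPUTER_OU" "$DOMAIN"
  # Right after the join, login-policy is allow-realm-logins (anyone in the domain);
  # permitting one group switches SSSD to an allow list.
  sudo realm permit -g "${ADMIN_GROUP}@${DOMAIN}"
  sudoers_line "$ADMIN_GROUP" | sudo tee /etc/sudoers.d/ad-admins >/dev/null
  sudo chmod 0440 /etc/sudoers.d/ad-admins
  sudo visudo -cf /etc/sudoers.d/ad-admins   # syntax-check before relying on the rule
  join_is_hardened "$(realm list)" || { echo "realm not joined or still open to all domain users" >&2; exit 1; }
  getent group "${ADMIN_GROUP}@${DOMAIN}"    # proves SSSD resolves the group
  # NSS lookups succeed for any domain user regardless of login policy; only PAM enforces it.
  id "someuser@${DOMAIN}"
fi
```

After the script runs, realm list should show login-policy: allow-permitted-logins and the group under permitted-groups; a user outside that group still resolves with id but is refused at login, which is the behaviour to test from a second session before closing the one you joined from.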