Adding Ubuntu to a Windows Domain

While, to be fair, there is documentation on this process, I’ve found that it tends to not really… work. So I’m throwing in my attempt at documenting how to add various Linux flavors to an Active Directory Domain, with massive research assistance from Rob.

Right off the bat, I assume that the domain exists, that the Linux box is on the same network as the AD Controller, and that the AD Controller is also serving DNS. With that said, let us begin.

The Windows Part

Double-check your hostname, domain, and workgroup. The workgroup is shown when you log in, as the shorthand of your domain before your user name. Domain and hostname can be found by right-clicking This PC and selecting “Properties.” You have something like this:

So my workgroup is PERIODIC, hostname is nitrogen, and domain is periodic.table. This will be needed later.


First off are a few installs.

sudo apt install samba krb5-config krb5-user winbind libnss-winbind libpam-winbind

With those in place, we have some config changes to make. Let’s start off with the easiest one, hosts. This will make it so that even if DNS goes down for some reason, Ubuntu will still resolve at least the AD hostname. /etc/hosts:

127.0.0.1 localhost
$linux_ip$ $linux_hostname$.$domain$ $linux_hostname$
$ad_ip$ $ad_hostname$.$domain$ $ad_hostname$

Next is to set DNS to resolve from AD. This can be done a few ways, so I won’t really cover it aside from saying that for me it is an extra line in /etc/network/interfaces in the block where I set a static IP. On Ubuntu 18, it will probably be under /etc/netplan.

Now that we are resolving DNS from Windows, we can set up Kerberos. This is the part where most people will make mistakes, but the worst thing that will happen is it doesn’t work. Nothing should break. /etc/krb5.conf:

[libdefaults]
default_realm = $DOMAIN$

[realms]
$DOMAIN$ = {
default_domain = $DOMAIN$
}

[domain_realm]
.$domain$ = .$DOMAIN$
$domain$ = $DOMAIN$

The caps are important; make sure to match them. This is a very basic config, and it can easily get more complex.

There are a couple of changes that need to be made in /etc/samba/smb.conf. We’re not setting up a share, but we do need to tell it about the realm. Make sure that these variables are set in Samba’s config file:

workgroup = $WORKGROUP$
netbios name = $LINUX_HOSTNAME$
realm = $DOMAIN$
server string =
security = ads
encrypt passwords = yes
password server = $AD_HOSTNAME$.$DOMAIN$
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes

Now enable and restart Samba:

sudo systemctl enable smbd.service
sudo systemctl restart smbd

And finally, we can attempt to join the domain.

sudo net ads join -S $AD_HOSTNAME$.$DOMAIN$ -U Administrator

Theoretically, you are now joined to AD. Restart winbind and run wbinfo to confirm:

sudo systemctl enable winbind
sudo systemctl restart winbind
sudo wbinfo -u

Now that we are joined to the domain, we will need to edit nsswitch.conf to allow authentication to work. At this point, Ubuntu’s hostname should be listed under Users and Computers in Active Directory. The top of /etc/nsswitch.conf should roughly match the following:

passwd:  compat winbind
group:   compat winbind
shadow:  compat winbind
gshadow: files
hosts:   files dns

You can confirm that authentication is working by signing into an AD account, or by running getent passwd and seeing if the new users have been added. While authenticating should work, the default shell should be set to /bin/false. Setting policies that control the default shell and home folder depends on the AD configuration. The article here details how to handle this.
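If the join or the logins fail, the usual cause is a mismatch between the three files edited above. The script below is an added example, not part of the original post, that checks them against each other; the function names and the sample files are constructed for illustration, using the PERIODIC.TABLE realm from the example domain earlier.

```shell
#!/bin/sh
# Added example, not from the original post; the sample files are constructed.
# Real use: check_ad_config /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf

# Print the trimmed value of the first "KEY = value" line in FILE.
conf_get() {  # usage: conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Return 0 if the three files agree with each other, 1 (plus messages) if not.
check_ad_config() {  # usage: check_ad_config KRB5_CONF SMB_CONF NSSWITCH_CONF
    krb_realm=$(conf_get "$1" default_realm)
    smb_realm=$(conf_get "$2" realm)
    security=$(conf_get "$2" security | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')
    rc=0
    [ -n "$krb_realm" ] || { echo "krb5.conf: default_realm is not set"; rc=1; }
    [ "$krb_realm" = "$upper" ] ||
        { echo "krb5.conf: default_realm '$krb_realm' is not upper case"; rc=1; }
    [ "$smb_realm" = "$krb_realm" ] ||
        { echo "smb.conf: realm '$smb_realm' differs from default_realm '$krb_realm'"; rc=1; }
    [ "$security" = "ads" ] ||
        { echo "smb.conf: security is '$security', expected ads"; rc=1; }
    # The realm also needs its own "REALM = {" block in krb5.conf.
    grep -Eq "^[[:space:]]*$krb_realm[[:space:]]*=[[:space:]]*[{]" "$1" ||
        { echo "krb5.conf: no realm block for '$krb_realm'"; rc=1; }
    # winbind must be a source for users and groups, or AD accounts stay invisible.
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$3" ||
            { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    return $rc
}

# Write constructed sample files into DIR; REALM is what goes into krb5.conf.
write_sample() {  # usage: write_sample DIR REALM
    printf '[libdefaults]\n    default_realm = %s\n[realms]\n    %s = {\n    }\n' "$2" "$2" > "$1/krb5.conf"
    printf '[global]\n    workgroup = PERIODIC\n    realm = PERIODIC.TABLE\n    security = ads\n' > "$1/smb.conf"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$1/nsswitch.conf"
}

tmp=$(mktemp -d)
write_sample "$tmp" PERIODIC.TABLE
check_ad_config "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/nsswitch.conf" && echo "consistent"
write_sample "$tmp" periodic.table    # the lower-case mistake warned about above
check_ad_config "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/nsswitch.conf" || echo "fix the above first"
rm -rf "$tmp"
```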

About: Bailey Kasin

I build virtual environments and challenges for Cybersecurity students to complete as a way to gain experience before graduating and entering the workforce.
