Before we begin
Domain data:
I already set up Active Directory on Windows Server 2019 Standard.
Domain name: winlin.local
Domain Controller name: WinLinDC
Domain Controller IP address: 10.0.0.31/24
Active Directory DNS IP: 10.0.0.31/24
I installed DNS on the domain controller itself.
I also created a domain user named: zeljko.m@winlin.local
Ubuntu client data:
I used Ubuntu 20.04 as a client for this guide.
Machine name: winlinubcl2
Machine IP address: 10.0.0.34
Prerequisites
Updates
First, we will start with updating
sudo apt update -y
Hostname and DNS
Since we want to join the Ubuntu machine (named winlinubcl2) to the Windows domain named winlin.local, we need to change the Ubuntu machine name to match Active Directory (AD) naming…
sudo hostnamectl set-hostname winlinubcl2.winlin.local
We will check the machine name by entering
hostnamectl
For the DNS part, as with a Windows client machine you wish to join to AD, Linux machines also need to have the domain controller (or a separate DNS server for the domain, if configured) IP address set as DNS.
In my case, the DNS server IP is the same as my domain controller IP: 10.0.0.31.
There are a couple of ways to do this.
If your Linux machine is getting its IP address and DNS from a DHCP server, make sure that you are in the same network, and that the DNS IP is the one of the domain or of the domain controller.
I'm doing this manually on Ubuntu 20.04 that has a GUI. So this is how my settings look. I set everything manually.
If you are doing this on a machine without a GUI, only in the shell, you will have to do it through netplan.
Again, check your IP settings by entering
ip a
Then check DNS settings by entering
systemd-resolve --status | grep Current
and you can also check the default gateway by typing in
ip r
If there is a need to change IP and DNS settings, do the following
First we need to find out how your netplan file is named. To find out, type in the following
ls -la /etc/netplan
My file is named 01-network-manager-all.yaml. Yours may be named differently, so note that.
Next, we need to edit that file (change 01-network-manager-all.yaml to your filename).
sudo nano /etc/netplan/01-network-manager-all.yaml
You should enter something like this. Be very careful about indentation, because YAML files are very finicky on that front.
If you want to check your indentation to be sure it is OK, you can install a tool like yamllint.
network:
  ethernets:
    ens33:
      addresses:
      - 10.0.0.34/24
      gateway4: 10.0.0.1
      nameservers:
        addresses:
        - 10.0.0.31
  version: 2
To apply the changes, type in
sudo netplan apply
OK, that is it for the hostname and DNS. I like to reboot the machine after these settings to be sure everything is fine.
Installation
We will now install all the necessary packages for our domain join
sudo apt update -y
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Discover domain
We will now check if we can discover our Windows domain. Change winlin.local to your domain name.
sudo realm discover winlin.local
The information we got back is good, so we can proceed further.
Add Ubuntu machine to Active Directory
Finally, we will join our Ubuntu machine to our Windows domain.
Change Administrator if the account name of your domain admin is different. Change winlin.local to your domain name.
The command is
sudo realm join -U Administrator winlin.local
If everything went OK, you will be asked for your domain admin password, and that will be it.
Let's check if the authentication is working and we can get the id of domain users. I will use the domain user named zeljko.m@winlin.local; change that to your domain user and domain name.
id zeljko.m@winlin.local
If we go to the Windows Server 2019 that serves as a domain controller for the winlin.local domain, under Users and Computers in the Computers container we can see that the winLinUbCL2 machine is added to the domain. That is great.
Before we do a first login from Ubuntu to Windows Domain
First, we will set up creation of home directories for domain users.
We need to edit
sudo nano /etc/pam.d/common-session
and enter the following at the end of the file
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Optionally, you can set your system to log in using only the name, without the domain part. So, I could log in to my Ubuntu install using only zeljko.m instead of zeljko.m@winlin.local.
If you wish to enable this:
sudo nano /etc/sssd/sssd.conf
Change the line use_fully_qualified_names = True to
use_fully_qualified_names = False
OK, let's now try to log in with our domain user to our Ubuntu machine.
su - zeljko.m@winlin.local
If we have done everything correctly, we should be prompted for the domain user's password, and there should also be a message that the home directory for the user is created.
Limit access for domain users to ssh/console
If you want to permit a user to access ssh or the console, you will use the following command. By the way, on my Ubuntu 20.04 install domain users can log in via ssh to the Ubuntu install by default.
To permit access to a user, use the following
sudo realm permit zeljko.m@winlin.local
To permit access to a group, type in the following
sudo realm permit -g 'Domain Admins'
A practical way would be to deny login to all, and then add permits as exceptions, so that would look like this
sudo realm deny --all
sudo realm permit zeljko.m@winlin.local
sudo realm permit -g 'Domain Admins'
You can also permit all, and add multiple users or groups using one line, so that would look like
sudo realm permit --all
sudo realm permit zeljko.m@winlin.local mario.l@winlin.local
sudo realm permit -g 'Domain Admins' 'Users'
On winlinubcl1 I entered the deny --all command and then tried to access that machine from winlinubcl2.
Deny works, nobody from the domain can log in to the winlinubcl1 machine.
After I entered the permit command for user zeljko.m, he was able to log in, while user mario.l was still unable to log in.
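To confirm which policy is actually in force after a deny/permit sequence, the following added example (not part of the original guide) reads the domain section of an sssd.conf file and summarises it. It assumes the realm permit/deny commands are stored as the SSSD options access_provider, simple_allow_users and simple_allow_groups; the function name login_policy and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the login policy recorded in sssd.conf for one domain.
# access_provider and simple_allow_* are SSSD options; the sample file is constructed.

# login_policy FILE DOMAIN -> "deny", "permit", "simple-unrestricted",
# or "simple users=[...] groups=[...]"
login_policy() {
    awk -v want="[domain/$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        !insec || /^[ \t]*[#;]/ || !/[=]/ { next }
        {
            key = $0; sub(/[=].*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            conf[key] = val
        }
        END {
            ap = conf["access_provider"]
            if (ap == "") ap = "permit"          # SSSD default when the key is absent
            if (ap != "simple") { print ap; exit }
            u = conf["simple_allow_users"]; g = conf["simple_allow_groups"]
            # sssd-simple grants access to everyone when no allow list is set
            if (u == "" && g == "") print "simple-unrestricted"
            else printf "simple users=[%s] groups=[%s]\n", u, g
        }' "$1"
}

# Constructed sample resembling the state after "deny --all" plus two permits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
domains = winlin.local

[domain/winlin.local]
id_provider = ad
access_provider = simple
simple_allow_users = zeljko.m
simple_allow_groups = domain admins
EOF

login_policy "$sample" winlin.local
rm -f "$sample"
```

On a joined machine, run it as root against /etc/sssd/sssd.conf; a result of permit or simple-unrestricted means every domain user can still log in.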
Add domain users/groups as local sudoers on Ubuntu
And, the final one for this guide: domain users are unable to execute sudo commands on Ubuntu.
To change this we will have to edit the sudoers file. There are a couple of ways to do it; I will show you one.
You will obviously have to do this as a local account on Ubuntu, not the domain one.
sudo usermod -aG sudo zeljko.m@winlin.local
In case you defined in sssd.conf that you don't use the domain extension, you will have to run the above command without the winlin.local domain extension.
Option number 2
Everything works after executing the command. You can also do this by editing the /etc/sudoers file.
If you do it that way, you will have to do it with visudo
sudo visudo -f /etc/sudoers
To add sudo permissions for a user, you will have to enter
zeljko.m@winlin.local ALL=(ALL) ALL
If you wish to add a group, you will enter (in the section for groups in the file)
%group1@winlin.local ALL=(ALL) ALL
This can also be done via /etc/sudoers.d/somefilename, but I haven't managed to get it to work on the Ubuntu 20.04 I have installed (I haven't used . or ~ signs in files, or commands…)
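For the /etc/sudoers.d route, here is an added example (not part of the original guide) that installs a drop-in only after visudo has checked its syntax. The function names and the file name winlin-admins are hypothetical, and it assumes /etc/sudoers still contains its includedir line for /etc/sudoers.d; sudo skips files in that directory whose names contain a "." or end in "~".

```shell
#!/bin/sh
# Added example (not from the original guide): install a sudoers drop-in safely.

# sudo skips files in /etc/sudoers.d whose names contain "." or end in "~".
dropin_name_ok() {
    case $1 in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_rule PRINCIPAL -> one sudoers line; spaces in names are backslash-escaped.
render_rule() {
    printf '%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

# install_dropin NAME PRINCIPAL [DIR]: validate with visudo before the file goes live.
install_dropin() {
    name=$1 principal=$2 dir=${3:-/etc/sudoers.d}
    dropin_name_ok "$name" || { echo "bad drop-in name: $name" >&2; return 2; }
    tmp=$(mktemp) || return 1
    render_rule "$principal" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"; return 3
    fi
    # sudoers files must be root-owned and not writable by others
    install -m 0440 -o root -g root "$tmp" "$dir/$name"
    rm -f "$tmp"
}

# Preview the line that would be written for the group used in this guide.
render_rule '%group1@winlin.local'

# As root, from a local account (hypothetical file name):
#   install_dropin winlin-admins '%group1@winlin.local'
```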
Conclusion
That is it, we have a basic setup for an Ubuntu machine on a Windows domain.