Before we begin
I already set Active Directory on Windows Server 2019 Standard .
knowledge domain name : winlin.local
Domain Controller mention : WinLinDC
Domain Controller IP address : 10.0.0.31/24
active Directory DNS IP : 10.0.0.31/24
I installed DNS on the domain restrainer itself .
I besides created domain user named : zeljko.m @ winlin.local
Ubuntu client data:
I used Ubuntu 20.04 as a customer for this guide .
machine mention : winlinubcl2
Machine IP cover : 10.0.0.34
beginning, we will start with updating
sudo apt update -y
Hostname and DNS
Since we want to join Ubuntu machine ( name winlinubcl2) to Windows world named winlin.local, we need to change Ubuntu machine name to match active directory ( AD ) naming…
sudo hostnamectl set-hostname winlinubcl2.winlin.local
We will check machine name by entering
For the DNS partially, like with Windows customer machine you wish to join to AD – linux machines besides need to have domain accountant ( or separate DNS server for sphere, if configured ) IP address under DNS .
In my lawsuit, DNS server IP is same as my domain restrainer information science – 10.0.0.31 .
There are a couple of ways to do this .
If your Linux machine is getting IP address and DNS from DHCP server, make surely that you are in the like network, and that DNS IP is already in world or on knowledge domain control .
I ’ molarity doing this manually on Ubuntu 20.04 that has GUI.So this is how my settings look like. I set everything manually .
If you are doing this on a machine without GUI, merely in shell you will have to do it through netplan .
again, check your IP settings by entering
then check DNS settings by entering
systemd-resolve --status | grep Current
and you can besides check default gateway by typing in
If there is a need to change IP and DNS settings, do following
first we need to find out how your netplan file is named. To find out type following in
ls -la /etc/netplan
My file is named 01-network-manager-all.yaml. Your may be named differently, so score that .
following, we need to edit that file ( change 01-network-mananger-all.yaml to your filename .
sudo nano /etc/netplan/01-network-manager-all.yaml
You should enter something like this. Be very careful about indentations, because yaml files are identical finical on that front .
If you want to check your indentation to be certain it is o, you can install tool like yamllint .
network: ethernets: ens33: addresses: - 10.0.0.34/24 gateway4: 10.0.0.1 nameservers: addresses: - 10.0.0.31 version: 2
To apply changes type in
sudo netplan apply
Ok, that is it for the hostnames and DNS, I like to reboot machine after these settings to be sure everything is very well .
We will now install all compulsory packages for our knowledge domain join gamble
sudo apt update -y sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
We will now check if we can discover our windows domain. Change winlin.local for your sphere name .
sudo realm discover winlin.local
The information we got rear is good, we can proceed further .
Add Ubuntu machine to Active Directory
last, we will join our Ubuntu car to our windows world .
Change Administrator if the explanation name of your domain admin is different. Change winlin.local to your knowledge domain name .
The command is
sudo realm join -U Administrator winlin.local
If everything went oklahoma, you will be asked for your sphere admin password, and that will be it .
Let ’ s arrest if the authentication is working and we can get id of domain users. I will use domain drug user named zeljko.m @ winlin.local, change that for your knowledge domain drug user and sphere name .
If we go to the Windows Server 2019 that serves as a sphere restrainer for winlin.local domain, under Users and Computers in Computers container we can see that winLinUbCL2 machine is added to the knowledge domain. That is great .
Before we do a first login from Ubuntu to Windows Domain
first base, we will set universe of home directories for world users .
We need to edit
sudo nano /etc/pam.d/common-session
and enter following to the end of the file
session optional pam_mkhomedir.so skel=/etc/skel umask=077
optionally, you can set your system to login only using name without domain depart. so, I could login to my Ubuntu install by only using zeljko.m alternatively of zeljko.m @ winlin.local .
If you wish to enable this :
sudo nano /etc/sssd/sssd.conf
Change credit line use_fully_qualified_names = True to
use_fully_qualified_names = False
Ok, let ’ s now try and login with our knowledge domain drug user to our Ubuntu car .
su - firstname.lastname@example.org
If we done everything correctly, we should be prompted for domain users password, and there should besides be message that home directory for the user is created .
Limit access for domain users to ssh/console
If you want to permit drug user to access ssh or console, you will use follow command. By the manner, on my Ubuntu 20.04 install knowledge domain users can login via ssh to Ubuntu install by default option .
To permit access to user, use following
sudo realm permit email@example.com
To permit access to group, type in following
sudo realm permit -g 'Domain Admins'
practical manner would be, to deny login to all, and then add permits to exceptions, so that would look like this
sudo realm deny --all sudo realm permit firstname.lastname@example.org sudo realm permit -g 'Domain Admins'
You can besides permit all, and add multiple drug user or groups using one trace, so that would look like
sudo realm permit --all sudo realm permit email@example.com firstname.lastname@example.org sudo realm permit -g 'Domain Admins' 'Users'
On winlinubcl1 I entered deny –all command and then tried to entree that machine from winlinubcl2 .
Deny works, cipher from domain can log in into winlinubcl1 machine .
After I entered permit command for user zeljko.m, he was able to login, while drug user mario.l was still unable to login .
Add domain users/groups as local sudoers on Ubuntu
And, the concluding one for this usher, sphere users are ineffective to execute sudo commands on Ubuntu .
To change this we will have to edit sudoers file, there are a pair of ways to do it, I will show you one .
You will have to do this obviously as a local account on Ubuntu, not the sphere one .
sudo usermod -aG sudo email@example.com
In case you defined in sssd.conf that you don ’ thyroxine use knowledge domain extension then you will have to run above command without winlin.local sphere extension .
Option number 2
Everything works after executing command. You can do this by besides editing /etc/sudoers file .
If you do it that way, you will have to execute it with visudo
sudo visudo -f /etc/sudoers
To add sudo permissions to a exploiter, you will have to edit
firstname.lastname@example.org ALL=(ALL) ALL
If you wish to add a group, you will enter ( in section for groups in the file )
%email@example.com ALL=(ALL) ALL
This can besides be done via /etc/sudoers.d/somefilename, but I haven ’ triiodothyronine managed to get it to work in Ubuntu 20.04 I have installed ( I haven ’ t used. or ~ signs in files, or comamnds… )
That is it, we have basic frame-up for Ubuntu machine on windows domain .