
Join Ubuntu 20.04 to Active Directory with SSSD and SSH Access


 Overview

This guide walks you through joining an Ubuntu 20.04 machine to an Active Directory domain using SSSD, configuring PAM for AD user logins over SSH, and enabling automatic creation of home directories upon first login.

We’ll also cover troubleshooting steps and verification commands.


Environment Used

Component                 Value
Ubuntu Client             ubuntu-client.bazboutey.local
Active Directory FQDN     bazboutey.local
Realm (Kerberos)          BAZBOUTEY.LOCAL
AD Admin Account          Administrator

Step 1: Prerequisites and Package Installation

1.1 Update system and install required packages

bash
sudo apt update
sudo apt install realmd sssd libnss-sss libpam-sss adcli \
    samba-common-bin oddjob oddjob-mkhomedir packagekit \
    libpam-modules openssh-server krb5-user

krb5-user is not part of the original list, but it provides kinit and klist, which Step 2.3 relies on; neither sssd nor realmd pulls it in on Ubuntu 20.04.

Step 2: Test DNS and Kerberos Configuration

Ensure that the client can resolve the AD domain and discover services.

2.1 Test domain name resolution

bash
host bazboutey.local

2.2 Discover LDAP SRV records

bash
dig _ldap._tcp.bazboutey.local SRV

2.3 Get a Kerberos ticket

bash
kinit Administrator@BAZBOUTEY.LOCAL
klist

You should see a valid ticket listed by klist.


Step 3: Configure Samba and SSSD

3.1 Edit /etc/samba/smb.conf

ini
[global]
    workgroup = BAZBOUTEY
    security = ads
    realm = BAZBOUTEY.LOCAL
    kerberos method = secrets and keytab

kerberos method = secrets and keytab is not in the original snippet but matters for this setup: net ads join only writes the machine account credentials to /etc/krb5.keytab when it is set, and SSSD's AD provider authenticates to the domain controllers with that keytab. Without it the join reports success but SSSD cannot look up users.

3.2 Create /etc/sssd/sssd.conf

bash
sudo nano /etc/sssd/sssd.conf

Paste the following configuration:

ini
[sssd]
domains = bazboutey.local
config_file_version = 2
services = nss, pam

[domain/bazboutey.local]
id_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
access_provider = simple
simple_allow_groups = domain users

Because use_fully_qualified_names is not set (it defaults to false), SSSD presents AD accounts by their short names (johnd rather than johnd@bazboutey.local). The home directory, sudoers and SSH examples below assume that form.

3.3 Set proper permissions (SSSD refuses to start unless sssd.conf is root-owned and mode 0600)

bash
sudo chmod 600 /etc/sssd/sssd.conf
sudo mkdir -p /etc/sssd/conf.d

Step 4: Join the Domain

Run the following command to join the machine to the domain:

bash
sudo net ads join -U Administrator

Verify with:

bash
sudo net ads testjoin

You should see:

text
Join is OK

Step 5: Start and Restart Services

bash
sudo systemctl restart sssd
sudo systemctl restart smbd nmbd
sudo sss_cache -E

Check that SSSD is running:

bash
systemctl status sssd

Step 6: Enable Home Directory Creation

Ubuntu must be configured to create user home directories upon login.

6.1 Enable the PAM module (pam_mkhomedir ships with libpam-modules, so nothing more needs installing):

bash
sudo pam-auth-update

✔️ Enable:

  • [x] Create home directory on login

  • [x] SSS Authentication

Selecting "Create home directory on login" adds pam_mkhomedir.so to /etc/pam.d/common-session, which is what creates /home/johnd on the first SSH login in Step 8.


Step 7: Verify AD User Visibility

7.1 Resolve a domain user and its group memberships:

bash
id 'BAZBOUTEY\johnd'

The original step used wbinfo -u, but wbinfo belongs to winbind, which this guide does not install, and SSSD does not enumerate all domain users by default (enumerate = false), so there is no cheap way to list every account. Resolving a known user with id is the right check.

7.2 Query specific user:

bash
getent passwd 'BAZBOUTEY\johnd'

7.3 Check allowed groups:

bash
getent group 'domain users'

Step 8: Test SSH Login

8.1 Start SSH server (if not already running)

bash
sudo systemctl enable --now ssh

8.2 Test login using an AD user:

bash
ssh 'BAZBOUTEY\johnd'@localhost

With the sssd.conf above, the short name johnd is also accepted as the SSH login name, since use_fully_qualified_names is left at its default of false.

🔐 On first login, the system will:

  • Prompt for AD password

  • Automatically create /home/johnd

  • Open a shell if the user is allowed by SSSD and PAM


Optional: Restrict or Extend SSH Access

In /etc/sssd/sssd.conf, you can control who is allowed:

To allow everyone (not secure for production; this is also SSSD's default when access_provider is unset):

ini
access_provider = permit

The original text gave "allow" here, but sssd.conf(5) does not accept that value: the permissive provider is named permit, and SSSD will fail to start the domain on an unknown provider name.

To allow only members of a specific AD group:

ini
access_provider = simple
simple_allow_groups = linuxsshusers

The simple provider only checks a static list of users and groups; if every simple_allow_* list is empty it grants everyone, so double-check the spelling of the group. If you need SSSD to honour AD-side account restrictions and GPO logon rights as well, use access_provider = ad instead.
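The following is an added example, not part of the original guide: a small bash lint for sssd.conf that catches the mistakes discussed in Step 3.3 and in this section before SSSD reports them at start-up. It flags a file mode other than 0600, an access_provider value sssd.conf(5) does not know (such as "allow"), a missing access_provider (SSSD then defaults to permit), and a simple provider with no allow list (which also lets everyone in). The function and variable names are mine; the list of accepted provider names is taken from sssd.conf(5).

```shell
#!/usr/bin/env bash
# Pre-flight lint for /etc/sssd/sssd.conf (added example; not from the original guide).
# Function names and the verdict strings are this example's own conventions.

# Values sssd.conf(5) accepts for access_provider. Note that "allow" is not one of them.
VALID_ACCESS_PROVIDERS="permit deny simple ad ldap ipa krb5 proxy"

# conf_get FILE KEY -> prints KEY's value from the first [domain/...] section
# (empty if unset). Whitespace around "=" is tolerated so "key=value" works too.
conf_get() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^\[/ { indomain = ($0 ~ /^\[domain\//) }
        indomain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$file"
}

# check_sssd_perms FILE -> prints "ok", "bad-mode:<octal>" or "missing-file".
# SSSD insists on mode 0600 (and root ownership, which only root can fix).
check_sssd_perms() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "missing-file"; return 1; }
    if [ "$mode" = "600" ]; then
        echo "ok"
    else
        echo "bad-mode:$mode"
        return 1
    fi
}

# check_access_provider FILE -> one-word verdict; non-zero status on any problem.
#   ok                   known provider; for "simple", at least one allow list is set
#   invalid:<value>      not a value sssd.conf(5) knows (e.g. "allow")
#   simple-no-allowlist  "simple" with no simple_allow_users/groups: everyone gets in
#   missing              access_provider unset: SSSD defaults to permit (everyone gets in)
check_access_provider() {
    local file="$1" provider users groups p
    provider=$(conf_get "$file" access_provider)
    if [ -z "$provider" ]; then
        echo "missing"
        return 1
    fi
    for p in $VALID_ACCESS_PROVIDERS; do
        if [ "$p" = "$provider" ]; then
            if [ "$provider" = "simple" ]; then
                users=$(conf_get "$file" simple_allow_users)
                groups=$(conf_get "$file" simple_allow_groups)
                if [ -z "$users" ] && [ -z "$groups" ]; then
                    echo "simple-no-allowlist"
                    return 1
                fi
            fi
            echo "ok"
            return 0
        fi
    done
    echo "invalid:$provider"
    return 1
}

# lint_sssd_conf [FILE] -> prints both verdicts; exit status 1 if either check failed.
lint_sssd_conf() {
    local file="${1:-/etc/sssd/sssd.conf}" rc=0 out
    out=$(check_sssd_perms "$file") || rc=1
    echo "perms:  $out"
    out=$(check_access_provider "$file") || rc=1
    echo "access: $out"
    return "$rc"
}

# Usage after sourcing this file:  sudo bash -c '. ./sssd-lint.sh && lint_sssd_conf'
```

Run it as root (the file is mode 0600) before restarting SSSD in Step 5; a non-zero exit means one of the two checks failed and the verdict line says which.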

Optional: Grant Sudo Access to AD Users

Edit the sudoers file with:

bash
sudo visudo

Add (the space in the group name must be escaped with a backslash):

bash
%domain\ admins ALL=(ALL) ALL

Or to allow a specific user, written exactly as id reports the account. With the sssd.conf above that is the short name:

bash
administrator ALL=(ALL) ALL

The original entry used administrator@BAZBOUTEY.LOCAL; that form only matches when use_fully_qualified_names = True is set in sssd.conf. Also consider whether Domain Admins should hold root on every Linux host at all: granting it sudo means a compromised domain admin account is root everywhere the host is joined, so a dedicated AD group for Linux administrators is the safer default.

Troubleshooting

Symptom                                        Fix
id: no such user                               Restart SSSD; check that the passwd and group lines in /etc/nsswitch.conf include sss
pam_sss(sshd:account): Access denied           Ensure the user or group is allowed by access_provider in sssd.conf
Home dir not created                           Enable pam_mkhomedir with pam-auth-update
SSH connection closes after login              Check the shell path; use /bin/bash as default_shell
Cannot resolve domain                          Fix DNS (the client must use the AD DNS servers) or add a proper search line in /etc/resolv.conf
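As an added example that is not part of the original guide, the shell functions below turn the table above into a first-pass triage of log lines: feed them lines copied from /var/log/auth.log or from the failing SSH session's output, and each line is mapped to the symptom and the fix from the table, with the account name pulled out where pam_sss includes it. The function names and the sample log lines are constructed for this example; the message formats matched are the ones pam_sss and sshd actually emit.

```shell
#!/usr/bin/env bash
# Log triage for the troubleshooting table (added example; not from the original guide).
# Output is tab-separated: <symptom> <user> <fix>. "unmatched" means none of the
# known failure signatures applies, e.g. a successful login.

# log_user LINE -> the account named in a pam_sss message, or "-" if there is none.
# Handles "... for user NAME: N (...)" and "... user=NAME" at the end of the line.
log_user() {
    local u
    u=$(printf '%s\n' "$1" \
        | sed -n -e 's/.*for user \([^:]*\):.*/\1/p' -e 's/.* user=\([^ ]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${u:--}"
}

# triage_line LINE -> one tab-separated verdict line for a single log line.
triage_line() {
    local line="$1" user
    user=$(log_user "$line")
    case "$line" in
        *'pam_sss('*':account): Access denied for user '*)
            printf 'access-denied\t%s\t%s\n' "$user" \
                'user/group not allowed: check access_provider and simple_allow_groups in sssd.conf' ;;
        *'pam_sss('*'User not known to the underlying authentication module'*)
            printf 'unknown-user\t%s\t%s\n' "$user" \
                'SSSD cannot resolve the account: restart sssd and check that passwd/group in /etc/nsswitch.conf include sss' ;;
        *'Could not chdir to home directory'*)
            printf 'no-homedir\t%s\t%s\n' "$user" \
                'pam_mkhomedir not active: enable "Create home directory on login" in pam-auth-update' ;;
        *'pam_sss('*':auth): authentication failure'*)
            printf 'bad-password\t%s\t%s\n' "$user" \
                'wrong password or the account is locked/disabled/expired in AD: journalctl -u sssd shows the Kerberos error' ;;
        *)
            printf 'unmatched\t%s\t-\n' "$user" ;;
    esac
}

# triage_log -> reads log lines from stdin and emits one verdict per line.
triage_log() {
    local line
    while IFS= read -r line; do
        triage_line "$line"
    done
}

# triage_summary -> counts verdicts by symptom, most frequent first.
triage_summary() {
    triage_log | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample lines in the formats sshd and pam_sss write to auth.log
# (the "Could not chdir" line is what sshd prints to the failing session).
SAMPLE_LOG='Jun  1 10:00:01 ubuntu-client sshd[1234]: pam_sss(sshd:account): Access denied for user johnd: 6 (Permission denied)
Jun  1 10:01:17 ubuntu-client sshd[1250]: pam_sss(sshd:auth): received for user maryk: 10 (User not known to the underlying authentication module)
Jun  1 10:02:43 ubuntu-client sshd[1270]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=johnd
Could not chdir to home directory /home/johnd: No such file or directory
Jun  1 10:04:55 ubuntu-client sshd[1310]: Accepted password for johnd from 10.0.0.5 port 51234 ssh2'

# demo_triage -> runs the triage over the constructed sample.
demo_triage() {
    printf '%s\n' "$SAMPLE_LOG" | triage_log
}

# Usage on a live host:  sudo grep -E 'sshd|pam_sss' /var/log/auth.log | triage_log
```

The case patterns are ordered so that the "User not known" line, which also carries the pam_sss(sshd:auth) prefix, is classified before the generic authentication-failure rule; keep that order if you add further signatures.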

✅ Final Result

You now have:

  • ✅ Ubuntu joined to Active Directory

  • ✅ SSH login for AD users

  • ✅ Automatic home directory creation

  • ✅ PAM + SSSD + Kerberos integrated securely




welcome to this hands-on lab on API instrumentation using Prometheus and FastAPI! In the world of modern software development, real-time API monitoring is essential for understanding usage patterns, debugging issues, and ensuring optimal performance. In this lab, we’ll demonstrate how to enhance a FastAPI-based application with Prometheus metrics to monitor its behavior effectively. We’ve already set up the lab environment for you, complete with Grafana, Prometheus, and a PostgreSQL database. While FastAPI’s integration with databases is outside the scope of this lab, our focus will be entirely on instrumentation and monitoring. For those interested in exploring the database integration or testing , you can review the code in our repository: FastAPI Monitoring Repository . What You’ll Learn In this lab, we’ll walk you through: Setting up Prometheus metrics in a FastAPI application. Instrumenting API endpoints to track: Number of requests HTTP methods Request paths Using Grafana to vi...
