Join Ubuntu 20.04 to Active Directory with SSSD and SSH Access

Overview

This guide walks you through joining an Ubuntu 20.04 machine to an Active Directory domain using SSSD, configuring PAM for AD user logins over SSH, and enabling automatic creation of home directories upon first login.

We’ll also cover troubleshooting steps and verification commands.


Environment Used

Component               Value
Ubuntu Client           ubuntu-client.bazboutey.local
Active Directory FQDN   bazboutey.local
Realm (Kerberos)        BAZBOUTEY.LOCAL
AD Admin Account        Administrator

Step 1: Prerequisites and Package Installation

1.1 Update system and install required packages

bash
sudo apt update
sudo apt install realmd sssd libnss-sss libpam-sss adcli \
    samba-common-bin oddjob oddjob-mkhomedir packagekit \
    libpam-modules openssh-server

Step 2: Test DNS and Kerberos Configuration

Ensure that the client can resolve the AD domain and discover services.

2.1 Test domain name resolution

bash
host bazboutey.local

2.2 Discover LDAP SRV records

bash
dig _ldap._tcp.bazboutey.local SRV

2.3 Get a Kerberos ticket

bash
kinit Administrator@BAZBOUTEY.LOCAL
klist

You should see a valid ticket listed by klist.


Step 3: Configure Samba and SSSD

3.1 Edit /etc/samba/smb.conf

ini
[global]
workgroup = BAZBOUTEY
security = ads
realm = BAZBOUTEY.LOCAL

3.2 Create /etc/sssd/sssd.conf

bash
sudo nano /etc/sssd/sssd.conf

Paste the following configuration:

ini
[sssd]
domains = bazboutey.local
config_file_version = 2
services = nss, pam

[domain/bazboutey.local]
id_provider = ad
override_homedir = /home/%u
default_shell = /bin/bash
access_provider = simple
simple_allow_groups = domain users

3.3 Set proper permissions

bash
sudo chmod 600 /etc/sssd/sssd.conf
sudo mkdir -p /etc/sssd/conf.d

Step 4: Join the Domain

Run the following command to join the machine to the domain:

bash
sudo net ads join -U Administrator

Verify with:

bash
sudo net ads testjoin

You should see:

text
Join is OK

Step 5: Start and Restart Services

bash
sudo systemctl restart sssd
sudo systemctl restart smbd nmbd
sudo sss_cache -E

Check that SSSD is running:

bash
systemctl status sssd

Step 6: Enable Home Directory Creation

Ubuntu must be configured to create user home directories upon login.

6.1 Enable the PAM profiles (pam_mkhomedir ships with libpam-modules, which was installed in Step 1):

bash
sudo pam-auth-update

✔️ Enable:

  • [x] Create home directory on login

  • [x] SSS Authentication


Step 7: Verify AD User Visibility

7.1 List domain users:

bash
wbinfo -u

7.2 Query specific user:

bash
getent passwd 'BAZBOUTEY\johnd'

7.3 Check allowed groups:

bash
getent group 'domain users'

Step 8: Test SSH Login

8.1 Start SSH server (if not already running)

bash
sudo systemctl enable --now ssh

8.2 Test login using AD user:

bash
ssh 'BAZBOUTEY\johnd'@localhost

🔐 On first login, the system will:

  • Prompt for AD password

  • Automatically create /home/johnd

  • Open a shell if the user is allowed by SSSD and PAM


Optional: Restrict or Extend SSH Access

In /etc/sssd/sssd.conf, you can control who is allowed:

To allow every AD account to log in (the permit provider; not secure for production):

ini
access_provider = permit

To allow only members of a specific AD group:

ini
access_provider = simple
simple_allow_groups = linuxsshusers

Optional: Grant Sudo Access to AD Users

Edit the sudoers file with:

bash
sudo visudo

Add:

bash
%domain\ admins ALL=(ALL) ALL

Or to allow a specific user:

bash
administrator@BAZBOUTEY.LOCAL ALL=(ALL) ALL

Troubleshooting

Symptom                                Fix
id: no such user                       Restart SSSD; check that /etc/nsswitch.conf includes sss
pam_sss(sshd:account): Access denied   Ensure the user or group is allowed in sssd.conf
Home dir not created                   Enable pam_mkhomedir with pam-auth-update
SSH connection closes after login      Check the shell path; use /bin/bash as default_shell
Cannot resolve domain                  Fix DNS or add a proper search line in /etc/resolv.conf
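As an added example (not part of the original guide), a small POSIX sh audit script that checks an sssd.conf for the settings this walkthrough relies on: the 0600 file mode, id_provider = ad, an access_provider that is not the wide-open permit provider, an allow list when the simple provider is used, and a default_shell that actually exists. The two sample configs it writes to a temp directory are constructed for the demo, and the function names sssd_get and sssd_audit are my own.

```shell
#!/bin/sh
# Added audit helper, not from the original guide. Checks an sssd.conf for the
# settings this walkthrough depends on. The sample configs below are constructed
# for the demo; on a real host run: sssd_audit /etc/sssd/sssd.conf

# Print the value of key $2 from file $1 (comments and trailing blanks dropped).
sssd_get() {
    sed -n -e 's/[;#].*//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when every check passes, 1 otherwise; one FAIL/WARN line per finding.
sssd_audit() {
    conf="$1"; rc=0
    # sssd refuses to start unless the file is exactly mode 0600.
    find "$conf" -prune -perm 600 | grep -q . \
        || { echo "FAIL: $conf is not mode 600"; rc=1; }
    [ "$(sssd_get "$conf" id_provider)" = "ad" ] \
        || { echo "FAIL: id_provider is not 'ad'"; rc=1; }
    case "$(sssd_get "$conf" access_provider)" in
        "")     echo "FAIL: access_provider is unset"; rc=1 ;;
        permit) echo "FAIL: access_provider = permit lets every AD account log in"; rc=1 ;;
        simple) allow="$(sssd_get "$conf" simple_allow_groups)$(sssd_get "$conf" simple_allow_users)"
                [ -n "$allow" ] || { echo "FAIL: simple access provider without an allow list"; rc=1; } ;;
    esac
    shell=$(sssd_get "$conf" default_shell)
    # A missing shell makes SSH close right after authentication (see Troubleshooting).
    [ -x "$shell" ] || echo "WARN: default_shell '$shell' is not executable on this host"
    return "$rc"
}

# Constructed demo: the guide's config vs. a world-readable, wide-open variant.
AUDIT_TMP=$(mktemp -d)
GOOD_CONF="$AUDIT_TMP/good.conf"; BAD_CONF="$AUDIT_TMP/bad.conf"
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = bazboutey.local
services = nss, pam
[domain/bazboutey.local]
id_provider = ad
default_shell = /bin/bash
access_provider = simple
simple_allow_groups = domain users
# simple_allow_users = administrator   (commented out, so ignored)
EOF
sed -e 's/^access_provider.*/access_provider = permit/' "$GOOD_CONF" > "$BAD_CONF"
chmod 600 "$GOOD_CONF"; chmod 644 "$BAD_CONF"
sssd_audit "$GOOD_CONF" && echo "good.conf: OK"
sssd_audit "$BAD_CONF" || echo "bad.conf: rejected"
```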

✅ Final Result

You now have:

  • ✅ Ubuntu joined to Active Directory

  • ✅ SSH login for AD users

  • ✅ Automatic home directory creation

  • ✅ PAM + SSSD + Kerberos integrated securely
