Active Directory Integration

Joining Ubuntu servers to a Windows Active Directory domain allows AD user accounts to log into Ubuntu systems using their Windows credentials. This is essential in enterprises where Active Directory is the identity provider for all systems. SSSD (System Security Services Daemon) is the modern, recommended way to integrate Ubuntu with Active Directory — it replaces older tools like Winbind and provides better performance, caching, and sudo integration.

Integration overview

Ubuntu + Active Directory integration:

  Active Directory Domain: EXAMPLE.COM
  Domain Controller: dc01.example.com (192.168.1.5)

  Ubuntu Server:
    Kerberos   → authenticates against AD (kinit)
    SSSD       → handles user lookup and authentication
    PAM        → pluggable authentication module layer
    NSS        → maps AD users to Linux UIDs/GIDs

  AD user irfan@EXAMPLE.COM logs into Ubuntu:
    1. SSH request → PAM → SSSD
    2. SSSD queries AD via LDAP/Kerberos
    3. AD validates credentials
    4. SSSD maps AD user to Linux identity (UID auto-generated)
    5. Login succeeds, home directory created

SSSD configuration

# Install required packages:
sudo apt update
sudo apt install -y sssd sssd-ad sssd-tools realmd adcli packagekit

# Verify the AD domain is reachable:
realm discover EXAMPLE.COM

realm discover output

EXAMPLE.COM
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: adcli
  required-package: realmd

Joining Ubuntu to an AD domain

# Join the domain (requires AD admin credentials):
sudo realm join --user=Administrator EXAMPLE.COM

realm join output

Password for Administrator:
# Success = no output (silent on success)
# Failure shows: "realm: Couldn't join realm: ..."

# Verify domain join:
realm list

realm list output

EXAMPLE.COM
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  login-formats: %U@EXAMPLE.COM
  login-policy: allow-realm-logins

# Configure SSSD for better behavior:
sudo nano /etc/sssd/sssd.conf

/etc/sssd/sssd.conf — recommended settings

[sssd]
domains = EXAMPLE.COM
services = nss, pam
config_file_version = 2

[domain/EXAMPLE.COM]
default_shell = /bin/bash
ad_domain = EXAMPLE.COM
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
# Comments must sit on their own line: sssd.conf does not support trailing comments.
# Allow offline login:
cache_credentials = True
id_provider = ad
# Home directory path, e.g. /home/irfan@EXAMPLE.COM:
fallback_homedir = /home/%u@%d
# Login as "irfan" not "irfan@EXAMPLE.COM":
use_fully_qualified_names = False

# Create home directory on first login:
sudo bash -c 'echo "session required pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session'

sudo systemctl restart sssd

# Test AD user lookup:
id irfan@EXAMPLE.COM
# uid=1234567890(irfan@example.com) gid=1234567891(domain users@example.com)
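
sssd.conf is parsed as an INI file in which `#` starts a comment only at the beginning of a line, and SSSD expects the file to be accessible by its owner only. The following is an added example, not part of the original article, that checks both before sssd is restarted; `lint_sssd_conf` is a hypothetical helper name and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-restart lint for sssd.conf.
# lint_sssd_conf is a hypothetical helper, not part of SSSD or realmd.

lint_sssd_conf() {
    local conf="$1" problems=0 lineno=0 mode line value
    [ -f "$conf" ] || { echo "ERROR: $conf not found"; return 2; }

    # The file may hold secrets; SSSD expects owner-only access (mode 600).
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "MODE: $conf is $mode, expected 600"
        problems=$((problems + 1))
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line="${line#"${line%%[![:space:]]*}"}"      # strip leading whitespace
        case "$line" in
            ''|'#'*|';'*|'['*) continue ;;           # blank, comment, section
            *=*) value="${line#*=}" ;;
            *) continue ;;
        esac
        # '#' after the '=' is not a comment: it becomes part of the value.
        case "$value" in
            *[[:space:]]'#'*)
                echo "INLINE-COMMENT: line $lineno: $line"
                problems=$((problems + 1)) ;;
        esac
    done < "$conf"

    [ "$problems" -eq 0 ]
}

# Constructed sample input, checked offline.
sample=$(mktemp)
printf '%s\n' '[domain/EXAMPLE.COM]' 'id_provider = ad' \
    'cache_credentials = True          # Allow offline login' > "$sample"
chmod 600 "$sample"
lint_sssd_conf "$sample" || echo "fix the lines above before restarting sssd"
rm -f "$sample"
```

On a joined host, run it as `sudo bash -c '. ./lint.sh; lint_sssd_conf /etc/sssd/sssd.conf'` (the script file name is an assumption) and restart sssd only when it returns 0.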

Sudo access via AD groups

# Grant sudo to an AD group (visudo checks the syntax before saving,
# so a typo cannot break sudo for everyone):
sudo visudo -f /etc/sudoers.d/ad-sysadmins

/etc/sudoers.d/ad-sysadmins

# Grant sudo to members of AD group "Linux Admins":
%linux\ admins@example.com  ALL=(ALL:ALL) ALL

# Or use SSSD-based sudo provider (query AD for sudo rules):
# Add to /etc/sssd/sssd.conf:
# sudo_provider = ad

# Restrict access to only specific AD groups:
sudo realm deny --all
sudo realm permit -g "Linux Admins"

Conclusion

Set use_fully_qualified_names = False in sssd.conf only if all usernames in your AD domain are unique without the domain suffix. If you have users with the same username in multiple domains, keep it True to avoid ambiguity. The cache_credentials = True option is valuable for laptops or servers that may lose connectivity to the domain controller — it allows the last-used credentials to work for a configurable offline period.

FAQ

Is Active Directory Integration important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
