Add Ubuntu 16.04 to Windows AD domain
To add an Ubuntu 16.04 machine to a Windows AD domain, use the following steps:
- Edit /etc/hosts so that the FQDN, including the domain name, is the first hostname listed against 127.0.0.1
- Restart the machine
- Verify that the new hostname is in effect using the hostname command
- Set up the correct search domain in /etc/resolv.conf using "search <domain>"
- Disable dnsmasq in NetworkManager by commenting out "dns=dnsmasq" in /etc/NetworkManager/NetworkManager.conf
- Then use:
  - systemctl restart network-manager.service
- The DNS servers set via network-manager or sent by DHCP should then be visible in the /etc/resolv.conf file
- Verify that the SRV records for the domain are accessible
  - dig -t SRV _ldap._tcp.<domain> | grep -A2 "ANSWER SECTION"
- Set up ntp to synchronize time with the AD server
  - sudo apt -y install ntp
  - Edit /etc/ntp.conf. Comment out the Ubuntu ntp servers and add the domain DC as the ntp server using:
    - server <domain-controller> iburst prefer
  - sudo systemctl restart ntp.service
  - Verify that ntp is working properly by using "ntpq -p"
  - sudo apt -y install ntpstat
  - Run "ntpstat" to verify that syncing is working correctly
- Install the required packages
  - sudo apt -y install realmd sssd adcli libwbclient-sssd krb5-user sssd-tools samba-common packagekit samba-common-bin samba-libs
  - Enter the domain name during package installation.
- Edit /etc/realmd.conf so that it has the following (the [bce.com] section is named after the AD domain being joined):
  - [active-directory]
  - os-name = Ubuntu Linux
  - os-version = 16.04
  - [service]
  - automatic-install = yes
  - [users]
  - default-home = /home/%u
  - default-shell = /bin/bash
  - [bce.com]
  - user-principal = yes
  - fully-qualified-names = no
- Use "realm discover" to discover the AD domain
- Create a Kerberos ticket to be used later for joining the domain
  - kinit -V <ad-username>
  - Here <ad-username> is an account which has privileges to join a machine to the domain. We can always use administrator, if access to the administrator account is available.
- Join the domain using:
  - sudo realm --verbose join -U <ad-username> <domain>
- Test whether the Ubuntu machine joined the AD domain successfully using:
  - id <ad-username>
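
The file edits from the steps above can be checked before running the join, because the Kerberos-based join depends on working DNS and synchronized clocks. This is an added example, not part of the original notes: the function names, the ROOT variable and the sample values example.test and dc1.example.test are assumptions made for illustration.

```bash
# Added example: pre-join checks. ROOT="" is the live system, or a copy of /etc.
ROOT="${ROOT:-}"

# /etc/hosts: first hostname against 127.0.0.1 must be an FQDN in the domain.
check_hosts() {        # $1 = AD domain
    awk -v d="$1" '$1 == "127.0.0.1" { first = tolower($2); exit }
        END { n = length(first) - length(d)
              exit !(n > 1 && substr(first, n) == "." tolower(d)) }' "$ROOT/etc/hosts"
}

# /etc/resolv.conf: the domain must appear on the "search" line.
check_search() {       # $1 = AD domain
    awk -v d="$1" '$1 == "search" { for (i = 2; i <= NF; i++)
                                      if (tolower($i) == tolower(d)) ok = 1 }
        END { exit !ok }' "$ROOT/etc/resolv.conf"
}

# NetworkManager.conf: "dns=dnsmasq" must be commented out.
check_dnsmasq_off() {
    ! grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' \
        "$ROOT/etc/NetworkManager/NetworkManager.conf"
}

# /etc/ntp.conf: the domain controller is the only active server/pool entry.
check_ntp() {          # $1 = domain controller
    awk -v dc="$1" '$1 == "server" || $1 == "pool" {
            if (tolower($2) == tolower(dc)) ok = 1; else other = 1 }
        END { exit !(ok && !other) }' "$ROOT/etc/ntp.conf"
}

# Run all checks, print one line per check, return the number that failed.
prejoin_check() {      # $1 = AD domain, $2 = domain controller
    failed=0
    for c in "check_hosts $1" "check_search $1" check_dnsmasq_off "check_ntp $2"; do
        if $c; then echo "ok    $c"; else echo "FAIL  $c"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

# Constructed sample tree (example.test, dc1.example.test) so this runs offline.
demo() {
    ROOT=$(mktemp -d) && mkdir -p "$ROOT/etc/NetworkManager" || return 1
    echo '127.0.0.1 ubuntu1.example.test ubuntu1 localhost' > "$ROOT/etc/hosts"
    printf 'nameserver 192.0.2.10\nsearch example.test\n' > "$ROOT/etc/resolv.conf"
    printf '[main]\n#dns=dnsmasq\n' > "$ROOT/etc/NetworkManager/NetworkManager.conf"
    printf 'server dc1.example.test iburst prefer\n' > "$ROOT/etc/ntp.conf"
    prejoin_check example.test dc1.example.test
}
if [ "$#" -eq 2 ]; then prejoin_check "$1" "$2"; fi
```

Run it with the domain and the domain controller as the two arguments to check the live files, or call demo to see it pass on the constructed sample.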
Refer: