Linux on Active Directory

I remember a decade or so ago when Microsoft tried to reach out to the Open Source community and get them to give their products and environments a chance. ‘Microsoft loves Linux!’ was the slogan, with a big heart in there. I remember joking with some of my colleagues that they really did not, but that is a story for another day.

Once upon a time, our end users used what we told them to use. If we bought a particular desktop or laptop model with a particular operating system then that is what the employees had to use. In 2015 I wrote an article which was only published a year later called BYOD: A Fairy Tale. It shows how our office environments went from the dictated IT systems of the past to where we are today, or at least where we were in 2015. Since the onset of the COVID-19 pandemic we have gone much further down that rabbit hole to the point where today users can pick not only the make and model of their PC, but even the operating system that it runs. It will not be uncommon to do a walkthrough of an organization’s IT systems and find Windows PCs alongside Apple Mac and even Linux operating systems.

In order to support Linux in the workplace, the first step is to have those machines join the Active Directory infrastructure so that users can log in with the same account they use for email and cloud services. This article shows how to join a desktop running Ubuntu Linux 22.10 to Active Directory. The tools I use are realmd (which discovers the domain and performs the join) and sssd, the System Security Services Daemon (which handles identity lookups and authentication once the machine is joined).

While the commands I share are generic, the screen captures are showing how I joined a computer to my demo tenant, Behike.ca.

The first thing to keep straight as we go through this process is what is case-sensitive and what is not. DNS domain names are not, but Kerberos realm names are, and so are Linux user names and file paths. realmd handles this for you (it writes the DNS domain in lower case and the Kerberos realm in upper case, for example behike.ca and BEHIKE.CA), but if you ever hand-edit sssd.conf or krb5.conf, or type a realm into kinit, you have to match that case exactly.

Let’s start.

Before we do anything, we need to make sure that the proper firewall ports are open between your client and the domain controllers (all of them that the client can be pointed at, not just one, because sssd fails over). The ports that we need are:

Service           Port(s)      Protocol
DNS               53           TCP and UDP
Kerberos          88           TCP and UDP
NTP               123          UDP
LDAP              389          TCP and UDP (UDP carries only the CLDAP "LDAP ping" used to locate DCs)
SMB               445          TCP
Kerberos kpasswd  464          TCP and UDP
LDAPS             636          TCP (only if you turn on LDAP over TLS; sssd's default is Kerberos-signed and sealed LDAP on 389)
Global Catalog    3268, 3269   TCP (sssd queries the GC by default, ad_enable_gc = True; 3269 is the TLS variant)

In order to check this in Linux, we will use the following two commands (the command is nc, in lower case; -w 3 gives up on a port after three seconds instead of hanging):

nc -z -v -w 3 <Domain Controller IP Address> 53 88 389 445 464 636 3268 3269

nc -z -v -u <Domain Controller IP Address> 53 88 123 389 464

[screen capture: nc reporting each port as succeeded]

You want to make sure that these all succeeded, and if not, you will have to take extra steps to open the ports. Treat the TCP results as the real answer: nc cannot complete a "connection" over UDP, so the second command only reports a failure when the DC answers with an ICMP port-unreachable, and a firewall that silently drops packets will look open. If Kerberos over UDP is in fact blocked you will see it later as slow logins, because the client has to time out before it falls back to TCP.

Next we are going to check our hostname. It should come back as the fully qualified name the machine will have in the domain (for example ubuntu-desktop.behike.ca); realmd takes the computer account name from the short part, and Active Directory will show that name in upper case regardless of how it is typed here. If the command returns only the short name, fix /etc/hostname and /etc/hosts before joining.

hostname -f

We are also going to check that our time sync is in order, because Kerberos rejects tickets when the client clock is more than five minutes off the domain controller's clock. Look for "System clock synchronized: yes" and "NTP service: active" in the output of:

timedatectl status

If it is not synchronized, sudo timedatectl set-ntp true turns on systemd-timesyncd; pointing it at the domain controllers, which are the domain's own time source, is the cleanest option.
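The three pre-flight checks above (ports, hostname, clock) are easy to forget on the fifth machine, so here they are as one script. This is an added example for this article, not the author's script and not part of realmd or sssd. DOMAIN, DC_HOST and the file name preflight.sh are assumptions; set the first two for your own domain.

```shell
#!/bin/sh
# preflight.sh (assumed name): pre-join checks for an Ubuntu client.
# Added example for this article, not the author's script.
# DOMAIN and DC_HOST are placeholders; override them in the environment.
DOMAIN="${DOMAIN:-behike.ca}"
DC_HOST="${DC_HOST:-dc01.behike.ca}"   # assumption: any one domain controller

# TCP ports realmd/adcli/sssd talk to: DNS, Kerberos, LDAP, SMB, kpasswd,
# LDAPS and the Global Catalog. 53/88/389/464 also have a UDP side, but a
# connect-style probe cannot prove a UDP port is open, so only TCP is probed.
TCP_PORTS="53 88 389 445 464 636 3268 3269"

# check_resolves NAME -> 0 if the libc resolver (DNS or /etc/hosts) knows NAME.
check_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# check_tcp HOST PORT -> 0 if a TCP connection succeeds within 3 s, else 1.
# Uses nc when present (netcat-openbsd on Ubuntu), otherwise bash's /dev/tcp.
check_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# check_fqdn NAME -> 0 if NAME is a fully qualified host name inside DOMAIN.
# Compared case-insensitively, because DNS names are not case-sensitive.
check_fqdn() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dom=$(printf '%s' "$DOMAIN" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        *."$dom") return 0 ;;   # e.g. ubuntu-01.behike.ca
        *)        return 1 ;;   # short name, or a host in some other domain
    esac
}

# clock_synced TIMEDATECTL_OUTPUT -> 0 when the text of "timedatectl status"
# says "System clock synchronized: yes". Kerberos refuses tickets when the
# client is more than 5 minutes (the default clockskew) off the DC's clock.
clock_synced() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*System clock synchronized:[[:space:]]*yes'
}

# run_preflight -> prints one line per check; returns the number of failures.
run_preflight() {
    fails=0
    if check_resolves "$DC_HOST"; then echo "ok    $DC_HOST resolves"
    else echo "FAIL  $DC_HOST does not resolve (check /etc/resolv.conf points at a DC)"; fails=$((fails + 1)); fi
    for p in $TCP_PORTS; do
        if check_tcp "$DC_HOST" "$p"; then echo "ok    tcp/$p on $DC_HOST"
        else echo "FAIL  tcp/$p on $DC_HOST"; fails=$((fails + 1)); fi
    done
    if check_fqdn "$(hostname -f 2>/dev/null)"; then echo "ok    hostname -f is an FQDN in $DOMAIN"
    else echo "FAIL  hostname -f is not an FQDN in $DOMAIN (fix /etc/hostname and /etc/hosts)"; fails=$((fails + 1)); fi
    if clock_synced "$(timedatectl status 2>/dev/null)"; then echo "ok    system clock is NTP-synchronized"
    else echo "FAIL  system clock is not synchronized (sudo timedatectl set-ntp true)"; fails=$((fails + 1)); fi
    return $fails
}

# Only run the checks when invoked as "sh preflight.sh --run", so the file can
# also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_preflight
fi
```

Run it as sh preflight.sh --run; a non-zero exit status means at least one check failed, so it drops straight into a provisioning pipeline. The UDP ports are deliberately not probed: a connect scan cannot tell an open UDP port from a firewall that drops packets, so a "pass" there would be worthless.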

Before we download the necessary components from the web, we are going to update the repository indices. Remember, in Linux, any command that requires administrative (root) permissions is run with the prefix sudo.

sudo apt update

(you will be required to enter your password)

Now we will install the packages we need: sssd with its AD provider, the sssd tools, realmd and adcli:

sudo apt install sssd-ad sssd-tools realmd adcli

(When you are prompted, press Y to continue)

Once that is done, we can discover the realm. Realm is the Kerberos term: for an AD domain the Kerberos realm is the DNS domain name in upper case, and realm discover prints both:

realm discover <domain name>

[screen capture: realm discover output for Behike.ca]

The output lists the type (kerberos), the realm-name in upper case (the Kerberos realm), the domain-name in lower case (the DNS domain), and the packages realmd needs. The line that matters is configured: no, which tells you the machine has not already been joined; if it says kerberos-member, it already is.

Now we can join the realm! The name you pass here is the DNS domain, so its case does not matter; realmd writes the Kerberos realm in upper case for you. In the screen capture the domain-name is Behike.ca, so that is what I use.

sudo realm join <domain name>

By default you are prompted for the password of the domain Administrator account (in my case, Administrator@Behike.ca). Do not make that a habit: a Domain Admin password typed on a workstation is exactly the credential an attacker on that workstation wants. Instead, create a dedicated join account whose only delegated right is to create computer objects in one OU, pass it with -U (or --user=) followed by the username, and add --computer-ou=<distinguished name of the OU> so the computer object lands where you want it rather than in the default Computers container. The join itself is performed by adcli, which we installed above, so no Samba components are needed for this step.

realmd will have created a configuration file. Verify that it is there, that you recognize the information (your domain in lower case, your realm in upper case, id_provider = ad), and that it is owned by root with mode 0600; sssd refuses to start if the file is readable by anyone else. Use the following command:

sudo cat /etc/sssd/sssd.conf

[screen capture: /etc/sssd/sssd.conf as written by realmd]
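Reading the file by eye is fine once; here is a small audit, added for this article (not the author's script and not part of sssd or realmd), that reads the file realmd wrote and flags the settings that decide who can log in. It assumes the layout realmd produces ([sssd] with a domains = line, then one [domain/<name>] section) and a file name of sssd-audit.sh. Besides the file mode and the case of krb5_realm, it looks at access_provider: realmd's default, access_provider = ad, lets any domain user log in unless a logon-rights GPO says otherwise, and realm permit -g <AD group> changes it to access_provider = simple with a simple_allow_groups list, which is what most shops want on a workstation. A simple provider with no allow list at all also lets everyone in, and the audit says so.

```shell
#!/bin/sh
# sssd-audit.sh (assumed name): flag login-policy problems in sssd.conf.
# Added example for this article, not the author's script and not part of sssd.

# sssd_get FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing.
# Minimal INI reader: skips comments, trims whitespace, first match wins.
sssd_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { hdr = $0; gsub(/[ \t]/, "", hdr); in_sec = (hdr == ("[" sec "]")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# audit_sssd FILE -> prints one finding per line; returns the number of findings
# (0 means nothing to fix).
audit_sssd() {
    f="$1"; n=0
    domain=$(sssd_get "$f" sssd domains | cut -d, -f1 | tr -d ' ')
    sec="domain/$domain"

    # sssd refuses to start unless sssd.conf is root-owned and mode 0600.
    mode=$(stat -c '%a' "$f" 2>/dev/null)
    case "$mode" in
        600|"") ;;   # "" means stat is unavailable, so we cannot judge
        *) echo "mode $mode on $f: must be 0600 (chmod 600) or sssd will not start"; n=$((n + 1)) ;;
    esac

    # Kerberos realm names are case-sensitive; realmd writes them in upper case.
    realm=$(sssd_get "$f" "$sec" krb5_realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "krb5_realm is unset in [$sec]"; n=$((n + 1))
    elif [ "$realm" != "$upper" ]; then
        echo "krb5_realm '$realm' is not upper case; expected '$upper'"; n=$((n + 1))
    fi

    # Who may log in. Unset access_provider means "permit": every domain user.
    ap=$(sssd_get "$f" "$sec" access_provider)
    case "$ap" in
        ad)
            gpo=$(sssd_get "$f" "$sec" ad_gpo_access_control)
            case "$gpo" in
                permissive|disabled)
                    echo "access_provider=ad with ad_gpo_access_control=$gpo: logon-rights GPOs are not enforced"; n=$((n + 1)) ;;
            esac ;;
        simple)
            if [ -z "$(sssd_get "$f" "$sec" simple_allow_users)" ] &&
               [ -z "$(sssd_get "$f" "$sec" simple_allow_groups)" ]; then
                echo "access_provider=simple with no simple_allow_users/groups: every domain user may log in"; n=$((n + 1))
            fi ;;
        ""|permit)
            echo "access_provider='${ap:-permit}': no access control, every domain user may log in"; n=$((n + 1)) ;;
        *)
            echo "access_provider='$ap' is neither ad nor simple: review who it lets in"; n=$((n + 1)) ;;
    esac

    # Short AD names collide with local accounts; keep the user@domain form.
    fq=$(sssd_get "$f" "$sec" use_fully_qualified_names | tr '[:upper:]' '[:lower:]')
    if [ "$fq" != "true" ]; then
        echo "use_fully_qualified_names is '${fq:-unset}', not True"; n=$((n + 1))
    fi
    return $n
}

# sh sssd-audit.sh --run [FILE]; the default file is 0600, so run it with sudo.
if [ "${1:-}" = "--run" ]; then
    audit_sssd "${2:-/etc/sssd/sssd.conf}"
fi
```

After realm permit -g 'Linux Admins' the audit goes quiet because the simple provider now has a group list; realm list shows the same thing under login-policy and permitted-groups.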

Now we will set up PAM to create a home directory the first time a domain user logs in (the path comes from fallback_homedir in sssd.conf, which realmd sets to /home/%u@%d):

sudo pam-auth-update --enable mkhomedir

Great! Now let’s reboot our Linux machine.

While we are waiting for that, you can check your Active Directory to confirm that the computer account for the system has been created. On either your domain controller (if you think that domain controllers should have GUIs), or on a jump box on which your AD tools are installed, navigate to your domain > Computers. You should see the new system there, with its name in upper case; if you joined with --computer-ou it will be in that OU instead of the default Computers container.

[screen capture: the new computer account under Computers in the AD tools]

Let’s go back to our Linux machine so that we can verify that our domain users can be resolved (id username@domainname.xyz does the same and also lists the user’s AD groups):

getent passwd username@domainname.xyz

[screen capture: getent passwd output for a domain user]

You will notice as well that I am still not logged on to the computer with my domain account. This might still take a few minutes. While we wait, an optional step: if you also want Samba’s net and testparm tools on this box, the Ubuntu package is samba-common-bin (samba-common-tools is the Fedora and RHEL package name, and apt will not find it). Nothing in the login path depends on it; the join was done by adcli and logins go through sssd.

sudo apt install samba-common-bin

Once that is done, you should be able to log off and log in with your domain account. From the login screen (which lists your local user name) click Not Listed? and you will be prompted for a user name; enter it in the full user@domain form, which is what use_fully_qualified_names = True in sssd.conf requires. Case does not matter here: sssd’s AD provider matches user names case-insensitively (case_sensitive defaults to False for it), so jsmith@behike.ca and JSmith@Behike.ca are the same account.

[screen capture: the login screen with the domain user name entered]

Note that I am now logged on with my domain account, which I see when I open a Terminal window.

[screen capture: terminal prompt showing the domain user]

I also see that it has created a home directory for me, including my very own desktop, documents, downloads, music, pictures, public, snap, templates, and videos sub-directories.

I can now either use the included LibreOffice Writer to create my documents, or (more likely) open Firefox and use my online Microsoft 365 apps… just like I would on a PC that did not have the local apps installed.

[screen capture: Microsoft 365 open in Firefox]

Conclusion

I am not advocating that people abandon Microsoft Windows. I have been a loyal user of that platform for more than thirty years, and I believe that for most productivity workers it is the best tool for the job.

As I started to write this article I tried to enumerate some of the reasons why users (or companies) might opt to pick Linux for their desktops in place of Microsoft Windows, and the only reason I could come up with that makes any sense is money. There is no question that if Linux is free and Windows costs money then there might be a real cost savings to be had. In truth, most of my friends who do use Linux as their primary desktops do so for religious reasons – they dislike Microsoft on spec. There are other reasons, of course… but that is the main one for most of them.

When I was with Microsoft Canada as a contractor, my job title was Virtual Technology Evangelist. I always laughed at that title because of the religious connotations. Now when people tell me that they prefer this or that over Windows, my usual answer is that I do not care. It is no longer my job to proselytize for Microsoft, and if you prefer something else then use it. I prefer Windows for most things, but I also recognize that for some of the training that I deliver (around security and networking) I have to use Linux for some of the tools I need… and different distros of it as well.

When I was still with Microsoft the internal joke was that we had to know a little bit of other environments because we needed to know the enemy. I no longer drink the Kool-Aid, and I no longer see other platforms as the enemy. I also know that whatever a user might prefer on the desktop, there is no debating the dominance of Active Directory in the enterprise. Allowing our users to use the same account on whatever platform they prefer is a simple step to take to make their jobs a little bit easier.
