There are quite a few guides lying around the internet for getting Ubuntu 16.04 working with Active Directory. I followed a few of them and always ended up with problems: I could `su -` to the user but could not ssh in, or I could `su -` to the user and ssh as the user but could not connect via RDP or log in locally through X11. I searched all over the place for solutions, but nothing worked. Finally, after trial and error, I found a combination of settings that got everything working.

Since working in a mixed Windows / Linux environment is never particularly fun, I thought I would document my process to save others from having to figure this out from scratch. So here is my guide to getting everything working with RealmD and SSSD. An example Active Directory domain of my.domain.com is used in everything below. This guide is pretty close to others you'll find, but there are a few key differences, the primary ones being in the SSSD configuration.

Install Required Packages

You'll be prompted for some Kerberos authentication configuration during the install; just enter your AD domain (the Kerberos realm) and domain controllers in all caps, i.e. MY.DOMAIN.COM

Configure ntp
Next you'll need to make sure your Ubuntu server's time is in sync with the Active Directory servers, since Kerberos rejects tickets when the clocks drift too far apart. For that, edit your /etc/ntp.conf file, comment out the existing server lines, and add your domain controllers by either FQDN or IP.

Restart your ntp service:

Configure RealmD

Next, we’ll need to configure RealmD. Create the /etc/realmd.conf file with the following contents:

Kerberos Configuration

A slight change is needed in the /etc/krb5.conf file. At the top of the file, make the following change:

Join Ubuntu to Domain

Auto creation of user home directories

Add the following line to the end of /etc/pam.d/common-session so that a home directory is created on a user's first login:

Edit X11 Config

Personally I did not need to do this, because I did not need local logins via X11. But I had posted a question about RDP logins via Active Directory which I answered myself. Another user responded that my changes worked, but he had to make the following additional change for X11 logins.

Edit /etc/X11/Xwrapper.config and change to allowed_users=anybody

Configure SSSD

RealmD comes pretty close to setting up the sssd.conf file properly, but a few changes are needed to be able to log in via SSH and RDP. Edit the /etc/sssd/sssd.conf file so it looks like this:

The key changes I had to make:

  1. Changing access_provider from simple to ad. Without this I could not ssh in.
  2. Adding ad_gpo_access_control = permissive. Without this I could not connect via RDP.

Restart your sssd service:

At this point, using your Active Directory user, you should be able to SSH into your Ubuntu server, RDP into your desktop environment, or do a local X11 login.
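To check an existing sssd.conf for the two key changes above, and to apply them, here is a small audit/patch helper I wrote for this post (added example, not part of the original guide or of SSSD itself). The sample config embedded below is constructed to resemble what realm join writes before the edits; the function names are my own.

```python
import configparser
import io

# Constructed sample: roughly what realm join produces before this post's edits.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
cache_credentials = True
id_provider = ad
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_users = alice@my.domain.com
"""

# The two settings this post found necessary for SSH and RDP logins.
# Note: "permissive" makes SSSD evaluate GPO logon rights but only log
# denials instead of enforcing them, so login restrictions must then come
# from SSSD's own access options.
REQUIRED = {"access_provider": "ad", "ad_gpo_access_control": "permissive"}

def load_sssd_conf(text):
    # sssd.conf is INI-style; disable interpolation so %u/%d survive untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp

def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]

def audit_sssd_conf(text):
    """Return {section: [issue, ...]} for every [domain/...] section."""
    findings = {}
    cp = load_sssd_conf(text)
    for sec in domain_sections(cp):
        issues = []
        for key, want in REQUIRED.items():
            have = cp.get(sec, key, fallback=None)
            if have is None:
                issues.append(f"{key} missing (want {want})")
            elif have.strip().lower() != want:
                issues.append(f"{key} = {have} (want {want})")
        findings[sec] = issues
    return findings

def patch_sssd_conf(text):
    """Return the config text with both settings applied to each domain section."""
    cp = load_sssd_conf(text)
    for sec in domain_sections(cp):
        for key, want in REQUIRED.items():
            cp.set(sec, key, want)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run audit_sssd_conf on the contents of /etc/sssd/sssd.conf before and after editing; an empty issue list for your domain section means both changes are in place.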

nsswitch.conf

With the default SSSD configuration, every time a user executes a sudo action it will generate an email to your root account with the following contents:

This isn't really an error, it's just noise, since sssd does not support sudo rules for local users. It's an easy fix to stop this: just edit your /etc/nsswitch.conf file and find this line:

and change it to:

Allowing/Restricting logins

If you want to restrict or allow access to only certain users or groups, you can modify the /etc/sssd/sssd.conf file and, in the [domain/my.domain.com] section, use any of these options: