The next step to finish off my client machine setup is to add my Linux machine to the domain. I am going to join Ubuntu to Active Directory so I can use the domain accounts to authenticate and log in. Once joined, I log in with my admin account to test. The first step is to prepare the client machine by setting the hostname and changing DHCP settings.
Preparing the Ubuntu Machine
Prerequisite: Creating a Domain: Installing Active Directory on Server Core
The first thing I need to do is change my Ubuntu machine’s hostname to a fully qualified domain name (FQDN). I used the command below to fix my machine’s hostname and then the next command to check it.
$ sudo hostnamectl set-hostname ubuntudesk1.corp.globomantics.local
$ hostnamectl
Now that my hostname is fixed, the next step is to configure the DNS domain and set it to the internal Active Directory domain. You can make this change by adding the line to resolv.conf, but since I am using DHCP, I set the search domain on my firewall, which is my DHCP server. Both options are shown below.
Now I check the status using resolvectl status to make sure the changes took effect.
Now that the networking is set up correctly, the next step on my client is to install the necessary packages. I used the apt command below to install everything I needed.
$ sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
Now I am ready for the next step which is actually joining the Ubuntu client to the domain.
Join Ubuntu to Active Directory
Joining Ubuntu to Active Directory is a multi-step process where I will use the terminal. The actual domain join is a single command, but after that I am going to take some additional steps to set up the users. The first step is to use realm to discover and then join the domain. Realm discover is used to obtain information about the domain and also list the required packages to connect, which I installed already in the previous step.
$ sudo realm discover corp.globomantics.local
Since all packages were already installed, I can use realm join to join the domain, and then realm list to confirm.
$ sudo realm join -U Administrator corp.globomantics.local
$ realm list
Now I need to set up home directories, which I can do using pam_mkhomedir. I first used nano to edit mkhomedir in /usr/share/pam-configs. Following the man page, I decided to stick with the default umask and skeleton directory settings.
Next I entered the command below to update and set the options shown in the image. Then I restarted sssd after pam-auth-update. After that, I set realm to enable everyone to log in.
$ sudo pam-auth-update
$ sudo systemctl restart sssd
$ sudo realm permit --all
Once everyone is configured to log in, the next step is to give the admins on my domain admin privileges on the Ubuntu machine. I set this in the sudoers file for the admin accounts in the image below.
Now that everything is set up, I should be able to log in with a domain account, and if it is an admin account then sudo should work.
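A check that can follow the realm list and realm permit --all steps above, as an added example that is not part of the original post: it reads realm list output and reports whether the machine is a domain member and which login policy is in force. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the text printed by `realm list` after a domain join.
# Function names and the sample output are constructed for illustration.

# Constructed sample of `realm list` output after `realm permit --all`.
SAMPLE_REALM_LIST=$(cat <<'EOF'
corp.globomantics.local
  type: kerberos
  realm-name: CORP.GLOBOMANTICS.LOCAL
  domain-name: corp.globomantics.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@corp.globomantics.local
  login-policy: allow-realm-logins
EOF
)

# Print the value of one "key: value" field read from stdin.
realm_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Read `realm list` output on stdin; $1 is the expected domain.
# Exit status: 0 = joined with restricted logins, 1 = warning, 2 = not joined.
# The body is a subshell, so its variables do not leak into the caller.
audit_realm() (
    out=$(cat); rc=0
    printf '%s\n' "$out" | grep -qxF "$1" || { echo "FAIL: $1 is not listed"; exit 2; }
    configured=$(printf '%s\n' "$out" | realm_field configured)
    client=$(printf '%s\n' "$out" | realm_field client-software)
    policy=$(printf '%s\n' "$out" | realm_field login-policy)
    [ "$configured" = "kerberos-member" ] || { echo "FAIL: configured=$configured"; exit 2; }
    [ "$client" = "sssd" ] || { echo "WARN: client-software=$client, expected sssd"; rc=1; }
    case "$policy" in
        allow-permitted-logins) echo "OK: logins limited to permitted users and groups" ;;
        allow-realm-logins) echo "WARN: every account in the domain may log in"; rc=1 ;;
        *) echo "WARN: login-policy is '$policy'"; rc=1 ;;
    esac
    exit "$rc"
)

# Demo on the constructed sample; on a joined host use:
#   sudo realm list | audit_realm corp.globomantics.local
printf '%s\n' "$SAMPLE_REALM_LIST" | audit_realm corp.globomantics.local || true
```

The allow-permitted-logins policy is what realm list reports when realm permit is given specific users or a group (for example with -g) instead of --all.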
Testing Domain Login and Admin Access
To test login, I will use SSH to access the Ubuntu machine from my Windows 10 admin machine. If everything is set up correctly, I should be able to SSH without specifying a login name from Windows 10 while logged in as BAdmin, and then enter a sudo command.
That’s it! My configuration is successful and I can log in to my Ubuntu machine using domain credentials. My client machines are all set up correctly and ready for testing. The next step in my process is to install and configure Security Onion, which is the topic for the next series of posts.