This proved to be a difficult task. I spent several hours scouring the internet for various bugs in this process to little avail. I’m going to summarize what I did to actually get this puppy up and running.
Started with a clean install of Ubuntu 14.04 LTS Server Edition. Pointed my DNS to my AD controller.
Installed realmd: apt-get install realmd
Installed sssd: apt-get install sssd
sssd fails to start because the package does not ship a config file, not even an empty one! Created /etc/sssd/sssd.conf and pasted in the following:
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
Updated permissions because realmd won’t write to the file unless it’s explicitly writable: chmod 0600 /etc/sssd/sssd.conf
PROBLEM STEP (see below): Join the realm: realm --verbose join localdomain.xx -U Administrator
It will prompt you for the password of the domain admin Administrator. Somewhere in the output you'll see a net join command reported as successful, but at the end the command will say it failed. It didn't actually fail: if /etc/sssd/sssd.conf now contains more than what you pasted in, the join worked.
In /etc/sssd/sssd.conf, comment out the line use_fully_qualified_names = True
I found that line in a bug report over on Red Hat or Fedora. I think it’s related to an upstream bug in the sssd/realmd software, and not so much Ubuntu.
Reboot your server. You should now be able to id a domain user as follows: id LOCALDOMAIN\\myuser
You can now su to a domain user: su myuser@localdomain
I hope you found this useful.
UPDATE: PROBLEM STEP
Unfortunately, some package dependency problems have been introduced since I originally wrote this article. After you try the problem step once, perform the following. This is intended as a temporary fix; hopefully the Ubuntu team will resolve this dependency issue:
Add the following to /etc/realmd.conf (the automatic-install key lives in the [service] section):
[service]
automatic-install = no
Next, install the following packages: apt-get install samba-common-bin samba-libs sssd-tools krb5-user adcli
During installation of krb5-user, it will prompt you for the default Kerberos realm. This should be your domain in all caps. Example: LOCALDOMAIN.XX
Now, go ahead and get a valid Kerberos ticket for your AD admin: kinit DomainAdmin@LOCALDOMAIN.XX
You should now be able to successfully join the domain using the --user-principal switch and the --unattended switch: realm --verbose join localdomain.xx --user-principal=myubuntuserver/DomainAdmin@LOCALDOMAIN.XX --unattended
After this command completes, you’ll know you were successful if the /etc/sssd/sssd.conf file is full of a bunch of stuff. Go back to where we left off above, and finish the rest of the steps.
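The sssd.conf handling above (bootstrap file at mode 0600, checking whether the "failed" join really wrote a domain section, commenting out use_fully_qualified_names, and the corrected --user-principal join) collected into a few shell helpers. This is an added example, not code from the original post or from the realmd/sssd projects: the config path is a parameter so the helpers can be exercised on a scratch file (on a real host you would pass /etc/sssd/sssd.conf), and the domain, realm, host and account names in join_domain are placeholder arguments, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the sssd.conf
# steps: all paths and names are parameters; nothing here touches /etc
# unless you pass it in.

# Create the minimal bootstrap sssd.conf from the post. The mode is set to
# 0600 before any content lands in the file: realmd will not write to it
# otherwise, and sssd refuses to start on a config readable by other users.
write_bootstrap_sssd_conf() {
    conf="$1"
    : > "$conf"
    chmod 0600 "$conf"
    cat > "$conf" <<'EOF'
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
EOF
}

# Print the file's permission bits in octal (GNU stat first, BSD fallback).
conf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True once realmd has written a [domain/...] section, which is the post's
# test for whether a join that reported failure actually succeeded.
join_wrote_domain_section() {
    grep -q '^\[domain/' "$1"
}

# Comment out use_fully_qualified_names in place. The edited text goes
# through a 0600 mktemp file and is copied back with cat, so the original
# inode and its 0600 mode survive (mv would replace the file).
disable_fqn() {
    conf="$1"
    tmp=$(mktemp)
    sed 's/^[[:space:]]*\(use_fully_qualified_names[[:space:]]*=.*\)$/# \1/' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# The corrected join sequence from the UPDATE section, with double dashes
# rather than the en-dashes the blog software substituted. Not run in this
# example: it needs a reachable AD controller. Arguments are placeholders.
join_domain() {
    domain="$1"      # e.g. localdomain.xx
    realm_name="$2"  # e.g. LOCALDOMAIN.XX (the Kerberos realm, upper case)
    host="$3"        # e.g. myubuntuserver
    admin="$4"       # e.g. DomainAdmin
    kinit "$admin@$realm_name" &&
    realm --verbose join "$domain" \
        --user-principal="$host/$admin@$realm_name" --unattended
}
```

Typical use on a real host: write_bootstrap_sssd_conf /etc/sssd/sssd.conf, run join_domain, then confirm with join_wrote_domain_section /etc/sssd/sssd.conf before calling disable_fqn on the same file and rebooting as the post describes.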