Here are all the steps needed to add your Linux Mint computer to a Windows Active Directory Domain. For more detail, and explanation, please read The Rest of the Story.
Restart your computer, and you should be able to log in using your Active Directory credentials.
Update 8/30/2019: see the optional, final steps at the end of this article.
The Rest of the Story
I work for a “Windows Shop”, or “.Net Shop”. Call it what you like, but it boils down to no Linux to be found. Fortunately, my work environment is flexible, so I decided to take on the challenge to put Linux only on my work laptop, and get it up and running.
Things like snaps have been extremely helpful in getting the software I need on my machine, and LibreOffice has come a long way. Everything else, like Office 365 for email, just needs a web browser. And in case I run into any edge cases, I do have Windows 10 on a VirtualBox image, but all that is outside of the scope of this article.
My very first step to tackle was Windows Active Directory Integration with a Linux machine; I needed to be able to use my Active Directory credentials to log into my Linux laptop.
Spoiler alert. I got it to work! :-) And I’m very excited to be able to use Linux at home and now at work!
Read on to see how I did it.
Steps Toward Awesome
First, I would like to give credit where credit is due. This article was extremely helpful in guiding me in getting everything set up.
Step 0: Install the Needed Packages
Open up your terminal, and enter the text below to get the needed packages installed.
The krb5-user package will prompt for the Active Directory “realm”, and you’ll want to enter your realm in all CAPS.
After I installed the packages, I went ahead and restarted my machine.
Step 1: Edit Your krb5.conf File
Start by opening krb5.conf:
sudo xed /etc/krb5.conf
You can replace the contents of the current file with the text below.
Note: Values inside the double brackets (i.e. [[value]]) need to be replaced with the correct values for your environment. Replace the value and also remove the double brackets (e.g. domain = [[my-domain.com]] -> domain = awesome.com).
[libdefaults]
    default_realm = [[YOUR-REALM.COM]] #YOUR-REALM.COM should be in CAPS
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    [[YOUR-REALM.COM]] = { #replace value, remove double brackets
        kdc = [[your-realm.com]]
        admin_server = [[your-realm.com]]
        master_kdc = [[your-realm.com]]
        default_domain = [[your-domain.com]] #my domain and realm were the same
    }

[domain_realm]
    .[[your-domain.com]] = [[YOUR-REALM.COM]] #YOUR-REALM.COM should be in CAPS
    [[your-domain.com]] = [[YOUR-REALM.COM]]

[logging]
    kdc = SYSLOG:INFO
    admin_server = FILE=/var/kadm5.log
To finish up this step, run:
sudo pam-auth-update
Step 2: Edit Your realmd.conf File
Now open up your realmd.conf file.
sudo xed /etc/realmd.conf
Copy and paste the text below into the file. You can of course replace the values for “os-name” and “os-version”.
[users]
default-home = /home/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = [[Linux Mint]] #you can put your Linux Distribution Name
os-version = [[20]] #you can put your Distribution Version

[service]
automatic-install = no

[my-domain.com] #replace my-domain.com, but KEEP the brackets on this one
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes
Step 3: Edit Your timesyncd.conf File
You should be used to editing files by now in this tutorial, so here we go again. Open up your terminal, and enter the text below.
sudo xed /etc/systemd/timesyncd.conf
All you need to do is change the “NTP” value to the address of your local Network Time Protocol (NTP) Server. You may have to ask your Network Administrator for the server address, and if you are the Network Administrator, I hope you know the address of your NTP Server ;-)
Now you’ll need to update your local network time. Your computer’s clock needs to be within five minutes of the Kerberos (authentication) server’s clock; if the clocks are further apart than that, you won’t be able to log in.
You’ll need to run the following commands in order to make sure your date and time are up-to-date.
Now you can check the status of your local date and time synchronization.
timedatectl status
And your results should be similar to the screenshot below.
Step 4: Test Your Credentials
Even though your computer may not be bound to the Active Directory yet, you can now test your login credentials to make sure everything is set up correctly so far.
Run the command below.
realm discover [[my-domain.com]]
Successful results should look similar to the output below.
You can now try to “test” your login credentials. Do that by running the commands below, and enter your Active Directory password when prompted.
kinit [[my-user-name]]
You can verify that your login attempt worked by running this next command.
klist
If that worked, your results should look similar to the screenshot below.
Be sure to destroy your Kerberos ticket when you’re done.
kdestroy
Step 5: Join the Active Directory Domain
Time to join your Active Directory domain. You’ll need a Network Administrator, or someone with a Network Admin username/password, in order to get your computer joined to the Active Directory realm.
Enter the text below into your terminal, and don’t forget to replace the values in the double brackets (along with the brackets).
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain my-domain.com --domain-realm MY-REALM.COM --domain-controller 10.1.1.14 --computer-ou OU=Computers,OU=SHORT-DOMAIN-NAME Headquarters,DC=domain-controller,DC=com --os-name Linux Mint --os-version 19.1 --login-type user --login-user network-admin-username --stdin-password --user-principal
* Using domain name: my-domain.com
* Calculated computer account name from fqdn: COMPUTER-NAME
* Using domain realm: my-domain.com
* Sending netlogon pings to domain controller: cldap://10.1.1.14
* Received NetLogon info from: SERVER.my-domain.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-xyzab-oFOwIT/krb5.d/adcli-krb5-conf-wCGqIO
* Authenticated as user: network-admin-username@MY-REALM.COM
* Looked up short domain name: SHORT-DOMAIN-NAME
* Using fully qualified name: computer-name
* Using domain name: my-domain.com
* Using computer account name: COMPUTER-NAME
* Using domain realm: my-domain.com
* Calculated computer account name from fqdn: COMPUTER-NAME
* With user principal: host/computer-name@MY-REALM.COM
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for COMPUTER-NAME$ at: CN=COMPUTER-NAME,OU=Computers,OU=SHORT-DOMAIN-NAME Headquarters,DC=my-domain,DC=com
* Set computer password
* Retrieved kvno '7' for computer account in directory: CN=COMPUTER-NAME,OU=Computers,OU=SHORT-DOMAIN-NAME Headquarters,DC=my-domain,DC=com
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
* Discovered which keytab salt to use
* Added the entries to the keytab: COMPUTER-NAME$@MY-REALM.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/COMPUTER-NAME@MY-REALM.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/COMPUTER-NAME@MY-REALM.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/computer-name@MY-REALM.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/COMPUTER-NAME@MY-REALM.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/computer-name@MY-REALM.COM: FILE:/etc/krb5.keytab
* /usr/sbin/update-rc.d sssd enable
* /usr/sbin/service sssd restart
* Successfully enrolled machine in realm
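The three things that most often break this procedure are a leftover [[placeholder]] in krb5.conf, a lower-case default_realm, and a clock more than five minutes off the KDC; after the join, the keytab at /etc/krb5.keytab holds the machine password and must stay readable only by root. The pre-flight script below is an added example written for this article (not the author's or realmd's code); file paths and the two epoch timestamps are parameters so it runs against constructed files, and it assumes GNU stat for the permission check.

```shell
#!/bin/sh
# Pre-flight checks for the krb5.conf, time-sync and keytab steps (constructed example).

# Fail if any [[placeholder]] from the template is still present in the file.
check_placeholders() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if grep -q '\[\[' "$1"; then
        echo "unreplaced [[...]] placeholder in $1" >&2
        return 1
    fi
    return 0
}

# default_realm must be all upper case: Kerberos realm names are case-sensitive.
check_realm_case() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || { echo "no default_realm in $1" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "default_realm '$realm' is not upper case" >&2; return 1; }
    return 0
}

# The KDC rejects requests when clocks differ by more than the default 300 s.
# Arguments: local clock and KDC clock, both as epoch seconds.
clock_within_skew() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - $diff ))
    [ "$diff" -le 300 ]
}

# The keytab written by 'realm join' is a credential: it should be mode 600.
check_keytab_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "cannot stat $1" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "$1 mode is $mode, expected 600" >&2; return 1; }
    return 0
}
```

Run the first three checks before Step 4 (kinit) and the keytab check after Step 5.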
Step 6: Edit Your sssd.conf File
Open up sssd.conf for editing:
sudo xed /etc/sssd/sssd.conf
Copy and paste the text below into the file. Again, don’t forget to replace the values in the double brackets (along with the brackets).
Save the file, then close the text editor, and run the command below.
sudo systemctl restart sssd.service
Step 7: Modify Your Login Window
And now for our last step. This is specific for Linux Mint.
Start by opening the Login Window settings, as seen in the screenshot below.
Now make sure your settings look like this:
Conclusion
Those are the steps. If anything is unclear, let me know in the comments below. Hope this is helpful :-)
Update 8/30/2019
So this is an optional step that may not have to happen in every scenario. Upon logging in with your Active Directory User, you may discover that you do not have the rights to do anything. So, you will have to log in with a local administrator account, and add your domain account to the following groups by running these commands:
sudo usermod -a -G adm aaronvon@awesome.com
sudo usermod -a -G cdrom aaronvon@awesome.com
sudo usermod -a -G dip aaronvon@awesome.com
sudo usermod -a -G lpadmin aaronvon@awesome.com
sudo usermod -a -G plugdev aaronvon@awesome.com
sudo usermod -a -G sambashare aaronvon@awesome.com
sudo usermod -a -G sudo aaronvon@awesome.com