
I need the simplest way to authenticate Active Directory users on Ubuntu Server (at login).

I am trying with libnss-ldap, but it only works with a plain LDAP server (like SLAPD), not Active Directory. I heard that libnss-ldap has a bit of a memory leak and they stopped developing it, so I should use libnss-ldapd or sssd instead, but they are too complicated so far.

user171447

1 Answer


There's a pretty simple setup that just requires samba and pam_mkhomedir.so (use apt-get install).

Then create a new file to configure authentication with the contents below. Edit the variables at the top of the file. The first entry (workgroup) is the NETBIOS name of your domain.

#!/bin/bash
# Edit these four values for your environment before running the script
ADSWorkgroup="yourdomain"                    # NetBIOS name of the domain
ADSDomain="yourdomain.com"                   # DNS name of the domain (used as the realm)
ADSServer="domaincontroller.yourdomain.com"  # a domain controller to join against
AdminUser="user@yourdomain.com"              # account allowed to join machines to the domain

# authconfig (the Red Hat family's authentication setup tool) writes the NSS/PAM
# and smb.conf settings for winbind, then joins the domain as $AdminUser,
# prompting for that account's password.
authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads \
--smbworkgroup=$ADSWorkgroup --smbrealm=$ADSDomain \
--smbservers=$ADSServer --winbindjoin=$AdminUser \
--winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain --enablelocauthorize

After creating the file make it executable with chmod +x <filename>. Run the file and put in your AD credentials when asked.

Then edit /etc/pam.d/sshd, adding the following line after "pam_selinux.so close":

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Finally, use visudo to allow the appropriate AD group to sudo by adding the following after the wheel entry:

"%domain admins"     ALL=(ALL)     ALL

You should be good to go! Make sure you try sshing from a new session; don't log out from the first session in case something goes wrong.

Martin
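The answer ends with the advice to keep the first session open until a fresh SSH login works. The following POSIX sh script is an added example, not part of Martin's answer: it checks the three things that most often go wrong with this setup before you close that session. The function names, the placeholder test (any value still containing "yourdomain", taken from the answer's script variables) and the sample group name are assumptions; `wbinfo`, `getent` and `visudo -c -f` are the real tools the checks rely on and are skipped when not installed.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight and post-join checks
# for the winbind/pam_mkhomedir setup. Assumed: the answer's script variables
# were edited from their "yourdomain" placeholders before it was run.

# Fail (return 1) if any value is empty or still carries the answer's
# placeholder text, so the join is not attempted against a made-up realm.
check_placeholders() {
    rc=0
    for value in "$@"; do
        case "$value" in
            *yourdomain*|"")
                echo "placeholder or empty value: '$value'" >&2
                rc=1
                ;;
        esac
    done
    return $rc
}

# Print a sudoers entry for an AD group. Group names containing spaces
# (such as "domain admins") must be double-quoted or visudo rejects the file.
sudoers_group_line() {
    group="$1"
    printf '"%%%s"     ALL=(ALL)     ALL\n' "$group"
}

# Syntax-check a candidate sudoers line with visudo before installing it, so a
# typo cannot lock the admin out of sudo. Returns 2 if visudo is not available.
validate_sudoers_line() {
    line="$1"
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$line" > "$tmp"
    visudo -c -f "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Post-join check, run from the session that is still logged in: the machine
# trust secret, user enumeration through winbind, and NSS resolution of one
# AD account (what the login path needs before pam_mkhomedir ever runs).
verify_join() {
    user="$1"
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed" >&2; return 2; }
    wbinfo -t || return 1                        # trust secret with the DC
    wbinfo -u | head -n 5                        # a few domain users via winbind
    getent passwd "$user" >/dev/null || return 1 # NSS sees the account
}

# Usage: ./check-ad-login.sh run  (variables as in the answer's script; constructed values)
if [ "${1:-}" = "run" ]; then
    ADSWorkgroup="${ADSWorkgroup:-EXAMPLE}"
    ADSDomain="${ADSDomain:-example.com}"
    ADSServer="${ADSServer:-dc1.example.com}"
    check_placeholders "$ADSWorkgroup" "$ADSDomain" "$ADSServer" || exit 1
    line=$(sudoers_group_line "domain admins")
    validate_sudoers_line "$line" && echo "sudoers line OK: $line"
    verify_join "${2:-someuser}"
fi
```

Run it as `sh check-ad-login.sh run someuser` from the original session after the authconfig script has finished; only when `wbinfo -t` and `getent passwd someuser` succeed is it worth opening the second SSH session the answer recommends.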