Join Ubuntu 17.04 Desktop to Windows Domain

How do I join a laptop computer running Ubuntu 17.04 to a Windows domain? I am looking for the easiest way, as I have limited knowledge of Ubuntu. We're looking at it as an alternative to Windows for our desktop computers. What I'm after is a how-to guide (screenshots would be helpful), as I have 30 laptops to set up and then 30 workstations plus IT suites if the laptops work successfully.


1 Answer

General

As you mention integrating a large number of hosts, I would recommend using some kind of configuration management tool. I use Ansible for such things. Try it manually once and, when everything works, automate it.

As you also mention doing this in a corporate environment, I would suggest using Ubuntu 16.04 instead of 17.04, because 17.04 is not a long-term support release and is therefore only supported until January 2018.

Additionally, this question seems well suited for Server Fault.

How-tos

A good starting point would be the official documentation: . I also found this tutorial quite helpful (and it has a lot of screenshots): .

Ansible Playbook

Based on the mentioned How-tos (and a lot others) I created an Ansible role to automate this process. The directory structure is as follows:

ansible/
├── adIntegration.yaml
└── roles
    └── ad-integration
        ├── handlers
        │   └── main.yaml
        ├── tasks
        │   └── main.yaml
        └── templates
            ├── etc
            │   ├── krb5.conf.jinja2
            │   ├── realmd.conf.jinja2
            │   └── sssd
            │       └── sssd.conf.jinja2
            └── usr
                └── share
                    └── lightdm
                        └── lightdm.conf.d
                            └── 50-ubuntu.conf.jinja2

(I like to put the files in a directory structure resembling the target structure.)

Some files are down below, adapt to your needs:

adIntegration.yaml

---
# execute like:
# ansible-playbook ~/ansible/adIntegration.yaml --inventory ~/ansible/production.hosts
# or
# ansible-playbook ~/ansible/adIntegration.yaml -i ~/ansible/production.hosts
- hosts: "ad-integration"
  remote_user: "admin"  # change to whatever user you have with sudo rights
  become: yes
  vars_prompt:
    # the vars are later used for the join
    - name: "ad_admin_name"
      prompt: "username for AD join"
      private: no
    - name: "ad_admin_password"
      prompt: "password for AD"
      private: yes
      confirm: yes
  roles:
    - role: "ad-integration"
...

main.yaml (handlers)

---
- name: "restart sssd"
  service:
    name: "sssd"
    state: "restarted"
  listen: "sssd needs restart"
...

main.yaml (tasks)

---
- name: "install needed packages"
  apt:
    name: "{{ item }}"
    state: "present"
  with_items:
    - "adcli"
    - "krb5-user"
    - "libnss-sss"
    - "libpam-sss"
    - "libwbclient-sssd"
    - "realmd"
    - "sssd"
    - "sssd-tools"
    - "samba-common"

# copy this from a working one
- name: "template krb5.conf"
  template:
    src: "etc/krb5.conf.jinja2"
    dest: "/etc/krb5.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes

- name: "template realmd.conf"
  template:
    src: "etc/realmd.conf.jinja2"
    dest: "/etc/realmd.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes

- name: "join domain"
  # --install=/ needed because of realm bug in package detection
  shell: "echo '{{ ad_admin_password }}' | realm join COMPANY.COM -U '{{ ad_admin_name }}' --install=/ -v"
  register: "realm_join"
  changed_when: "'Successfully enrolled machine in realm' in realm_join.stderr"
  failed_when: "'Couldn\\'t join realm' in realm_join.stderr"

- name: "template sssd.conf"
  template:
    src: "etc/sssd/sssd.conf.jinja2"
    dest: "/etc/sssd/sssd.conf"
    owner: "root"
    group: "root"
    mode: "0600"
    backup: yes
  notify: "sssd needs restart"

- name: "activate automatic creation of home directories"
  lineinfile:
    dest: "/etc/pam.d/common-session"
    line: "session optional pam_mkhomedir.so "
    state: "present"
    insertbefore: "# end of pam-auth-update config"
    backup: yes

- name: "create lightdm directories"
  file:
    path: "/usr/share/lightdm/lightdm.conf.d/"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"

# the important part here is to add greeter-show-manual-login=true under [SeatDefaults]
- name: "activate username on login window"
  template:
    src: "usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf.jinja2"
    dest: "/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes
...

realmd.conf.jinja2

[active-directory]
default-client = sssd
os-name = {{ ansible_distribution }}
os-version = {{ ansible_distribution_version }}
[service]
automatic-install = no
[users]
default-home = /home/%D/%U
default-shell = /bin/bash
[company.com]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
enumerate = yes

sssd.conf.jinja2

[sssd]
domains = company.com
config_file_version = 2
services = nss, pam
[domain/company.com]
realmd_tags = manages-system joined-with-adcli
ad_domain = company.com
krb5_realm = COMPANY.COM
id_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
# maybe needed for older AD schemes
#ldap_id_mapping = False
#ldap_schema = ad
#ldap_user_object_class = person
#ldap_user_name = msSFU30Name
#ldap_user_uid_number = msSFU30UidNumber
#ldap_user_gid_number = msSFU30GidNumber
#ldap_user_home_directory = msSFU30HomeDirectory
#ldap_user_shell = msSFU30LoginShell
#ldap_user_gecos = displayName
#ldap_group_object_class = group
#ldap_group_name = msSFU30Name
#ldap_group_gid_number = msSFU30GidNumber
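The "join domain" task above pipes the AD password through `echo`, which puts it on a shell command line (visible in `ps` output and in Ansible's task output). The following variant of that task is an added example, not part of the original answer: it feeds the password to `realm join` over stdin, suppresses logging of the task, and skips the join when the host is already enrolled. It assumes Ansible 2.4 or newer (for the `stdin` argument of the `command` module) and the same `ad_admin_name` / `ad_admin_password` prompts as the playbook above.

```yaml
# Added example (not from the original answer).
# Assumes Ansible >= 2.4 and the ad_admin_name / ad_admin_password
# variables from the vars_prompt in adIntegration.yaml.
- name: "list realms the host is already joined to"
  command: "realm list --name-only"
  register: "realm_list"
  changed_when: false

- name: "join domain"
  # realm reads the password from stdin when no tty is attached, so the
  # secret never appears in the command line (ps, shell history, logs)
  command: "realm join COMPANY.COM -U {{ ad_admin_name }} --install=/ -v"
  args:
    stdin: "{{ ad_admin_password }}"
  # keep the password out of Ansible's own output and log files
  no_log: true
  register: "realm_join"
  when: "'company.com' not in realm_list.stdout_lines"
  changed_when: "'Successfully enrolled machine in realm' in realm_join.stderr"
  failed_when: "'Couldn\\'t join realm' in realm_join.stderr"
```

With `no_log: true` the task's stderr is still stored in `realm_join`, so the `changed_when` / `failed_when` checks keep working; only the displayed output is censored.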