OK, I finally found time to write my first technical article (after one year 🙁) on my blog. Today I will tell you about my experience integrating an Ubuntu client machine into a Microsoft Active Directory domain (to centralize authentication, log logins, etc…).
Ok, let’s start!
AD pre-requisites:
- Admin privileges
- rDNS configured (strongly recommended)
Ubuntu client pre-requisites:
- An NTP client daemon (I use chronyd in my infrastructure) installed, configured and running. The Kerberos protocol in AD is sensitive to clock differences between clients and the DC: the default tolerance is 300 seconds, and if the client machine and the DC clocks drift apart by more than 300 seconds, authentication against the DC will fail.
- A fully qualified domain name (FQDN) for the client machine that matches the DNS record (created first) in the AD domain
- A user with high privileges
Good, the next step is installing PBIS on the client machine.
To install PBIS, the first step is to download the package from the GitHub repository.
I downloaded and installed the latest release at this time (9.0.1.525).
Download using wget:
noc@test-vm-lnx:~$ wget https://github.com/BeyondTrust/pbis-open/releases/download/9.0.1/pbis-open-9.0.1.525.linux.x86_64.deb.sh
When the download is complete, run the installer:
noc@test-vm-lnx:~$ sudo sh ./pbis-open-9.0.1.525.linux.x86_64.deb.sh
Joining the AD domain is very simple and does not require additional configuration. The domainjoin-cli command-line utility is the tool required for this.
To join the AD domain, type this command in a terminal window:
noc@test-vm-lnx:~$ sudo domainjoin-cli join mio-dominio.local Administrator
--> Joining to AD Domain
--> mio-dominio.local
--> With Computer DNS Name: test-vm-lnx.mio-dominio.local
--> Administrator@mio-dominio.local’s password:
--> SUCCESS
To test the integration, run a very simple AD query from the Ubuntu machine:
noc@test-vm-lnx:~$ sudo domainjoin-cli query
--> Name = test-vm-lx
--> Domain = mio-dominio.local
--> Distinguished Name = CN=test-vm-lnx,CN=Computers,DC=mio-dominio,DC=local
Perfect, it is working.
Now, if necessary, you can configure the Domain Admins AD group to allow Administrators to run the sudo command.
Type in terminal:
noc@test-vm-lnx:~$ sudo visudo
and add on the LAST line:
%mio-dominio\domain^admins ALL=(ALL) ALL
Save file and exit.
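The script below is an added example for this post, not code from the original article or from PBIS. It ties the steps together: it checks the clock skew and the FQDN/DNS pre-requisites before the join, reads the result of domainjoin-cli query after the join, and prints the sudoers line for Domain Admins. It assumes chronyd as the NTP daemon (as in my setup), that the AD short name is the first label of the DNS domain, and that PBIS keeps its default DOMAIN\group form with spaces replaced by ^ and names lower-cased, exactly as in the visudo line above. The hostnames and chronyc/domainjoin-cli output used inside it are constructed sample values.

```shell
#!/bin/sh
# pbis-join-checks.sh: sanity checks around a PBIS domain join on Ubuntu.
# Added example for this post; not part of PBIS or the original article.
# Assumptions: chronyd is the NTP daemon, the AD short name is the first
# label of the DNS domain, and PBIS uses "DOMAIN\group" with '^' for spaces.

MAX_SKEW=300   # Kerberos default clock tolerance, in seconds

# chrony_offset TRACKING_TEXT
#   Prints the "System time" offset from `chronyc tracking` output as a signed
#   number of seconds (negative = this client is slow). Prints nothing if absent.
chrony_offset() {
    printf '%s\n' "$1" | awk -F': ' '/^System time/ {
        split($2, f, " ")
        sign = (f[3] == "slow") ? "-" : ""
        print sign f[1]
    }'
}

# clock_skew_ok OFFSET : succeeds when |OFFSET| is strictly below MAX_SKEW
# (exactly 300 s is treated as already outside the tolerance)
clock_skew_ok() {
    abs=${1#-}        # drop the sign
    abs=${abs%%.*}    # keep the integer part
    [ "${abs:-0}" -lt "$MAX_SKEW" ]
}

# fqdn_matches HOST_FQDN AD_DNS_NAME : succeeds when both names are equal
# ignoring case (the AD computer DNS record must match `hostname -f`)
fqdn_matches() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# query_field QUERY_TEXT FIELD : prints one field ("Name", "Domain", ...) from
# `domainjoin-cli query` output; tolerates the "--> " prefix of the transcript
query_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F' = ' '
        { sub(/^--> /, "") }
        $1 == key { print $2 }'
}

# sudoers_line SHORT_DOMAIN GROUP : builds the sudoers entry in the form the
# post uses: lower-cased group name with spaces replaced by '^'
sudoers_line() {
    grp=$(printf '%s' "$2" | tr 'A-Z ' 'a-z^')
    printf '%%%s\\%s ALL=(ALL) ALL\n' "$1" "$grp"
}

# main AD_DOMAIN : run the live checks on this host (needs chrony and PBIS)
main() {
    domain=$1; rc=0
    short=${domain%%.*}
    fqdn=$(hostname -f 2>/dev/null)

    off=$(chrony_offset "$(chronyc tracking 2>/dev/null)")
    if [ -n "$off" ] && clock_skew_ok "$off"; then
        echo "ok   clock offset ${off}s is within ${MAX_SKEW}s"
    else
        echo "FAIL clock offset '${off:-unknown}' (is chronyd running and synced?)"; rc=1
    fi

    # the DNS record AD will use must resolve back to this host's FQDN
    resolved=$(getent hosts "$fqdn" 2>/dev/null | awk '{ print $2; exit }')
    if fqdn_matches "$fqdn" "$resolved"; then
        echo "ok   FQDN $fqdn matches its DNS record"
    else
        echo "FAIL FQDN '$fqdn' does not resolve to itself in DNS"; rc=1
    fi

    if command -v domainjoin-cli >/dev/null 2>&1; then
        joined=$(query_field "$(sudo domainjoin-cli query 2>/dev/null)" Domain)
        if [ "$joined" = "$domain" ]; then
            echo "ok   joined to $joined"
        else
            echo "INFO not joined to $domain yet (query says '${joined:-none}')"
        fi
    fi

    echo "sudoers line for Domain Admins (add it with visudo on the LAST line):"
    sudoers_line "$short" "Domain Admins"
    return $rc
}

# Live run only when invoked as: sh pbis-join-checks.sh --check mio-dominio.local
if [ "${1:-}" = "--check" ]; then
    main "${2:?usage: $0 --check <ad.domain>}"
fi
```

Run it once before domainjoin-cli join (it should report the clock and FQDN checks as ok) and once after, when the Domain line of the query should match the domain you joined; the sudoers line it prints is the same one shown above.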
Finished. I have (VERY simply – thanks to PBIS) added my Ubuntu test VM to the AD domain.
Simple, clean and WORKING!