These instructions are for integrating Ubuntu 16.04 with AD (Windows Server 2008 R2 & Windows Server 2012 R2).

Note: the system time must be correct, because Kerberos rejects authentication when the clock skew against the domain controllers exceeds the allowed limit (five minutes by default); set the clock with ntpdate or similar before starting.

1. Install prerequisites:

    ```
    apt-get install adcli krb5-user realmd samba-common-bin samba-libs sssd sssd-tools libnss-sss libpam-sss ntp packagekit
    ```

2. Ensure that your host can see the domain:

    ```
    realm discover -v example.com
    ```

    This should produce output similar to the following (this capture is from a RHEL-family host, which is why the prompt and the required-package names differ from Ubuntu's; the type, server-software and client-software lines are what matter):

    ```
    [root@hostname ~]# realm discover -v EXAMPLE.COM
     * Resolving: _ldap._tcp.example.com
     * Performing LDAP DSE lookup on: XXX.XXX.XXX.XXX
     * Performing LDAP DSE lookup on: XXX.XXX.XXX.XXX
     * Successfully discovered: EXAMPLE.COM
    EXAMPLE.COM
      type: kerberos
      realm-name: EXAMPLE.COM
      domain-name: EXAMPLE.COM
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common
    example.com
      type: kerberos
      realm-name: EXAMPLE.COM
      domain-name: example.com
    ```

3. Ensure that /etc/hosts and /etc/resolv.conf contain at least one domain controller. Discovery and the join rely on the SRV records (such as _ldap._tcp.example.com) served by AD DNS, so the nameserver must be a domain controller or a DNS server that forwards the zone to one. For example:

    /etc/hosts:

    ```
    10.0.0.12 ldap.example.com ldap
    ```

    /etc/resolv.conf:

    ```
    search example.com
    nameserver 10.0.1.129
    ```

    (These are examples only; which domain controller you should use depends on which subnet the computer is on. On Ubuntu 16.04, /etc/resolv.conf is generated by resolvconf, so put the nameserver in the interface configuration (dns-nameservers in /etc/network/interfaces) rather than editing the file directly, or the change is lost on the next network restart.)

4. Join the domain. You are prompted for the password of admin_user, which must be an account that is allowed to join computers to the domain:

    ```
    realm join -v --user=admin_user example.com
    ```

5. Verify that the domain join was successful:

    ```
    realm list
    ```

    Output should be something like:

    ```
    [root@server]# realm list
    example.com
      type: kerberos
      realm-name: EXAMPLE.COM
      domain-name: example.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U@example.com
      login-policy: allow-realm-logins
    ```

    The line `configured: kerberos-member` confirms the join. Note that `login-policy: allow-realm-logins` means every domain user can currently log in to this host; step 6 restricts that.

    The fully qualified name should resolve and list the user's AD groups:

    ```
    id admin_user@example.com
    ```

    The short name should output "no such user", because realmd sets `use_fully_qualified_names = True` in /etc/sssd/sssd.conf (see Tweaks below):

    ```
    id admin_user
    ```
6. Restrict AD logins to certain groups only:

    ```
    realm permit -g "domain admins@example.com"
    realm permit -g "enterprise admins@example.com"
    ```

    Now the output of `realm list` should include lines like these:

    ```
      login-policy: allow-permitted-logins
      permitted-logins:
      permitted-groups: domain admins@example.com, enterprise admins@example.com
    ```

    This controls only who may log in through sssd; it grants no privileges by itself.

7. Add AD groups to /etc/sudoers (use backslashes to escape the spaces in the group names, and edit the file with visudo so that a syntax error cannot lock you out of sudo):

    ```
    %enterprise\ admins@example.com ALL=(ALL) ALL
    %domain\ admins@example.com ALL=(ALL) ALL
    ```

## Tweaks

### Omit the "@domain.name" in usernames

To allow login usernames to omit the "@domain.name" part, comment out this line in /etc/sssd/sssd.conf (or set it to False) and restart sssd (systemctl restart sssd):

```
use_fully_qualified_names = True
```

Short names are then also what `id`, /etc/group and /etc/sudoers see, so the group names in the sudoers entries from step 7 lose their "@example.com" suffix too. A domain account whose short name matches a local account in /etc/passwd resolves to the local account, because local files are consulted first.

To change the home directory path format, edit the `fallback_homedir` line in /etc/sssd/sssd.conf.

### Automatic home directory creation

To enable the automatic creation of home directories for domain users, edit /etc/pam.d/common-session and add the following at the bottom:

```
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
```

umask=0022 creates home directories that every user on the host can read; use umask=0077 if that is not wanted.

### Granting sudo privileges per user

You can add domain users to groups in /etc/group; to grant sudo to a specific user, add them to the `sudo` group (by editing /etc/group or with gpasswd), using the name form that `id` resolves: fully qualified unless you disabled use_fully_qualified_names.

## Extra troubleshooting steps

(adapted from https://www.reddit.com/r/linuxadmin/comments/4z8y3i/cross_distro_centos7_ubuntu_1604_sssdrealmd/)

If `realm join` fails, try creating /etc/sssd/sssd.conf in advance with the following contents (the file must be owned by root with mode 0600, or sssd refuses to start):

```
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
```

The remaining setting from the same source, `automatic-install = no`, is a realmd option rather than an sssd one: it belongs in the `[service]` section of /etc/realmd.conf and stops realmd from trying to install packages during the join (you installed them in step 1):

```
[service]
automatic-install = no
```

### Test obtaining a Kerberos ticket

To join the realm, you need a valid Kerberos ticket for a domain user with permission to join a system to the domain.
Type the following and provide the account password when prompted:

```
kinit domainuser@EXAMPLE.COM
```

Verify that the ticket was obtained successfully by listing the credential cache; the output should show `Default principal: domainuser@EXAMPLE.COM` and a `krbtgt/EXAMPLE.COM@EXAMPLE.COM` ticket:

```
klist
```

You can also join using that ticket rather than having `realm join` prompt for a password again. Run kinit as the same user that runs `realm join` (normally root, so that the default credential cache is the one realmd finds) and omit `--user`:

```
realm --verbose join EXAMPLE.COM --unattended
```

Do not pass the ticket owner's name through `--user-principal`: according to realm(8) that option sets the userPrincipalName attribute of the computer account that the join creates (by default host/HOSTNAME@REALM, where HOSTNAME is the short hostname, not the FQDN), not the account you authenticate as. Discard the ticket afterwards with `kdestroy`.
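The following script is an added example, not code from the page, realmd or sssd. It turns the checks in steps 5 to 7 and the klist check above into shell functions that parse the tools' output, so they can be run offline against captured text and, with `--live`, against the real host. Everything in it beyond the commands on this page is an assumption: the domain example.com / realm EXAMPLE.COM, the groups "domain admins" and "enterprise admins", the user admin_user, and the SAMPLE_REALM_LIST and SAMPLE_KLIST texts, which are constructed copies of what `realm list` and `klist` print in this setup. In live mode it also verifies that /etc/sssd/sssd.conf has the ownership and mode sssd requires and lets `visudo -cf` parse the generated step 7 entries before you install them.

```shell
#!/bin/sh
# Added example for this page, not code from realmd or sssd.
# Assumed (not from the page): domain example.com, realm EXAMPLE.COM,
# groups "domain admins"/"enterprise admins", user admin_user.
# SAMPLE_REALM_LIST and SAMPLE_KLIST are constructed copies of the tools'
# output so the checks can run without a domain; pass --live to check the host.
set -u

SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: domain admins@example.com, enterprise admins@example.com'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin_user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2020 09:00:00  01/02/2020 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the value of the "key: value" line named by $1 from `realm list`
# output on stdin (first match only; leading whitespace on the line is fine).
realm_field() {
    awk -v k="$1:" '$1 == k { sub(/^[^:]*: */, ""); print; exit }'
}

# Succeed when `realm list` output on stdin shows a completed sssd join.
join_ok() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | realm_field configured)" = "kerberos-member" ] &&
        [ "$(printf '%s\n' "$out" | realm_field client-software)" = "sssd" ]
}

# Succeed when logins are restricted to permitted groups and $1 (in the
# "group@domain" form that realm permit -g uses) is one of them.
group_permitted() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | realm_field login-policy)" = "allow-permitted-logins" ] &&
        printf '%s\n' "$out" | realm_field permitted-groups |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "$1"
}

# Print the /etc/sudoers line for AD group $1 in domain $2, escaping the
# spaces in the group name with backslashes as sudoers requires.
sudoers_line() {
    printf '%%%s@%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')" "$2"
}

# Print the default principal from `klist` output on stdin if the cache holds
# a TGT (krbtgt/REALM@REALM) for that principal's realm; fail otherwise.
tgt_principal() {
    awk '
        $1 == "Default" && $2 == "principal:" { p = $3; realm = p; sub(/^.*@/, "", realm) }
        p != "" && $NF == ("krbtgt/" realm "@" realm) { print p; found = 1; exit }
        END { exit !found }'
}

# With --live, run the same checks against this host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    realm list | join_ok || { echo "not a kerberos-member of the realm" >&2; exit 1; }
    for g in "domain admins@example.com" "enterprise admins@example.com"; do
        realm list | group_permitted "$g" || echo "WARNING: $g is not a permitted login group" >&2
    done
    id admin_user@example.com >/dev/null 2>&1 || echo "WARNING: admin_user@example.com does not resolve" >&2
    klist 2>/dev/null | tgt_principal >/dev/null || echo "no TGT in the default credential cache (run kinit)" >&2
    # sssd refuses to start unless its config is root-owned and mode 0600.
    [ "$(stat -c '%U %a' /etc/sssd/sssd.conf 2>/dev/null)" = "root 600" ] ||
        echo "WARNING: /etc/sssd/sssd.conf must be owned by root with mode 0600" >&2
    # Generate the step 7 entries and let visudo parse them before they go live.
    for g in "domain admins" "enterprise admins"; do sudoers_line "$g" example.com; done > /tmp/ad-admins.sudoers
    visudo -cf /tmp/ad-admins.sudoers
fi
```

The parsing functions read the command output from stdin on purpose: on a joined host you pipe `realm list` or `klist` into them, while in a test or a CI job you pipe in captured text, so the same check covers both.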