These instructions are for integrating Ubuntu 16.04 with AD (Windows
Server 2008 R2 & Windows Server 2012 R2).

Note: the system clock must be correct (Kerberos rejects requests from clients whose time is skewed); set it with ntpdate or similar before joining.


1.	Install prerequisites:

	apt-get install adcli krb5-user realmd samba-common-bin samba-libs sssd sssd-tools libnss-sss libpam-sss ntp packagekit


2.	Ensure that your host can see the domain:

		realm discover -v example.com

	Should produce output similar to:

		[root@hostname ~]# realm discover -v EXAMPLE.COM
		* Resolving: _ldap._tcp.example.com
		* Performing LDAP DSE lookup on: XXX.XXX.XXX.XXX
		* Performing LDAP DSE lookup on: XXX.XXX.XXX.XXX
		* Successfully discovered: EXAMPLE.COM
		EXAMPLE.COM
			type: kerberos
			realm-name: EXAMPLE.COM
			domain-name: EXAMPLE.COM
			configured: no
			server-software: active-directory
			client-software: sssd
			required-package: oddjob
			required-package: oddjob-mkhomedir
			required-package: sssd
			required-package: adcli
			required-package: samba-common
		example.com
			type: kerberos
			realm-name: EXAMPLE.COM
			domain-name: example.com


3.	Ensure that /etc/hosts and /etc/resolv.conf contain at least one domain
	controller, e.g.:

	/etc/hosts:
	10.0.0.12  ldap.example.com ldap

	/etc/resolv.conf:
	search example.com
	nameserver 10.0.1.129

	(These are examples only; which domain controller you should use depends
	on which subnet the computer is on.)


4.	Join to domain:

	realm join -v --user=admin_user example.com


5.	Verify that domain join was successful:

	realm list

	Output should be something like:
	[root@server]# realm list
	example.com
	  type: kerberos
	  realm-name: EXAMPLE.COM
	  domain-name: example.com
	  configured: kerberos-member
	  server-software: active-directory
	  client-software: sssd
	  required-package: oddjob
	  required-package: oddjob-mkhomedir
	  required-package: sssd
	  required-package: adcli
	  required-package: samba-common-tools
	  login-formats: %U@example.com
	  login-policy: allow-realm-logins

	The following should print the user's uid, gid and AD group memberships:

	id admin_user@example.com

	The following should output "no such user" (only fully qualified names
	resolve until the tweak below is applied):

	id admin_user


6. Restrict AD logins to certain groups only:

	realm permit -g "domain admins@example.com"
	realm permit -g "enterprise admins@example.com"

	Now the output of 'realm list' should include lines like this:
	  login-policy: allow-permitted-logins
	  permitted-logins:
	  permitted-groups: domain admins@example.com, enterprise admins@example.com
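
To confirm on a host that the restriction actually took effect, the following added POSIX sh check (not part of the original instructions) parses `realm list` output fed on stdin and fails unless login-policy is allow-permitted-logins and every expected group is listed; the sample output embedded in it is constructed from the lines above.

```sh
# Added check (not part of the original instructions): feed `realm list`
# output on stdin and pass the groups that should be the only ones allowed.
# Returns 0 only if login-policy is allow-permitted-logins and every named
# group appears in permitted-groups; otherwise returns 1.
check_login_policy() {
    out=$(cat)
    policy=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*login-policy:[[:space:]]*//p' | head -n 1)
    [ "$policy" = "allow-permitted-logins" ] || return 1
    # "a@x, b@x" -> ",a@x,b@x," so each group can be matched whole
    perm=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*permitted-groups:[[:space:]]*//p' | head -n 1)
    perm=",$(printf '%s' "$perm" | sed 's/, */,/g'),"
    for g in "$@"; do
        case "$perm" in
            *",$g,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample modelled on the `realm list` output shown above.
RESTRICTED_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: domain admins@example.com, enterprise admins@example.com'

# Constructed sample of a host where `realm permit` was never run.
OPEN_REALM_LIST='example.com
  configured: kerberos-member
  login-policy: allow-realm-logins'

# Stand-alone demo; on a joined host use: realm list | check_login_policy ...
if printf '%s\n' "$RESTRICTED_REALM_LIST" \
    | check_login_policy "domain admins@example.com" "enterprise admins@example.com"; then
    echo "login policy is restricted to the expected groups"
else
    echo "WARNING: logins are not restricted as expected"
fi
```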


7. Add AD groups to /etc/sudoers (edit it with visudo so a syntax error cannot
   lock you out; use backslashes to escape spaces in group names):

	in /etc/sudoers:
	%enterprise\ admins@example.com   ALL=(ALL)       ALL
	%domain\ admins@example.com       ALL=(ALL)       ALL


## Tweaks

### Omit the "@domain.name" in usernames:

To allow login usernames to omit the "@domain.name" part, comment out this
line in /etc/sssd/sssd.conf and then restart sssd (systemctl restart sssd):

	use_fully_qualified_names = True

To change the home directory path format, edit the "fallback_homedir" line in
/etc/sssd/sssd.conf.

### Automatic home directory creation:

To enable the automatic creation of home directories for domain users, edit
/etc/pam.d/common-session and add the following line at the bottom:

	session     required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

### Granting sudo privileges per user:

Domain users can be added to local groups in /etc/group; to grant sudo to a
specific user, add that user (e.g. admin_user@example.com) to the local
'sudo' group.


## Extra troubleshooting steps:

(adapted from
https://www.reddit.com/r/linuxadmin/comments/4z8y3i/cross_distro_centos7_ubuntu_1604_sssdrealmd/)

If realm join fails, try creating /etc/sssd/sssd.conf in advance with the
following contents:

	[nss]
	filter_groups = root
	filter_users = root
	reconnection_retries = 3

	[pam]
	reconnection_retries = 3

	[service]
	automatic-install = no

### Test obtaining a Kerberos ticket:

To properly join the realm, you will need a valid Kerberos ticket for a Domain
user with permission to join a system to the Domain. Type the following and
provide the account password when prompted:

	kinit domainuser@EXAMPLE.COM

Verify that the Kerberos ticket was obtained successfully by executing the
following command:

	klist

You can also try joining using the Kerberos ticket obtained above, rather
than having 'realm join' prompt for a password again. Execute the following
command, substituting HOSTNAME with the actual hostname (not FQDN) of the
system and harambe with the actual user for which you hold a Kerberos ticket:

	realm --verbose join EXAMPLE.COM --user-principal=HOSTNAME/harambe@EXAMPLE.COM --unattended