Joining Ubuntu to an Active Directory Domain

Back in 2009, I did a whole lot of messing around with Linux and Active Directory integration, primarily for Apache. Now that Linux is coming to Windows, I figured I’d brush up on my Linux and Windows Integrated Authentication skills to work with Ubuntu, too.

Clients and Servers

Since 2009, it seems that a couple of things have changed in the client realm. In particular, winbind fell out of favor to Likewise Open (which I used to <3), which was bought by BeyondTrust and turned into PowerBroker Open. That has since given way to SSSD, the “System Security Services Daemon”. SSSD seems pretty cool, but everyone hates its name and assumes the name is holding back adoption.

Sometimes when researching SSSD, you’ll come across mentions of FreeIPA, which plays a similar role to Active Directory (directory, Kerberos and DNS under one roof) and, at the LDAP layer, to OpenLDAP and ApacheDS. Oh, and I recently found out that Samba 4 allows a Linux server to act as an Active Directory Domain Controller (!!), either provisioning a forest of its own or joining an existing domain as an additional DC (reddit review here).

There are other players I’m leaving out, but after a bit of casual research no others stand out. Ultimately, while there are a number of ways to set up AD/Linux authentication on Ubuntu, SSSD is the current way to go. Let’s go ahead and set that up.

Before We Begin

There’s an official Ubuntu guide for SSSD and Active Directory, but this one is slimmed down. If you have any issues, you can comment here or reference some of the solutions they offer. First, some assumptions.

  • Fresh install of Ubuntu 15.10 Server
  • DNS is set to AD’s DNS servers
  • The Active Directory domain is base.local
  • The test user is base\adadmin, which has domain admin privs on AD. Domain admin is not actually required: any account allowed to create computer objects in the target OU can join, and by default any authenticated user can join up to 10 machines (ms-DS-MachineAccountQuota), so a delegated, non-admin join account is the better choice.

If you’re behind a proxy, apt-get and curl/wget/etc won’t work out of the box. Export http_proxy and https_proxy in your shell for curl and wget (kinda like Internet Properties -> Connections -> LAN settings -> Proxy Server); sudo drops those variables unless you use sudo -E, so for apt it is simpler to set Acquire::http::Proxy in a file under /etc/apt/apt.conf.d/.

Also, make sure your time is set properly. Kerberos depends on it: the KDC rejects requests whose timestamp is off by more than the allowed clock skew, 5 minutes by default, so a computer more than 5 minutes out of step with the domain controllers cannot get tickets.

# Install required packages (the ntp service keeps your clock in sync)
sudo apt-get -y install ntp ntpdate 

# Domain members should take time from a DC, so add yours to /etc/ntp.conf as a
# "server" line. To step the clock once right now: stop ntp (ntpdate cannot run
# while ntp holds port 123), sync from the DC, then start ntp again.
# dc.base.local is the example DC used elsewhere on this page.
sudo service ntp stop
sudo ntpdate -s dc.base.local
sudo service ntp start

Joining the domain

Joining an Active Directory in Ubuntu isn’t quite as easy as SUSE, but it’s still decently straight-forward.

  • Install required packages
  • Create and modify sssd.conf
  • Modify smb.conf
  • Restart services
  • Join domain

First, install the required packages using apt-get. I also recommend command-not-found and mlocate, which help with finding files. krb5-user asks for a default Kerberos realm during install: answer with the AD domain in upper case (BASE.LOCAL), and give your DC’s hostname when it asks for the KDC and admin server. If you get it wrong, it all lives in /etc/krb5.conf.

Note, in this tutorial, I use vi. I used to use pico, which became nano, but found that vi could be found across all distributions by default. vi or “vim” can be intimidating, but honestly, I only know about 5 commands and it gets me by. Here’s a nice tutorial on Learning vi progressively.

sudo apt-get install krb5-user samba sssd

Next, set up SSSD by creating the file, setting the owner, and restricting its permissions. The chown and chmod are not optional: sssd refuses to start unless sssd.conf is owned by root and readable only by root (mode 0600), because the file can carry credentials.

# sssd.conf doesn't exist by default
sudo touch /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

sudo vi /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = BASE.LOCAL

[domain/BASE.LOCAL]
id_provider = ad
override_homedir = /home/%d/%u
access_provider = simple
simple_allow_users = adadmin@base.local,ctrlb@base.local
simple_allow_groups = linux-admin,linux-users

Note that this config only lets those two users, plus the members of those two groups, log in; a user is admitted if they match either list, and a deny list (simple_deny_users / simple_deny_groups), if you add one, wins over both. If you remove the last two lines, access_provider = simple with empty lists permits everyone who can authenticate, and so does leaving access_provider out altogether (its default is permit). There are a few ways to restrict access, but this looks like the simplest; access_provider = ad is the other common choice and enforces AD’s own logon restrictions rather than a list kept on the box. One more thing: override_homedir only tells SSSD where a user’s home directory is, it does not create it. To have home directories created on first login, enable pam_mkhomedir (on Ubuntu, via pam-auth-update).
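Here is an added example (my own check script, not part of the original post or of SSSD) that audits an sssd.conf for the two things this section depends on: the root-owned, mode 0600 file that sssd insists on, and whether the domain section restricts who can log in at all. It runs over two constructed sample configs, the config from this section with its [sssd] and [domain/BASE.LOCAL] sections as written, and the same file with the two simple_allow_* lines removed and left world-readable, so you can see the “anyone can log in” case flagged. Point audit at /etc/sssd/sssd.conf on a real box. It assumes GNU stat, which Ubuntu ships.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the SSSD project: audit an
# sssd.conf for (1) the root-owned, mode 0600 file sssd insists on and (2)
# whether the AD domain section restricts logins at all. "access_provider =
# simple" only restricts while an allow list is present; with the
# simple_allow_* lines removed, or with access_provider omitted (its default
# is "permit"), every AD user who can authenticate gets a shell.
# Sample configs are constructed inline. Assumes GNU stat (Ubuntu).
set -euo pipefail

# Print the "key = value" lines of one INI section, e.g. "domain/BASE.LOCAL".
section_of() {  # usage: section_of FILE SECTION
    awk -v want="[$2]" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        insec && /^[ \t]*[^#; \t]/ { print }
    ' "$1"
}

# Value of KEY in SECTION of FILE; prints nothing if the key is absent.
conf_get() {  # usage: conf_get FILE SECTION KEY
    section_of "$1" "$2" | awk -F'=' -v k="$3" '
        !done { key = $1; gsub(/[ \t]/, "", key) }
        !done && key == k { sub(/^[^=]*=[ \t]*/, ""); print; done = 1 }
    '
}

# Who may log in through the domain section:
#   open        any authenticated AD user
#   restricted  the simple provider has an allow list in force
#   <name>      another access provider (ad, ldap, ...) decides; review it separately
access_policy() {  # usage: access_policy FILE DOMAIN
    local f=$1 sec="domain/$2" prov allow
    prov=$(conf_get "$f" "$sec" access_provider)
    allow="$(conf_get "$f" "$sec" simple_allow_users)$(conf_get "$f" "$sec" simple_allow_groups)"
    case "$prov" in
        "" | permit) echo open ;;
        simple)      if [ -n "$allow" ]; then echo restricted; else echo open; fi ;;
        *)           echo "$prov" ;;
    esac
}

# Ownership/mode problems sssd would reject, one per line; silent when clean.
perms_problems() {  # usage: perms_problems FILE
    local owner mode
    owner=$(stat -c '%U' "$1"); mode=$(stat -c '%a' "$1")
    [ "$owner" = root ] || echo "owner=$owner (want root)"
    [ "$mode" = 600 ]   || echo "mode=$mode (want 600)"
}

# Constructed samples: the page's config with the allow lists removed (weak,
# left world-readable) and as written (restricted, mode 600).
write_samples() {  # usage: write_samples DIR
    cat > "$1/weak.conf" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = BASE.LOCAL

[domain/BASE.LOCAL]
id_provider = ad
override_homedir = /home/%d/%u
access_provider = simple
EOF
    cat > "$1/restricted.conf" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = BASE.LOCAL

[domain/BASE.LOCAL]
id_provider = ad
override_homedir = /home/%d/%u
access_provider = simple
simple_allow_users = adadmin@base.local,ctrlb@base.local
simple_allow_groups = linux-admin,linux-users
EOF
    chmod 644 "$1/weak.conf"; chmod 600 "$1/restricted.conf"
}

# One summary line per file.
audit() {  # usage: audit FILE DOMAIN
    printf '%s: access=%s perms=[%s]\n' "$1" "$(access_policy "$1" "$2")" \
        "$(perms_problems "$1" | tr '\n' ' ')"
}

SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
write_samples "$SAMPLES"
audit "$SAMPLES/weak.conf" BASE.LOCAL         # access=open, mode=644 flagged
audit "$SAMPLES/restricted.conf" BASE.LOCAL   # access=restricted
```

The access_policy result is what to look at after any edit to the domain section: "open" with a working AD authentication means the allow list is gone and the box is back to letting every domain account in. perms_problems will also flag a file that sssd would refuse to load, which otherwise only shows up as the service failing to start.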

Next, sudo vi /etc/samba/smb.conf and replace the line workgroup = WORKGROUP with the following. workgroup is the short (NetBIOS) domain name, security = ads and realm make Samba an AD member rather than a standalone server, and kerberos method = secrets and keytab makes net ads join write the machine account’s keys to /etc/krb5.keytab, which SSSD’s AD provider then uses to talk to the domain:

workgroup = BASE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = BASE.LOCAL
security = ads

Time to restart services and join the domain! My Ubuntu server “ubuntunew” joined base.local with just these commands, nothing scary:

# restart Samba so it picks up smb.conf
sudo service smbd restart
sudo service nmbd restart
# get a Kerberos ticket-granting ticket for the join account, then look at it
kinit adadmin
klist
# join the domain (this is the step that needs samba). net reads root's credential
# cache, which sudo does not share with yours; if it complains about missing
# credentials, run "sudo kinit adadmin" instead so the ticket lands in root's cache
sudo net ads join -k
# confirm the machine account and its keytab work
sudo net ads testjoin

If you have permissions to add computers to the domain and everything went well, then you should now be able to see your Ubuntu server in Active Directory!


Now that everything is set up, start SSSD. It is what makes AD accounts visible to the system: the NSS side answers user and group lookups (getent, id) from AD and caches them so logins keep working when the DC is unreachable, and the PAM side hands authentication to the domain.

sudo service sssd start
# an AD account should now resolve like a local one
id adadmin


If you’re having an issue joining the domain with the error message “Failed to join domain: failed to lookup DC info for domain ‘BASE.LOCAL’ over rpc: An internal error occurred” you can specify the exact domain controller you want to contact (h/t Florent Appointaire).

sudo net ads join -S dc.base.local

If you’re getting the error “failed to lookup dc info for domain base rpc undetermined error”, you may have a stale DC. Consider following applicable portions of this tutorial by Microsoft (h/t Rob Sewell)

Login as Windows user

If you’d like to log in to the machine as a Windows user, as opposed to just grabbing a ticket with kinit, you can log in via SSH or switch to the account with su (“substitute user”).

Here’s an example using su. First, I logged in to the Linux server as a regular user, then switched to my own Active Directory account “base\ctrlb” with su ctrlb. An alternative is su base\\ctrlb; the extra backslash is intentional, it escapes the second backslash for the shell.


Alternatively, you can SSH in directly with the ssh client or PuTTY. Ubuntu’s sshd has UsePAM yes by default, which is what routes the password check through SSSD.

And that’s it! Want to see this all in one shot? Check out the gist.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Active Directory, Linux, Security
25 comments on “Joining Ubuntu to an Active Directory Domain”
  1. sathi says:


    I have followed the same but I got an error. I am using 14.04 and Server 2010, but domain level and forest levels are 2008R2.
    I can ping to my DC ( hostname ADDC)
    ping addc – success from ubuntu server
    ping success

    $ sudo net ads join -k
    Failed to join domain: failed to lookup DC info for domain ‘FACEITNET.COM.AU’ over rpc: An internal error occurred.

    can you help me?

  2. Rowan says:

    Trying to login as windows user on ubuntu,

    but i get this as output:
    No passwd entry for user ‘[email protected]

    also tried without the “@domain.local”

  3. Tom says:

    After typing in the following command, the package asks for a realm:

    sudo apt-get install krb5-user samba sssd

    What is an Administrative Kerberos Realm?

    • Nick says:

      Your Administrative Kerberos Realm is your AD domain. Using the author’s example: BASE.LOCAL, the default realm you would enter would be BASE.LOCAL (make sure it’s in all caps).

      The following 2 prompts after that are asking for your kdc server & admin server, which would be the domain controller – again using the author’s example it would be DC.BASE.LOCAL for both your kdc server & admin server (again, these must be entered in all caps).

      If you made a mistake during configuration, you can edit /etc/krb5.conf
      On line 2 default_realm is your Administrative Kerberos Realm
      Further down in the [realms] section you can edit your realm, kdc server & admin server.

  4. Scott says:

    I am having a problem with the time service…

    sudo ntpdate -s
    Error resolving Name or service not known (-2)

  5. Neal Tomlinson says:

    I followed 5 other guides to joining an ubuntu server to a Windows AD as a domain member and failed each time. Therefore I felt an Eureka moment when I launched a Windows 10 network search and could see my ubuntu server 17.04 and view the test share on it. Thank you :)

  6. tmack8080 says:

    Has anyone tested this with Windows Server 2016 – domain functional level 2016?

  7. AYAD ISMAIL says:

    hi, I’m new to the Linux world. I have Ubuntu 16.04 LTS (client) installed on a laptop; how can I change the configuration from workgroup to domain to join a server with Linux Ubuntu 16.04?

  8. Greg Bryant says:

    I have my Ubuntu 16.04 LTS server joined to our Windows domain. Any domain user can log in. I’m using SSSD to try to only allow one specific domain group and I can’t seem to get it to work. None of the tutorials or content I’ve found online seems to work. My AD group has a space in its name; I’ve set up the ‘account required listsep=,’ in the pam.d/login file. I have UsePAM in my sshd_config file too.

    I’ve setup my access.conf file with:
    + : root : ALL
    + : myusername : ALL
    - : ALL : ALL

    to try to prevent any user from logging in but me & root and it still doesn’t work.

    Any ideas?

  9. Hi Team,

    Can any one tell me the recommended way to join Ubuntu 16.04 LTS Desktop to a windows domain by the Ubuntu Officials?
    I want to logon my Active Directory Domain users on Ubuntu Desktop. I found the below mentioned some procedures to join but I am not sure which one is a recommended and which one is official.

    – Joining Domain using Winbind and Samba. This process needs winbind, samba, smbfs, smbclient and additional tools installation and configurations on the Linux machine.

    – Joining Domain using DirectControl Utility. This is third party utility that needs to be installed on the workstation in order to join the workstation to the domain.

    – Joining Domain using SSSD. This process require samba, ntp, kerberos5-user and sssd package installation and configuration.

    – Joining Domain Using Likewise open graphical Utility. Like DirectControl this is also third party utility

    Please help me out to find the official recommendations


  10. Simun Fuglsbøl says:

    Hello, I have tried a lot of other guides, but this is the most comfortable to use. I have joined my Linux Ubuntu 16 to my Windows domain, and I am able to kinit and su my Windows administrator, but not anyone else.
    How are you able to get a personal home folder created? That does not work for me.
    And secondly, how do I log in with my other windows users?


  11. Curtis says:

    This worked for me. However I have a parent child active directory setup. I’ve joined my linux box to the child domain. How can I provide access to the parent domain users?

  12. Rubert says:

    Hello, When I ran kinit adadmin, I got a message “kinit: Cannot contact any KDC for realm ‘IHM.LOCAL’ while getting initial credentials”

    Not sure what’s going wrong, but my DNS is not resolving the host name. I do have the DNS updated in the network settings. Is there somewhere I have to change it manually?

    ping ihm-dc1.ihm.local (tried upper case as well if that how it should be)
    ping: ihm-dc1.ihm.local: Name or service not known

  13. ivan says:

    I have a different problem. I have two separate domains with a trust between them:

    Domain A
    Domain B

    We have a Linux monitoring system that is joined to Domain A and we need to authenticate also with Domain B. I have tried to add [CAPATHs] but to no avail; I am getting that the server I am trying to reach is not in the Kerberos.

    Can anyone help please?

  14. Barry Coleman says:

    This works for me, but the shell it gives is a dash shell only giving $, and when I try to change it I get the error saying “You may not change the shell for ‘test’.”

  15. jagdish says:

    I had installed an Active Directory infrastructure with Samba4 on an Ubuntu 18.04 server, I had integrated (joined) an Ubuntu 18.04 desktop to the Samba4 AD DC with SSSD and Realm, and I had joined one Win 10 Pro to the Samba4 ADS. I have created some group policy, like USB storage disable. When I joined Win 10, that group policy was working: the Win 10 client machine could not access USB storage. When I shifted the Ubuntu client onto that group policy, the Ubuntu client could still access USB storage.

    My question is: how can I disable USB storage on all my Ubuntu clients by using group policy in AD?
