Continuing my previous post walking through a Linux server install with an eye toward creating a standard build, this post contains a set of easy steps to configure Active Directory (AD) authentication on Linux for your standard user accounts. This post makes a great companion piece because it's the first thing I do after completing my Linux builds. Let's get right to it, shall we?
Note: this post is specific to Debian and derivatives (verified working on Ubuntu 24.04 also), but should be fairly easily adapted to other Linux distros.
Step 1 - Create a Backup
After completing your initial server build and installing the base packages, it's a great time to create a backup/snapshot, if you haven't already.
Step 2 - Prerequisites
In order to complete these steps, you'll need to ensure a few prerequisites are in place:
- Pretty obviously, a working Active Directory domain; you'll need to know both hostname and IP address for your AD DNS server and at least one domain controller.
- Your Linux server, configured with a static IP address, a hostname that's unique among your domain-joined computers, and configured for DNS resolution against your AD DNS server.
- On the Linux server, we'll enable root to log in via SSH temporarily for troubleshooting/configuration purposes.
- Create an AD group to contain the user accounts permitted to authenticate to the Linux servers.
- (Optional) Create an AD account with permission to query AD for troubleshooting, both now and for future tasks; see my previous article about searching AD with Linux using ldapsearch for reference.
- An AD account with permission to query AD, for testing/troubleshooting purposes.
- I've uploaded sample copies of all the files referenced in this post to the Solo Admin Github repository, under the "posts/active-directory-authentication-on-linux" folder. Feel free to grab them and customize them for your environment.
- For the purposes of this post, the AD domain will be domain.com, the Linux server will be called server.domain.com, and the AD domain controller will be called dc.domain.com. Do NOT keep these default values! They must be updated for your environment.
Now that the prerequisites are in place, we'll be following the steps at https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectorySssd rather than reinvent the wheel with an identical walkthrough. Here are some notes on the process:
- Make sure to explicitly update /etc/hosts, modifying the entry with your server's name to reflect its IP instead of 127.0.0.1. Ping by name to verify that it no longer resolves to 127.0.0.1.
192.168.0.1 server.domain.com server
- In my environment, I've replaced the ntp package with ntpsec. The ntp.conf file in the repo works identically for either.
- When changing ownership after the first successful login, I've always used Domain Users for my group designation, e.g.
chown -R <AD user>:"Domain Users" /home/<AD user>/.ssh
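As an added example (not from the original post or its repo), here is a small shell check for the /etc/hosts note above: it reads a hosts file and confirms the server's name maps to its real address rather than a loopback one. It uses the post's placeholder name server.domain.com and address 192.168.0.1, and it generalizes the check to the whole 127.0.0.0/8 loopback block and ::1, not just 127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the original post or its repo: verify that a hosts
# file maps the server's name to its real address rather than loopback, which
# is the /etc/hosts fix described in the note above. domain.com and
# 192.168.0.1 are the post's placeholder values.

# Print the address HOSTS_FILE maps NAME to (first match, aliases included).
# Exit status 1 when no entry mentions NAME.
hosts_lookup() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                 # drop comments, whole-line or trailing
        NF < 2 { next }                    # skip blank lines and address-only lines
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 if NAME maps to a non-loopback address in HOSTS_FILE. Any 127.x.x.x
# address (the whole IPv4 loopback block, not only 127.0.0.1) or ::1 fails.
hosts_entry_ok() {
    addr=$(hosts_lookup "$1" "$2") || { echo "FAIL: no entry for $2" >&2; return 1; }
    case $addr in
        127.*|::1) echo "FAIL: $2 maps to loopback $addr" >&2; return 1 ;;
        *)         echo "OK: $2 -> $addr"; return 0 ;;
    esac
}

# Constructed samples: the file as installed, then after the fix.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
127.0.0.1   localhost
127.0.0.1   server.domain.com server
::1         localhost ip6-localhost ip6-loopback
EOF
cat > "$after" <<'EOF'
127.0.0.1   localhost
192.168.0.1 server.domain.com server   # static address, as in the note above
::1         localhost ip6-localhost ip6-loopback
EOF

hosts_entry_ok "$before" server.domain.com   # FAIL: maps to loopback 127.0.0.1
hosts_entry_ok "$after"  server.domain.com   # OK: server.domain.com -> 192.168.0.1
```

On a real server, run `hosts_entry_ok /etc/hosts "$(hostname -f)"` before joining the domain; it only inspects the file, so still ping by name afterwards to confirm the resolver agrees.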
As I mentioned previously, having an account for AD integration can come in handy at any step of this process when trying to troubleshoot, and the excellent ldapsearch Linux utility is your friend.
NOTE - this guide, and the linked Debian HOW-TO page, are for authentication only, and not SAMBA file servers/domain controllers, etc. Your server, by virtue of the final join-ad.sh script, will have a computer account in the domain, but it will be limited.
As always, if you're stuck and would like help, shoot an email to matt@thesoloadmin.com and I'll do what I can. 😎