AD Domain Join Ubuntu with DNS update

Here are a couple of useful articles to help with this task

Untested script 🙂

# Set the following values to match your env
DOMAIN_NAME=<my domain name in lower case>
DOMAIN_NAME_UC=<my domain name in uppercase>
DOMAIN_USER=<valid domain user that can join domain>

# Set the hostname (as written this re-applies the shell's current $HOSTNAME; set HOSTNAME to the name you want the computer account to have first)
sudo hostnamectl set-hostname "$HOSTNAME"

# Install Components
sudo apt-get install -y krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli

# Update NTP Config: add the domain as a time source unless the line is already there
# (the original redirected sed's output back onto /etc/ntp.conf, which truncates the file before sed reads it,
# and single quotes stopped $DOMAIN_NAME from expanding)
grep -qxF "server $DOMAIN_NAME" /etc/ntp.conf || echo "server $DOMAIN_NAME" | sudo tee -a /etc/ntp.conf > /dev/null

# Force an NTP Update (Kerberos rejects tickets if the clock skew is more than a few minutes)
sudo systemctl stop ntp
sudo ntpdate "$DOMAIN_NAME"
sudo systemctl start ntp

# Find the Domain
sudo realm discover "$DOMAIN_NAME_UC"

# Join the Domain (Note: this might fail here due to kinit requiring a password -- if so, just run everything after this manually for now)
sudo realm join --verbose "$DOMAIN_NAME_UC" -U "$DOMAIN_USER" --install=/

# Edit the SSSD config
# Comment out the following line so users log in as 'user' instead of 'user@domain'
# use_fully_qualified_names = True
sudo sed -i '/^use_fully_qualified_names = True/s/^/#/' /etc/sssd/sssd.conf
sudo service sssd restart

# Setup Home Directory
# Add the following line in /etc/pam.d/common-session below the first 'session optional' line and save it
# (the original omitted the module name; pam_mkhomedir.so is what creates the home directory on first login):
# session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
# The sed below inserts it after the first match only and skips the edit if the module is already configured;
# on Ubuntu 'sudo pam-auth-update --enable mkhomedir' achieves the same through the pam-auth-update profiles.
grep -q pam_mkhomedir.so /etc/pam.d/common-session || sudo sed -i '0,/^session[[:space:]]\+optional.*/s//&\nsession required pam_mkhomedir.so skel=\/etc\/skel\/ umask=0077/' /etc/pam.d/common-session

# Add support for Domain Admins to sudo
# Grant the 'Domain Admins' group passwordless sudo (substitute 'AAD DC Administrators' when the domain is Azure AD Domain Services).
# The group name must match what 'getent group' reports after the join.
# %Domain\ Admins ALL=(ALL) NOPASSWD:ALL
# Never redirect sed's output back onto /etc/sudoers (that empties the file and locks everyone out of sudo);
# write a drop-in under /etc/sudoers.d and let visudo validate the syntax before it is used.
echo '%Domain\ Admins ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/domain-admins > /dev/null
sudo chmod 0440 /etc/sudoers.d/domain-admins
sudo visudo -cf /etc/sudoers.d/domain-admins
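The script above edits ntp.conf, sssd.conf, common-session and sudoers in place, and the two places where it redirects sed back onto the source file would wipe that file. The following is an added example, not code from the original post: idempotent helpers that make the same edits safely, exercised against constructed copies of the three files (the domain name example.lan and the sample file contents are made up for the demo).

```sh
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the file
# edits the join script makes, written so that a second run changes nothing
# and no file is ever redirected onto itself. File paths are parameters, so
# the demo works on constructed copies instead of the live /etc.
set -eu

# Append LINE to FILE unless an identical line is already present.
ensure_line() {            # ensure_line FILE LINE
    grep -qxF -- "$2" "$1" 2>/dev/null && return 0
    printf '%s\n' "$2" >> "$1"
}

# Prefix every line that starts with KEY with '#'; already-commented lines do not match.
comment_out() {            # comment_out FILE KEY
    sed -i.bak "/^[[:space:]]*$2/s/^/#/" "$1"
}

# Insert LINE after the first line matching the extended regex ERE, unless LINE exists.
insert_after_first() {     # insert_after_first FILE ERE LINE
    grep -qxF -- "$3" "$1" && return 0
    awk -v re="$2" -v ln="$3" '{ print } !done && $0 ~ re { print ln; done = 1 }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write a sudoers rule as a drop-in file and keep it only if visudo accepts the syntax
# (the original piped sed back onto /etc/sudoers, which truncates it).
sudoers_dropin() {         # sudoers_dropin FILE RULE
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 "$tmp" "$1"; rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}

# Replay the script's edits against constructed copies of the three files in DIR.
demo() {                   # demo DIR
    printf 'driftfile /var/lib/ntp/ntp.drift\npool 0.ubuntu.pool.ntp.org iburst\n' > "$1/ntp.conf"
    printf '[sssd]\ndomains = example.lan\n\n[domain/example.lan]\nuse_fully_qualified_names = True\n' > "$1/sssd.conf"
    printf 'session\trequired\tpam_permit.so\nsession optional\t\tpam_umask.so\nsession\toptional\tpam_systemd.so\n' > "$1/common-session"
    ensure_line "$1/ntp.conf" "server example.lan"
    ensure_line "$1/ntp.conf" "server example.lan"   # second call is a no-op
    comment_out "$1/sssd.conf" "use_fully_qualified_names"
    insert_after_first "$1/common-session" '^session[[:space:]]+optional' \
        'session required pam_mkhomedir.so skel=/etc/skel/ umask=0077'
}
```

Run `demo "$(mktemp -d)"` and inspect the three files; sudoers_dropin is not part of the demo because validating and installing under /etc/sudoers.d needs root.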

Note: To remove an Ubuntu computer from the domain here's what I did:

  • realm --verbose leave lan.domain.tld
  • deleted computer entry in AD
  • updated /etc/hostname file
  • updated /etc/hosts file
  • reboot, checked new hostname is valid
  • realm --verbose join lan.domain.tld --user-principal=NEWHOSTNAME/administrator@LAN.DOMAIN.TLD --unattended
  • reboot

