
Integrate Ubuntu 24.04 system with Synology Directory Server
Synology Directory Server
- Install DNS server
- Install Synology Directory Server on Synology NAS
- Create a domain and note the domain name and domain NetBIOS name, for example:
- Create users in the domain
- Under Control Panel > Domain/LDAP, check the status
Ubuntu 24.04
From the Ubuntu documentation:
ADSys is the Active Directory Group Policy client for Ubuntu.
ADSys enables management of Ubuntu Desktop and Server clients using Microsoft Active Directory. It integrates with services like SSSD or Winbind, which handle user access and authentication, providing extended functionality for managing and controlling Ubuntu clients.
With ADSys, policies can be applied to Ubuntu clients at boot and login, privileges can be granted and revoked, and remote script execution can be automated. ADSys also comes with administrative templates (ADMX and ADML) for all supported versions of Ubuntu.
System administrators can use ADSys to apply familiar skills and tools for managing Windows machines to the management of Ubuntu machines.
https://documentation.ubuntu.com/adsys/latest/
How to manually join Ubuntu clients to an Active Directory domain:
ADSys supports manual joining of Ubuntu clients to Active Directory (AD) using different backends.
Supported backends
ADSys supports two Active Directory backends:
SSSD, or System Security Services Daemon, provides access to centralized identity management systems like Microsoft Active Directory, OpenLDAP, and various other directory servers. This client component retrieves and caches data from remote directory servers, delivering identity, authentication, and authorization services to the host machine.
Winbind is a component of the Samba suite that provides integration and authentication services between UNIX or Linux systems and Windows-based networks, allowing the former to appear as members in a Windows Active Directory domain.
Configuring connections with these backends is briefly described below with links to external documentation.
- Installation packages
sudo apt update && sudo apt install sssd-ad sssd-tools realmd adcli
- Joining a domain
type: kerberos
realm-name: EXAMPLE.LOCAL
domain-name: example.local
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@example.local
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups:
realm join -v -U administrator example.local
Enter the password of the domain administrator account when prompted.
Successfully enrolled machine in realm
Check: Synology Directory Server, Users & Computers, computers
realm discover example.local
example.local
type: kerberos
realm-name: EXAMPLE.LOCAL
domain-name: example.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@example.local
login-policy: allow-realm-logins
- /etc/sssd/sssd.conf :
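Change access_provider = ad to access_provider = simple. With the simple provider, logins are governed by the simple_allow_users and simple_allow_groups lists; if no lists are set, every domain user is permitted.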
[sssd]
domains = example.local
config_file_version = 2
services = nss, pam

[domain/example.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ldap_sasl_authid = EXAMPLECOMPUTER$
fallback_homedir = /home/%u@%d
ad_domain = example.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
Some default settings worth mentioning are:
• cache_credentials: With this set to True, the credentials will be cached and
the users will be allowed to login even if the machine is disconnected from
the network.
• fallback_homedir: This is used if no homedir is provided by the domain’s data
provider. For instance, with the default, the home directory for user ‘linda’ is of
the form: ‘/home/linda@example.local’.
• use_fully_qualified_names: users will be of the form ‘user@domain’, not just
the username. This should only be changed if you are certain no other domains
will ever join the AD forest, via one of the several possible trust relationships.
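An added example, not from the original page or the SSSD project: a small Python check that parses an sssd.conf like the one above and flags the access and caching settings discussed here. The sample config and the finding names are constructed for illustration.

```python
import configparser

# Constructed sample that mirrors the sssd.conf shown on this page.
SAMPLE_CONF = """\
[sssd]
domains = example.local
config_file_version = 2
services = nss, pam

[domain/example.local]
cache_credentials = True
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.local
use_fully_qualified_names = True
access_provider = simple
"""


def audit_sssd_conf(text):
    """Return sorted (domain, finding_id) pairs for every [domain/...] section."""
    # interpolation=None: values such as /home/%u@%d must not be expanded.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = set()
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, opts = section.split("/", 1)[1], cp[section]
        provider = opts.get("access_provider", "permit").strip().lower()
        allow_lists = [opts.get(k, "").strip()
                       for k in ("simple_allow_users", "simple_allow_groups")]
        if provider == "permit":
            findings.add((dom, "ACCESS_PERMIT_ALL"))
        elif provider == "simple" and not any(allow_lists):
            # No allow list: every user not explicitly denied is admitted.
            findings.add((dom, "SIMPLE_NO_ALLOW_LIST"))
        if opts.get("cache_credentials", "false").strip().lower() == "true":
            # Offline logins work because credential hashes stay on disk.
            findings.add((dom, "CACHED_CREDENTIALS"))
        if opts.get("use_fully_qualified_names", "false").strip().lower() != "true":
            findings.add((dom, "SHORT_USERNAMES"))
    return sorted(findings)


if __name__ == "__main__":
    for dom, finding in audit_sssd_conf(SAMPLE_CONF):
        print(f"{dom}: {finding}")
```

Adding a simple_allow_groups or simple_allow_users line to the domain section clears the SIMPLE_NO_ALLOW_LIST finding.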
- Creating Home Directory
What the realm tool didn’t do for us is set up pam_mkhomedir (this should be
fixed with Bug #1894135 “Enable homedir creation” in the realmd package on
Ubuntu), so that network users can get a home directory automatically when they
log in. This remaining step can be done by running the following command:
sudo pam-auth-update --enable mkhomedir
This will enable pam_mkhomedir.so in the /etc/pam.d/common-session pam
configuration file.


