Pop!_OS and Ubuntu can be joined to an Active Directory domain, which allows users to log in with their existing network credentials.
Install the necessary packages:
sudo apt install sssd heimdal-clients msktutil
While installing those packages, you will be prompted for the following information. These are sample responses. Our domain is called “system76.local” and our Active Directory server is called “adserver” in this example:
Forest name: SYSTEM76
Domain controller hostname: ADSERVER.system76.local
Administrative server for your Kerberos realm: ADSERVER.system76.local
Move the default Kerberos configuration file to a backup, and create a fresh file to use:
sudo mv /etc/krb5.conf /etc/krb5.conf.default
sudo nano /etc/krb5.conf
Edit the /etc/krb5.conf file with the following contents:
[libdefaults]
default_realm = SYSTEM76.LOCAL
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
SYSTEM76.LOCAL = {
kdc = ADSERVER.system76.local
admin_server = ADSERVER.system76.local
}
Initialize Kerberos and generate a keytab file. The first command requires the username of a domain administrator, and our computer’s hostname is “pop-os” in this example:
kinit administrator
klist
msktutil -N -c -b 'CN=COMPUTERS' -s POP-OS/pop-os.system76.local -k my-keytab.keytab ‑‑computer-name POP-OS ‑‑upn POP-OS$ ‑‑server adserver.system76.local ‑‑user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s POP-OS/pop-os -k my-keytab.keytab ‑‑computer-name POP-OS ‑‑upn POP-OS$ ‑‑server adserver.system76.local ‑‑user-creds-only
kdestroy
Move the keytab to the /etc/sssd directory, and configure SSSD:
sudo mv my-keytab.keytab /etc/sssd/my-keytab.keytab
sudo nano /etc/sssd/sssd.conf
The SSSD configuration file should contain the following:
[sssd]
services = nss, pam
config_file_version = 2
domains = system76.local
[nss]
entry_negative_timeout = 0
#debug_level = 5
[pam]
#debug_level = 5
[domain/system76.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = pop-os.system76.local
ad_server = adserver.system76.local
ad_domain = system76.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = POP-OS$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true
After saving, set the appropriate permissions on that configuration file:
sudo chmod 0600 /etc/sssd/sssd.conf
Configure PAM:
sudo nano /etc/pam.d/common-session
Look for the line that contains “session required pam_unix.so” and add this line immediately below it:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
After saving that file, restart SSSD:
sudo systemctl restart sssd
Add the domain administrator to the local sudo group:
sudo adduser administrator sudo
Then, test a login with the domain administrator:
su -l administrator
Reboot the computer. At the login screen, you can click the “Not listed?” link, and type the username of any domain user. After logging in with a domain user for the first time, that user will appear on the login screen’s user list.