Linux Active Directory integration is one of the most popular and requested topics from both the community and our clients. On May 17 we delivered a webinar on the new AD integration features introduced with 22.04 (now available on demand) and following that we received an overwhelming number of questions.
In this blog post we would like to directly address the most frequent ones.
SSSD is an upstream Active Directory service that manages access to remote directory services and authentication mechanisms including, but not limited to, Active Directory.
ADsys is the new, Ubuntu-specific Active Directory client. ADsys extends SSSD functionalities by adding the following:
ADsys is supported on 20.04.2+, 22.04 and future desktop releases.
Yes, it does; however, gsettings are not available on Ubuntu Server by default.
Once you install the package you can use the ADsys functionalities by following the same steps included in the documentation.
Yes, Canonical offers Landscape, which is a management and monitoring solution that works for both server and desktop. Landscape is not intended to be an AD replacement, but rather to complement it by adding Linux-specific functionalities like the ability to configure mirrors.
You can find more information about Landscape on its dedicated product page.
With ADsys, as well as future enterprise products, we are trying to extend Ubuntu compatibility with popular enterprise management and compliance tools, allowing IT administrators to reuse the same knowledge, tools and processes they have developed for Windows to manage their Ubuntu fleet.
The ADsys GPO functionality can be used by everyone free of charge; however, you need an Ubuntu Advantage Desktop token to use the privilege escalation and remote script execution functionalities.
The differences between the free and paid tiers are summarized in the table below:
The ADsys remote script execution feature supports all binaries that can be executed on Ubuntu. This means that PowerShell scripts can be executed if the related snap is installed on the machine.
You can install PowerShell on Ubuntu using the snap install powershell --classic command.
No, Winbind is not supported as ADsys requires SSSD. We currently have no plans to add Winbind support.
If your machine has Samba shares attached, you can reference files in these directories (e.g. a wallpaper).
The script execution feature requires you to make the scripts available in your Active Directory SYSVOL Samba share.
Yes, SSSD is required as machines need to be joined to the domain for ADsys to work.
Not at the moment. The privilege escalation feature of ADsys allows you to disable local administrators and add/remove sudo privileges to Active Directory users and groups.
Please contact us if your organization has a specific use case you would like to discuss.
Yes, the machines need to be joined through SSSD. You can join a machine either through the initial installer flow or at any time during the life of the machine.
You can find a detailed description of the steps required to join a machine to a domain in our Active Directory integration whitepaper.
Currently the best way to map file shares and printers is through a logon shell script. We are looking closely at the possibility of performing this action through GPOs and we will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
Currently you cannot push certificates through GPOs. We are looking closely at the feature and will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
ADsys and SSSD are currently clients targeted at Active Directory Domain Services and they do not support Azure AD.
Azure AD authentication is a frequently requested feature and it is on our future product roadmap.
No schema changes are required to use the new ADsys features; however, you need to import the relevant administrative templates for your distribution.
The ADsys client has a command to download the correct administrative templates automatically; alternatively, you can find them on the relevant project GitHub page.
The installer flow provides a graphical user interface that guides you through the Active Directory configuration steps.
Ubuntu machines can also be joined to a domain after installation; however, no UI is available at this point.
Roaming profiles are not supported at this point. We are looking closely at the feature and will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
Yes, this can be done using a logon shell script.
Yes, ADsys allows you to set GPOs that enforce default or custom dconf settings on the client.
After you install the Administrative Profiles included in the tool, you can disable USB auto mounting by setting the value of the key desktop/media-handling/automount to false.
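The following is an added example, not code from this post or from the ADsys project: a shell check that can be run in a user's desktop session to confirm the automount policy above is actually in effect. It assumes the key is backed by the standard GNOME schema org.gnome.desktop.media-handling and that a GPO-enforced key is reported as non-writable by gsettings; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit whether USB automount is disabled AND locked
# for the current user session.

SCHEMA="org.gnome.desktop.media-handling"   # assumed: standard GNOME schema
KEY="automount"                             # key named in the post

# evaluate_automount VALUE WRITABLE
# Pure decision function, testable without a desktop session.
#   VALUE    - output of `gsettings get`      (true|false)
#   WRITABLE - output of `gsettings writable` (true|false)
# Prints a verdict; returns 0 only when the setting is off and locked.
evaluate_automount() {
    value=$1
    writable=$2
    case "$value:$writable" in
        false:false) echo "COMPLIANT"; return 0 ;;
        # Value is correct but the user can flip it back: policy not enforced.
        false:true)  echo "NOT_LOCKED"; return 1 ;;
        true:true|true:false) echo "AUTOMOUNT_ENABLED"; return 2 ;;
        *)           echo "UNKNOWN"; return 3 ;;
    esac
}

# check_automount: query the live session and evaluate the result.
check_automount() {
    if ! command -v gsettings >/dev/null 2>&1; then
        echo "NO_GSETTINGS"
        return 3
    fi
    value=$(gsettings get "$SCHEMA" "$KEY" 2>/dev/null)
    writable=$(gsettings writable "$SCHEMA" "$KEY" 2>/dev/null)
    evaluate_automount "$value" "$writable"
}

# Run the live check only when explicitly requested: ./script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_automount
fi
```

A NOT_LOCKED result means the value happens to be false but is only a user default, so the policy should be treated as not applied on that client.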