New Active Directory integration features in Ubuntu 22.04 – FAQ
Massimiliano Gori
on 27 May 2022
Tags: Identity Management , Ubuntu Desktop
Linux Active Directory integration is one of the most popular and requested topics from both the community and our clients. On May 17 we delivered a webinar on the new AD integration features introduced with 22.04 (now available on demand) and following that we received an overwhelming number of questions.
In this blog post we would like to address directly the most frequent ones
You can find links to the articles in ADsys blog series below:
- Part 1: ADsys announcement
- Part 2: Group Policy Object support
- Part 3: Privilege management (sudo and local users)
- Part 4: Remote script executionADsys FAQ
What is ADsys and how is it different from SSSD?
SSSD is an upstream Active Directory service that manages access to remote directory services and authentication mechanisms including, but not limited to, Active Directory.
ADsys is the new, Ubuntu specific Active Directory Client. ADsys extends SSSD functionalities by adding the following :
- Native Group Policy Object support for both machine and user policies targeting dconf settings on the client machine
- Privilege management, allowing the possibility to grant or revoke superuser privileges for the default local user, and Active Directory users and groups
- Custom scripts execution, giving the possibility to schedule shell scripts to be executed at startup, shutdown, login and logout
- Admx and adml administrative templates for all supported versions of Ubuntu
Which Ubuntu versions does Adsys support?
ADsys is supported on 20.04.2+, 22.04 and future desktop releases.
Does ADsys work with Ubuntu Server?
Yes it does, however gsettings are not available on Ubuntu Server by default.
Once you install the package you can use the ADsys functionalities by following the same steps included in the documentation.
Does Canonical offer a cloud management system for ubuntu?
Yes, Canonical offers Landscape, which is a management and monitoring solution that works for both server and desktop. Landscape is not intended to be an AD replacement, rather compliment it by adding Linux specific functionalities like the ability to configure mirrors.
You can find more information about Landscape on its dedicated product page.
With ADsys, as well as future enterprise products, we are trying to extend Ubuntu compatibility with popular enterprise management and compliance tools, allowing IT administrators to reuse the same knowledge, tools and processes they have developed for Windows to manage their Ubuntu fleet.
What is required to enable privilege escalation and remote script execution?
The ADsys GPO functionality can be used by everyone free of charge, however you need an Ubuntu Pro Desktop token to use the privilege escalation and remote script execution functiontionalities.
The differences between the free and paid tiers is summarized in the table below:
Can we use Powershell scripts in ADsys?
The ADsys remote script execution feature supports all binaries that can be executed on Ubuntu. This means that Powershell scripts can be executed if the related snap is installed on the machine.
You can install Powershell on Ubuntu using the snap install Powershell command.
Is Samba/Winbind supported?
Winbind support has been added starting from April 2023.
If your machine has samba shares attached you can reference files in these directories (e.g. a wallpaper).
The scripts execution feature requires you to make the scripts available in your Active Directory sysvol samba share.
Is SSSD required to use ADsys?
Yes, SSSD or Winbind are required as machines need to be joined to the domain for ADsys to work.
Can the sudo permissions be tuned to restrict access to a specific set of commands?
Not at the moment. The privilege escalation feature of ADsys allows you to disable local administrators and add/remove sudo privileges to Active Directory users and groups.
Please contact us if your organization has a specific use case you would like to discuss.
Does the machine need to be joined to AD before enabling ADsys?
Yes, the machines need to be joined through SSSD. You can join a machine both using the initial installer flow or at any time during the life of the machine.
You can find a detailed description of the steps required to join a machine to a domain in our Active Directory integration whitepaper.
How can you map file shares and printers?
Currently the best way to map file shares and printers is through a logon shell script. We are looking closely at the possibility of performing this action through GPOs and we will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
Can you push certificates through AD GPOs?
Currently you cannot push certificates through GPOs. We are looking closely at the feature and will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
Does Ubuntu support Azure AD?
ADsys and SSSD are currently clients targeted at Active Directory Domain Services and they do not support Azure AD.
Azure AD authentication is a very requested feature and it is in our future product roadmap.
Are there any AD schema changes required?
No schema changes are required to use the new ADsys features, however you need to import the relevant administrative templates for your distribution.
The ADsys client has a command to download the correct administrative templates automatically, alternatively you can find them on the relevant project GitHub page.
Is there a GUI to add an Ubuntu machine to a domain?
The installer flow provides a graphical user interface that guides you through the Active Directory configuration steps.
Ubuntu machines can be joined to a domain also after installation, however no UI is available at this point.
Are roaming profiles supported?
Roaming profiles are not supported at this point. We are looking closely at the feature and will consider adding it to the product backlog based on customer interest.
Please contact us if your organization has a specific use case you would like to discuss.
Can you map a unified home directory?
Yes, this can be done using a logon shell script.
Can you disable USB auto mounting?
Yes, ADsys allows you to set GPOs that enforce default or custom dconf settings on the client.
After you install the Administrative Profiles included in the tool you can disable USB auto mounting by setting the key desktop/media-handling/automount value to false.
Find out more
- Ubuntu Desktop for organisations
- Ubuntu compliance monitoring with Microsoft Intune
- Improve your endpoint security with Ubuntu Pro
Ubuntu desktop
Learn how the Ubuntu desktop operating system powers millions of PCs and laptops around the world.
Newsletter signup
Related posts
Announcing Authd: OIDC authentication for Ubuntu Desktop and Server
Today we are announcing the general availability of Authd, a new authentication daemon for Ubuntu that allows direct integration with cloud-based identity...
Entra ID authentication on Ubuntu at scale with Landscape
Authd allows Entra ID authentication on both Ubuntu Desktop and Server. Learn how to configure Authd at scale using Landscape and Cloud-init
Imagining the future of Cybersecurity
October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu...