Join Domain

• https://ubuntu.com/server/docs/service-sssd

sudo apt install -y sssd-ad sssd-tools realmd adcli
sudo realm join -U ${myuser} -v ${mydomain}
echo "ad_gpo_ignore_unreadable = True" | sudo tee -a /etc/sssd/sssd.conf
sudo systemctl restart sssd
sudo pam-auth-update --enable mkhomedir
# You can now login, use realm to limit login access to specific ad groups/users
# sudo realm permit -g "domain users@example.io"
# sudo realm permit myuser@example.io

• sudo apt install sssd-ad sssd-tools realmd adcli

20.04

ssh-copy-id -i .ssh/id_ed25519 'busk@exampel.org'@10.x.x.x
ssh 'busk@extendhealth.com'@10.x.x.x
realm permit busk@example.org
realm permit -x jebusk@example.org
realm permit -g 'Domain Users@example.org'

ssh 10.250.6.180
# or for all
# echo "ad_gpo_access_control = permissive" >> /etc/sssd/sssd.conf
# sudo systemctl restart sssd

/etc/sssd/sssd.conf needs the following entry.

[domain/your.domain]
ad_gpo_access_control = permissive

sudo systemctl restart sssd

In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion

Other

• https://wiki.ubuntu.com/Enterprise/Authentication/sssd
• https://ubuntu.com/server/docs/service-sssd
• sudo apt-get install sssd libpam-sss libnss-sss sssd-tools

sssd[: Group Policy Container with DN  xxxx is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO. See ad_gpo_ignore_unreadable in 'man sssd-ad' for details