Active Directory deployments can range from a single domain in one tree, with one or more servers, up to multiple domains and geographically dispersed servers forming a structure that is referred to as a “forest”. Furthermore, such a forest is not necessarily static: its multiple delegated administrators can add and remove domains from it. Depending on the desired level of integration and the complexity of the domain or forest, joining an Ubuntu system to Active Directory requires different tooling, configuration, and planning.
Joining an Ubuntu system to an Active Directory domain (or a forest) means that the Ubuntu system will get an account in that domain, and be able to identify and authenticate users from that domain. In other words, a joined Ubuntu system should be able to:
- authenticate Active Directory users, including changing their passwords
- recognize the Active Directory users as valid users on the Ubuntu system, with Linux-compatible user and group identifiers (more on that later)
- recognize group memberships
Depending on how the join was performed, and the software stack available on the Ubuntu system, the following is also possible:
- authenticate and recognize users from different domains that make up the forest
- apply certain group policy objects (not covered here)
- provide file and print services to users from the domain
To set up your Active Directory integrations, we suggest first familiarising yourself with the following key topics:
- Choosing an integration method
- Security identifiers
- Identity mapping backends
- The rid idmap backend
- The autorid idmap backend