Use Active Directory on Ubuntu: what it is
Installing an Active Directory Domain Controller on Ubuntu with Samba
Samba is an open-source implementation of the SMB protocol that provides file and print services to SMB/CIFS clients. Samba lets your Ubuntu system interoperate over the network with Windows clients and integrate with the services common to a Windows environment. These services help share data and information about the computers and users on the network, and fall into three main categories by function:
File and print sharing services: use the Server Message Block (SMB) protocol to share files, directories, volumes and printers over the network.
Directory services: provide vital information about the computers and users on the network using the Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory.
Authentication and access: establish the identity of a user or computer on the network and determine what information that computer or user is allowed to access, using file permissions, group policies and the Kerberos authentication service.
This article explains how to install an Active Directory Domain Controller running on Samba on Ubuntu 16.04. Samba as an AD DC requires at least version 4.0.0. It is strongly recommended to use the latest stable Samba release, which contains bug fixes from earlier releases, improved Microsoft Active Directory support and additional features.
The main advantage of this is that we do not need to install a separate Kerberos KDC. Samba includes an AD-compatible KDC and provides its own LDAP implementation for the AD back end.
Before you begin
Let's go step by step. Change the server settings according to our three points above.
1) Configure your server to use a static IP. Edit the /etc/network/interfaces file for the IP "96.126.107.141", the domain controller name "some-org.com" and the other details:
# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 96.126.107.141
netmask 255.255.255.0
network 96.126.107.0
broadcast 96.126.107.255
gateway 96.126.107.1
dns-nameservers 96.126.107.141 8.8.8.8
dns-search some-org.com
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto
We changed iface eth0 inet dhcp to iface eth0 inet static; the part in bold is the network configuration.
2) Fix your resolv.conf file: add the name of your domain controller.
# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 96.126.107.141
nameserver 8.8.8.8
nameserver 207.192.69.4
search some-org.com
3) Finally, edit your /etc/hosts file and set "ubuntu.some-org.com" as the hostname:
# cat /etc/hosts
127.0.0.1 localhost
96.126.107.141 ubuntu.some-org.com ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# echo ubuntu.some-org.com > /etc/hostname
# /etc/init.d/networking restart
[ ok ] Restarting networking (via systemctl): networking.service.
After these changes, the network must be restarted.
Now everything is ready for installing the packages.
Installing packages
First, install the packages needed to set up our Active Directory domain controller.
# apt-get install git attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind
During package installation you will be asked for information about your Kerberos setup. You need to provide the default Kerberos realm and the administrator information. You can set your default realm to some-org.com and the administrative server to the hostname given above.
Installing and configuring SAMBA
You will need to download the latest Samba packages from the git repository into the "samba4" directory.
After downloading, change into the "samba4" directory and configure your Samba package.
# cd samba4
# ./configure --enable-debug --enable-selftest
Building SAMBA takes quite a long time. Once everything is done, check the versions of SAMBA and of the SMB client; they must match.
Creating the Samba Active Directory
The next step is to provision your controller. You can simply run the command:
# /usr/local/samba/bin/samba-tool domain provision --realm=some-org.com --domain=some-org --adminpass="password" --server-role=dc --dns-backend=SAMBA_INTERNAL
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=some-org,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=some-org,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: ubuntu
NetBIOS Domain: SOME-ORG
DNS Domain: some-org.com
DOMAIN SID: S-1-5-21-4019752003-3807572232-1148719748
You can, of course, use Bind9 for DNS, but SAMBA already includes its own full-featured DNS server. This is specified with SAMBA_INTERNAL in the command above. Next, we need to start the SAMBA service after provisioning the controller.
Verifying your Samba Domain Controller
We can run "smbclient" to check that Samba provides the standard AD DC shares "netlogon" and "sysvol", which were defined in "smb.conf" during provisioning.
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Server               Comment
---------            -------
UBUNTU               ubuntu server (Samba, Ubuntu)
Workgroup            Master
---------            -------
WORKGROUP            UBUNTU
To check that authentication works, you can try connecting to the "netlogon" share using the domain administrator account that was created during provisioning.
47431 blocks of size 524288. 40274 blocks available
Configuring the SAMBA_INTERNAL DNS
A working DNS is essential for Active Directory to operate correctly. Without the right DNS records, Kerberos will not work, which in turn means that many of the core features will not work either. It is always worth spending some extra time on your DNS settings to make sure they are done properly.
Edit the /etc/resolv.conf file to add our domain name:
#echo domain some-org.com >> /etc/resolv.conf
Your domain controller needs a name server that can resolve queries for the Active Directory zones, since this is your first domain controller in the AD forest.
You also need to edit the "/usr/local/samba/etc/smb.conf" file and add Google's DNS as the dns forwarder.
# cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = SOME-ORG
realm = SOME-ORG.COM
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder = 8.8.8.8
Testing DNS
To verify that DNS works correctly, run the commands and check that the output is correct:
Configuring Kerberos
Kerberos is an important part of Active Directory. It is normally configured in the /etc/krb5.conf file. During provisioning, a working sample is created in /usr/local/samba/share/setup/krb5.conf. You can replace krb5.conf with the sample file by copying it or by creating a symbolic link.
You will need to edit this file and change default_realm to the name of your DC:
# cat /etc/krb5.conf
[libdefaults]
default_realm = SOME-ORG.COM
dns_lookup_realm = false
dns_lookup_kdc = true
The realm name must be written in UPPER CASE.
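The realm has to agree between smb.conf and krb5.conf, and krb5.conf must carry it in upper case. The script below is an added example, not part of the original article: it cross-checks the two files shown above. The helper names ini_get, to_upper and check_realm and the temporary sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: cross-check the realm settings in smb.conf and krb5.conf.
# The sample files are constructed from the values used in this article.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (tolower(s) == tolower(want)); next
        }
        in_sec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }
    ' "$1"
}

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_realm SMB_CONF KRB5_CONF: print one line per problem and
# return the number of problems found (0 means consistent).
check_realm() {
    smb_realm=$(ini_get "$1" global realm)
    krb_realm=$(ini_get "$2" libdefaults default_realm)
    kdc_lookup=$(ini_get "$2" libdefaults dns_lookup_kdc)
    problems=0
    if [ -z "$krb_realm" ]; then
        echo "krb5.conf: default_realm is not set"
        problems=$((problems + 1))
    elif [ "$krb_realm" != "$(to_upper "$krb_realm")" ]; then
        echo "krb5.conf: default_realm '$krb_realm' is not upper case"
        problems=$((problems + 1))
    fi
    if [ "$(to_upper "$smb_realm")" != "$(to_upper "$krb_realm")" ]; then
        echo "realm differs: smb.conf '$smb_realm', krb5.conf '$krb_realm'"
        problems=$((problems + 1))
    fi
    if [ "$kdc_lookup" != "true" ]; then
        echo "krb5.conf: dns_lookup_kdc is '$kdc_lookup', the article sets true"
        problems=$((problems + 1))
    fi
    return "$problems"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/smb.conf" <<'EOF'
# Global parameters
[global]
    workgroup = SOME-ORG
    realm = SOME-ORG.COM
    netbios name = UBUNTU
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
EOF
cat > "$demo/krb5.good" <<'EOF'
[libdefaults]
    default_realm = SOME-ORG.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
# Constructed failure case: the realm typed in lower case.
sed 's/SOME-ORG\.COM/some-org.com/' "$demo/krb5.good" > "$demo/krb5.bad"

for f in krb5.good krb5.bad; do
    if check_realm "$demo/smb.conf" "$demo/$f"; then
        echo "$f: consistent"
    else
        echo "$f: $? problem(s)"
    fi
done
```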
Testing Kerberos
You can use kinit to test your Kerberos configuration:
# kinit administrator@SOME-ORG.COM
Password for administrator@SOME-ORG.COM:
Warning: Your password will expire in 41 days on Sun 27 Nov 2016 09:31:07 AM UTC
You will need to disable password expiry for the Active Directory administrator to avoid authentication problems in the future.
# /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Expiry for user ‘administrator’ disabled.
Note: always write your realm in upper case. To check that Kerberos is working, run:
Valid starting Expires Service principal
10/17/2016 04:19:31 10/17/2016 14:19:31 krbtgt/SOME-ORG.COM@SOME-ORG.COM
renew until 10/18/2016 04:19:19, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
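The ticket listing above shows both the session key and the ticket encrypted with arcfour-hmac (RC4), a legacy Kerberos encryption type. The following is an added example, not from the original article: it reads `klist -e` output and reports tickets that use RC4 or DES based types. The names weak_tickets and show and the second sample are constructed, and the date format is assumed to be the MM/DD/YYYY form shown above.

```shell
#!/bin/sh
# Added example: flag Kerberos tickets that use legacy encryption types.

# weak_tickets: read `klist -e` output on stdin and print one line per ticket
# whose session key or ticket encryption type is RC4 or DES based.
# Returns 1 if any such ticket was found, 0 otherwise.
weak_tickets() {
    awk '
        # Ticket line: start date, start time, end date, end time, principal.
        $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && NF >= 5 { principal = $5; next }
        /Etype \(skey, tkt\):/ {
            e = $0
            sub(/^.*Etype \(skey, tkt\): */, "", e)
            sub(/[ \t\r]+$/, "", e)
            split(e, t, /, */)
            skey = t[1]; tkt = t[2]
            # Some klist builds prefix deprecated types with "DEPRECATED:".
            sub(/^DEPRECATED:/, "", skey); sub(/^DEPRECATED:/, "", tkt)
            if (skey ~ /^(arcfour|des)/ || tkt ~ /^(arcfour|des)/) {
                print principal " skey=" skey " tkt=" tkt
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Output quoted from the kinit test in this article.
page_sample='Valid starting Expires Service principal
10/17/2016 04:19:31 10/17/2016 14:19:31 krbtgt/SOME-ORG.COM@SOME-ORG.COM
renew until 10/18/2016 04:19:19, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Constructed sample: an AES TGT plus a service ticket still encrypted with RC4.
mixed_sample='Valid starting Expires Service principal
10/17/2016 04:19:31 10/17/2016 14:19:31 krbtgt/SOME-ORG.COM@SOME-ORG.COM
renew until 10/18/2016 04:19:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/17/2016 04:21:07 10/17/2016 14:19:31 cifs/ubuntu.some-org.com@SOME-ORG.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac'

# show LABEL TEXT: run the check on TEXT and print a one-line verdict.
show() {
    if report=$(printf '%s\n' "$2" | weak_tickets); then
        echo "$1: no legacy encryption types"
    else
        echo "$1: legacy encryption types in use: $report"
    fi
}

show "article output" "$page_sample"
show "constructed output" "$mixed_sample"
```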
Creating the users directory
Now let's create the users directory and set the correct permissions and owner.
# chmod g+s /Users
# chown root:users /Users
Next, edit your SMB configuration file "/usr/local/samba/etc/smb.conf":
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents
Configuring NTP
Active Directory requires time synchronization across all domain members for Kerberos to work correctly. It is strongly recommended to use NTP on your domain controller to keep time in sync. This documentation will give you all the information you need to configure NTP on your AD domain controller.
Summary
And so, finally, we have created our AD domain controller on an Ubuntu 16.04 server. You can create your own Active Directory DC and share data over the network. The main advantage of this configuration is the ability to centralize user and computer credentials. It has a number of other advantages as well. Some of the key advantages:
This is a translation of an article. The original can be read here.
Griffon’s IT Library
Simple IT Library for the rest of us
Ubuntu – Join Ubuntu 20.04 to Active Directory – How To
In one of our previous posts (Ubuntu – Join Ubuntu 20.10 Desktop in Active Directory Domain during Setup), we demonstrated how easy it was to join an Ubuntu 20.10 Desktop edition to an Active Directory during the setup process. Indeed, the Ubuntu 20.10 ubiquity version offers an easy-to-use interface to provide the minimum necessary information to access the Active Directory domain, and the wizard performs its magic in the background.
However, some readers have been asking to provide some more information about how to join an Active Directory domain when the Ubuntu machine has already been installed. This post will try to provide enough information to join an Ubuntu 20.04 Desktop machine into an Active Directory…
Overview
Assumptions & Scenario
In this post, we will assume the following
If you have all these prerequisites met, we can move to the next section
Initial Ubuntu Desktop Configuration Settings
Before attempting to join Active Directory from your Ubuntu 20.04 Desktop, you will need to perform some pre-configuration activities. Indeed, in order to successfully join the AD domain, you will need to configure your machine with the following settings
Step 0 – Installing SSSD software & Tools
SSSD stands for “System Security Services Daemon”, which manages access to remote directories and retrieves information from them. SSSD connects to Active Directory and checks whether the account has the right to perform the connection. This package is not installed by default, so first we will need to install it. To do that, open up a Terminal console and issue the following command
Wait for installation to complete and move to the next steps
Step 1 – Hostname & Hostname Resolution
In this step, we will ensure that our Ubuntu machine is already configured with a proper name and that the fully qualified domain name is used. To validate or configure your system with a proper computer name, you will need to edit the /etc/hostname file.
In this file, you will have to enter the fully qualified domain name (FQDN) that will be used. It’s important to note that the FQDN of the Ubuntu machine needs to match the Domain name of the Active Directory. So, in our scenario, the FQDN will look like ubuntuwks01.c-nergy.lab
To check that the change is applied accordingly, you can issue the following command
As you can see, this command should return the FQDN you have defined in the /etc/hostname configuration file
Step 2 – Configuring valid DNS Servers on Ubuntu machine
If you are using a DHCP infrastructure, there is no need to make any changes as long as the DHCP server provides the IP address of the Active Directory DNS server. If you are using a static IP address, you might need to change the DNS server address on your Ubuntu machine to point to the AD DNS server.
If you do change the ip configuration of your Ubuntu machine, do not forget to disable/enable the interface to ensure that the change will be committed. In the system settings > Network tab, slide the button to bring it down.
When done, enable the network interface back to ensure that the changes you have performed are applied accordingly
Step 3 – Configure Time services on Ubuntu machine
Time service is an important element in Active Directory, and more specifically when using the Kerberos protocol. If there is a large time difference between your Ubuntu machine and the domain controller that checks your credentials, the login will fail (clock skew). The default allowed clock skew is 5 minutes. To ensure that no time drift occurs, we will need to configure the Ubuntu machine to point to a reliable time source.
By default, Ubuntu gets its time from a public NTP server (usually ntp.ubuntu.com). To ensure that no time drift occurs, we will configure our Ubuntu machine to point to the Active Directory time source server. In our scenario, we are using the domain controller in AD as the authoritative source for our Ubuntu machine.
To configure time service, edit the file
Look for the NTP line. Delete the information and enter the FQDN of your Time source server (see screenshot below)
At this stage, we should be ready to move forward to the next step.
Connecting to Active Directory
Step 1 – Discovering Active Directory
At this stage, we should be ready to connect to Active Directory. Indeed, we have installed the necessary packages to “talk” to Active Directory (i.e. SSSD) and the name resolution process has been configured accordingly (IP address and DNS server settings). Before we actually join the domain, we will first check that our configuration is valid and that we will be able to join our Active Directory domain.
Open a Terminal console and issue the following command
As shown in the screenshot below, if your configuration is correct, you should see information about the AD domain you are about to join. Notice the line configured: no, which tells you that you are not yet connected to the Active Directory
Step 2 – Joining Active Directory
Time to join the Active Directory. The joining process is quite simple actually. From your Terminal Console, simply issue the following command
You will be prompted for a password. The password to provide is that of an Active Directory account that has the right to join machines to the domain. A lot of people would use the AD Administrator account
If no error messages are displayed, you can go to your Active Directory and check that a computer account for your Ubuntu machine has been created accordingly. By default, the computer account will be created and located under the Computers container.
You can also use the following command line to check and retrieve information about the Active Directory Domain our Ubuntu machine is connected to
You can also see the configured field that has changed from no to kerberos member. So, now your machine is able to retrieve information from your Active Directory and authenticate against it.
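The checks from the steps above (the machine's FQDN sits inside the AD domain, and the configured field reads kerberos-member after the join) can be scripted. This is an added example, not part of the original post; the function names and both sample outputs are constructed, and the login-policy field is assumed to appear as `realm list` prints it for a joined machine.

```shell
#!/bin/sh
# Added example: sanity checks around the realm join described above.

# realm_field NAME: read `realm discover` or `realm list` output on stdin and
# print the first value of the field NAME (for example "configured").
realm_field() {
    awk -v f="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, f ":") == 1 {
            v = substr(line, length(f) + 2); sub(/^[ \t]+/, "", v)
            print v; exit
        }
    '
}

to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# join_check FQDN: read realm output on stdin, print findings and return the
# number of failed checks (0 means joined, with the FQDN inside the domain).
join_check() {
    realm_out=$(cat)
    domain=$(to_lower "$(printf '%s\n' "$realm_out" | realm_field domain-name)")
    state=$(printf '%s\n' "$realm_out" | realm_field configured)
    policy=$(printf '%s\n' "$realm_out" | realm_field login-policy)
    host=$(to_lower "$1")
    failed=0
    # The FQDN must end in ".<domain-name>" reported by realmd.
    if [ -z "$domain" ] || [ "${host%".$domain"}" = "$host" ]; then
        echo "FQDN '$1' is not inside the AD domain '$domain'"
        failed=$((failed + 1))
    fi
    if [ "$state" != "kerberos-member" ]; then
        echo "not joined: configured is '$state'"
        failed=$((failed + 1))
    fi
    # Informational only: does not count as a failed check.
    if [ "$policy" = "allow-realm-logins" ]; then
        echo "note: login-policy is allow-realm-logins, logins are not limited to a permitted list"
    fi
    return "$failed"
}

# Constructed sample: discovery output before the join.
before='c-nergy.lab
  type: kerberos
  realm-name: C-NERGY.LAB
  domain-name: c-nergy.lab
  configured: no
  server-software: active-directory
  client-software: sssd'

# Constructed sample: `realm list` output after the join.
after='c-nergy.lab
  type: kerberos
  realm-name: C-NERGY.LAB
  domain-name: c-nergy.lab
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@c-nergy.lab
  login-policy: allow-realm-logins'

printf '%s\n' "$before" | join_check ubuntuwks01.c-nergy.lab \
    || echo "before join: $? check(s) failed"
printf '%s\n' "$after" | join_check ubuntuwks01.c-nergy.lab \
    && echo "after join: all checks passed"
```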
Step 3 – Creating home directory automatically
If you want to have user home directory created automatically when the user logs in, you will need to perform an additional step. This might not be needed in the future as this was detected as a bug in the realmd packages. To enable this feature, we will need to execute the following command in a Terminal console
Step 4 – Test your setup
You can test and validate the login process using the command line or by simply logging in through the desktop interface. In our scenario, we will be using the graphical interface to log in to our Active Directory infrastructure. You will simply need to follow these steps
Step 3 – In the Password screen, provide your AD password and wait for the login process to complete
Step 4 – Once you are logged into the Ubuntu machine, you can perform an additional check and confirm that you are indeed using an Active Directory user account.
We had a small issue when we first logged into the Ubuntu machine using our Active Directory user account: the login process was looping and we were presented with the login screen over and over again. To fix this issue, the easiest solution is to simply reboot your Ubuntu machine and try again
Leaving Active Directory
If, for whatever reason, you need to remove the Ubuntu machine from the Active Directory domain, you can simply issue the following command
If no errors are displayed on your screen, you have successfully left the AD Domain and you can use your Ubuntu machine as a standalone machine.
Final Notes
As you can see, nowadays, joining an Active Directory is relatively easy. Ubuntu 20.10 can join an Active Directory domain during the initial setup. If you need to join an Active Directory domain after the initial setup, the process is greatly simplified by the sssd and realmd packages, as long as you have all the necessary prerequisites in place.
We have provided here a really basic overview of Ubuntu integration with Active Directory. If you are interested in knowing more about Active Directory and Ubuntu integration, you might want to have a look at the two links provided below. They provide more detailed information about how sssd works and how to achieve a secure configuration
References and additional readings
Noobient
Just Keep Noobing
Integrating Ubuntu with Active Directory
Prelude
You can run, but you can’t hide, sooner or later it’ll knock on your door. I was assigned with the task of providing our colleagues with Linux workstations. Previously we had Windows, which is no biggie. Then came OS X, which is far from being perfect, but still reasonably doable. And then came Linux…
The problem is that you have thousands of distros, each of which has dozens of releases, and even within the same release there are package updates that often change behaviour. So when you read a tutorial, you can never be sure the things it says will apply the same way to YOUR specific distro and release. Not to mention bugs… there are sooo many things that are supposed to work in a certain way but just refuse to. During making this thing, I faced countless bugs that I had to work around in some way. It’s terrible, really. I understand that Linux gives you endless possibilities, I give it that, but at the same time it sure as hell gives you the most bugs, by far.
Anyway, I’m not here to complain. I’m here to tell you how to do this on your own. The things you’ll achieve by the end of this article:
Installation
This guide assumes you use Ubuntu 15.10 x64. If you’re using a recent laptop with Nvidia card in it, chances are, Ubuntu won’t even boot. Yeah, we’re off to a great start. In this case you’ll have to hit the ‘e’ key when Grub shows up, and add this to the boot command:
Then hit F10 to boot. If you’re dealing with many workstations, it’s probably a good idea to add this to the installer itself so that you don’t have to do this all the time. To do this, use LiLi and after you applied the ISO, edit the boot/grub.cfg file accordingly.
When installing, make sure to download updates so that maybe you’ll hit fewer bugs afterwards. Also choose to encrypt disks if that’s your requirement – save yourself some time until you set up USB unlock and use a very-very simple password for that, you’ll replace this key with a much stronger one later.
Once the install finishes and you reboot, you’ll have to add that nouveau command line to Grub again (if you had to earlier). After startup, the first thing you wanna do is probably:
Then also enable the proprietary Nvidia driver from the control panel, and reboot.
Authentication
For this to work, you need to install a few packages:
Why the second line? Because otherwise it asks you certain questions, but for whatever reason sometimes it “forgets” to ask them all, so we won’t even bother with that and set up the related file on our own instead.
Speaking of files, let’s prepare them:
Kerberos
Now edit the empty /etc/krb5.conf file like this (ad.foobar.com is your domain, and dc1, dc2 are the domain controllers):
Find all the lines starting with server in /etc/ntp.conf and replace them with your DCs:
This is important for Kerberos to work since it greatly depends on time.
Samba
Now set up the empty /etc/samba/smb.conf with the following content:
Your /etc/sssd/sssd.conf should look like this:
Naturally, you’re free to use whatever shell you prefer.
Hostname
Your /etc/hostname will contain a line like this:
Where foo32linux is the workstation’s hostname. Modify that like this:
This setting is crucial for Samba to create a DNS record for the workstation in AD.
Now find the following line in /etc/pam.d/common-session :
And put this line after that:
This will make it possible to generate a home folder for AD users when they first log in. The umask above will make your users unable to browse other users’ files, but you can use whatever umask you want.
LightDM
Add these to your /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf file:
And also to /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf :
These options are quite self-explanatory; they will allow you to enter a username that doesn’t exist on the system yet, the login screen will not show recently logged in users and won’t allow guests to use the computer.
Domain join
Now it’s time to apply the changes you made and actually join the computer to the domain.
Once they all restarted successfully, do the join:
Once that also succeeds, restart the SSSD service:
If all is good, you can test AD auth with something like this:
Where stewie.griffin is an AD user. This should tell you that it’s created a new home folder for the user and also give you a shell. Congratulations, you just got AD auth working.
For sudo to work for AD users you need to extend the AD schema first. Grab the latest release of sudo and get the doc/schema.ActiveDirectory file.
Now it’s time for import (make sure to modify the domain path according to your domain name):
You need to do this on the “schema master” DC, which is most likely the first DC in your domain. If you don’t do it on the schema master, you’ll get a nice little error like this (I learned it the hard way):
The server side error is: 0x202b A referral was returned from the server.
But on the schema master it’ll work just fine. Verify it with ADSI Edit, open the Schema naming context and look for the sudoRole class.
Now create the sudoers OU on your domain root. You can use other paths, but then you’ll need to modify your SSSD config, so I recommend you to stick with this. This OU will hold all the sudo settings for all your Linux workstations. You can organize it any way you want, you can create per-computer or per-user rules, or whatever you want. This guide will use per-computer rules.
So, under this OU, create a sudoRole object. To create the sudoRole object you have to use ADSI Edit, but once created, you can use Active Directory Users and Computers to modify it.
Let’s assume I have a computer named foo32linux, a user called stewie.griffin and I want to let him run all commands with sudo on that comp. In this case, I create a sudoRole object under the sudoers OU. For the sudoRole you can use any name you want – I stick with the computer name since I use per-computer rules. Now set its attributes as follows:
That’s it for the AD side of things.
Linux
SSSD refreshes its local cache with the updated rules every few hours, but the simplest way to test it is to just reboot the computer. After that, log in with stewie.griffin and check if the newly created sudo rules really made their way to the comp:
It should list all the related entries you added to that user and computer. Easy-peasy!
Encryption
For unlocking the encrypted disk you’ll have both a USB key and a recovery key which you back up to AD.
For the recovery key you probably want something that’s easy to type. This key construct resembles FileVault (OS X) keys:
It should print one key slot being used (the one you specified during install) and some other diagnostic info. If it’s not the one, it will say something like this:
Device /dev/sda1 is not a valid LUKS device.
So you can’t miss it. Once you figured out the partition, add the 2 generated keys to its store:
Get an empty thumb drive and create a single ext2 partition on it. Set its label to KEY. Now put the USB key file on it and set up permissions:
In case your USB key is lost, you obviously don’t want to lose access to the computer. For this reason, grab the key from key-ad.txt and save it to the computer object using the MacLocker utility – this util will save the given key as a BitLocker password, given your AD is prepared for saving BitLocker info. It was originally intended for Mac FileVault keys, but works with any other keys just fine.
Setup
Create the /root/unlock.sh script:
This will be used upon boot to let you use a USB key and also a password in case the USB key is missing. Yes, there’s really no built-in method for this.
Now open /etc/crypttab and find the line for your encrypted partition (/dev/sda3 in our example):
Modify that like this:
The unlock.sh script is in fact put into the initrd, so it’s not read from /root/unlock.sh, this only tells the system to copy it from that location when compiling the initrd.
First create a backup, so that in case something goes wrong, you can still revert to the old setup from the Grub command line by appending “.orig” to the initrd path:
Now actually update the initrd with your crypttab changes:
If you can’t boot your system at all after this, you can also open the disk from a live Ubuntu system:
Updating the initrd isn’t enough just yet – there’s a serious bug that causes a 90 seconds delay during boot. So you have to disable LUKS system-wide to avoid it. Open /etc/default/grub and find the following line:
Then reboot and verify that you can boot up using both the USB key and the recovery key you saved to the AD computer object.
In that case it’s time to delete the old dummy unlock password you used during install:
Once done, all that’s left is to enjoy the AD integrated Ubuntu workstation you just set up.
Acknowledgements
This guide wouldn’t have been possible without the help and hints of these articles and/or threads:
Update: there’s also a bunch of scripts to automate all this: ubuntu-ad.