New Active Directory Integration features in Ubuntu 22.04 (part 1)

On April 21 Ubuntu Desktop 22.04 was released with a lot of new, exciting new features for both consumer and enterprise users. Improved Linux Active Directory (AD) integration is historically one of the most requested functionalities by our corporate users, and with 22.04, we decided to act on the feedback and offer a way to natively manage Ubuntu desktops with the same, familiar tools our clients are already using to manage their Windows estate.

This is the first of a series of posts where we will examine the different aspects of the new advanced Active Directory integration functionalities and it will give you an overview of ADsys.

You can find links to the other articles in the series below:

• Part 2: Group Policy Object support
• Part 3: Privilege management (sudo and local users)
• Part 4: Remote script execution
• ADsys FAQ

Linux Active Directory integration

According to recent Microsoft figures the majority of medium and large enterprises decide to use Active Directory to manage the identity and compliance of their desktop estate. That has been the case for decades now, and companies have invested heavily to create tools and automation workflows aimed at improving the security and efficiency of their IT admin teams.

Linux desktops, including Debian and Ubuntu, supported Active Directory integration for a very long time through SSSD; however, that was limited to authentication and a small subset of related Group Policy Object policies.

IT system administrators who wanted to use AD to enforce policy compliance or apply remote configuration faced a difficult choice: paying a premium for third-party privileged access management solutions (that are primarily tailored at servers) or relying on a plethora of custom developed tools and scripts.

ADsys, the new Active Directory client

Ubuntu Desktop 22.04 sees the introduction of ADsys, our new Active Directory client which contains everything you need to integrate Ubuntu to your Active Directory, including admx and adml template files.

ADsys it is made of two components: adsysd, a daemon that implements the Group Policy protocol and relies on Kerberos, Samba and LDAP for authentication and policy retrieval, and adsysctl, a command line interface that controls the daemon and its status.

ADsys does not replace SSSD and PAM, which are still responsible for user authentication and setting the home directory, rather it compliments them to add the following functionalities:

• Native Group Policy Object support for both machine and user policies targeting dconf settings on the client machine
• Privilege management, allowing the possibility to grant or revoke superuser privileges for the default local user, and Active Directory users and groups
• Custom scripts execution, giving the possibility to schedule shell scripts to be executed at startup, shutdown, login and logout

In addition to these features, the command line tool is able to generate the required .admx and .adml policy files that you can install in Active Directory. Once imported, they can be easily found and modified in the Group Policy Management Editor in Windows Server.

All features have been developed with the intent to align the Active Directory management experience of Ubuntu as closely as possible to the one available in Windows. This was done to flatten the learning curve required by system administrators to securely manage a fleet of Ubuntu desktop computers at scale.

Getting the new features 

While SSSD is an upstream component available for all desktop users, you need an Ubuntu Pro subscription to take advantage of the new advanced features offered by ADsys. You can get a personal license free of charge using your Ubuntu SSO account. ADSys is supported on Ubuntu starting from 20.04.2 LTS, and tested with Windows Server 2019.

We have recently updated the Active Directory integration whitepaper to include a practical step by step guide to help you take you full advantage of the new features. If you want to know more about the inner workings of ADsys you can head to its Github page or read the product documentation.

If you want to learn more about Ubuntu Desktop, Ubuntu Advantage or our advanced Active Directory integration features please do not hesitate to contact us to discuss your needs with one of our advisors.

Read the second part of this article

Find out more

• Ubuntu Desktop for organisations
• Ubuntu compliance monitoring with Microsoft Intune
• Improve your endpoint security with Ubuntu Pro