diff --git a/handlers/main.yml b/handlers/main.yml index c1a0285..f49f174 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -36,7 +36,7 @@ name: dbus enabled: yes state: restarted - when: ansible_os_family == 'RedHat' + when: ansible_os_family == 'RedHat' or ansible_distribution == 'Ubuntu' - name: restart oddjob service: @@ -58,5 +58,12 @@ state: restarted when: ansible_os_family == 'RedHat' +- name: restart ssh + service: + name: ssh + enabled: yes + state: restarted + when: ansible_distribution == 'Ubuntu' + - name: pam-auth-update command: /usr/sbin/pam-auth-update --package diff --git a/meta/main.yml b/meta/main.yml index f3dbd99..6c776f6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,6 +8,10 @@ galaxy_info: - name: EL versions: - 7 + - name: Ubuntu + versions: + - trusty + - xenial galaxy_tags: - ad - activedirectory diff --git a/tasks/main.yml b/tasks/main.yml index e385ce3..022654b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,6 +20,9 @@ - import_tasks: redhat.yml when: ansible_os_family == 'RedHat' +- import_tasks: ubuntu.yml + when: ansible_distribution == 'Ubuntu' + # Common files between the dists - name: krb5.conf template: @@ -89,3 +92,10 @@ - aad_sssd - meta: flush_handlers + +- name: Update sudoers to give AD group access + lineinfile: + path: /etc/sudoers + state: present + regexp: '^%domain\s' + line: '%domain\ admins@cloud.statcan.ca' diff --git a/tasks/ubuntu.yml b/tasks/ubuntu.yml new file mode 100644 index 0000000..e508f38 --- /dev/null +++ b/tasks/ubuntu.yml 
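Review bot: In handlers/main.yml, the new `restart ssh` handler sets `enabled: yes`, so a restart notification also switches sshd on at boot as a side effect. vars/Ubuntu.yml adds `openssh-server` to `authconfig_packages`, so the role would install and start an SSH listener on Ubuntu hosts that may not have had one. No task visible in this diff notifies `restart ssh`, so it is unclear what triggers it. I would drop `enabled` from the handler and keep only `state: restarted`, with a comment above it stating which change is expected to notify it. If exposing SSH is intended, document that in the role README rather than leaving it implicit in the package list.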
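Review bot: In tasks/main.yml, the new `Update sudoers to give AD group access` task edits /etc/sudoers in place with no `validate:`, and the line it writes, `%domain\ admins@cloud.statcan.ca`, has no host, run-as or command specification. As far as I can tell that is not a complete sudoers entry, and a parse error in that file leaves sudo unusable on the host. Add `validate: '/usr/sbin/visudo -cf %s'` to the lineinfile arguments and complete the entry with the privileges actually intended, scoped as narrowly as the use case allows. The `regexp: '^%domain\s'` also does not match the written line, because `%domain` is followed by a backslash rather than whitespace. The task has no `when:` and the group and domain are hard-coded, so it runs on every platform and site the role is applied to; a variable for the group and a separate file under /etc/sudoers.d would keep the change contained.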
@@ -0,0 +1,31 @@ +--- +- name: auth packages + apt: + name: "{{ item }}" + update_cache: true + with_items: "{{ authconfig_packages }}" + +#- name: nsswitch conf +# template: +# src: nsswitch.conf.j2 +# dest: /etc/nsswitch.conf + +# PAM module to auto-create home directories +- name: mkhomedir + template: + dest: '/usr/share/pam-configs/mkhomedir' + src: 'mkhomedir.j2' + owner: 'root' + group: 'root' + mode: 0644 + notify: pam-auth-update + +# PAM module to restrict access to specific users/groups +#- name: enable access restrictions +# template: +# dest: /usr/share/pam-configs/access +# src: pam_config_access.j2 +# owner: 'root' +# group: 'root' +# mode: 0644 +# notify: pam-auth-update diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml index 121cd6c..3be06f0 100644 --- a/vars/RedHat-7.yml +++ b/vars/RedHat-7.yml @@ -1,5 +1,5 @@ --- -# Cent/EL 7 +# CentOS / RHEL authconfig_packages: - 'sssd' - 'adcli' diff --git a/vars/Ubuntu.yml b/vars/Ubuntu.yml new file mode 100644 index 0000000..0ec481d --- /dev/null +++ b/vars/Ubuntu.yml @@ -0,0 +1,14 @@ +--- +# Ubuntu packages +authconfig_packages: + - realmd + - adcli + - packagekit + - ldap-utils + - krb5-user + - libpam-krb5 + - sssd + - sssd-tools + - libpam-sss + - libnss-sss + - openssh-server
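Review bot: In tasks/ubuntu.yml, the `enable access restrictions` task is committed commented out, so on Ubuntu this file enables `mkhomedir` with no PAM-level limit on who may log in. Unless the sssd configuration (not shown in this diff) restricts access, any account in the domain could presumably authenticate and be given a home directory. Either enable the task, or delete the dead block and replace it with a one-line comment naming where login is restricted. Minor: write the file mode as a quoted string, `mode: '0644'`, so it does not depend on how the YAML parser types the bare number.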