linux:ad_integration:join_ad

Join Ubuntu to Windows domain

Download

You might have a fortress of Linux solitude at home, but unless you are one of the lucky ones working in a Linux-only environment, you can't escape the clutches of Microsoft and you are going to have to interact with Windows.

One of the trickiest aspects of getting Linux to play well with Windows is the Windows Domain. For the longest time this was a challenge most were simply not able to handle. This task required a very deep understanding of Samba and how to get Samba to communicate with Windows domain. Even armed with that knowledge, this wouldn't always work. That is, until now.

Fortunately, things have continued to get easier on the Linux operating system to where even what was once the most challenging tasks are mundane. One such tool that has made the challenge of joining a Windows domain is Likewise Open. Using Likewise Open's handy GUI tool (that also comes with an equally hand command line version) you can quickly and easily connect a Linux machine to a Windows domain.

Note: Packages were removed from PPA, and the project has been renamed to PowerBroker Identity Services “AD Bridge“. Go to www.beyondtrust.com for more details. (Download link)

This is simple. Follow these steps to get both the GUI and command line tools installed:

  1. Open up the Add/Remove Software tool.
  2. Search for “likewise open”.
  3. Mark likewise-open5, likewise-open5-gui, and winbind for installation (the Add/Remove tool will pick up any necessary dependencies for you).
  4. Click Apply to install (and Apply to accept any dependencies).

You are now ready to join your Windows domain. Let's tackle this via command line first.

Joining using the command line

You will be surprised how easy this is to do. Open up a terminal window and issue the following command:

sudo domainjoin-cli join DOMAIN_NAME USER

Where DOMAIN_NAME is the name of the Windows domain you want to join and USER is the user you authenticate with. You will be prompted for your user password and, upon successful authentication, you will have officially joined that domain! You should be able to do things like browse all machines on your network domain as well as connect to your Exchange server using Evolution!

If you want to leave the domain you can do so equally as easy with the command:

sudo domainjoin-cli leave

This will drop you from the domain you are currently joined.

The good thing about using PBIS is that it allows multiple ways to customize the login, domain prefix, login shell, folder name, etc. In order to set up default configuration for domain users, you need to use PBIS to set the environment for all required domain users that will be logged to the system. Please open the terminal and run following commands:

sudo /opt/pbis/bin/config UserDomainPrefix [Domain]

Set domain prefix

sudo /opt/pbis/bin/config AssumeDefaultDomain True

Set this to 'true' avoid entering domain names all the time

sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

Set default shell

sudo /opt/pbis/bin/config HomeDirTemplate %H/%D/%U

Set different home dir then the local users on the machine

sudo /opt/pbis/bin/config RequireMembershipOf "[Domain]\\[SecurityGroup]"

Set specific Active Directory security groups

Next step, you need to edit the pamd.d common-session file. Please type in terminal:

sudo vim /etc/pam.d/common-session

Navigate to the line that states session sufficient pam_lsass.so and replace it with session [success=ok default=ignore] pam_lsass.so

Then, we need to edit the lightdm configuration file and append the following lines:

sudo vim /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf

    allow-guest=false
    greeter-show-manual-login=true

Please note, that if you are using Lubuntu 14.04 your lightdm configuration file will be 60-lightdm-gtk-greeter.conf

To start up the GUI click F2 and enter domainjoin-gui to open up the graphical tool. This should be fairly straight-forward. You can name your computer what you want but you do have to use the exact domain name you would use to connect a Windows machine to your domain. In other words, if you domain is DOMAIN.LOCAL then use DOMAIN.LOCAL. If your domain is just DOMAIN then just use DOMAIN. As well, if you have to use an OU (Ogranizational Unit) to connect, make sure you have that correct. Once you have the information entered click Connect and an authentication window will appear. In this window you must enter your username and your password as you would enter them when connecting on a Windows machine. After you enter your credentials click OK and Likewise Open will attempt to connect. Upon successful authentication you will be a part of your company domain. Congratulations!

Logging in

Now log out of your desktop and log back in with your domain credentials. This most likely will mean you will log in with the username in the DOMAIN\user configuration. You can also log in to your local machine by logging in with the standard username and password on your local system.

Since Ubuntu lists local users and (be default) doesn't allow entering your username manually, you will have to edit your /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf and append this line:

greeter-show-manual-login=true

This will allow you to enter your username manually. Or you can just hide all user

greeter-hide-users=true

Then restart lightdm

sudo service lightdm restart

or simply restart your PC

EDIT: For Ubuntu 14.04 and later - use /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf and append the above lines, or create /etc/lightdm/lightdm.conf and enter:

[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true

Sudo issues

You will find, when logged into your domain, that your user doesn't have sudo privileges. This means you will not be able to install software and administer various tasks. You can fix this by making an addition to the /etc/sudoers file. Open up the /etc/sudoers file and look for the line:

#Members of the Admin group may gain root privileges and do the following:

Under this line add the following:

%DOMAIN\GROUP ALL=(ALL) ALL

Where DOMAIN is the actual domain and GROUP is the group your user belongs to on the domain.

Now log out and log back in and your domain user should have sudoer privileges.

Enter your comment:
126​ -2 =
 
  • linux/ad_integration/join_ad.txt
  • Last modified: 2019/10/31 09:05
  • by 127.0.0.1