The Open Code Project

How to Set Up an Ubuntu Active Directory Client

December 11th, 2009 by Allan Bogh

Here I will explain a solution that worked for me to configure an Ubuntu workstation to authenticate against an Active Directory domain. The workstation was able to browse domain resources (i.e. the file system) without a separate login, and it pulled the AD group information from the domain controller. A process was used to map certain AD groups to Linux (Ubuntu) groups; however, extensive verification of the results could not be performed.

If you're running Ubuntu in a VMware virtual machine, you must set a static MAC address; don't let your VM software change the MAC address automatically.

Set up your network

First, give the workstation a static IP address and point its DNS at your domain controllers (or any other DNS server you may have). This allows you to reach Windows computers by their short names. You must also fill in the Search Domains field with your domain name.

(Screenshot: Network Settings)

Notice that I used "mydomain.local". This causes a stupid issue with mDNS that will need to be adjusted. If you use something like "mydomain.com" then you shouldn't need to do the next step.

Modify nsswitch.conf (fix the .local mDNS issue)

Open /etc/nsswitch.conf by starting your terminal (Applications >> Accessories >> Terminal) and typing:

sudo gedit /etc/nsswitch.conf


Modify the line that reads:

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4


Change it to:

hosts:          files dns mdns4_minimal mdns4


This should allow a program called Likewise-open to authenticate with Active Directory and create a computer account.
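The reason the reorder matters is the [NOTFOUND=return] action: with mdns4_minimal ahead of dns, a .local name that multicast DNS does not know is reported as not found and the lookup stops before the domain controllers are ever asked. The script below is an added example, not part of the original article or of Likewise-open; it checks a hosts line for that pattern and rewrites it the way the article does. The sample nsswitch.conf text, the function names and the .bak backup convention are assumptions made for this example.

```python
import shutil

# Constructed sample of an /etc/nsswitch.conf with the problematic hosts line
# (assumption: written for this example, not copied from a real host).
SAMPLE_NSSWITCH = """\
passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
"""


def hosts_line_blocks_dns(line):
    """True when the hosts line can stop at mDNS before DNS is ever consulted.

    With 'mdns4_minimal [NOTFOUND=return]' ahead of 'dns', a *.local name that
    mDNS does not know ends the lookup right there, so an AD domain named
    mydomain.local never resolves against the domain controllers.
    """
    tokens = line.split()[1:]          # drop the 'hosts:' keyword
    if "dns" not in tokens:
        return False                   # DNS is not used at all; nothing to reorder
    before_dns = tokens[:tokens.index("dns")]
    for i, tok in enumerate(before_dns):
        if tok == "mdns4_minimal" and i + 1 < len(before_dns) \
                and before_dns[i + 1].upper() == "[NOTFOUND=RETURN]":
            return True
    return False


def reorder_hosts_line(line):
    """Rewrite the hosts line as the article does: drop the [NOTFOUND=return]
    action that follows mdns4_minimal and move dns ahead of the mDNS sources."""
    tokens = line.split()[1:]
    cleaned = []
    for i, tok in enumerate(tokens):
        if tok.upper() == "[NOTFOUND=RETURN]" and i > 0 and tokens[i - 1] == "mdns4_minimal":
            continue
        cleaned.append(tok)
    cleaned.remove("dns")
    first_mdns = next((i for i, t in enumerate(cleaned) if t.startswith("mdns")), len(cleaned))
    cleaned.insert(first_mdns, "dns")
    return "hosts:" + " " * 10 + " ".join(cleaned)


def fix_nsswitch(text):
    """Return (new_text, changed) for a whole nsswitch.conf; only the hosts line moves."""
    out, changed = [], False
    for line in text.splitlines():
        if line.startswith("hosts:") and hosts_line_blocks_dns(line):
            line = reorder_hosts_line(line)
            changed = True
        out.append(line)
    return "\n".join(out) + "\n", changed


def fix_nsswitch_file(path="/etc/nsswitch.conf"):
    """Apply the fix in place, keeping a .bak copy; returns True if the file changed.
    Needs root to write the real file (run it under sudo)."""
    with open(path) as fh:
        text = fh.read()
    new_text, changed = fix_nsswitch(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    print(fix_nsswitch(SAMPLE_NSSWITCH)[0])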

Install Likewise-open

Now, in the terminal, type in

sudo apt-get install likewise-open5 likewise-open5-gui


You can also use Synaptic and search for "likewise". You'll notice a likewise-open and also likewise-open5. They both seem to work. I have installed likewise-open5 and likewise-open5-gui.

Join the domain

Once those are installed you can configure Likewise-open by going to System >> Administration >> Active Directory membership. Likewise-open will ask you for a username and password. This user must have privileges to join a computer to the domain.

(Screenshot: Likewise-open GUI configuration)

You can also use the command line to join the computer to the domain:

sudo domainjoin-cli join mydomain.local Administrator

You will then be asked to restart the computer. When the computer restarts you can use the Other User login option.

(Screenshot: Other User login)

Type in "mydomain\username", where "mydomain" is the short name of your domain and "username" is some domain user account. If all of the steps above worked, you should be authenticated and logged into Ubuntu. You might get an Authentication Failure notice, which is usually due to one of the network settings above being wrong or the username being mistyped.

When you've verified that the account can log in you can log out and return to your normal Ubuntu account. A few more optional steps can be used to complete the process.

Sudoers

Edit your sudoers file by opening up a terminal window and typing

sudo visudo

A vi-style editor will open and let you edit the sudoers configuration. Under the %admin line, add the following:

%MYDOMAIN\\Domain^Admins ALL=(ALL) ALL

Make MYDOMAIN whatever your short domain name is (don't make it MYDOMAIN.LOCAL).

Add users to the login screen

Most domains won't want this, but you might like it for a kiosk or a demo computer. With domain logins you have to type "mydomain\username" using the Other User login option. That can be too many steps for some people, so it may be worth adding a single-click option for their username. The end result will look like the following image.

(Screenshot: Ubuntu login)

Log in as your domain user and open up the terminal. Type "id" in the terminal window to view your UID and GID information. It will look something like:

DOMAIN\username@ubuntu-client:~$ id
uid=1234567889(username) ....

We only really care about the uid at this point. Write it down and log out of this user and back into the normal Ubuntu user account.

You will need to edit your /etc/passwd file. Open a terminal window and type the following command:

sudo gedit /etc/passwd

Add a new line at the bottom, following this pattern with the numbers you wrote down:

DOMAIN\username:x:1234567889:0:John Doe,,,:/home/DOMAIN/username:/bin/bash

The group id (0) is admin to help make this person a local admin, but you should be able to use the uid in its place if you don't want to use the admin group. It should look like this in that case:

DOMAIN\username:x:1234567889:1234567889:John Doe,,,:/home/DOMAIN/username:/bin/bash

Now you can log out of the local Ubuntu user's account and see the updated login screen. The domain user or kiosk user can click on the big button and type in the password for the account.
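The two hand-edited lines in this article, the sudoers entry and the /etc/passwd entry, are easy to get subtly wrong: the domain backslash has to be doubled in sudoers, the space in "Domain Admins" becomes a caret, and a passwd line has exactly seven colon-separated fields. The block below is an added example, not code from the article or from Likewise-open; it parses the output of id, builds both lines, and flags a primary GID of 0, because on Linux group 0 is the root group, so the article's second form (the user's own GID) is the safer choice. The sample id output, the function names and the "no dot in the short domain" check are assumptions of this example.

```python
import re

# Constructed sample of what `id` prints for a domain user on a Likewise-open client
# (assumption: made up for this example; the numbers are not from a real domain).
SAMPLE_ID_OUTPUT = ("uid=1234567889(username) gid=1234567889(MYDOMAIN\\domain^users) "
                    "groups=1234567889(MYDOMAIN\\domain^users)")


def parse_id_output(text):
    """Pull (uid, login name, primary gid) out of the output of `id`."""
    m = re.search(r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)", text)
    if not m:
        raise ValueError("does not look like output of `id`")
    return int(m.group(1)), m.group(2), int(m.group(3))


def passwd_entry(domain, username, uid, gid, gecos, shell="/bin/bash"):
    """Build the /etc/passwd line in the article's layout:
    DOMAIN\\user:x:UID:GID:Full Name,,,:/home/DOMAIN/user:/bin/bash"""
    for value in (domain, username, gecos, shell):
        if ":" in value or "\n" in value:
            raise ValueError("':' and newlines are field separators in passwd")
    home = f"/home/{domain}/{username}"
    return f"{domain}\\{username}:x:{uid}:{gid}:{gecos},,,:{home}:{shell}"


def entry_warnings(entry):
    """Things to check before appending the line to /etc/passwd."""
    fields = entry.split(":")
    warnings = []
    if len(fields) != 7:
        warnings.append("passwd lines have exactly 7 colon-separated fields")
        return warnings
    if fields[2] == "0":
        warnings.append("UID 0 would make this account root")
    if fields[3] == "0":
        warnings.append("primary GID 0 is the root group; prefer the user's own GID")
    if fields[1] != "x":
        warnings.append("password field should be 'x' as in the article; no hash belongs here")
    return warnings


def sudoers_group_line(short_domain, group):
    """Render the sudoers line for an AD group the way Likewise names it:
    backslash doubled, spaces written as '^'. Short (NetBIOS) domain name only."""
    if "." in short_domain:
        raise ValueError("use the short domain name, e.g. MYDOMAIN, not MYDOMAIN.LOCAL")
    return f"%{short_domain.upper()}\\\\{group.replace(' ', '^')} ALL=(ALL) ALL"


if __name__ == "__main__":
    uid, name, gid = parse_id_output(SAMPLE_ID_OUTPUT)
    line = passwd_entry("DOMAIN", name, uid, gid, "John Doe")
    print(line)
    print(entry_warnings(line) or "no warnings")
    print(sudoers_group_line("mydomain", "Domain Admins"))
```

After pasting the generated sudoers line with visudo, `visudo -c` checks the file for syntax errors before the next sudo call depends on it.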

Comments (6)


2009-12-12 05:43:41 Lancelot
This is great. I'll have to reread it more carefully and then try it out. Two questions: 1. I really feel queasy about adding things to my sudoers list. Is there any way to avoid this and still have it work?
2. What ports does Active Directory use -- can this be used to tunnel AD connections through SSH (e.g. from my home laptop to work)?

2009-12-12 06:56:07 Matt Simmons - http://www.standalone-sysadmin.com
Cool, thanks. I'm so glad that Likewise Open is showing up in Ubuntu. It's just so much better than doing it manually. I first found it in August of 2008, and I was highly impressed, to say the least. I can't recommend it to enough people!

2009-12-12 07:16:39 Allan Bogh - http://www.opencodeproject.com
@Matt - Sorry about the comment system being slow. I'm fixing it this weekend. I've cleaned up your comments and linked your URL. For everyone else, please give the comments a second or two to update and don't use HTML in your comment, I can't allow HTML, but I'll make the system a little bit better with links.

2009-12-12 07:21:16 Allan Bogh - http://www.opencodeproject.com
@Lancelot: The Sudoers part is completely optional. This is only necessary if you want Domain Admins to be part of the list, otherwise you can just login as your local admin in Ubuntu. Domain Users will log in as a normal User account if you don't add them to sudoers.

I believe AD uses 52 and 53 for DNS, 88 for Kerberos, and 445 for microsoft-ds.

2009-12-15 08:47:17 software developer - http://www.geeks.ltd.uk/Services.html
Cool,

Thanks for sharing,

Keep up the good work

2009-12-18 04:26:54 Software companies - http://www.geeks.ltd.uk/
Nice post,

I now have ubuntu set up and it s working great,

Thanks for writing, most people don't bother.
