HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10

This is a second version of my earlier guide, which applied to previous Ubuntu versions.
Since Ubuntu 8.04 (Hardy Heron), and now Ubuntu 8.10 (Intrepid Ibex), the Likewise Open package is available, and it makes basic Active Directory authentication in Ubuntu a breeze.

Just follow these steps:

  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start

and you can now log into your machine using your DOMAIN\user credentials. Remember that the DOMAIN\ part is mandatory and that it is the short name of your Active Directory domain. You can join the domain using any user with sufficient privileges (there's no need to use Administrator), and you can even join the PC directly into a particular OU by passing the --ou argument to domainjoin-cli. The fourth step may no longer be necessary once Ubuntu 8.04 LTS is released, because it works around what seems to be a bug in the package: likewise-open is not started on reboot, so if you skip this command it will look as if nothing works after a reboot.

I've just started using this method on a test machine, so I'll post more opinions on this product in the future.

EDIT: First impressions

After some days of not-so-extensive usage, I've seen a couple of things that are worth noting:

  • the likewise-open process seems to "die" from time to time, blocking all your logins with an "ERROR" message. Restarting it through the init script solves the issue, but it's something that definitely should not happen
  • It informs you on login if your password is going to expire in X days (as set in your GPO). Very nice indeed.

Note to readers: if you're experiencing installation problems, the best way is to report them to the likewise-open-discuss mailing list. There you can contact the Likewise developers (of Samba fame) directly and solve your problems or doubts.

EDIT2: it seems that with the final Ubuntu 8.04 update, the likewise-open package is now 100% stable; I haven't had a single failure since the last update (one week up, whereas before it died at least once per day).

EDIT3: as mentioned in the comments, with likewise-open 4.x you can add

winbind use default domain = yes

in /etc/samba/lwiauthd.conf so you don't have to specify the DOMAIN\ part every time you log in to your box.

82 thoughts on "HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10"

    • this will get you started

      1. set a static ip address (optional)
      2. install likewise "sudo apt-get install likewise-open"
      3. edit your resolv.conf to have “nameserver (DNS IP ADDRESS)”
      4. edit smb.conf “hosts: files dns”
      5. now you can join the domain “sudo domainjoin-cli join fqdn.of.domain administrator”
      6. to port rights over like sudo add this to your sudoers file (this example is to give AD admins sudo rights)”%domain\\administrators ALL=(ALL) ALL”
      7. now you are all set.. Enjoy!!!

      • @Rich33716: This is great, unless you are not a domain admin. In the case where a WinXP computer is used on a corporate network (already joined the domain by IT) and later Linux (Ubuntu) and likewise-open are installed on the same computer (dual-boot), is there a way to join the domain when booting into Linux (without being a domain admin)?

  1. Some problems with the PAM module, any ideas?

    root@frank-laptop:~# domainjoin-cli join nbs.no Administrator
    Joining to AD Domain: nbs.no
    With Computer DNS Name: frank-laptop.nbs.no

    Administrator@NBS.NO's password:
    Warning: Unknown pam configuration
    The likewise PAM module cannot be configured for the common-pammount service. Either this service is unprotected
    (does not require a valid password for access), or it is using a pam module that this program is unfamiliar with.
    Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

    Warning: A resumable error occurred while processing a module
    Even though the configuration of ‘pam’ was executed, the configuration did not fully complete. Please contact
    Likewise support.

  2. This is a problem that I ran into when trying to set up an active directory and this fixed it. This is an excerpt from: http://technicalmumblings.wordpress.com/

    Installing is simple as Likewise-open is now in the repositories:

    sudo apt-get install likewise-open

    However, I got an error message when trying to join the domain:

    "Error: Unable to resolve DC name [code 0x00080026]resolving 'test.example.org' failed. Check that the domain name is correctly entered. Also check that your DNS server is reachable, and that your system is configured to use DNS in nsswitch."

    Having checked the nsswitch.conf and resolv.conf files, and having followed the advice on the Ubuntu forums about setting a static IP for the domain joining process, I checked the nsswitch.conf file again and found that the entries for winbind were missing.

    My revised /etc/nsswitch.conf looked like:

    # /etc/nsswitch.conf
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd: compat winbind lwidentity
    group: compat winbind lwidentity
    shadow: compat winbind

    hosts: files dns winbind
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

  3. one tip is to add domain admins to sudo list, but requires a slightly diff syntax:

    %DOMAIN\\domain^admins

    needs 2 slashes for some reason.

  4. After executing the command:
    sudo domainjoin-cli join felispaopf.NET Administrator
    this error occurred:
    Error: Manual configuration required [code 0x00080043]

    The configuration stage 'open ports to DC' cannot be completed automatically. Please manually
    perform the following steps and rerun the domain join:

    Some required ports on the domain controller could not be contacted. Please update your
    firewall settings to ensure that the following ports are open to 'andreza.PET.NET':
    88 UDP
    137 UDP
    389 UDP
    464 UDP
    123 UDP
    88 TCP
    139 TCP
    389 TCP
    445 TCP
    464 TCP
    The client and the server do not have a firewall. Could someone help me?

  5. Filipe: ntpd is not running on your AD server. On the DC, check in Services that Windows Time is running.

    Then configure Windows Time:
    C:\>w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL

  7. I joined domain successfully but I can’t login with domain account! Just local account is permitted! What’s problem here?

  8. I am running Ubuntu Hardy on a Microsoft Active Directory. I was successful in joining the domain and for a couple of days I was able to log in as well with the "domain\username" and AD password.
    Then the system crashed and since that time I get an error at login, while I could still join the domain.
    I tried to reinstall, but without result.
    Then I recovered the original config files as far as I was able to locate them, deleted the folder with the domain user files, reinstalled likewise and tried to join the domain again. I am able to join the domain, but I am not able to log in with the required username (with domain prefix) and password.
    Now I have run out of ideas.
    Please help

  9. I am getting the same error as Filipe, and I know that all of those ports are enabled on the DC. Any other ideas?

    The client is running a firewall, and has all of those ports opened to the DC.
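A pre-flight check for the 'open ports to DC' error that Filipe and the commenter above both hit (an added example, not code from the post or from Likewise): it parses the port list that domainjoin-cli prints and attempts a TCP connect to the domain controller for each TCP port, so a real firewall problem can be told apart from something else (DNS, nsswitch, or the clock skew mentioned in comment 5) before re-running the join. The sample error text and the DC name dc.example.invalid are constructed; the connector is injectable so the check can be exercised offline.

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of the message domainjoin-cli prints together with
# "Error: Manual configuration required [code 0x00080043]".
SAMPLE_ERROR = """\
Some required ports on the domain controller could not be contacted. Please update your
firewall settings to ensure that the following ports are open to 'client.example.invalid':
88 UDP
137 UDP
389 UDP
464 UDP
123 UDP
88 TCP
139 TCP
389 TCP
445 TCP
464 TCP
"""

PORT_LINE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s*$", re.IGNORECASE)


def parse_required_ports(text: str) -> List[Tuple[int, str]]:
    """Extract the (port, protocol) pairs listed in the domainjoin-cli message."""
    ports: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2).upper()))
    return ports


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


Connector = Callable[[str, int], bool]


def check_dc_ports(dc: str, ports: List[Tuple[int, str]],
                   connect: Connector = tcp_connect) -> Dict[str, List[Tuple[int, str]]]:
    """Classify each required port as open, blocked or unverified.

    Only TCP ports can be confirmed with a connect(); the UDP ones (Kerberos 88,
    NetBIOS 137, LDAP 389, kpasswd 464, NTP 123) are reported as 'unverified'
    rather than guessed at."""
    result: Dict[str, List[Tuple[int, str]]] = {"open": [], "blocked": [], "unverified": []}
    for port, proto in ports:
        if proto != "TCP":
            result["unverified"].append((port, proto))
        elif connect(dc, port):
            result["open"].append((port, proto))
        else:
            result["blocked"].append((port, proto))
    return result


def verdict(result: Dict[str, List[Tuple[int, str]]]) -> str:
    """One-line conclusion for the admin about to re-run the join."""
    if result["blocked"]:
        blocked = ", ".join(f"{p}/{pr}" for p, pr in result["blocked"])
        return f"firewall problem: TCP ports not reachable on the DC: {blocked}"
    return ("all TCP ports reachable; if the join still fails, look at DNS, "
            "nsswitch and clock sync rather than the firewall "
            f"({len(result['unverified'])} UDP ports cannot be verified this way)")


if __name__ == "__main__":
    dc = "dc.example.invalid"  # placeholder: use the DC named in your own join error
    ports = parse_required_ports(SAMPLE_ERROR)
    print(verdict(check_dc_ports(dc, ports)))
```

Run it from the client that is being joined, since the message says the ports must be open from that host to the DC.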

  10. I had configured samba and winbind on Gutsy. Worked fine. Using that method, I was able to set the configuration files in the etc folder so that users could use their AD logons without having to type the domain name and separator in the Ubuntu logon screen. All they had to do was type in the username. Can likewise be configured to do this too?

  11. @Charlotte: yes, you can do this as well with likewise.
    Create a file, for example, in /etc/samba named map.txt, containing the alias map, for example:

    username = DOMAIN\username

    Then, edit /etc/samba/lwiauthd.conf and make sure it contains:

    winbind nss info = lwopen
    lwopen:name_map = /etc/samba/map.txt

    restart likewise and then you can log in with username and not DOMAIN\username, and this will be your real username in the system.

  12. Before I try this, I need clarification. When you say to create an alias map with “username = DOMAIN\username,” does this mean that where your example says “DOMAIN\username,” that I would need an entry for every potential user with my real domain name and the users’ usernames, or do you mean that the entry should literally read as you wrote it, or do you mean that I should use my actual domain name with the generic term “username” after it? (I’d hate to think that I need to map every single user in the AD.)

  13. @charlotte: I'm sorry to disappoint you but, as Likewise's developers said on the ML, currently you can't use wildcards in the map file. So yes, DOMAIN\username is the actual name of the user and you have to repeat the association for every user you want to log in on that box. Although it's a PITA, I understand, you can alleviate it by replicating by some method (rsync?) a central map file that you update every time you create a user (because you use a script to create users, don't you? :)

  14. Thank you. Likewise is probably not the best way for me since I have some Ubuntu workstations that are accessible to every potential user in AD, and it’s unrealistic to expect the users to logon with anything more than their usernames. Using samba and winbind in Gutsy, I was able to close the “winbind separator” option, and this simple step eliminated the need of using the domain name to logon.

    I was looking into Likewise because I have so far had trouble with krb5, samba, and winbind on fresh installs of Hardy, but I think it’d be better for me to hammer out these difficulties rather than use Likewise. Thanks again.

  15. Charlotte, add

    winbind use default domain = yes

    to the previously mentioned file and it will do what you want.

  16. Thanks lawrence, adding the “winbind use default = yes” line to /etc/samba/lwiauthd.conf worked. The AD users no longer need to type the domain name and separator at the logon screen.

  17. Charlotte, so did you add just the “use default” line to your lwiauthd.conf, or did you also add the lines mentioned earlier in this thread (i.e., winbind nss info = lwopen and lwopen:name_map = /etc/samba/map.txt)?

    Also, do you allow all of your AD users access to your *nix systems, or do you restrict access to only certain users? We have thousands of AD users, but only a few dozen should have access to our *nix servers, so I’m wondering what is the best way to control that.

  18. Sorry, but I need some help too because I’m confused now:

    Charlotte used ‘winbind use default = yes’ in the conf file but Lawrence said to use ‘winbind use default domain = yes’ so which one is it?

    Do we still need map.txt after Lawrence’s suggestion?

    If the map file is needed, should it say ‘username = EXAMPLE.COM\username’ or should it use the extra backwards slash and say ‘username = EXAMPLE.COM\\username’ ??

    In the question above, is ‘username’ supposed to be replaced with an actual AD user?

    Sorry for the tons of questions, but I've spent an hour on this with no luck. Thanks.

  19. Just tested it out on a clean Ubuntu build – took some massaging, but I was able to add the server to the domain. Tested Lawrence’s suggestion – worked like a dream.

    So for the record:

    Add “winbind use default domain = yes” to /etc/samba/lwiauthd.conf, restart the service and you should be OK.

  20. Please help! I have this error. I cannot connect my ubuntu box to AD although the Administrator password is correct. Any idea? thanks a lot!

    renz@mis-6:~$ sudo domainjoin-cli join maokaw.com Administrator
    Joining to AD Domain: maokaw.com
    With Computer DNS Name: mis-6.maokaw.com

    Administrator@maokaw.com's password:
    Could not connect to server controller01.maokaw.com
    Connection failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
    Failed to verify membership in domain: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT!

    Error: Unable to join domain [code 0x0008000e]

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad OU name, or
    an existing computer account but not modificiation permissions.
    renz@mis-6:~$

  21. I have recently installed Ubuntu 8.04 and already have a Windows 2003 domain. I installed Likewise and have followed all instructions and googled and can not find an answer to my problem. My FQDN of my domain internally is wonder.local and the netbios name is Wonder0. I can ping wonder0 but not wonder.local. In Terminal when I type in
    sudo domainjoin-cli join wonder.local stuart

    I get

    Error: Unable to resolve DC name [code 0x00080026]

    Resolving 'wonder.local' failed. Check that the domain name is correctly entered. Also check that your DNS server
    is reachable, and that your system is configured to use DNS in nsswitch.

    When I try
    sudo domainjoin-cli join wonder0 stuart

    I get

    Joining to AD Domain: wonder0
    With Computer DNS Name: woollywonder.wonder0

    stuart@WONDER0's password:
    [2008/07/15 18:24:29, 0] utils/net_ads.c:ads_startup_int(493)
    ads_connect: No logon servers
    Failed to contact DC when trying to synchronize local system clock!
    None of the domain controllers listed in DNS could be contacted, or there are no DCs listed in DNS.

    Error: Unable to join domain [code 0x0008000e]

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad
    OU name, or an existing computer account but not modificiation permissions.

    Can anyone please help?

  22. I’m using Likewise-open on Solaris and Centos boxes. I just tried the Lawrence suggestion about the “winbind use default domain = yes” add in the /etc/samba/lwiauthd.conf file; that’s amazing.

    Unfortunately, I have *two* domains... So the trick alone doesn't work for all users.

    Is there a similar trick to allow a sequential search in multiple domains? Or should I create aliases for those users lying in the second domain?

    Best regards
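Comment 13 suggests generating the map file by script, and the comment above asks whether aliases can cover users from a second domain. This added example (not code from the post or from Likewise) builds /etc/samba/map.txt entries in the 'alias = DOMAIN\user' form from a constructed user list and refuses to emit an alias that exists in more than one domain, since a bare name can only point at one account. It assumes the lwopen name map accepts entries for any domain the box trusts, which the thread does not confirm.

```python
from typing import Dict, List, Tuple

# Constructed sample: (short domain name, sAMAccountName) pairs exported from two
# domains. 'jsmith' exists in both, which is the case a bare alias cannot express.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("CORP", "jsmith"), ("CORP", "mrossi"),
    ("LAB", "jsmith"), ("LAB", "kchen"),
]


def build_name_map(users: List[Tuple[str, str]],
                   default_domain: str) -> Tuple[List[str], List[str]]:
    """Return (map lines, conflicts).

    Users of default_domain get no entry: with 'winbind use default domain = yes'
    they already log in with the bare name. Every other user gets
    'name = DOMAIN\\name'. A bare name present in more than one domain is a
    conflict and is left out entirely, because the alias would silently pick
    one of the two accounts."""
    owner: Dict[str, str] = {}      # bare name (lowercased) -> domain that claimed it
    lines: List[str] = []
    conflicts: List[str] = []
    for domain, name in users:
        key = name.lower()
        if key in owner:
            if owner[key].upper() == domain.upper():
                continue            # duplicate export row, nothing to do
            conflicts.append(f"{name}: in {owner[key]} and {domain}")
            # drop any alias already emitted for this bare name
            lines = [l for l in lines if not l.lower().startswith(f"{key} =")]
            continue
        owner[key] = domain
        if domain.upper() != default_domain.upper():
            lines.append(f"{name} = {domain}\\{name}")
    return lines, conflicts


def parse_name_map(text: str) -> Dict[str, Tuple[str, str]]:
    """Read an existing map.txt back into {alias: (DOMAIN, user)}, so a deployed
    file can be compared with what build_name_map() produced."""
    entries: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        alias, target = (part.strip() for part in line.split("=", 1))
        if "\\" not in target:
            raise ValueError(f"{alias}: target '{target}' lacks the DOMAIN\\ prefix")
        domain, user = target.split("\\", 1)
        entries[alias] = (domain, user)
    return entries


if __name__ == "__main__":
    lines, conflicts = build_name_map(SAMPLE_USERS, default_domain="CORP")
    print("\n".join(lines))
    for c in conflicts:
        print("# CONFLICT, no alias written:", c)
```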

  23. Stuart,

    The issue that you are seeing with this error "Error: Unable to join domain [code 0x0008000e]" is caused by mDNS and the Avahi daemon. There is an issue with mDNS and .local domains. To fix the issue edit /etc/nsswitch.conf and change this line:
    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

    to this line

    hosts: files dns mdns4_minimal mdns4 winbind

    I had to add the FQDN of my domain and domain controllers to the hosts file.
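A checker for the two nsswitch.conf problems raised in this thread: the missing winbind/lwidentity sources from comment 2 and the mdns4_minimal [NOTFOUND=return] ordering that swallows .local domains from the comment above. It is an added example, not code from the post or from Likewise; the sample files are constructed, and fixed_hosts_line() reproduces the ordering given in the comment above.

```python
from typing import Dict, List

# Constructed samples: a stock Ubuntu 8.04 nsswitch.conf (trimmed) and the
# corrected version assembled from comments 2 and 23 above.
STOCK_NSSWITCH = """\
passwd: compat
group: compat
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
"""

FIXED_NSSWITCH = """\
passwd: compat winbind lwidentity
group: compat winbind lwidentity
shadow: compat winbind
hosts: files dns mdns4_minimal mdns4 winbind
networks: files
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, hosts, ...) to its ordered list of sources.
    Action tokens such as [NOTFOUND=return] are kept as tokens because their
    position relative to 'dns' is exactly what matters for .local domains."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = sources.split()
    return dbs


def check_nsswitch(text: str, domain: str) -> List[str]:
    """Return findings that would make 'domainjoin-cli join <domain>' or AD
    logins fail; an empty list means the file looks right."""
    dbs = parse_nsswitch(text)
    findings: List[str] = []
    hosts = dbs.get("hosts", [])
    if "dns" not in hosts:
        findings.append("hosts: 'dns' missing, domainjoin-cli will report "
                        "'Unable to resolve DC name [code 0x00080026]'")
    elif domain.lower().endswith(".local") and "mdns4_minimal" in hosts:
        # Stock Ubuntu answers every *.local name via Avahi/mDNS first and,
        # because of [NOTFOUND=return], never falls through to DNS when mDNS
        # has no answer, so the DC for a .local domain is never looked up.
        mdns_at, dns_at = hosts.index("mdns4_minimal"), hosts.index("dns")
        if mdns_at < dns_at and "[NOTFOUND=return]" in hosts[mdns_at:dns_at]:
            findings.append(f"hosts: mDNS shadows '{domain}'; put 'dns' before "
                            "'mdns4_minimal' and drop '[NOTFOUND=return]'")
    for db in ("passwd", "group"):
        if not {"winbind", "lwidentity"} & set(dbs.get(db, [])):
            findings.append(f"{db}: no 'winbind' or 'lwidentity' source, AD users "
                            "will not resolve to local accounts")
    return findings


def fixed_hosts_line(hosts: List[str]) -> List[str]:
    """Rewrite a hosts source list into the order from comment 23:
    files, dns, then the mDNS sources without their action, then winbind."""
    others = [s for s in hosts
              if s not in ("files", "dns", "winbind") and not s.startswith("[")]
    return ["files", "dns"] + others + ["winbind"]


if __name__ == "__main__":
    for finding in check_nsswitch(STOCK_NSSWITCH, "wonder.local"):
        print("-", finding)
    print("hosts:", " ".join(fixed_hosts_line(parse_nsswitch(STOCK_NSSWITCH)["hosts"])))
```

Dropping [NOTFOUND=return] means a .local name that mDNS cannot answer falls through to DNS, which is the behaviour the fix relies on.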

  24. Hi, everyone. I just finished successfully setting up an Ubuntu Hardy 8.04.1 system to (albeit insecurely) successfully authenticate to AD using likewise-open and mount some Windows shares, when connecting via ssh, using pam_mount and cifs.

    The likewise-open part went seamlessly (using some of the helpful tips in the comments above).

    The pam_mount stuff required a few hacks to work properly. Some of these hacks reduce the level of security and may be avoided in other ways. But, if you are like me, you like to get a working system first. :)

    PROBLEM:
    1. SSH – ssh won’t work with pam_mount unless you set the following config in your sshd_config file and restart the server:

    ChallengeResponseAuthentication no

    2. PAM – I use the following PAM config to ensure 1 password prompt for pam_mount:

    common-auth – modify the likewise-open line to read:
    auth [success=1 default=ignore] /lib/security/pam_lwidentity.so

    and add after it (in common-auth or in a service specific file):
    auth optional pam_mount.so

    then, make sure that this line comes *before* anything in common-session:
    session optional pam_mount.so

    3. PMVARRUN – pam_mount has this command “pmvarrun” that it uses to increment a count of how many pam_mount sessions a user has running, so that if it thinks the user is logged in by some other means, it will NOT mount/unmount the volumes. This has the adverse effect of breaking pam_mount if it fails to keep track of this counter properly. Since mount and unmount will fail gracefully for most *real* filesystems if they are in use, I usually disable this feature in pam_mount with the following line in pam_mount.conf.xml:

    <pmvarrun>/bin/true</pmvarrun>

    I then make sure that the directory /var/run/pam_mount exists, but is empty. This make pam_mount mount/unmount on every login.

    4. UNMOUNT – Finally, when ssh exits, and pam_mount tries to unmount the volumes, it fails, because ssh won’t allow it to set its uid to root to perform the umount operation as root. To get around this (for now), I allow all users to use the umount command via “sudo”. This is obviously a huge security hole, and should be fine-tuned. But, for proving it works, do: sudo visudo and add the following to the sudoers file:

    Cmnd_Alias UMOUNT=/bin/umount
    ALL ALL=NOPASSWD:UMOUNT

    Then, in your pam_mount.conf.xml file, change the umount command to use “sudo umount” instead, like this:

    <umount>sudo umount %(MNTPT)</umount>

    I hope this helps someone else. For sure, there are some security issues in the above needing to be addressed. But, if you are needing AD+PAM_MOUNT+SSH (say, for LTSP), this will get you something working.

    Cheers!

  25. I made a typo in my post above regarding the line that Lawrence said must be added to /etc/samba/lwiauthd.conf in order for users to log on without the domain and separator. The correct line is:

    winbind use default domain = yes

    The map file described by Vide isn’t needed in this case.

  26. I added:
    winbind use default domain = yes
    to
    /etc/samba/lwiauthd.conf
    Now when I run
    chroot
    I get this message:
    id: cannot find name for group ID XXXXXXXXXX

    Any ideas?

    • Did you figure this problem out yet? I can authenticate through the DOMAIN but get this error message in terminal…

  27. @Alexander: simply issue a
    $ sudo aptitude purge likewise-open

    anyway probably if you get the ERROR message chances are that you’ve not started likewise. Try to issue a

    $ sudo /etc/init.d/likewise-open restart

  28. Worked like a charm. I tried to join Ubuntu to a domain some time back but could never get to the bottom of why it wouldn't join. All config was fine but something to do with the domain controller's policy was stopping it. Anyway, great tutorial and cheers mate. It's people like you who are the reason the Linux community is so strong and why Linux will take over in the world of IT...

  29. I am trying to join a Windows 2000 AD with Ubuntu 8.04. I followed the tutorial above and all works fine; I can log in as DOMAIN\user. The problem is that I can only browse folders on the server whose permission level is set to Everyone. When I try to connect to a folder whose permissions are applied to some selected users, first it asks for my password, then it says "Unable to Mount Folder". Now when I try to connect to that folder it says "You do not have permissions necessary to view the contents of "FolderName"". Needless to say I've already given the necessary permission to my Linux user. Any idea how I can solve this?
    Thanks,

  30. I managed to join my Ubuntu to the AD server, but my question is: how do I configure the AD user to get a login shell automatically each time they log in to Linux?

  31. I have likewise open working well. The problem I have is when I try to login using cached credential the login is successful but the home directory is different than the one used when I am online. I supposed that the problem was an alias I had but I deleted it and the problem remained unsolved.

    The rest of the features are working.

    Any idea??

  32. The only way that I’ve found to restrict logins based on group membership is via the AllowGroups directive in sshd_config. Does anyone else have a better idea? I tried messing with the valid users directive in lwiauthd.conf with no luck.

    BTW, the sshd config line looks like :

    AllowGroups someDomainGroup

    So take note that you don’t include the domain name here …. which may cause issues in multiple domain situations.

  33. I just found a much better way that is integrated into the likewise configuration :

    edit /etc/security/pam_lwidentity.conf with the line :

    require_membership_of = DOMAIN\someDomainGroup

    voila! Worked like a charm.

  34. Does anyone know how to add and configure NIS on this setup? Using samba/winbind, I'm able to add NIS and automount once users log in using their AD credentials. I successfully installed likewise, which was fantastic. Now I need to figure out how to set up automounting of their shared home directories...

    Thanks.

  35. 1) As Hector is trying to do, I am trying to map the Active Directory username’s home directory to “Places->Home” folder. How?
    2) I also want to restrict local machine permissions. How?
    3) Finally, I want to know how I can login to the computer as local admin/root now that I have it configured to default to the domain login. I DID give the domain’s administrator remote access. I guess would we just login as the domain’s admin, and sudo into the terminal?

    Thanks Vide, for posting this, and thanks Lawrence and others for adding some cool features to this. Very nice.

    BTW, this works like a charm for Ubuntu 8.10 as well as 8.04 (not just 8.04)

  36. Not quite sure what happened to my last comment that I just made. My guess is it's in the moderation queue or something (although I thought I saw it immediately show up when I posted it).

    Anyway, I have another question:
    After getting things configured to default to DOMAIN login, and I do login as myself (non administrator on the AD server), I get the following error:
    Internal Error: Failed to Initiate HAL

    Anyone know how to get this to go away, and what the problem is?

    – David

  37. Well this worked for us here. Using 8.04 on a couple of test machines and laptops and they are now both fully working on our domain. Nicely explained and we managed to do it 1st go once we read through and made sure what we were doing. Was using Likewise-Open but the above seems to not depend on any of that.

    Most educational!

    TxRx

  38. I had the same problem where it said, Error: Unable to resolve DC name [code 0x00080026] , make sure dns is used in nsswitch or something similar...

    whole reason was because, my domain name is visibility.com
    but my fqdn is internal.visibility.com, and I wasn't typing the internal part,
    If you want to check the fqdn of your pc, log on to a pc that is in the domain, right-click my computer, go to properties, then click the computer name tab, it should list ex: yourpcname.internal.visibility.com
    whatever comes after your pc name is your fqdn that you need to type in terminal
    domainjoin-cli join internal.visibility.com administrator <-what mine looks like

  39. Hi Folks,
    thank you for discussing all the problems I ran into ...
    Due to this howto I managed to get the following working:
    Ubuntu 8.04
    Likewise Open
    pam-mount

    I changed pam.d/gdm, common-auth, common-session, /etc/security/pam_mount.conf.xml and /etc/ssh/sshd_config

    everything works fine, I can log on, get my Windows-folder via pam_mount and can work just how I want to.
    But: the mounted directory does not get unmounted.
    I do not get any errors in the /var/log/auth
    There is nothing to see which is somehow telling me that pam is trying to unmount at all.
    it simply says:
    Feb 20 22:53:10 ubuntu sshd[18624]: pam_mount(pam_mount.c:134) clean system authtok (0)
    I am sure this is something simple and I just forgot to do something, but I am stuck.
    Any suggestions?

    Roland

  40. So I followed all of the steps, and it said I joined the domain successfully. I even show the computer in Active Directory. However, when I restart the machine it doesn’t prompt me for my network credentials. It’s just the local username/password of the machine as if it had never happened.

    What am I doing wrong here?

  41. I am wondering if there is a way to use the groups from Active Directory to allow access to shared folders (by samba) for Windows users. So my file share server will be an Ubuntu Intrepid, but the users on the network have Windows XP and Vista.


  43. […] When my old boss at Websense first introduced me to the world of Linux, being from a Windows shop, I naturally asked him how to join my Linux workstation to the domain. He of course said, “Why would you want to do that? Don’t taint the pureness of open source!” So I never pressed the issue. That is, until yesterday afternoon. I decided to give it a go again, and I have to tell you they have made it really easy. I read some blog posts on this before, and it used to be kind of a pain in the arse to do it. Not any more with the use of LikeWise Open which is available in the Ubuntu repositories. To install it and set it up, just do the following steps (Via AnotherSysadmin.Wordpress.Com): […]

  44. Thanks Vide, this worked perfectly for me as is, on a fresh fully updated Jaunty (Kubuntu) install.

  45. […] We need to rebuild our aging squid server and came across this alternate way to bind with AD HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10 The eternal fight between admins and … Anyone tried […]

  46. Hi,

    I was able to join Ubuntu to our domain; however, I'm trying to run a squid proxy server using squid_ldap_auth and squid_ldap_group to authenticate against Active Directory. I've been authenticated, but the system is not accepting my username and password from Active Directory.

    squid_ldap_auth: WARNING, could not bind to binddn ‘Invalid credentials’

  47. on Ubuntu 9.04 and 9.10 likewise-open is installed by default with the desktop, and it makes it even easier to join a domain, and I recommend installing the desktop even if just to join the PC to the domain.
    tagapaikot, I don’t have a specific answer for the problem, but I can tell you that likewise is not bind, and as such just enabling ldap authentication will not work (This is from my experience working in Samba).
    I got samba to work at one time, but the server had to be re-installed a couple of months ago and I don't remember what I did. Anyhow, basically the authentication has to be done through likewise.

  48. I have installed likewise-open (in Ubuntu 9.10) and followed these instructions up to the point of entering a domain administrator password. This is the problem:
    I am on a corporate network and I do not have a domain administrator account. I am dual-booting Ubuntu on my laptop with WinXP. My laptop is already a member of the AD and I can login to the domain without issue when booting into WinXP. I have modified my smb.conf file and my hosts file in Ubuntu to match the same machine name and group / domain as that used in WinXP. But I am unable to join the domain without a domain administrator password.

    Question: Because my computer has already joined the domain (in WinXP), can I simply login to the domain in Ubuntu without the need to join? If so, would someone please provide a description (or link) describing how to do this?

    • @Greg: if your AD admin didn’t change the default Active Directory behaviour, you can join the domain even with your normal user account (in fact, you can join up to 10 machines with a normal account). And no, the fact that you’ve already joined your WinXP doesn’t mean anything.

      • @Vide: Thank you for your response. I understand I can authenticate multiple Windows machines to the AD; but are you saying I should be able to login to the domain when booting into Linux? If so, please provide details. Every article I have read on this subject indicated joining the domain by using an AD administrator password (which I do not have). It seems to me that an AD administrator should be necessary to initially set up the AD account for my machine but, after that account has been set up, there should be a way for me to login without the need for an AD administrator password (just as I do in Windows). Have I misunderstood this process?

    • @Greg did you join your windows laptop to the domain or did someone else? If you did then “sudo domainjoin-cli join your.domain.org yourwindowsloginname” should do the trick. There will be an error about not being able to set operating system attributes but that’s okay.

      If someone else joined Windows to the domain you’ll have to get them to this part.

      Note: I have to login using the double backslash convention (domain\\user) even though that’s not supposed to be necessary except on the command line.

      @Vide: thanks a lot for writing this post!

  49. @matt, I did not initially join my WinXP computer to the domain when it was setup if this is what you are asking. This was done by IT in my corporation (I am not a domain administrator). But, if you are asking if I can login to the domain; yes — I am a member of the domain and (when booting into WinXP) I can login to the domain on the same computer.
    Unfortunately I can not get IT to join my Linux machine to the domain because my company supports only WinXP clients.

  50. Hi Vide, thanks for the guide. It worked for me.
    But one problem:
    When I issue su - [domainuser_name], it logs me on automatically without asking for a password.
    One more thing: with "lwiinfo -i [user]", I see a different UID and GID from the ones I set in the UNIX attributes of AD.
    Thanks a lot :).

    • This is normal and intended in Likewise Open. You have to purchase the enterprise version of likewise if you want to store the UIDs in the Active Directory and not use the hash-generated ones (by the way, if you configure the same range in all your likewise installations you'll always get the same UID for the same user on different machines)

      • Hi All ,

        I am getting the following error, could you please help me?

        root@hostname:~# domainjoin-cli join (fqdn.x.x) domain\username
        Joining to AD Domain: fqdn.x.x.x
        With Computer DNS Name: hostname.x.x.x

        domain\username password:
        [2012/10/10 21:37:01, 0] libads/kerberos.c:ads_kinit_password(356)
        kerberos_kinit_password domainnameusername@fqdn.x.x failed: Client not found in Kerberos database

        Error: Unable to join domain

        Creating the computer account in Active Directory failed. Common causes are a
        bad administrator password, a bad OU name, or an existing computer account but
        not modificiation permissions.
        root@hostname:~#
