Skip to content

HOWTO: Active Directory authentication in Ubuntu 8.04 and 8.10

by on April 6, 2008

This is a second version of this other guide that applied to previous Ubuntu versions.
Since Ubuntu 8.04 (Hardy Heron), and now Ubuntu 8.10 (Intrepid Ibex) it come the Likewise Open package that makes basic Active Directory authentication in Ubuntu a breeze.

Just follow these steps:

  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start

and you can now log into your machine using your DOMAIN\user credentials. Remember that the DOMAIN\ part is mandatory and that it represents the short name of your Active Directory domain. You can join the domain using any user with sufficient privileges (there's no need to use Administrator), and you can even directly join the PC in a particular OU passing the --ou argument to domainjoin-cli. The fourth point maybe won't be necessary when Ubuntu 8.04 LTS wil be released because it seems to be a bug in the package (it won't start likewise on reboot, so if you don't issue this command it would seem that nothing is working after a reboot).

I've just started to use this method on a test machine so I'll leave more opinions on this product in the future.

EDIT: First impressions

After some days of not so extensive usage, I've seen a couple of things that it's worth notice:

  • the likewise-open process seems to "die" from time to time, blocking all your login accesses with a "ERROR" message. Restarting it through init script solves the issue... but it's something that definitely should not happen
  • It informs you on login if your password is going to expire in X days (as set in your GPO). Very nice indeed.

Notes to the readers: if you're experiencing installation problem, the best way is to report them to the likewise-open-discuss mailing list. There you can contact directly likewise developers (of Samba fame) and solve your problems or doubts.

EDIT2: it seems that with the final Ubuntu 8.04 update, likewise-open package is now 100% stable, I didn't have a single failure since last update (one week up, while before it died at least once per day)

EDIT3: as mentioned in the comment, with likewise-open 4.x you can add

winbind use default domain = yes

in /etc/samba/lwiauthd.conf so you d'nt have to specify the DOMAIN\ part every time you log in your box.

About these ads
82 Comments
  1. Interesting, I will have to give this a try. Thanks for the article.

    • Rich33716 permalink

      this will get you started

      1. set a static ip address (optional)
      2.install likewise “sudo apt-get install likewise-open”
      3. edit your resolv.conf to have “nameserver (DNS IP ADDRESS)”
      4. edit smb.conf “hosts: files dns”
      5. now you can join the domain “sudo domainjoin-cli join fqdn.of.domain administrator”
      6. to port rights over like sudo add this to your sudoers file (this example is to give AD admins sudo rights)”%domain\\administrators ALL=(ALL) ALL”
      7. now you are all set.. Enjoy!!!

      • Greg permalink

        @Rich33716: This is great, unless you are not a domain admin. In the case where a WinXP computer is used on a corporate network (already joined the domain by IT) and later Linux (Ubuntu) and likewise-open are installed on the same computer (dual-boot), is there a way to join the domain when booting into Linux (without being a domain admin)?

  2. This works great. There is a slight change to step #4, the last word ‘default’ should be ‘defaults’. Thanks for the post.

  3. Eric, thanks for the fix. Damned copy&paste :)

  4. Frank permalink

    Some problems with the PAMmodule, any ideas?

    root@frank-laptop:~# domainjoin-cli join nbs.no Administrator
    Joining to AD Domain: nbs.no
    With Computer DNS Name: frank-laptop.nbs.no

    Administrator@NBS.NO‘s password:
    Warning: Unknown pam configuration
    The likewise PAM module cannot be configured for the common-pammount service. Either this service is unprotected
    (does not require a valid password for access), or it is using a pam module that this program is unfamiliar with.
    Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

    Warning: A resumable error occurred while processing a module
    Even though the configuration of ‘pam’ was executed, the configuration did not fully complete. Please contact
    Likewise support.

  5. Joshua permalink

    This is a problem that I ran into when trying to setup an active directory and this fixed it. This is an excerpt from: http://technicalmumblings.wordpress.com/

    Installing is simple as Likewise-open is now in the repositories:

    sudo apt-get install likewise-open

    However, I got an error message when trying to join the domain:

    “Error: Unable to resolve DC name resolving ‘test.example.org’ failed. Check that the domain name is correctly entered. Also check that your DNS server is reachable, and that your system is configured to use DNS in nsswitch.”

    Having checked the nsswitch.conf and resolve.conf files, and having followed the advice on the Ubuntu forums about setting a static IP for the domain joining process, I checked the nsswitch.conf file again and found that the entries for winbind were missing.

    My revised /etc/nsswitch.conf looked like:

    # /etc/nsswitch.conf
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference’ and `info’ packages installed, try:
    # `info libc “Name Service Switch”‘ for information about this file.

    passwd: compat winbind lwidentity
    group: compat winbind lwidentity
    shadow: compat winbind

    hosts: files dns winbind
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

  6. Flint Dominic permalink

    one tip is to add domain admins to sudo list, but requires a slightly diff syntax:

    %DOMAIN\\domain^admins

    needs 2 slashes for some reason.

  7. Felipe Fiorini permalink

    After executing the command:
    sudo domainjoin-cli join felispaopf.NET Administrator
    this error occurred:
    Error: Manual configuration required

    The configuration stage ‘open ports to DC’ cannot be completed automatically. Please manually
    perform the following steps and rerun the domain join:

    Some required ports on the domain controller could not be contacted. Please update your
    firewall settings to ensure that the following ports are open to ‘andreza.PET.NET’:
    88 UDP
    137 UDP
    389 UDP
    464 UDP
    123 UDP
    88 TCP
    139 TCP
    389 TCP
    445 TCP
    464 TCP
    The client and the server does not have firewall, someone could help me?

  8. This article is interesting. I will give it a try myself.

    I have just upgraded to Ubuntu 8.04 that was released on 24th this month.

    http://www.ncaditya.com/ubuntu-804-released/

  9. Clas permalink

    Filipe – The ntpd is not running on your AD server, on the DC check services that Windows time is running

    Then configure windows time
    C:\>w32tm /config /update /manualpeerlist:”0.pool.ntp.org,0×8 1.pool.ntp.org,0×8 2.pool.ntp.org,0×8 3.pool.ntp.org,0×8″ /syncfromflags:MANUAL

  10. Filipe – 88 is Kerberos service. You forgot to enable it on the DC!

  11. I joined domain successfully but I can’t login with domain account! Just local account is permintted! What’s problem here?

  12. I joined domain successfully but I can’t login with domain account! Just local account is permitted! What’s problem here?

  13. thank you for the article!

  14. henku permalink

    I am running Ubuntu Hardy on a Microsoft Active Directory. I was successful joining the domain and a couple of days I was able to login as well with the “domain\username” and AD password.
    Then the system crashed and since that time I get an error at login, while I could join the domain.
    I tried to reinstall, but without result.
    Then I recovered the original config files as far as I was able to locate them, I deleted the folder with the domain user files reinstalled likewise and tried to join the domain again. I am able to join the domain, but I am not able to login with the required username (with domain prefix) and password.
    Now I am ran out of ideas.
    Please help

  15. JeremyinNC permalink

    Try username@domain.com as your userid.

  16. gmcalp permalink

    I am getting the same error as Filipe, and I know that all of those ports are enabled on the DC. Any other ideas?

    The client is running a firewall, and has all of those ports opened to the DC.

  17. Charlotte permalink

    I had configured samba and winbind on Gutsy. Worked fine. Using that method, I was able to set the configuration files in the etc folder so that users could use their AD logons without having to type the domain name and separator in the Ubuntu logon screen. All they had to do was type in the username. Can likewise be configured to do this too?

  18. @Charlotte: yes, you can do this as well with likewise.
    Create a file, for example, in /etc/samba named map.txt, containing the alias map, for example:

    username = DOMAIN\username

    Then, edit /etc/samba/lwiauthd.conf and make sure it contains:

    winbind nss info = lwopen
    lwopen:name_map = /etc/samba/map.txt

    restart likewise and then you can login with username and not DOMAIN\username, and this will be your real username in the system.

  19. Charlotte permalink

    Before I try this, I need clarification. When you say to create an alias map with “username = DOMAIN\username,” does this mean that where your example says “DOMAIN\username,” that I would need an entry for every potential user with my real domain name and the users’ usernames, or do you mean that the entry should literally read as you wrote it, or do you mean that I should use my actual domain name with the generic term “username” after it? (I’d hate to think that I need to map every single user in the AD.)

  20. This functionality is amazing. Thanks a bunch for the howto.

    Cheers.

    -Tres

  21. @charlotte: I’m sorry to disappoint you but, as Likewise’s developers said on the ML, currently you can’t use wildcards in the map file. So yes, DOMAIN\username it’s the actual name of the user and you have to repeat the association for every user you want to login in that box. Although it’s a PITA, I understand, you can alleviate it by replicating by some method (rsync?) a central map file that you update every time you create an user (because you use a script to create user, don’t you? :)

  22. Charlotte permalink

    Thank you. Likewise is probably not the best way for me since I have some Ubuntu workstations that are accessible to every potential user in AD, and it’s unrealistic to expect the users to logon with anything more than their usernames. Using samba and winbind in Gutsy, I was able to close the “winbind separator” option, and this simple step eliminated the need of using the domain name to logon.

    I was looking into Likewise because I have so far had trouble with krb5, samba, and winbind on fresh installs of Hardy, but I think it’d be better for me to hammer out these difficulties rather than use Likewise. Thanks again.

  23. lawrence permalink

    Charlotte

    winbind use default domain = yes

    to the previously mentioned file and it will do what you want.

  24. Marc permalink

    Great info all!!! This all was helpful getting my ubuntu box connected!

  25. Charlotte permalink

    Thanks lawrence, adding the “winbind use default = yes” line to /etc/samba/lwiauthd.conf worked. The AD users no longer need to type the domain name and separator at the logon screen.

  26. @lawrence: thanks, didn’t know that! :)

  27. Bill permalink

    Charlotte, so did you add just the “use default” line to your lwiauthd.conf, or did you also add the lines mentioned earlier in this thread (i.e., winbind nss info = lwopen and lwopen:name_map = /etc/samba/map.txt)?

    Also, do you allow all of your AD users access to your *nix systems, or do you restrict access to only certain users? We have thousands of AD users, but only a few dozen should have access to our *nix servers, so I’m wondering what is the best way to control that.

  28. Matt B permalink

    Sorry, but I need some help too because I’m confused now:

    Charlotte used ‘winbind use default = yes’ in the conf file but Lawrence said to use ‘winbind use default domain = yes’ so which one is it?

    Do we still need map.txt after Lawrence’s suggestion?

    If the map file is needed, should it say ‘username = EXAMPLE.COM\username’ or should it use the extra backwards slash and say ‘username = EXAMPLE.COM\\username’ ??

    In the question above, is ‘username’ supposed to be replaced with an actual AD user?

    SOrry for the tons of questions, but I’ve spent an hour on this with no luck. Thanks.

  29. Mike M permalink

    Just tested it out on a clean Ubuntu build – took some massaging, but I was able to add the server to the domain. Tested Lawrence’s suggestion – worked like a dream.

    So for the record:

    Add “winbind use default domain = yes” to /etc/samba/lwiauthd.conf, restart the service and you should be OK.

  30. renz permalink

    Please help! I have this error. I cannot connect my ubuntu box to AD although the Administrator password is correct. Any idea? thankz a lot!

    renz@mis-6:~$ sudo domainjoin-cli join maokaw.com Administrator
    Joining to AD Domain: maokaw.com
    With Computer DNS Name: mis-6.maokaw.com

    Administrator@maokaw.com‘s password:
    Could not connect to server controller01.maokaw.com
    Connection failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
    Failed to verify membership in domain: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT!

    Error: Unable to join domain

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad OU name, or
    an existing computer account but not modificiation permissions.
    renz@mis-6:~$

  31. I have recently installed Ubuntu 8.04 and already have a Windows 2003 domain. I installed Likewise and have followed all instructions and googled and can not find an answer to my problem. My FQDN of my domain internally is wonder.local and the netbios name is Wonder0. I can ping wonder0 but not wonder.local. In Terminal when i type in
    sudo domainjoin-cli join wonder.local stuart

    I get

    Error: Unable to resolve DC name

    Resolving ‘wonder.local’ failed. Check that the domain name is correctly entered. Also check that your DNS server
    is reachable, and that your system is configured to use DNS in nsswitch.

    When i try
    sudo domainjoin-cli join wonder0 stuart

    I get

    Joining to AD Domain: wonder0
    With Computer DNS Name: woollywonder.wonder0

    stuart@WONDER0′s password:
    [2008/07/15 18:24:29, 0] utils/net_ads.c:ads_startup_int(493)
    ads_connect: No logon servers
    Failed to contact DC when trying to synchronize local system clock!
    None of the domain controllers listed in DNS could be contacted, or there are no DCs listed in DNS.

    Error: Unable to join domain

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad
    OU name, or an existing computer account but not modificiation permissions.

    Can anyone please help?

  32. Please note, the time and date on domain controller and Ubuntu workstation are about 20 seconds apart

  33. Stéphanie Lanthier permalink

    I’m using Likewise-open on Solaris and Centos boxes. I just tried the Lawrence suggestion about the “winbind use default domain = yes” add in the /etc/samba/lwiauthd.conf file; that’s amazing.

    Unfortunately, I have *two* domains… So, only the trick doesn’t work for all users.

    Is there a similar trick to allow a sequential search in multiple domains? Or should I create aliases for those users lying in the second domain?

    Best regards

  34. Jerick permalink

    Stuart,

    The issue that you are seeing with this error “Error: Unable to join domain ” is caused by mDNS and the Avahi deamon. There is an issue with mDNS and .local domains. To fix the issue edit /etc/nsswitch.conf and change this line:
    hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

    to this line

    hosts: files dns mdns4_minimal mdns4 winbind

    I had to add the FQDN of my domain and domain controllers to the hosts file.

  35. Hi, everyone. I just finished successfully setting up an Ubuntu Hardy 8.04.1 system to (albeit insecurely) successfully authenticate to AD using likewise-open and mount some Windows shares, when connecting via ssh, using pam_mount and cifs.

    The likewise-open part went seamlessly (using some of the helpful tips in the comments above).

    The pam_mount stuff required a few hacks to work properly. Some of these hacks reduce the level of security and may be avoided in other ways. But, if you are like me, you like to get a working system first. :)

    PROBLEM:
    1. SSH – ssh won’t work with pam_mount unless you set the following config in your sshd_config file and restart the server:

    ChallengeResponseAuthentication no

    2. PAM – I use the following PAM config to ensure 1 password prompt for pam_mount:

    common-auth – modify the likewise-open line to read:
    auth [success=1 default=ignore] /lib/security/pam_lwidentity.so

    and add after it (in common-auth or in a service specific file):
    auth optional pam_mount.so

    then, make sure that this line comes *before* anything in common-session:
    session optional pam_mount.so

    3. PMVARRUN – pam_mount has this command “pmvarrun” that it uses to increment a count of how many pam_mount sessions a user has running, so that if it thinks the user is logged in by some other means, it will NOT mount/unmount the volumes. This has the adverse effect of breaking pam_mount if it fails to keep track of this counter properly. Since mount and unmount will fail gracefully for most *real* filesystems if they are in use, I usually disable this feature in pam_mount with the following line in pam_mount.conf.xml:

    /bin/true

    I then make sure that the directory /var/run/pam_mount exists, but is empty. This make pam_mount mount/unmount on every login.

    4. UNMOUNT – Finally, when ssh exits, and pam_mount tries to unmount the volumes, it fails, because ssh won’t allow it to set its uid to root to perform the umount operation as root. To get around this (for now), I allow all users to use the umount command via “sudo”. This is obviously a huge security hole, and should be fine-tuned. But, for proving it works, do: sudo visudo and add the following to the sudoers file:

    Cmnd_Alias UMOUNT=/bin/umount
    ALL ALL=NOPASSWD:UMOUNT

    Then, in your pam_mount.conf.xml file, change the umount command to use “sudo umount” instead, like this:

    sudo umount %(MNTPT)

    I hope this helps someone else. For sure, there are some security issues in the above needing to be addressed. But, if you are needing AD+PAM_MOUNT+SSH (say, for LTSP), this will get you something working.

    Cheers!

  36. Charlotte permalink

    I made a typo in my post above. The line that Lawrence said must be added to /etc/samba/lwiauthd.conf in order for users to logon without the domain and separator. The correct line is:

    winbind use default domain = yes

    The map file described by Vide isn’t needed in this case.

  37. I added:
    winbind use default domain = yes
    to
    /etc/samba/lwiauthd.conf
    Now when I run
    chroot
    I get this message:
    id: cannot find name for group ID XXXXXXXXXX

    Any ideas?

    • Steve permalink

      Did you figure this problem out yet? I can authenticate through the DOMAIN but get this error message in terminal…

  38. How do you remove likewise and the setup? Tried this “how to” to merge my Ubuntu pc in the AD, but all I get is an “Error” everytime I log on, and every time I do a “sudo” command..

  39. @Alexander: simply issue a
    $ sudo aptitue purge likewise-open

    anyway probably if you get the ERROR message chances are that you’ve not started likewise. Try to issue a

    $ sudo /etc/init.d/likewise-open restart

  40. Worked like a charm, I tried to join Ubuntu to a domain some time back but could never get to the bottom of why it wouldn’t join. All config was fine but something to do with the domain controllers policy was stopping it. Anyway great tutorial and cheers mate. Its people like you why the Linux community is so strong and why Linux will take over in the world of IT…

  41. PardusLynx permalink

    I am trying to join in Windows 2000 AD with Ubuntu 8.0.4. I followed the tutorial above and all works fine, I can login as DOMAIN\user. The problem is that, I can only browse through folders on the server that permission level set to everyone. When I try to connect to a folder that permission is applied to some selected users, first it asks for my password then it says “Unable to Mount Folder”. Now when I try to connect to that folder it says “You do not have permissions necessary to view the contents of “FolderName””. Needless to say I’ve already gave the necessary permission to my linux user. Any idea how I can solve this?
    Thanks,

  42. asrul permalink

    I manage to join my ubuntu with the AD server.. but my question is ..how to configure the AD user to use login shell automatically each time login into the linux?

  43. Hector permalink

    I have likewise open working well. The problem I have is when I try to login using cached credential the login is successful but the home directory is different than the one used when I am online. I supposed that the problem was an alias I had but I deleted it and the problem remained unsolved.

    The rests of the features are working.

    Any idea??

  44. Cameron permalink

    The only way that I’ve found to restrict logins based on group membership is via the AllowGroups directive in sshd_config. Does anyone else have a better idea? I tried messing with the valid users directive in lwiauthd.conf with no luck.

    BTW, the sshd config line looks like :

    AllowGroups someDomainGroup

    So take note that you don’t include the domain name here …. which may cause issues in multiple domain situations.

  45. Cameron permalink

    I just found a much better way that is integrated into the likewise configuration :

    edit /etc/security/pam_lwidentity.conf with the line :

    require_membership_of = DOMAIN\someDomainGroup

    voila! Worked like a charm.

  46. girly permalink

    Does anyone know how to add and configure nis on this setting? Using samba/winbind, i’m able to add nis and automount it once users login using their AD credential. I successfully installed likewise which was fantastic. Now i need to figure out how to set automounting their shared home directories…

    Thanks.

  47. 1) As Hector is trying to do, I am trying to map the Active Directory username’s home directory to “Places->Home” folder. How?
    2) I also want to restrict local machine permissions. How?
    3) Finally, I want to know how I can login to the computer as local admin/root now that I have it configured to default to the domain login. I DID give the domain’s administrator remote access. I guess would we just login as the domain’s admin, and sudo into the terminal?

    Thanks Vide, for posting this, and thanks Lawrence and others for adding some cool features to this. Very nice.

    BTW, this works like a charm for Ubuntu 8.10 as well as 8.04 (not just 8.04)

  48. Not quite sure what happened to my last comment that I just made. My guess is its in the moderation que or something (although I thought I saw it immediately show up when I posted it).

    Anyway, I have another question:
    After getting things configured to default to DOMAIN login, and I do login as myself (non administrator on the AD server), I get the following error:
    Internal Error: Failed to Initiate HAL

    Anyone know how to get this to go away, and what the problem is?

    - David

  49. Well this worked for us here. Using 8.04 on a couple of test machines and laptops and they are now both fully working on our domain. Nicely explained and we managed to do it 1st go once we read through and made sure what we were doing. Was using Likewise-Open but the above seems to not depend on any of that.

    Most educational!

    TxRx

  50. ashley permalink

    I had the same problem where it said, Error: Unable to resolve DC name , make sure dns is used in nsswitch or something similar…

    whole reason was because, my domain name is visibility.com
    but my fqdn is internal.visibility.com, and i wasn’t typing the internal part,
    If you want to check the fqdn of your pc, log on to a pc that is in the domain, right-click my computer, go to properties, then click the computer name tab, it should list ex: yourpcname.internal.visibility.com
    whatever comes after your pc name is your fqdn that you need to type in terminal
    domainjoin-cli join internal.visibility.com administrator <-what mine looks like

  51. Roland permalink

    Hi Folks,
    thank you for diskussing all the problems I run into …
    Due to this howto I managed to get the following working:
    Ubuntu 8.04
    Likewise Open
    pam-mount

    I changed pam.d/gdm, common-auth, common-session, /etc/security/pam_mount.conf.xml and /etc/ssh/sshd_config

    everything works fine, I can log on, get my Windows-folder via pam_mount and can work just how I want to.
    But: the mounted directory does not get unmounted.
    I do not get any errors in the /var/log/auth
    There is nothing to see which is somehow telling me that pam is trying to unmount at all.
    it simply sais:
    Feb 20 22:53:10 ubuntu sshd[18624]: pam_mount(pam_mount.c:134) clean system authtok (0)
    I am sure this is something simple and I just forgot to do something, but I am stuck.
    Any suggestions?

    Roland

  52. azeez permalink

    i need the comments in ubuntu 8.04 to configure nis server and client

  53. Cinmachina permalink

    So I followed all of the steps, and it said I joined the domain successfully. I even show the computer in Active Directory. However, when I restart the machine it doesn’t prompt me for my network credentials. It’s just the local username/password of the machine as if it had never happened.

    What am I doing wrong here?

  54. David HC permalink

    I am wondering if there is a why to use the groups from active Directory to allow access to shared folders (by samba) to Windows users. So my File Share server will be an Ubuntu Intrepid, but the users on the network have Windows XP and Vista

  55. rajamani permalink

    #

    Please help! I have this error. I cannot connect my ubuntu box to AD although the Administrator password is correct. Any idea? thankz a lot!

    renz@mis-6:~$ sudo domainjoin-cli join maokaw.com Administrator
    Joining to AD Domain: maokaw.com
    With Computer DNS Name: mis-6.maokaw.com

    Administrator@maokaw.com’s password:
    Could not connect to server controller01.maokaw.com
    Connection failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
    Failed to verify membership in domain: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT!

    Error: Unable to join domain

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad OU name, or
    an existing computer account but not modificiation permissions.
    renz@mis-6:~$
    #
    Stuart said
    July 15, 2008 at 8:26 am

    I have recently installed Ubuntu 8.04 and already have a Windows 2003 domain. I installed Likewise and have followed all instructions and googled and can not find an answer to my problem. My FQDN of my domain internally is wonder.local and the netbios name is Wonder0. I can ping wonder0 but not wonder.local. In Terminal when i type in
    sudo domainjoin-cli join wonder.local stuart

    I get

    Error: Unable to resolve DC name

    Resolving ‘wonder.local’ failed. Check that the domain name is correctly entered. Also check that your DNS server
    is reachable, and that your system is configured to use DNS in nsswitch.

    When i try
    sudo domainjoin-cli join wonder0 stuart

    I get

    Joining to AD Domain: wonder0
    With Computer DNS Name: woollywonder.wonder0

    stuart@WONDER0’s password:
    [2008/07/15 18:24:29, 0] utils/net_ads.c:ads_startup_int(493)
    ads_connect: No logon servers
    Failed to contact DC when trying to synchronize local system clock!
    None of the domain controllers listed in DNS could be contacted, or there are no DCs listed in DNS.

    Error: Unable to join domain

    Creating the computer account in Active Directory failed. Common causes are a bad administrator password, a bad
    OU name, or an existing computer account but not modificiation permissions.

    Can anyone please help?

  56. rajamani permalink

    can u use ubuntu server. r else what is the best server in linux

    please replay
    r.mani2006@gmail.com

  57. Lindsay Mathieson permalink

    Thanks Vide, this worked perfectly for me as is, on a fresh fully updated Jaunty (Kubuntu) install.

  58. Richard permalink

    Thanks for this. It’s been a while since you wrote this. On ubuntu 9.04 it works like a breeze.

  59. tagapaikot permalink

    Hi,

    i was able to join ubuntu to our domain, however i’m trying to run squid proxy server and using the ldap_auth and squid_ldap_group to authenticate to the active directory, i’ve been authenticated but the system is not accepting my username and password from the active directory.

    squid_ldap_auth: WARNING, could not bind to binddn ‘Invalid credentials’

  60. David HC permalink

    on Ubuntu 9.04 and 9.10 likewise-open is installed by default with the desktop, and it makes it even easier to join a domain, and I recommend installing the desktop even if just to join the PC to the domain.
    tagapaikot, I don’t have a specific answer for the problem, but I can tell you that likewise is not bind, and as such just enabling ldap authentication will not work (This is from my experience working in Samba).
    I got samba to work at a time, but the server had to be re-installed a couple months ago and I don’t remember what I did. Anyhow, basically the authentication has to be done thru likewise

  61. Greg permalink

    I have installed likewise-open (in Ubuntu 9.10) and followed these instructions up to the point of entering a domain administrator password. This is the problem:
    I am on a corporate network and I do not have a domain administrator account. I am dual-booting Ubuntu on my laptop with WinXP. My laptop is already a member of the AD and I can login to the domain without issue when booting into WinXP. I have modified my smb.conf file and my hosts file in Ubuntu to match the same machine name and group / domain as that used in WinXP. But I am unable to join the domain without a domain administrator password.

    Question: Because my computer has already joined the domain (in WinXP), can I simply login to the domain in Ubuntu without the need to join? If so, would someone please provide a description (or link) describing how to do this?

    • @Greg: if your AD admin didn’t change the default Active Directory behaviour, you can join the domain even with your normal user account (in fact, you can join up to 10 machines with a normal account). And no, the fact that you’ve already joined your WinXP doesn’t mean anything.

      • Greg permalink

        @Vide: Thank you for your response. I understand I can authenticate multiple Windows machines to the AD; but are you saying I should be able to login to the domain when booting into Linux? If so, please provide details. Every article I have read on this subject indicated joining the domain by using an AD administrator password (which I do not have). It seems to me that an Ad administrator should be necessary to initially setup the AD account for my machine but, after that account has been setup, there should be a way for me to login without the need for an AD administrator password (just as I do in Windows). Have I misunderstood this process?

    • @Greg did you join your windows laptop to the domain or did someone else? If you did then “sudo domainjoin-cli join your.domain.org yourwindowsloginname” should do the trick. There will be an error about not being able to set operating system attributes but that’s okay.

      If someone else joined Windows to the domain you’ll have to get them to this part.

      Note: I have to login using the double backslash convention (domain\\user) even though that’s not supposed to be necessary except on the command line.

      @Vide: thanks a lot for writing this post!

  62. Greg permalink

    @matt, I did not initially join my WinXP computer to the domain when it was setup if this is what you are asking. This was done by IT in my corporation (I am not a domain administrator). But, if you are asking if I can login to the domain; yes — I am a member of the domain and (when booting into WinXP) I can login to the domain on the same computer.
    Unfortunately I can not get IT to join my Linux machine to the domain because my company supports only WinXP clients.

  63. nqsonk9 permalink

    Hi Vide, thanks for the guide. It worked for me.
    But one problem:
    When I issued su – [domainuser_name], it log me one automatically without asking password.
    One more thing, upon “lwiinfo -i [user]“, I see different UID and GID from the ones I set in UNIX attribut of AD.
    Thanks a lot :).

    • This is normal and intended in Likewise Open. You have to purchase the enterprise version of likewise if you want to store the UUIDs in the Active Directory and not use the hash-generated ones (by the way if you configure the same range in all you likewise installation you’ll get always the same UID for the same user on different machines)

      • AITS permalink

        Hi All ,

        I am getting the following error could please help me,

        root@hostname:~# domainjoin-cli join (fqdn.x.x) domain\username
        Joining to AD Domain: fqdn.x.x.x
        With Computer DNS Name: hostname.x.x.x

        domain\username password:
        [2012/10/10 21:37:01, 0] libads/kerberos.c:ads_kinit_password(356)
        kerberos_kinit_password domainnameusername@fqdn.x.x failed: Client not found in Kerberos database

        Error: Unable to join domain

        Creating the computer account in Active Directory failed. Common causes are a
        bad administrator password, a bad OU name, or an existing computer account but
        not modificiation permissions.
        root@hostname:~#

Trackbacks & Pingbacks

  1. LC - episode #008 at Linuxcrypt.net Podcast
  2. Como autenticar no AD com Ubuntu at Another Geek Blog
  3. unix86.org » Samba Integrate into Active Directory
  4. Integrasi AD di Ubuntu Hardy Heron « Tr4ck1n9’s Blog
  5. How can I join a Ubuntu machine to my domain? | Ask The Admin
  6. Squid Ubuntu 8.04 LTS
  7. HOWTO GNU/LINUX: autenticarsi su Active Directory « Moros' Blog
  8. VPC, Ubuntu 8.10 (beta), and Active Directory « Matt on Rails
  9. Linux commands – for Daily usage | Синеочко
  10. HOWTO GNU/LINUX: Autenticarsi in un dominio Windows (Active Directory) | Morolandia

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: