Ubuntu 12.04 LTS (Precise Pangolin) Active Directory Integration with LikewiseOpen

By | 05/11/2012

Integrating Linux into Active Directory for authentication gives obvious benefits. This document details the installation of LikewiseOpen.

At one point I used to remove the local accounts but I have found that not such a good idea. I now leave one local admin account on the servers just in case the Active Directory integration fails for some reason. Sounds obvious, now.

Please note that the sections that you will probably want to change are coloured red. If your Active Directory group names have a space in the name, you will need to use the “^” character to mark the spaces.

First, start with the obligatory system update to make sure the system is ready:

$ sudo apt-get update
$ sudo apt-get upgrade

We should now be ready to install LikewiseOpen:

$ sudo apt-get install likewise-open5

Now we can join the domain:

$ sudo domainjoin-cli join domain.local Administrator

Assuming everything went well, you will probably want to update the DNS server for Active Directory by typing:

$ sudo lw-update-dns

One important thing to note here, though, is that the DNS entries made by this tool seem to expire if they are never updated. To solve this you can either run this command from a cron job or add a static mapping in the DNS server. To set up a cron job:

$ sudo vi /etc/cron.daily/lw-update-dns

and paste the following:

#!/bin/bash
/usr/bin/lw-update-dns

Don’t forget to make it executable:

$ sudo chmod 755 /etc/cron.daily/lw-update-dns

The next thing to do is to allow the Domain Admins group access to the sudo command. This is accomplished by editing the sudoers file.

$ sudo vi /etc/sudoers

You need to add the following line to the file:

%domain^admins ALL=(ALL) ALL

Optional

Finally, we will customise the installation to make it a bit more user friendly. The following changes the location of the home folders that are created so that they sit alongside those of the regular users. This is fine since this is a single user domain and there will be no local users.

$ sudo lwconfig homedirtemplate %H/%U

Next we change the default domain so that the system will assume that the usernames of connecting clients are from the Active Directory domain. The benefit here is that users can log in using just ‘username’ instead of ‘username@domain.local’.

$ sudo lwconfig AssumeDefaultDomain true

To improve the security of the system, you might want to restrict access to ONLY Domain Admin accounts. This can be accomplished by:

$ sudo lwconfig RequireMembershipOf DOMAIN\domain^admins

Please be sure to replace DOMAIN in the command above with the actual name of your domain.
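The two places above where a group name is typed by hand (the sudoers line and the RequireMembershipOf argument) are where a stray space or a forgotten DOMAIN prefix locks you out of sudo or out of the box entirely. The following script is an added example, not part of the original post or of LikewiseOpen: it builds the “^”-escaped group name from the Active Directory display name, emits the sudoers and lwconfig lines for it, and syntax-checks the sudoers fragment with visudo before you paste it into /etc/sudoers (visudo is the safer way to edit that file in any case, because it refuses to save a broken file). EXAMPLEDOMAIN and the group names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the group-name
# escaping and sudoers/lwconfig lines described above.
# EXAMPLEDOMAIN and the group names used below are constructed placeholders.

# Escape an Active Directory group name the way LikewiseOpen expects:
# lower-case it and replace each space with "^" ("Domain Admins" -> "domain^admins").
ad_group_escape() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ' ' '^'
}

# Build the /etc/sudoers line that grants the group full sudo rights.
sudoers_line_for_group() {
    printf '%%%s ALL=(ALL) ALL\n' "$(ad_group_escape "$1")"
}

# Build the lwconfig RequireMembershipOf argument (DOMAIN\group), so the
# NetBIOS domain name is never left as the literal word DOMAIN.
require_membership_arg() {
    domain=$1
    group=$(ad_group_escape "$2")
    printf '%s\\%s\n' "$domain" "$group"
}

# Syntax-check a sudoers fragment with visudo before it reaches /etc/sudoers.
# Returns 0 when visudo accepts the fragment; if visudo is not installed on
# this machine the check is skipped and 0 is returned so the helpers above
# can still be exercised offline.
check_sudoers_fragment() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null 2>&1
        rc=$?
    else
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: generate and check the lines for the placeholder domain and group.
line=$(sudoers_line_for_group "Domain Admins")
echo "$line"
check_sudoers_fragment "$line" && echo "sudoers fragment accepted by visudo"
echo "sudo lwconfig RequireMembershipOf $(require_membership_arg EXAMPLEDOMAIN 'Domain Admins')"
```

Run it before touching the real files; if visudo rejects the fragment, fix the group name rather than editing /etc/sudoers by hand, and keep the local admin account mentioned at the top of the post until you have confirmed a domain account can both log in and use sudo.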

Assuming all went well, you should now be able to ssh into the system using a domain account with Domain Admins being able to use the sudo command.

Last edited by Antony on August 6, 2013 at 4:30 PM

3 thoughts on “Ubuntu 12.04 LTS (Precise Pangolin) Active Directory Integration with LikewiseOpen”

  1. BELKACEMI

    Thank you for this detail, but I have a question. I wanted to restrict access to an AD user group, so I replaced domain admins with the name of my group, for example tech, so $ sudo lwconfig RequireMembershipOf DOMAIN tech .
    At first I saw that it works, but after a time (18h) I no longer have access with any user (please help me :'(

    1. Antony Post author

      Did you replace the word DOMAIN in that command line with the name of your domain? Eg. My domain is THORNLIE and so the command for me would be:

      $ sudo lwconfig RequireMembershipOf THORNLIE\domain^admins

      I made that mistake myself once or twice when I was setting up new servers 🙂

      Hope this helps,

      Antony

  2. ftc

    Great blog you have here, thanks a lot for making it available!

