Integrating Linux into Active Directory for authentication gives obvious benefits: one set of credentials, one place to disable an account, and group-based control over who can log in and who can use sudo. This document details the installation of Likewise Open on an Ubuntu system (the commands below use apt-get).
At one point I used to remove the local accounts, but I have found that is not such a good idea. I now leave one local admin account on each server in case the Active Directory integration fails for some reason. Sounds obvious, now.
Please note that the values you will probably want to change for your own environment are the domain name (domain.local), the NetBIOS domain name (DOMAIN), the group name (domain^admins) and the account used to join. If your Active Directory group names have a space in the name, you will need to use the “^” character to mark the spaces, so “Domain Admins” is written as domain^admins.
First, start with the obligatory system update to make sure the system is ready:
$ sudo apt-get update
$ sudo apt-get upgrade
We should now be ready to install LikewiseOpen:
$ sudo apt-get install likewise-open5
Now we can join the domain:
$ sudo domainjoin-cli join domain.local Administrator
Assuming everything went well, you will probably want to update the DNS server for Active Directory by typing:
$ sudo lw-update-dns
One important thing to note here is that the DNS entries made by this tool seem to expire if they are never refreshed (most likely because the DNS server scavenges dynamic records that are not re-registered). To solve this you can either run this command from a cron job or add a static mapping in the DNS server. To set up a cron job:
$ sudo vi /etc/cron.daily/lw-update-dns
and paste the following:
#!/bin/bash
/usr/bin/lw-update-dns
Don’t forget to make it executable:
$ sudo chmod 755 /etc/cron.daily/lw-update-dns
The next thing to do is to allow the Domain Admins group access to the sudo command. This is accomplished by editing the sudoers file. Use visudo rather than vi: it syntax-checks the file before saving it, and a broken sudoers file locks everyone out of sudo.
$ sudo visudo
You need to add the following line to the file. This short form works once AssumeDefaultDomain is turned on (see the optional section below); if you leave that off, qualify the group as %DOMAIN\\domain^admins, with the backslash doubled because a single backslash is an escape character in sudoers:
%domain^admins ALL=(ALL) ALL
Optional
Finally, we will customise the installation to make it a bit more user friendly. The following changes the location of the home folders so that domain users’ home directories are created alongside those of regular local users (under /home/username rather than in a per-domain subdirectory). This is fine since there is a single domain and there will be no local users besides the fallback admin account; just make sure no domain user shares that account’s name, or the two would be given the same home directory.
$ sudo lwconfig homedirtemplate %H/%U
Next we change the default domain so that the system assumes that usernames presented by connecting clients belong to the Active Directory domain. The benefit is that users can log in using just ‘username’ instead of ‘username@domain.local’.
$ sudo lwconfig AssumeDefaultDomain true
To improve the security of the system, you might want to restrict logins to ONLY Domain Admins accounts. This can be accomplished by:
$ sudo lwconfig RequireMembershipOf 'DOMAIN\domain^admins'
Please be sure to replace DOMAIN in the command above with the actual NetBIOS name of your domain. The value must be quoted (or the backslash doubled), because the shell silently drops an unquoted backslash and Likewise would receive ‘DOMAINdomain^admins’, which matches nobody. Test the result from a second ssh session before closing the one you are working in; if you do lock yourself out, the local admin account kept earlier is your way back in.
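The following script is an added example and not part of the original post. It wraps the steps above (install, join, DNS cron job, sudoers entry, lwconfig settings) in shell functions so that the group name, the sudoers entry and the RequireMembershipOf value are built with the correct escaping in each of the three places a backslash matters (the shell, sudoers and lwconfig), and are checked before they are applied. The NetBIOS name DOMAIN, the DNS name domain.local, the group “Domain Admins”, the local fallback account localadmin and the drop-in file /etc/sudoers.d/likewise-admins (which relies on the #includedir line Ubuntu ships in /etc/sudoers) are placeholders and assumptions, not values from the post.

```shell
#!/bin/bash
# Added example, not from the original post: the post's Likewise steps wrapped
# in shell functions so group names, the sudoers entry and the lwconfig value
# are built with the right escaping and checked before they are applied.
# Assumptions (placeholders, not from the post): NetBIOS domain "DOMAIN", DNS
# name "domain.local", admin group "Domain Admins", local fallback account
# "localadmin", and a sudoers that includes /etc/sudoers.d.
set -u

# "Domain Admins" -> "domain^admins": Likewise marks spaces with "^"; the post
# writes group names in lower case, so this does the same.
lw_group() {                      # usage: lw_group "Domain Admins"
    printf '%s\n' "$1" | tr ' A-Z' '^a-z'
}

# Fully qualified form with ONE literal backslash, e.g. DOMAIN\domain^admins.
# This is what RequireMembershipOf needs; it must be quoted on the command
# line, because the shell drops an unquoted backslash.
lw_qualified_group() {            # usage: lw_qualified_group DOMAIN "Domain Admins"
    printf '%s\\%s\n' "$1" "$(lw_group "$2")"
}

# sudoers entry. With AssumeDefaultDomain on, the post's short form works;
# otherwise the group must be qualified, and sudoers needs the backslash
# written as "\\" because a bare "\" is its own escape character.
sudoers_line() {                  # usage: sudoers_line DOMAIN "Domain Admins" [short|qualified]
    if [ "${3:-short}" = short ]; then
        printf '%%%s ALL=(ALL) ALL\n' "$(lw_group "$2")"
    else
        printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$(lw_group "$2")"
    fi
}

# The daily cron job from the post, with the shebang on its own line.
cron_script() {
    printf '#!/bin/bash\n/usr/bin/lw-update-dns\n'
}

# Apply everything. Only runs when the script is invoked as "apply"; the
# functions above can be exercised without touching the system.
apply() {
    local domain=$1 dns_domain=$2 group=$3 local_admin=$4 qualified tmp
    qualified=$(lw_qualified_group "$domain" "$group")

    # Never lock logins down to a domain group on a box with no local fallback.
    id "$local_admin" >/dev/null 2>&1 || { echo "no local fallback account $local_admin" >&2; return 1; }

    sudo apt-get update && sudo apt-get -y install likewise-open5
    sudo domainjoin-cli join "$dns_domain" Administrator
    sudo lw-update-dns

    cron_script | sudo tee /etc/cron.daily/lw-update-dns >/dev/null
    sudo chmod 755 /etc/cron.daily/lw-update-dns

    # Validate the sudoers entry before installing it; a syntax error here
    # locks everyone out of sudo.
    tmp=$(mktemp)
    sudoers_line "$domain" "$group" qualified >"$tmp"
    sudo visudo -cf "$tmp" || { echo "bad sudoers entry" >&2; rm -f "$tmp"; return 1; }
    sudo install -m 0440 "$tmp" /etc/sudoers.d/likewise-admins
    rm -f "$tmp"

    sudo lwconfig HomeDirTemplate '%H/%U'
    sudo lwconfig AssumeDefaultDomain true

    # Confirm the group resolves through Likewise before restricting logins
    # to it; an unresolvable name here means nobody can log in.
    getent group "$qualified" >/dev/null || { echo "group $qualified not resolvable" >&2; return 1; }
    sudo lwconfig RequireMembershipOf "$qualified"
}

if [ "${1:-}" = apply ]; then
    apply DOMAIN domain.local "Domain Admins" localadmin
fi
```

Source the file with no arguments to inspect what it would write (for example `sudoers_line DOMAIN "Domain Admins" qualified`), and run it with `apply` to perform the join. It refuses to enable RequireMembershipOf if the local fallback account is missing or the group does not resolve through getent, which are the two ways this step locks you out.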
Assuming all went well, you should now be able to ssh into the system with a domain account, and members of Domain Admins will be able to use the sudo command.
Last edited by Antony on August 6, 2013 at 4:30 PM
Thank you for this detail, but I have a question. I wanted to restrict access to an AD user group, so I replaced domain^admins with the name of my group, for example tech, so: $ sudo lwconfig RequireMembershipOf DOMAIN tech .
At first I saw that it works, but after a while (18h) I no longer have access with any user (please help me :'(
Did you replace the word DOMAIN in that command line with the name of your domain? E.g. my domain is THORNLIE, and so the command for me would be:
$ sudo lwconfig RequireMembershipOf 'THORNLIE\domain^admins'
I made that mistake myself once or twice when setting up new servers 🙂
Hope this helps,
Antony
Great blog you have here, thanks a lot for making it available!