Update 3/31/2016: PBIS doesn’t work well as of late and this method has been superseded by this article: http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/


Update 5/18/2014: I created scripts to automate 90% of this process. I still recommend you read this post before jumping in and using the scripts, so that you know exactly what it is you are doing. However, the scripts can save you a lot of time. You can get them by clicking here.

If you work in a mixed environment like I do, then this topic is probably quite important to you, especially if you also happen to be the security person for your organization and centralized account administration is a big deal.

In this tutorial, I will be walking through how to join an Ubuntu 14.04 LTS Server to a Windows Active Directory Domain. Furthermore, we will be granting a new domain group sudo rights in the “sudoers” file on the box, so that our Domain Admins will automatically have the ability to use sudo to administer your Ubuntu Servers as needed.

Additionally, we will also be making it easy for them to log in (no appending of the domain onto their user account name) and giving them the more user-friendly bash shell, rather than the default sh.

All commands reference the fictional domain “CONTOSO.COM” to make the syntax easier to understand. The Domain Controller (DC) for the domain will be at “192.168.0.100”. The domain controller is assumed to be running DNS services, as this is tightly integrated with Active Directory. The name of the domain admin in the Windows domain is “admin”.

This guide assumes the following:

1. You have a Server 2003 or newer domain environment
2. You are running Ubuntu 13.10 or above on your server (I am working on a 14.04 LTS release). This may work on older versions.
3. You are at least a domain admin or can instruct someone who is to make some domain changes.
4. You have full root privileges on the Ubuntu server
5. Proper ports are open between your Active Directory Domain Controller and the Ubuntu server you wish to join to your domain. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?

Ahead of time….
1. Install Ubuntu Server and name it appropriately. If you want your server to ultimately be found at linuxserver05.contoso.com then you would edit your /etc/hostname file to read “linuxserver05” (without the quotes).

2. Set a static IP address on your Linux server. As part of the config be sure to specify the following lines (in /etc/network/interfaces):

dns-search contoso.com
# the IP address of your domain controller
dns-nameservers 192.168.0.100

Okay, let’s go!

We are going to be using a software package called “PowerBroker Identity Services, Open Edition” to simplify life. The download packages for this service can be found here: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

So the first thing to do is to log in, elevate your privileges, and use wget to pull the latest package file down:

sudo -s
wget http://download.beyondtrust.com/PBISO/8.0.0.2016/linux.deb.x64/pbis-open-8.0.0.2016.linux.x86_64.deb.sh

Next, we need to install the package:

chmod a+x pbis-open-8.0.0.2016.linux.x86_64.deb.sh
bash pbis-open-8.0.0.2016.linux.x86_64.deb.sh
shutdown now -r

Answer “No” when the installer asks whether you want “legacy links”; you do not need them.

The last command reboots your box. Once it comes back up, log in and elevate your privileges; then we are going to join the domain and reboot again…

If you were like me and did something stupid… like naming the local administrator account on your Ubuntu server the same as an account in your Windows domain, you need to rename that local admin account to something innocuous before going any further. I wrote up a short guide on how to do that here: Change Username of First User

sudo -s
/opt/pbis/bin/domainjoin-cli join contoso.com admin@contoso.com
shutdown now -r

Once the box comes back up again, elevate your privileges and then configure several more things…

sudo -s
/opt/pbis/bin/config UserDomainPrefix contoso
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config LoginShellTemplate /bin/bash
/opt/pbis/bin/update-dns
/opt/pbis/bin/ad-cache --delete-all

Now, there is also a small bug in the PAM configuration for pam_lsass.so (the PAM module PBIS installs). We need to modify a config file. You can do this via the following:

vim /etc/pam.d/common-session

Find the line that says “session sufficient pam_lsass.so” and change it to read this:

session [success=ok default=ignore] pam_lsass.so

---------- OKAY - JUMP OVER TO YOUR WINDOWS DOMAIN CONTROLLER AND LOG IN AS A DOMAIN ADMIN ----------
Do the following:
1. Create a new global security group called “LinuxAdmins” (without the quotes)
2. Add the built-in “Domain Admins” group to the newly created “LinuxAdmins” group
---------- BACK TO YOUR UBUNTU BOX ----------

We need to edit the “sudoers” file, which is done via visudo. nano is the default text editor. If you want to change to something else (I prefer “vim”) use the following command:

sudo update-alternatives --config editor

Once you have chosen the text editor you prefer, launch visudo:

visudo

Append this new line to the bottom of the file:

%linuxadmins ALL=(ALL:ALL) ALL

Save and close… reboot the box one more time and then attempt a login with your domain admin credentials.

EDIT: I had some trouble with the syntax on the very last step for adding the AD group to the sudoers file. Here is what helped. Log in as a domain user in the Linuxadmins group. Then run this command and examine the output:

id

You should see that your user is a member of the “LinuxAdmins” group or a member of the “contoso\linuxadmins” group. If you followed the above tutorial it should be the former and the syntax now provided in the tutorial for adding the group to the sudoers file should work.

This is because of the configuration we applied earlier:

/opt/pbis/bin/config UserDomainPrefix contoso

(together with AssumeDefaultDomain true), which means the system assumes “contoso\” in front of all usernames and group names. If, when you run the “id” command, your domain name is shown in front of the group name, your sudoers line will instead need to look like this:

%contoso\\linuxadmins ALL=(ALL:ALL) ALL

Notice the double “\\”: it is necessary (not a typo), because the backslash is an escape character in the sudoers grammar, so a literal backslash in a group name has to be written twice.
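The group-name check the EDIT describes is easy to get wrong, and a malformed sudoers line can cost you sudo for every admin on the box. As an added example (not code from the original post, its scripts, or PBIS), here is a POSIX shell script that reads the output of id, picks whichever of the two sudoers syntaxes matches, and installs the line under /etc/sudoers.d only after visudo -c accepts it. The domain prefix contoso and the group linuxadmins are the tutorial's; the function names and the drop-in file name /etc/sudoers.d/linuxadmins are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: choose the sudoers line for the
# LinuxAdmins AD group based on how PBIS actually reports the group name, and
# install it only after visudo has accepted the syntax.
# Assumptions: domain prefix "contoso" and group "LinuxAdmins" as in the
# tutorial; the drop-in file name /etc/sudoers.d/linuxadmins is my choice.

DOMAIN_PREFIX="contoso"
GROUP_NAME="linuxadmins"   # PBIS reports AD names lowercased

# sudoers_line_for ID_OUTPUT
# Print the sudoers line matching the group format found in the output of
# `id` for a domain user. With UserDomainPrefix/AssumeDefaultDomain set the
# group shows up bare ("linuxadmins"); otherwise it shows up as
# "contoso\linuxadmins". In sudoers a backslash is an escape character, so a
# literal one in a group name has to be written as "\\". Returns 1 if the
# user is not in the group at all.
sudoers_line_for() {
    id_output="$1"
    # "\\\\" inside double quotes becomes "\\", which grep reads as one literal backslash
    if printf '%s\n' "$id_output" | grep -qi "(${DOMAIN_PREFIX}\\\\${GROUP_NAME})"; then
        printf '%%%s\\\\%s ALL=(ALL:ALL) ALL\n' "$DOMAIN_PREFIX" "$GROUP_NAME"
    elif printf '%s\n' "$id_output" | grep -qi "(${GROUP_NAME})"; then
        printf '%%%s ALL=(ALL:ALL) ALL\n' "$GROUP_NAME"
    else
        return 1
    fi
}

# install_sudoers_line LINE
# Stage LINE in a temp file, let visudo check it, and only then move it into
# /etc/sudoers.d. A syntax error in any sudoers file disables sudo for
# everyone, so the check is not optional.
install_sudoers_line() {
    line="$1"
    target="/etc/sudoers.d/linuxadmins"
    tmp=$(mktemp) || return 1
    printf '%s\n' "$line" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        mv "$tmp" "$target"
        echo "installed: $line -> $target"
    else
        rm -f "$tmp"
        echo "refusing to install invalid sudoers line: $line" >&2
        return 1
    fi
}

# Usage (as root, after the domain user has logged in at least once):
#   sh linuxadmins-sudoers.sh jdoe
# Runs only when a user name is given, so sourcing the file has no side effects.
if [ $# -eq 1 ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        exit 1
    fi
    if line=$(sudoers_line_for "$(id "$1")"); then
        install_sudoers_line "$line"
    else
        echo "user $1 is not a member of $GROUP_NAME; check the output of: id $1" >&2
        exit 1
    fi
fi
```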



93 comments on: Add Ubuntu 14.04 LTS Server to a Windows Active Directory Domain – Fullest Integration

  1. Pingback: Shell scripts for quickly integrating an Ubuntu 14.04 LTS server into a Microsoft Windows Server Active Directory Domain | KiloRoot.com

  2. Osama Eid

    thanks for your effort

  3. Andre

    Hi,

    Thank you for the blog post.
    I did follow your steps but when I’m joining my domain $/opt/pbis/bin/domainjoin-cli join CASEMG01.local [email protected]

    I’m receiving the following message:

    Error: ERROR_GEN_FAILURE [code 0x0000001f]

    Do you know what’s can be happening?

    Thanks for your help.

    • nbeam

      Hey Andre,

What version of Ubuntu are you trying to set this up on?

      I did some quick searching and here are a couple of possibilities…
      http://askubuntu.com/questions/32261/how-can-i-add-ubuntu-to-a-windows-domain

      Take a look at that link.

      A couple of things I would test… You need to know the IP address of a Domain Controller in your windows domain. I would try to ping the DC from the ubuntu box and see if they can see each other. If you can’t talk to a DC you are going to be dead in the water.

Also, I would make sure with the IP settings on your ubuntu box to set up the Windows DC as your primary DNS server. Server 2008 (perhaps earlier) and forward tend to tie DC functionality and DNS very closely together. If you are sure you are using the DC as your DNS server (assuming that it is set up as a DNS server, which I believe is the default setup for a DC on 2008 and newer versions of Windows Server) try to ping some other boxes on your windows network using their FQDNs (fully qualified domain names) and see if they resolve to an IP and you can ping them. If they resolve to an IP then your DNS is working correctly.

      As noted in the link, make sure there aren’t any computer objects already in the Domain with the same name as the machine you are trying to join. Make sure your user account has sufficient privileges to join machines to the domain (I have a domain admin account on the test setup I was working on).

      Hope this gives you some things to look into at least!

      Kind Regards,

      Nathan

    • DovendyrE

      sudo apt-get remove avahi-daemon fixed the same issue for me.

  4. Jason Tomme

    Thank you very much for this. Everything worked flawlessly.

    • nbeam

      You are very welcome!

  5. Sherwin Roi Alcala

I was stuck in the first step, I can’t download the PowerBroker. I followed your instructions but I always get this message:

    Resolving download.beyondtrust.com…failed: Name or service not known
    wget: unable to resolve host address ‘download.beyondtrust.com’

I’m pretty sure that the download link is working. What is supposed to be the problem?

    I’m using Ubuntu 14.04 LTS.

    • nbeam

      I just double checked the download link. It seems to be working just fine.

      Try the following command from your server command line:

ping www.google.com

      ctrl-c to stop it from running.

If you aren’t getting a response, and particularly can’t resolve www.google.com to an IP address, then I think I know what is going on.

      My guess is that whatever DNS server you have set your box to use for name resolution isn’t working or at least isn’t resolving the beyond trust domain to its public IP.

      Hope this is helpful, report back for us how it goes.

      Regards,

      Nathan

      • Sherwin Roi Alcala

        Hi,

I can’t ping www.google.com, it says:

ping: unknown host www.google.com

        Sorry to bother you, I’m just starting to learn linux, how can I change my DNS server?

        Thanks and regards.

      • nbeam

First, welcome to a whole new world. Second, let’s see if you have WAN connectivity at all:

        Try this:

        ping 8.8.8.8

See what that comes back with. I have a feeling you might not have internet connectivity at all 🙁

        Almost everything in linux is configured in a text file. Learning how to use a commandline text editor can be a bit tricky at first but after a little while you get the hang of it. Rather than explain everything in the comments, I am just going to give you some links:

        Using VIM text editor:
        http://lifehacker.com/5844890/the-interactive-vim-tutorial-teaches-you-how-to-use-the-super-efficient-vim-text-editor

        Once you learn how to use VIM, you can use it to modify existing files or create new ones. The command syntax is simply:

        vim filename

        The file you need to edit is:
        /etc/network/interfaces

        The interfaces file defines IP addressing for each of your NIC connections. Here is information on that:
        http://www.cyberciti.biz/faq/setting-up-an-network-interfaces-file/

        The line of information you are looking to add specifically is the following:

        dns-nameservers 192.168.15.1 8.8.8.8

        It actually isn’t discussed in that link I provided on the interfaces file, however it is discussed here:
        http://askubuntu.com/questions/143819/how-do-i-configure-my-static-dns-in-interfaces

        And that is a very good discussion of some ubuntu specific “junk” you need to know about configuring NIC connections. It is a good read.

In the example I provided above (dns-nameservers) the first IP address would be internal, the second IP address is Google’s public DNS server. They are separated by a space. You could get rid of the internal name server altogether, except that you are trying to add the server to your windows domain, in which case I would strongly suggest you put in the IP address of your windows domain controller as the primary name server.

        Now, if you are not familiar with/don’t have a good handle on at least some of the following terms:

        IP Address
        DHCP
        Static Address
        DNS
        Netmask
        Gateway
        Nameserver
        WAN
        LAN
        NIC

        It isn’t the end of the world but I would say you aren’t overly familiar with networking, in which case you have a lot more reading to do before you get to this point. Once again, I don’t say this to discourage you at all, rather to point you in the right direction so you can get where you want to go and know how you got there. My goal is simply to help folks out :), hopefully I am doing that.

        Regards,

        Nathan

  6. Tony Searle

    followed your instructions Ubuntu server 14.04 Windows 2008 R2 Domain

    issue at this point

    /opt/pbis/bin/domainjoin-cli join contoso.com [email protected]

    Error: Module not configured [code 0x000003eb]

    • nbeam

      It has been a month or so since I wrote this article up but I vaguely remember running into this error and I am trying to remember what I did to overcome it.

      I found this for you here: http://ubuntuforums.org/archive/index.php/t-810405.html

      It seems to address your exact issue although I am not sure if this is the area of configuration you are missing. Here are the relevant parts of that discussion (simply a copy-paste from the post so forgive the formatting):

      ————————–
      I hate to tag on to this but I’m having a problem like this one I get this error when I trying to join the domain at my work to access the database off my laptop I can join it fine with XP Pro on the other partition anyway this is what it is telling me

      Error: Module not configured [code 0x00080042]

      Even though the configuration of ‘hostname’ was executed, the configuration is
      not complete. Please contact Likewise support.

I know this is an oldish post, but I fixed this by adding --ou with the relevant organizational unit to the join command and it worked…

sudo domainjoin-cli join --ou OUName yourdomain.com yourADusername
      windwalker78
      ——————————————

      March 26th, 2009, 04:49 PM
I know this is an oldish post, but I fixed this by adding --ou with the relevant organizational unit to the join command and it worked…

sudo domainjoin-cli join --ou OUName yourdomain.com yourADusername

      Thanks for the posting this information 🙂

      Regards,
      Todor

      ——————————-
      April 29th, 2009, 07:53 AM
      Yea, thanks a lot!! It worked for me,too!
      Martin
      Ahlan
      August 12th, 2009, 02:51 PM
      I had the same problem.
      Although the error message was “module not configured”
      the problem was actually caused by the domain not being written case sensitive.

      In my case our domain is Ultimate.White-Elephant.ch
      when I first used domainjoin-cli I entered join ultimate.white-elephant.ch

      Windows isn’t case sensitive but Linux is! 🙁

      Instead of saying that it can’t find the domain
      (which it does if you badly mistype)
it reports this very silly unhelpful message.

      When I typed the name of the domain EXACTLY as it is defined under windows
      then I was able to join my Ubuntu machine to our AD domain.
      RMTPriyantha

      ———————————————–
      January 6th, 2010, 12:33 PM
      change the following setting in /etc/resolv.conf file

      sudo gedit /etc/resolv.conf

      # Generated by NetworkManager
      nameserver 192.168.0.1(DNS server Address)
      nameserver 0.0.0.0

      and sudo gedit /etc/dhcp3/dhclient.conf

      change the prepend domain-name-servers 192,168,0,1;(DNS server Adress)

      this works for me 🙂

      Domini0n

      ————————————–
      September 30th, 2011, 03:28 PM
      It’s an old topic, but for those who have not been able to solve this for themselves.

      The reason I got this error was because I forgot to enter a DNS name for this server in our DNS.

      After doing this I could join the domain without problems.
      Always make sure you use a user that has the rights to join a computer to the domain.

      HOWTO Delegate the rights on AD: http://support.microsoft.com/kb/932455
      ————————————————————————————————————————–

      Okay, that is the end of the relevant bits. Tell me if one of the above solutions fixes your issue.

      Regards,

      Nathan

  7. Sieren

Hello,
my problem is, I can connect to the Windows share with my Ubuntu Client (14.04) but the other way is not possible. On my Windows 8 Client I can see the Ubuntu client but I can’t use the Ubuntu share. Samba is running and I think I have done the necessary changes.
But to be sure, could you post your smb.conf? Then I can control it.

    • nbeam

      Hi Sieren,

      I haven’t explored sharing out folders on Ubuntu server actually so I don’t think my SMB conf will have much to offer as I haven’t done any configuration in it. Based on general knowledge here is what little I can tell you:

      There are two major types of file sharing technologies used on networks, NFS and SMB. Windows hosts natively support and use SMB, Linux hosts natively use and support NFS. You are moving in the right direction though… On Linux, there is a technology which allows them to access (and I believe also host) SMB shares called SAMBA.

      Now, after a little google searching I did find this:

      http://www.howtoforge.com/samba-server-ubuntu-14.04-lts

      In that article, however, they are dealing with two machines in the same WORKGROUP, rather than a Windows Domain and I am not sure if that is where the hang up is coming from.

They did mention, after you configure your SMB share, to make sure you restart the Samba service (daemon) on your ubuntu box with the command:

      service smbd restart

      It would be nice if it is as simple as that :). Having not done this myself, I am afraid I can’t offer much more insight but you have given me inspiration for another article. Right now, however, I am tied up in Microsoft Hyper-V Clustering hell, hence I haven’t written anything substantial in the last two weeks on here 🙂 and my next article will probably be focused in that area.

      Kind regards and good luck!

      Nathan

  8. darren

    Thanks for the article. I was stuck for a long time with a General error 0x0000001f when I tried to run domainjoin-cli. Finally I found a site that had me remove avahi and then everything started working just fine. Apparently it’s a discovery service (ala Bonjour) that is automatically installed with ubuntu 14.

    sudo apt-get remove avahi-daemon

    Thanks again,
    Darren

    • nbeam

      Thanks for replying back! Hopefully this will help other folks struggling with the same issue!

    • Esteban

      Thank you very much.
      Your CONTRIBUTION has been of great help.

      • nbeam

        Awesome! Glad Darren’s tip came in handy! Thanks Darren for contributing!

    • Richard

Thanks for the tip to remove the avahi-daemon! It fixed it here too!
      Thank you!

  9. Brent Cox

    Thanks for this info, I followed your instructions on my server and it works like a charm.

  10. Kevin

    Worked very well. Thank you for taking the time to post it! (Ubuntu Server 14.04 LTS x64bit)

  11. Jens

    Excellent HowTo, thank you!

  12. David

    Thank you, awesome work. Did the job on the first try.

  13. John Drury

    My problem is that the home drive is being mapped but the login does not see it so gives / as home drive.

  14. Jason

    Worked perfectly thanks for your article!

  15. Ben

    Great article, thanks very much for putting it together. I’m using an Ubuntu server to provide SSH for Comp. Sci. students (KS12) so that they can have a safe environment to code in Python. One thing I’d really like to get working is to mount their Windows home directory within their /home/%user% directory automatically at login via SSH. Any ideas?

    • nbeam

      That sir, sounds like another article :).

      So let me ask this. Do you have roaming profiles in your Active Directory environment turned on? I.E. their home directory and a bunch of other stuff follows them around from windows computer to windows computer. Is that what you are trying to do here?

      –OR–

      Each student has their own profile on a single desktop machine and you want that to be mounted as a “share” in their home/%user% directory in linux?

      The latter scenario I can start conceiving of ways to do it. Especially if you are already active directory integrated on the linux box so they are sharing a username across machines/OS’s.

      This could be a fun project. I have an active directory domain here at my house/home office for work/test purposes. I could setup some users and generate some content and see if I can’t figure out a way to do one of the above scenarios.

      If you want the first option, I would suggest you start googling “windows roaming profiles” in Linux. You can also lookup PBIS (power broker identity services) which is the package I use in our article to integrate the linux box into Active Directory. It might have functionality like this already built-in.

      Kind Regards,

      Nathan

      • Ben

        Thanks for the reply, it’s the first option in that our students have roaming profiles. I’ll take a look at the PBIS functionality available, would love some help with it though 🙂

      • Vault-Tec

        Hello,

        Thanks for this article, even 3 years later it still helps poor admins like me!

I’m very interested in the roaming profiles. I have some different ideas:

1) Fully roaming profiles: redirect all the user’s directory from the computer directly to our data server. I’m not sure how to do it, because I do not know how Unix will react in case of a user not using his usual computer. Is the /home directory possibly linked directly to the AD session and not to the computer? Also, will a W2012 data server allow access to that kind of manipulation from a Linux? I guess if it is integrated in the AD…

2) Half-roaming profile: redirect the user’s directory to another ext4, and then every day using crontab make a copy of the files into our data server. The script will need to automatically create a directory with the name in session. However, the same issue occurs: how will Unix react in case of multiple session openings, or an unusual computer?

        Thanks a lot if someone of you worked a little about it one day!

  16. James

    Your post is especially good for a server, but I am adding desktops. I have sudo/gksudo working as expected but when an application itself spawns an elevation dialog that dialog specifically asks for the local administrator account (thus ignoring the domain users who have similar privileges on this machine).

    You can read more about it here: http://ubuntuforums.org/showthread.php?t=2249611

    Thanks for any help you are able to provide.

    • nbeam

      Interesting… I only work with the server version of ubuntu so I haven’t encountered this issue. I wish I could be of more help but work has me really tied up at the moment (lots of irons in the fire so to speak). I have been trying to finish several posts for this blog for example but just haven’t had the time. 🙁 If you do find an answer, please post it on here for anyone else that comes along that runs into similar issues. Kind regards and good luck! -Nathan

  17. James Williams

    Just wanted to add my thanks and say how useful your guide has been.

    I skipped the section on resolving the bug with PAM due to it not being present in the config file. I assume this is because I am using a new version of PBIS.

    • nbeam

      Thanks! Always appreciate the encouragement 🙂 and additional tips for everyone else!

  18. Nelson Rivera

My background is basically Windows administration, but for the last several years, I’ve been converting our network from a purely M$ setup to a more heterogeneous setup. After some initial resistance (dueling pistols at dawn), I’m free to convert our back end systems to other operating systems (Ubuntu, CentOS, FreeBSD, etc…). Demonstrating that we could accomplish the same goals for a fraction of the expense of Microsoft solutions and usually with better performance and reliability, got management on board.

Integrating security is one of the last major pieces that I was missing. I knew it was possible to integrate with Active Directory, but this article just made that trivial. I was able to integrate all my servers between a couple cups of coffee!

    THANK YOU! THANK YOU! THANK YOU!

    • nbeam

      You are very very welcome 🙂 – I am all for heterogeneous environments and look forward to posting more articles on accomplishing as much! Cheers!

  19. Dr.Mythnick

    for ubuntu server 14.04 it works great.

for ubuntu desktop 14.04 it’s painful to try to set it up and it always ends up not working.

    • nbeam

      Yes, I have heard this from several people now. I haven’t had a need to connect an ubuntu desktop to a windows domain, just a bunch of servers. Hence I haven’t ever written an article on it. I *think* if you Google a bit though you might come across a different software package that works well for Ubuntu Desktop. From what I can vaguely remember there were some software options if you had a GUI that were supposed to make joining a domain even more painless than this article. I might be wrong about that but I swear I remember coming across several articles about this. If I get some time I will see if I can’t try to figure it out myself in a test environment here and then get back to you.

  20. Tri Nguyen

    Thanks for the great guide.
After completing the last step and rebooting, I was able to log in using one of the domain accounts. However, it logged in for a second and then kicked me back to the logon screen. I tried to log in with the local account but the same thing happens. Any thoughts on how I can fix this?
    Thanks again!

    • Tri Nguyen

I followed all the steps again with this change (%contoso\\linuxadmins ALL=(ALL:ALL) ALL) at the end. Everything seems to be okay now. Thanks 🙂

      • Igor

I have the same issue. When I try to log in it kicks me back. How did you manage to log in locally?

        Thank you

  21. Kartik

    I have two different issues on two different systems, both CentOS 6.5

    On the first system:
I upgraded Likewise 6.x to 8.x on CentOS 6.5 and doing this broke vsftpd. There is nothing in /var/log/secure (where PAM logs), no changes were made to /etc/pam.d/vsftpd, nothing in vsftpd running in full logging mode… the message I get is Login Incorrect (ftp attempt); the same user is able to ssh to the system using the same password.

    On the second system:
I reinstalled Likewise 6.x after doing an uninstall purge and removing any rpms etc. This is the message I get after doing a domainjoin-cli:
    Even though the configuration of ‘pam’ was executed, the configuration is not complete. Please contact Likewise support.

  22. Pingback: Configure Active Directory Authentication with PowerBroker Open (RHEL/CentOS) |

  23. Fabiano Borges de Sousa

An excellent guide, flawless!

  24. Pingback: Joining Linux Mint 17 to a Windows Domain using PBIS Open |

  25. Pingback: Agregando Ubuntu 14.04 a Active Directory: configuraciones finales | Way to IT

  26. Rohit Gupta

Thanks for the great article.

I have followed every step till the end and am able to connect with the Domain accounts. But, using a domain account that is a member of the linuxadmins group, I am unable to access sudo -s; I am receiving the error ” is not in the sudoers file. This incident will be reported.”

Can you please suggest in case I missed anything. Thanks.

  27. Rohit Gupta

    Dear,

    Please ignore my last message about unable to have admin privileges for domain security group.

I tried %domain\\domaingroup ALL=(ALL:ALL) ALL, but it didn’t work, whereas if I change the line to %domaingroup ALL=(ALL:ALL) ALL then the domain security group members have admin privileges. Can you confirm the reason why the alternative is working? Thanks

  28. Eddiie

    This does not work for cross-domain authentication.
    Support will not help, mailing list no help, forum no help.

    Looking for alternatives; anyone know?

    • Eddiie

      Bump……………..
      Can this issue get some attention?

      • nbeam

        Hey Eddiie,

        I can appreciate the frustration. It is hard when you are trying to solve for something that not many other people run into… or those that do have already thrown in the towel, or worse, figured it out and never told anyone. For myself, I am squarely in the first camp, I have never had to wrestle with cross-domain anything. I have done a bit with Active Directory Federation (a la’ a royal nightmare) and considering what a complicated mess that is I could never imagine throwing a ‘nix box into the mix :).

        In short, I hope someone is able to help on this. I would even give a full article space to it if someone has the answer. I don’t have an environment where I could even try it unfortunately :(.

        Good luck and/or good beer… you will probably need a bit of both.

  29. Alex.Tranauskas

    Ran into several errors while doing this on my machine; here’s how I resolved the issues for anyone’s reference.

In step 1 my PowerEdge 2850 wouldn’t take the manual configuration of the NIC, resulting in no internal or external network connectivity.

Using nano /etc/network/interfaces
I reset the NIC to use DHCP, then reset the machine with shutdown now -r.
This allowed me to once again ping in and out of my domain, but it wouldn’t resolve hostnames. On a whim I installed xubuntu with aptitude install xubuntu-desktop and used its network manager to configure my NIC.

When using domainjoin-cli I would get an error saying that an SSH bit was found at [nowhere] etc.

This was resolved by adding --disable ssh after -cli

    So the full command would look like this

/opt/pbis/bin/domainjoin-cli --disable ssh join contoso.com admin@contoso.com

And since it’s close enough to 5pm on a Friday to be a weekend I’ll continue my sojourn into creating a Linux IRC server for my company on Monday.

    • nbeam

      Thanks for the write-up! If you are using dhcp, and your dhcp server has the option configured, it should have handed out DNS servers with the address. That is an optional configuration item for dhcp though I think. If you run into that again, you can try running the command ifconfig to see what nic settings are applied and you can use the command nslookup some domain.com to see what DNS server is responding to your requests, if any. Anyhow, you may have already tried all that and your server was just acting funky. Glad you got it fixed 🙂

  30. Derek M
    Reply

    Thanks for your post, this was very helpful and much better than the documentation on the PowerBroker website.

    I was hoping you would be able to assist with one other thing: is it possible to restrict domain logon access to only a handful of groups?

    Thanks again for the post,
    -D

  31. Carlo
    Reply

    Hi, I'm trying to join my PC running Ubuntu Linux to the domain using PBIS, but I get the following error:

    Error: ERROR_GEN_FAILURE [code 0x0000001f]

    This error occurs when I'm trying to join the domain from another subnet. Any idea?
    The server is Samba 4.

    Thanks

    Carlo

  32. Bradley
    Reply

    Thanks so much, worked perfectly and everything went fine. After the last reboot, it showed my domain name but it didn't want to accept my password. Is there a reason for this?

    • nbeam
      Reply

      Make sure your primary DNS server in your NIC config is configured to be the IP address of Domain Controller. If you are still having problems, make sure there are no other DNS servers configured except for your primary domain controller.

      I also had some issues when I was using two domain controllers, a primary and an RODC. The RODC caused nothing but headaches; when I stripped my config back to just hit my primary domain controller, everything worked. You can try all of the above out, your mileage may vary...
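Several of the failures in this thread (a password rejected after the join, Access Denied, DNS_ERROR_BAD_PACKET) are the kind of thing the advice above about DNS is meant to head off, so here is a check worth running before touching PBIS at all. This is an added example, not code from the original post or from the PBIS scripts; it assumes the article's fictional domain contoso.com and DC 192.168.0.100, and the live lookup needs dig from the dnsutils package. The parser part runs offline on a constructed sample of dig output.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the host can resolve
# AD service records before blaming PBIS. The live check needs dig (package
# dnsutils); the parser runs offline on the constructed sample below.
# Assumed names: domain contoso.com and DC 192.168.0.100, as in the article.

# Reduce 'dig +short SRV' output (priority weight port target) to DC host
# names, best candidate first: lowest priority, then highest weight.
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ print $3 }'
}

# Ask nameserver NS for the domain's DC locator SRV record. Prints the DC
# names and returns 0, or returns 1 when NS knows nothing about the domain,
# which is what a non-AD resolver in /etc/resolv.conf looks like.
ad_dns_check() {
    domain=$1
    ns=${2:-192.168.0.100}
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    out=$(dig +short @"$ns" SRV "_ldap._tcp.dc._msdcs.$domain")
    [ -n "$out" ] || { echo "no DC SRV records for $domain via $ns" >&2; return 1; }
    printf '%s\n' "$out" | parse_srv_targets
}

# Constructed sample of what dig returns for a domain with three DCs.
SAMPLE='0 100 389 dc2.contoso.com.
0 200 389 dc1.contoso.com.
10 100 389 dc3.contoso.com.'

# Worked example on the sample, so the ordering can be checked offline.
dc_list_from_sample() {
    printf '%s\n' "$SAMPLE" | parse_srv_targets
}
```

Run `ad_dns_check contoso.com` once against the DC and once against whatever `nameserver` line is first in /etc/resolv.conf. If the DC answers and the configured resolver does not, the box is using a DNS server that has never heard of the domain, and no amount of PBIS reconfiguration will fix that.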

  33. Chris
    Reply

    Wish I would have seen this prior to starting. I followed the article on the Ubuntu forum (https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto) and now have seemingly locked myself out of the machine, both for local and domain users.

    The join was successful, but on reboot, the desktop user name is actually now that of the DOMAIN and I can't change it. I am not able to use the original local user password or any domain password. I can get to the SSH login prompt (which of course allows me to specify a user login name), but no matter how I specify a local user account (in the format of 'user', '\user', '.\user' or '+user') or a domain name (in the format 'domain\user'), I cannot access the machine.

    I need some files on local users desktop, but I do not know how to retrieve them. I’m not even sure if re-installing the OS will help.

    • nbeam
      Reply

      You “might” be able to use an ubuntu live disk and boot from that into a fresh “os” running off the disk and ram. From there, you could probably mount the partitions off of the install on your hard drive that you are currently locked out of and at least retrieve specific files (as long as you didn’t enable encryption of the home directory on your other install).

      If you can’t get su or root access on your current install, that would be the route I would try next. You will need to get handy with figuring out how to mount drives and partitions from another disk but there is enough info out there on how to do this that you could figure it out. Good luck! Tell us how it goes.

      • Chris

        Many thanks for this. I have booted from an Ubuntu 14.04 LTS server ISO into recovery mode, can mount sda1, navigate to the local users desktop, and copy the files to the root of the drive. All I need to do is get them off this virtual machine (running on ESXi).

        I wonder if I can “Fix” what I managed to break with regards to authentication. It would appear from the instructions I originally use that a lot of this is simply governed through text files.

      • nbeam

        Check the /etc/sudoers file.

        Also, there should be a text file somewhere defining what your default domain is during login (whatever it sticks in front of your username by default, i.e “domain\”).

        Regarding text files… welcome to linux :). Check your /etc/conf directory, that is the default location for config files for most applications.

        Glad you were able to get the drive mounted and at least recover your data.

      • Chris

        Hi nbeam,

        This is great. I had already taken the plunge and reinstalled before your post; however, I now have a working Ubuntu 14.04 that is correctly joined to our domain and I can log in with both local and AD admin users. Dead simple.

        We are using GNOME3 as the desktop (given that pretty much everyone comes from a Windows background, including me) and I would like to create the same shortcuts available to all users on their desktop (simple links to a shared folder on the Ubuntu machine will do fine). If possible it would be nice to customise the Activities within GNOME to ensure that all have a consistent set, such as a Terminal window and Text Editor, but not necessary.

        Once again, thanks for the post.

  34. Jeff Puckett II
    Reply

    Hey this worked great for a very long time, thanks! Today however, I notice that I can log in, but when I run groups command from terminal, it only shows domain^users, and not my domain^admins, and therefore I am no longer on the sudoers list. Has anyone else had a problem with group membership disappearing? When I flip over to windows, I can see all my group membership just fine, so I know it’s all good on the windows side.

    • nbeam
      Reply

      Do you have multiple DC’s in your environment?

      • Vitaly

        Jeff,
        Yes, I and many others are affected by this PBIS behaviour; it seems like some ugly bug across many PBIS versions.
        I tried both upgrading and downgrading, cleaning the cache, and decreasing the cache time; it didn't help.
        Really upsetting.
        Vitaly
        http://community.spiceworks.com/topic/1307589-pbis-likewise-open-ubuntu-14-04-user-domain-prefix-problem-solved

      • nbeam

        Vitaly,

        Thanks for jumping in with a link to a potential fix! I haven't run into this issue yet myself, so I am unsure of how to help.

        Kind regards and hopefully someone can confirm a fix.

  35. micro
    Reply

    Does anyone use a different SSH client other than PuTTY with BeyondTrust? If so, can you provide the registry settings pointing to the alternate SSH client?

  36. connor
    Reply

    Hiya. When I run bash pbis-open-8.0.0.2016.linux.x86_64.deb.sh I get this error, any idea why?
    dpkg: error processing archive /opt/pbis-open-8.0.0.2016.linux.x86_64.deb/./packages/pbis-open-upgrade_8.0.0.2016_amd64.deb (--install):

    Any idea how to fix this?

    • nbeam
      Reply

      This is the 64-bit package installer. Are you running 64-bit Ubuntu Server? Just a quick guess.

  37. nbeam
    Reply

    I need to put an update/disclaimer on this article. After one or more recent security updates on Ubuntu, PBIS is no longer functioning for me in my domain. I need to test again with a fresh install of Ubuntu and the latest version of PBIS. I did get the latest version of PBIS and try it on an existing server to see if it would fix the issue but no luck… So anyone else having problems… yes, I am having them as well. I am running 14.04 LTS. Sorry… It was nice while it worked.

    • Ronnie Clark
      Reply

      What issues are you having? Would it be better to switch to an older version of PBIS and Ubuntu 12.x?
      I am getting this error now using Ubuntu 14.04 into a Windows 2003 AD domain:
      Error: DNS_ERROR_BAD_PACKET [code 0x0000251e]

  38. kamboj
    Reply

    Thank you very much!!! It worked at the first attempt. Great!!!! I have searched a lot of websites on the internet but everything was very complicated; this tutorial is straightforward.

  39. Pingback: Access denied trying to login to Ubuntu 14.04 (Authentication with Active Directory) – Internet and Tecnnology Answers for Geeks

  40. Harshad Trivedi
    Reply

    Can somebody please tell me how I can enable login using Windows AD credentials on Ubuntu and Mac machines?

    • nbeam
      Reply

      It’s coming… I am working on a new article using an alternate method for getting AD credentials to work with Ubuntu Servers… and Desktops.

      As far as Mac goes, I have no idea, but I would expect that Apple already has built-in tools for adding it to a Microsoft Active Directory domain.

      • jamesisin

        Please do announce here when you create your new article. I am interested in exploring other methods. (Still haven’t sorted why I can’t authenticate in the GUI but I can in the terminal.)

        And, yes, there are built-in tools in the Mac OS for AD integration. Harshad should have no trouble seeking out articles.

      • nbeam

        Will do. I have a virtual environment set up at home now so I can quickly spin up a DC and a few distributions of Ubuntu to test with. Thus far testing has gone really well, using a package called RealmD. The only thing I can't crack is getting the system to send secure dynamic updates to Microsoft DNS. Traditionally Linux/Windows admins have tended to just add those manually anyhow, so I might just go ahead and do the article with that caveat. Dynamic DNS updates work, but you have to disable a security feature in Microsoft DNS Server to facilitate it, which I am not a fan of... Anyhow, I guess in a large environment if you have a lot of Linux boxes to add to the domain you could disable it temporarily, add them, DNS dynamic updating will work, then re-enable the security feature. Adding a handful of DNS entries is no big deal, but if you start adding 50, 100, 1000... it could get to be a pain in the rear.

  41. Pingback: Add Ubuntu 14.04 Server or Desktop to Microsoft Active Directory Domain – Login to Unity with Domain Credentials « KiloRoot

  42. nbeam
    Reply

    I have written a new article using RealmD and SSSD to accomplish a domain join. It is linked up top and here: http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/

  43. Pingback: Access denied trying to login to Ubuntu 14.04 (Authentication with Active Directory) – Linux Solutions

  44. Vishal
    Reply

    I am not able to login with my domain credentials. It’s Access Denied.

    • nbeam
      Reply

      Take a look at the the new method using RealmD and SSSD. PBIS started becoming very hit or miss for me, hence I researched and deployed a new method. You should have better luck with RealmD/SSSD.

  45. Pingback: How To Add Ubuntu Machine In Windows Domain | youinsurance

  46. Pingback: How To Add User On Ubuntu Server | Information

  47. Pingback: How To Add Ubuntu Machine In Windows Domain | Gohowto

  48. Pingback: How To Configure Nfs Server In Ubuntu 13.10 | Information

  49. Pingback: How To Add Domain Users In Windows 2003 Server | Gohowto

  50. Pingback: How To Add Ubuntu In Windows Domain | Information

  51. Ragahva
    Reply

    While logging in to Ubuntu 14.04 LTS I get an Access Denied message. Which config file do I need to change? Please guide me.

  52. Dimarc67
    Reply

    NBEAM–
    We've been using your PBIS scripts quite successfully for a while now; they make it extremely easy for us to build Ubuntu 14.04 servers and quickly join them to the domain. We may eventually (perhaps even be forced to) take a look at your steps for RealmD and SSSD, but for now we'll stick with PBIS as long as it's working for us.

    To that end, we’ve found that your PBIS scripts #1 and #3 work great for us with Ubuntu 16.04 LTS, but script #2 fails to edit the sudo users config file. Instead of inserting the entry into the file, it creates and inserts the entry into a new file named “–” (two hyphens). We’ve gotten around this by using visudo manually, but I wanted to ask if you know of any reason why the script wouldn’t run as expected on Ubuntu 16.04.

    Thanks for your great work!

    Dimarc67
    Frederick, MD

    • nbeam
      Reply

      I am glad you are having a lot of success/luck with PBIS. I dropped it about a year or so after writing that article because I found PBIS to be finicky overall but then again I have also spent the last 6 months correcting some misconfigurations with our AD infrastructure so for all I know that could have been part of the issue.

      My preference is definitely RealmD/SSSD for all the reasons I laid out in that new article. That said, I am curious about why 16.04 doesn’t like my second script. I will have to dust it off again and take a look. I like a good bash script mystery…

      Oh… the other annoying thing I have run into, specifically with editing the sudoers files, is that later on down the road, system updates (via apt-get update/upgrade) will sometimes modify the sudoers file… at which point you have to manually intervene and either keep your changes and/or discard changes made by the update or combine the two. Which is an annoyance in a small environment but I would imagine it would be extremely frustrating in a large environment where one might be relying on automation for things like system updates.
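The two problems raised in this exchange, a script that ends up writing somewhere other than the sudoers file and package upgrades that later want to rewrite /etc/sudoers, both go away if the domain-admin rule lives in its own drop-in under /etc/sudoers.d rather than in /etc/sudoers itself. The following is an added example, not the article's script and not part of PBIS; it assumes the PBIS default of AssumeDefaultDomain, so the group shows up as `domain^admins`, and it reads the target directory from SUDOERS_D so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the article's script: grant a domain group sudo through
# a drop-in under /etc/sudoers.d instead of editing /etc/sudoers, so that an
# upgrade shipping a new /etc/sudoers neither prompts about nor clobbers the
# rule. Assumptions: the PBIS default of AssumeDefaultDomain, so the group
# appears as 'domain^admins'; SUDOERS_D is overridable for testing.

# Write one rule for GROUP to $SUDOERS_D/FILE (default: domain-admins).
# The file is built under a dotted temporary name (sudo skips files
# containing '.') with mode 0440, validated with 'visudo -cf' when running
# as root, and renamed into place, so a half-written or broken drop-in is
# never parsed: one syntax error in sudoers.d breaks sudo for everyone.
add_sudo_group() {
    group=$1
    file=${2:-domain-admins}
    dir=${SUDOERS_D:-/etc/sudoers.d}
    case "$file" in
        *.*|*~) echo "sudo ignores drop-ins containing '.' or ending in '~'" >&2; return 2 ;;
    esac
    case "$group" in
        *' '*) echo "use the PBIS form with '^' for spaces, e.g. domain^admins" >&2; return 2 ;;
    esac
    # sudoers reads backslash as an escape, so a DOMAIN\group name needs it doubled.
    escaped=$(printf '%s' "$group" | sed 's/\\/\\\\/g')
    tmp=$(mktemp "$dir/.sudo.XXXXXX") || return 1
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$escaped" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1 \
        && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "rejected by visudo: $(cat "$tmp")" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/$file"
}
```

After running it as root, `sudo -l -U someone` for a member of the group should list `(ALL : ALL) ALL`; if it does not, the group name as PBIS presents it (check with `id someone`) is not the one written to the file.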

  53. ChrisW-SBM
    Reply

    Quick question… After logging in I get the message “Could not chdir to home directory /home/DOMAIN/cwhitaker.admin: No such file or directory”

    Is it supposed to be creating home directories automatically?

    • nbeam
      Reply

      Yes I believe it should be creating directories automatically. I would recommend moving off of PBIS though and using SSSD per the note at the top of the article, if at all possible.

      That said, if it isn’t creating directories automatically my guess is that there might be a permissions issue on the /home/DOMAIN/ root directory. Take a look at what the current permissions are and then try to chmod the directory and loosen them up a bit (temporarily for testing) to see if that makes a difference. That should tell you whether or not it is a permissions/ownership issue.
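Two of the open questions in this thread, Derek M's in comment 30 (only letting certain groups log on) and ChrisW's here (home directories not being created), both come down to PBIS settings and a permissions check rather than a chmod guess. The block below is an added example, not from the original post or the PBIS documentation. It assumes PBIS is installed under /opt/pbis, that the setting names RequireMembershipOf and CreateHomeDir match what `/opt/pbis/bin/config --dump` prints on the installed version, and that group names are given in the PBIS form with `^` in place of spaces. The permission check is what to run on the parent directory (for example /home/CONTOSO) before loosening anything.

```shell
#!/bin/sh
# Added example, not from the original post or the PBIS documentation:
# restrict which AD groups may log in and check why home directories are
# not being created, using the PBIS registry tool. Assumptions: PBIS lives
# under /opt/pbis; the setting names RequireMembershipOf and CreateHomeDir
# are as shown by '/opt/pbis/bin/config --dump' on the installed version;
# group names use the PBIS form with '^' for spaces.
PBIS_CONFIG=${PBIS_CONFIG:-/opt/pbis/bin/config}

# Print the DOMAIN\group values RequireMembershipOf takes, one per line.
membership_args() {
    domain=$1; shift
    for g in "$@"; do
        printf '%s\\%s\n' "$domain" "$g"
    done
}

# Apply an allow-list of groups; anyone outside them is refused at login
# even though their AD password is valid. Each run replaces the whole list.
# Returns 2 if PBIS is absent.
restrict_logins() {
    [ -x "$PBIS_CONFIG" ] || { echo "no PBIS at $PBIS_CONFIG" >&2; return 2; }
    domain=$1; shift
    set -- $(membership_args "$domain" "$@")   # safe: no spaces in PBIS names
    "$PBIS_CONFIG" RequireMembershipOf "$@"
}

# Show the settings that govern home directory creation.
home_settings() {
    [ -x "$PBIS_CONFIG" ] || return 2
    "$PBIS_CONFIG" --dump | grep -E 'CreateHomeDir|HomeDirTemplate|HomeDirUmask'
}

# Before loosening anything with chmod, check the parent (e.g. /home/CONTOSO)
# the way the login path needs it: searchable by others (o+x) but not
# writable by others (o+w). Returns 0 when it is fine, 1 otherwise, and
# prints owner and mode so a wrong owner is visible too.
home_root_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: missing" >&2; return 1; }
    mode=$(stat -c %a "$dir")
    echo "$dir owner=$(stat -c %U "$dir") mode=$mode"
    prefix=${mode%?}
    others=${mode#"$prefix"}
    case "$others" in
        1|5) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Usage: `restrict_logins CONTOSO 'domain^admins' 'linux^users'` as root, then `home_root_ok /home/CONTOSO`. A parent directory at 0755 owned by root is all that is needed; a result of 0777 is not a fix, it lets any local user plant files in another user's future home directory.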
