Update 3/31/2016 – PBIS doesn’t work well as of late and this method has been superceded by this article here: http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
Update 5/18/2014 – I created scripts to automate 90% of this process. I still recommend you read this post before just jumping in and using the scripts so that you know what exactly it is you are doing. However the scripts can save you a lot of time. You can get them by clicking here.
If you are like me and work in a mixed environment then the above topic is probably quite important to you. Especially if you also happen to be a security person for your organization and centralized account administration is a big deal.
In this tutorial, I will be walking through how to join an Ubuntu 14.04 LTS Server to a Windows Active Directory Domain. Furthermore, we will be adding a new domain group to the “sudoers” group on the box so that our Domain Admins will automatically have the ability to use sudo to administer your Ubuntu Servers as needed.
Additionally, we will also be making it easy for them to login (no appending of the domain onto their user account name) and giving them the more user-friendly BASH shell, rather than the default SH.
All commands reference the fictional domain “CONTOSO.COM” to make the syntax easier to understand. The Domain Controller (DC) for the domain will be at “192.168.0.100”. The domain controller is assumed to be running DNS services as this is tightly integrated with Active Directory. The name of the domain admin in the Windows domain is “admin”
This guide assumes the following:
1. You have a Server 2003 or newer domain environment
2. You are running Ubuntu 13.10 or above on your server (I am working on a 14.04 LTS release). This may work on older versions.
3. You are at least a domain admin or can instruct someone who is to make some domain changes.
4. You have full root privileges on the Ubuntu server
5. Proper ports are open between your Active Directory Domain Controller and the Ubuntu server you wish to join to your domain. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?
Ahead of time….
1. Install Ubuntu Server and name it appropriately. If you want your server to ultimately be found at linuxserver05.contoso.com then you would edit your /etc/hostname file to read “linuxserver05” (without the quotes).
2. Set a static IP address on your Linux server. As part of the config be sure to specify the following lines (in etc/network/interfaces):
dns-nameservers 192.168.0.100 ##the IP address of your domain controller
Okay, let’s go!
We are going to be using a software package called “Power Broker Identity Services, Open Edition” to simplify life. The download packages for this service can be found here: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
So the first thing to do is to log in, elevate your privileges, and use wget to pull the latest package file down:
Next, we need to install the package
shutdown now -r
“No” you do not need “legacy links”
The last command reboots your box. Once it comes back up, login and elevate your privileges, then we are going to join the domain and reboot again…
If you were like me and did something stupid… like named the local administrator account on your Ubuntu server the same as an account in your windows domain, you need to rename that local admin account to something innocuous before going any further. I wrote up a short guide here on how to do that: Change Username of First User
/opt/pbis/bin/domainjoin-cli join contoso.com [email protected]
shutdown now -r
Once the box comes back up again, elevate your privileges and then configure several more things…
/opt/pbis/bin/config UserDomainPrefix contoso
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config LoginShellTemplate /bin/bash
Now, there is also a small bug in PAM (an authentication module used by PBIS). We need to modify a config file. You can do this via the following:
Find the line that says “session sufficient pam_lsass.so” and change it to read this:
————–OKAY – JUMP OVER TO YOUR WINDOWS DOMAIN CONTROLLER AND LOGIN AS A DOMAIN ADMIN——–
Do the following:
1. Create a new global security group called “LinuxAdmins” (without the quotes)
2. Add the built-in “Domain Admins” group to the newly created “LinuxAdmins” group
—————BACK TO YOUR UBUNTU BOX——————
We need to edit the “sudoers” file which is done via VISUDO. NANO is the default text editor. If you want to change to something else (I prefer “vim”) use the following command:
Once you have chosen a text editor you prefer, launch VISUDO
Append this new line to the bottom of the file:
Save and close… reboot the box one more time and then attempt a login with your domain admin credentials.
EDIT: I had some trouble with the syntax on the very last step for adding the AD group to the sudoers file. Here is what helped. Log in as a domain user in the Linuxadmins group. Then run this command and examine the output:
You should see that your user is a member of the “LinuxAdmins” group or a member of the “contoso\linuxadmins” group. If you followed the above tutorial it should be the former and the syntax now provided in the tutorial for adding the group to the sudoers file should work.
This is because we ran this command earlier:
Which means the system assumes the “contoso\” in front of all usernames and group names. If when you run the “id” command it is showing your domain name in front of the group name. Your sudoer line will need to look like this:
Notice the double “\\” – it is necessary (not a typo) however I am not going to go into why.