This is a step-by-step guide to adding a GNU/Linux host to a Microsoft Active Directory domain.
The GNU/Linux distribution used in the example is Ubuntu 14.10.
(The steps on other distributions or other versions of Ubuntu should be more or less the same.)
Integration steps

1. Set the hostname of the Linux box and make sure it is *unique* in the Active Directory domain, i.e. no other computer in the network has the same name:

$ sudo gedit /etc/hostname

An example hostname is DOMAIN-XX, where XX can be some number.

2. Set the fully qualified domain name (FQDN) of your host:

$ sudo gedit /etc/hosts

Add the following line at the top of the hosts file:

127.0.0.1 DOMAIN-XX.domain.local DOMAIN-XX

3. Restart the hostname service:

$ sudo service hostname restart

4. Check that the hostname and FQDN are set correctly:

$ hostname

This should output:

DOMAIN-XX

And for the FQDN:

$ hostname -f

This should output:

DOMAIN-XX.domain.local

5. Download the PowerBroker Identity Services (PBIS) Open Edition installer from http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

6. Make the downloaded installer executable:

$ sudo chmod a+x pibsfilename.sh

7. Run the installer:

$ sudo ./pibsfilename.sh

8. Join the Active Directory domain with the following command:

$ sudo domainjoin-cli join domain.local user-name@domain.local

*NOTE* that user-name here is a registered Active Directory user who has the privilege to add a host to the domain. Normally all employee accounts in the network have this privilege; if not, ask the Active Directory administrator to grant it.

*+Possible errors+*

* If you get an error like this:
Error: DNS_ERROR_BAD_PACKET [code 0x0000251e] A bad packet was received from a DNS server. Potentially the requested address does not exist.

Note that starting from Ubuntu 14.04 NetworkManager runs a local resolver (dnsmasq) which needs to be disabled. Edit

$ sudo gedit /etc/NetworkManager/NetworkManager.conf

and comment out the dns line like this:

#dns=dnsmasq

Configure the DNS server with resolvconf:

$ sudo gedit /etc/resolvconf/resolv.conf.d/base

and add the following content to it (replace 192.168.1.1 with the address of your DNS server):

domain domain.local
search domain.local
nameserver 192.168.1.1

Update resolvconf with:

$ sudo resolvconf -u

and restart the NetworkManager service:

$ sudo service network-manager restart

After this you should be able to:

$ ping domain.local

* If you get an error like this:

Error: ERROR_ACCESS_DENIED [code 0x00000005] Access is denied

This error can have two causes:
- Make sure the hostname you are trying to add to Active Directory does not already exist in the domain.
- Make sure the user you are joining with has sufficient privileges to add a host to the domain (consult the Active Directory administrator).

* Finally, after a successful join the following will be printed:
SUCCESS
Update Active Directory with new host info

After joining the domain, run the following commands to update Active Directory with information about the new host, i.e. DNS entry, NTP etc.:

$ sudo /opt/pbis/bin/config UserDomainPrefix domain
$ sudo /opt/pbis/bin/config AssumeDefaultDomain true
$ sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
$ sudo /opt/pbis/bin/ad-cache --delete-all
$ sudo /opt/pbis/bin/update-dns

Then restart the computer:

$ sudo restart
Adding a specific user to the sudoers list

Active Directory domain users are just like local users on the Ubuntu system, so if you want to make a specific user "root", modify

$ sudo gedit /etc/sudoers

and add the following line to it:

DOMAIN\\max.musterman ALL=(ALL) ALL

where max.musterman is a user from the Active Directory domain.

Allowing Active Directory users to log in to Ubuntu

To allow Active Directory users to log in to the Ubuntu system, lightdm (the display manager of Ubuntu) needs to be configured:

$ sudo gedit /etc/lightdm/lightdm.conf

Add the following lines to the lightdm configuration file:

allow-guest=false
greeter-show-manual-login=true

Restart lightdm:
$ sudo service lightdm restart
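The sudoers and lightdm edits above, written as shell functions that can be re-run safely. This is an added example, not code from the original page or from PBIS. It assumes a sudoers.d drop-in directory is available (the page edits /etc/sudoers directly; a drop-in is equivalent), assumes lightdm on Ubuntu 14.10 reads these keys from a [SeatDefaults] section, and uses the page's DOMAIN and max.musterman placeholders; the function names are chosen here.

```shell
#!/bin/sh
# Helpers for the sudoers and lightdm steps above. Added example, not part of
# the original page or of PBIS. Paths are parameters so the functions can be
# exercised on copies; DOMAIN and max.musterman are the page's placeholders.

# Build the sudoers rule for one AD user. sudoers itself needs the backslash
# in DOMAIN\user doubled, which is why the page writes DOMAIN\\max.musterman.
# Only letters, digits, dot, underscore and hyphen are accepted, so a stray
# space or metacharacter cannot turn the rule into something broader.
sudoers_rule() {
    domain=$1; user=$2
    [ -n "$domain" ] && [ -n "$user" ] || return 1
    case "$domain$user" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s\\\\%s ALL=(ALL) ALL\n' "$domain" "$user"
}

# Write the rule as a drop-in under the given sudoers.d directory instead of
# editing /etc/sudoers in place (assumption: the directory is included by
# /etc/sudoers, as on Ubuntu). Files in sudoers.d whose name contains a dot
# are ignored, so the dot in max.musterman becomes an underscore in the file
# name. Prints the path of the file written.
install_sudoers_rule() {
    dir=$1; domain=$2; user=$3
    rule=$(sudoers_rule "$domain" "$user") || return 1
    f="$dir/ad-$(printf '%s' "$user" | tr . _)"
    ( umask 077; printf '%s\n' "$rule" > "$f" ) && chmod 0440 "$f" || return 1
    printf '%s\n' "$f"
}

# Set key=value in the [SeatDefaults] section of lightdm.conf, replacing an
# existing assignment or appending one, so the function is safe to re-run.
# The page only says to add the two lines; [SeatDefaults] is assumed to be the
# section lightdm on Ubuntu 14.10 reads them from.
set_lightdm_key() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        /^[[:space:]]*\[/ {
            if (insect && !done) { print k "=" v; done = 1 }
            insect = ($0 ~ /^\[SeatDefaults\]/)
        }
        insect && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END {
            if (!done) { if (!insect) print "[SeatDefaults]"; print k "=" v }
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Usage on the live system (as root):
#   install_sudoers_rule /etc/sudoers.d DOMAIN max.musterman
#   set_lightdm_key /etc/lightdm/lightdm.conf allow-guest false
#   set_lightdm_key /etc/lightdm/lightdm.conf greeter-show-manual-login true
```

After writing the drop-in, `visudo -c -f /etc/sudoers.d/ad-max_musterman` checks its syntax before it is ever consulted. The rule builder deliberately accepts only a single account name, so the entry cannot silently widen to more than the one user it is meant for.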
Possible issue: settings in /etc/hosts being ignored

To prevent the settings in /etc/hosts from being ignored, modify

$ sudo gedit /etc/nsswitch.conf

and make sure it has the following line:
hosts: files dns
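A script that checks the name-resolution settings from the steps above before (or after) running domainjoin-cli: the /etc/hosts line from the FQDN step, the NetworkManager and resolvconf changes from the DNS error section, and the hosts line of /etc/nsswitch.conf just described. It is an added example, not code from the original page or from PBIS; the file paths are the ones the page edits, DOMAIN-XX and domain.local are the page's placeholders, and the function names (check_all, check_hosts_entry and so on) are chosen here.

```shell
#!/bin/sh
# Name-resolution sanity checks for the hostname/hosts step, the DNS error
# section and the nsswitch note above. Added example, not part of the original
# page or of PBIS. Each check takes the file to inspect as an argument so it
# can be run against copies; check_all applies them to the live system paths.
# DOMAIN-XX and domain.local are the page's placeholder names.

# /etc/hosts must have an uncommented line "<address> <fqdn> <short name>".
check_hosts_entry() {
    awk -v fqdn="$3" -v short="$2" '
        /^[[:space:]]*#/ { next }
        $2 == fqdn && $3 == short { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# NetworkManager.conf must not have an active "dns=dnsmasq" line (the
# commented "#dns=dnsmasq" the page asks for passes; a missing file passes too).
check_nm_dnsmasq_disabled() {
    ! grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' "$1" 2>/dev/null
}

# resolv.conf.d/base must carry domain, search and nameserver entries.
check_resolv_base() {
    base=$1; domain=$2
    grep -Eq "^domain[[:space:]]+$domain([[:space:]]|\$)" "$base" &&
    grep -Eq "^search[[:space:]]+$domain([[:space:]]|\$)" "$base" &&
    grep -Eq '^nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$base"
}

# The hosts line of nsswitch.conf must consult "files" before "dns".
check_nsswitch_hosts() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "dns" && !d) d = i
            }
            if (f && d && f < d) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Run every check against the live system; usage: sh precheck.sh domain.local
check_all() {
    domain=$1; short=$(hostname); status=0
    check_hosts_entry /etc/hosts "$short" "$short.$domain" ||
        { echo "/etc/hosts: no line '$short.$domain $short'"; status=1; }
    check_nm_dnsmasq_disabled /etc/NetworkManager/NetworkManager.conf ||
        { echo "NetworkManager.conf: dns=dnsmasq is still active"; status=1; }
    check_resolv_base /etc/resolvconf/resolv.conf.d/base "$domain" ||
        { echo "resolv.conf.d/base: domain/search/nameserver incomplete"; status=1; }
    check_nsswitch_hosts /etc/nsswitch.conf ||
        { echo "nsswitch.conf: hosts line must list files before dns"; status=1; }
    [ "$(hostname -f 2>/dev/null)" = "$short.$domain" ] ||
        { echo "hostname -f does not return $short.$domain"; status=1; }
    return $status
}

if [ $# -gt 0 ]; then check_all "$1"; fi
```

Run as `sh precheck.sh domain.local`; a non-zero exit with one line per failed check points at the file to fix, which is quicker than working back from a DNS_ERROR_BAD_PACKET or ERROR_ACCESS_DENIED message after the join attempt.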
Logging in
Restart your Ubuntu host and, in the login screen, type your Active Directory username preceded by the domain name DOMAIN, e.g.

DOMAIN\max.musterman

and use your Active Directory user password to log in.