Posts Tagged ‘active directory’

In the world of virtualization, good admins make snapshots of VMs before making significant changes, right? Great idea, except you need to be careful: if you roll back a Microsoft Windows Domain Controller you can put yourself in a world of hurt. Here is an excellent article from Windows IT Pro magazine written by Greg Shields explaining why you should never roll back a snapshot of a Domain Controller.
“USN rollback comes back with a vengeance when Domain Controllers are restored using snapshots.”
July 31, 2010

How-to setup Ubuntu Server Active Directory integration
July 28, 2010

Quick & Easy Method
Install Likewise-Open 6.x
Find the link for the most current Likewise-Open 6.x DEB package at http://www.likewise.com/community/index.php/download and download the self-extracting (sfx) installer for your architecture (32-bit or 64-bit). Example:
wget http://www.likewise.com/bits/6.0/8234/LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh
chmod +x LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh
sudo ./LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh
Join the computer to the domain
Note: In the command below, replace your-domain-name and your-Administrator-account-name with the appropriate values. Any other privileged domain account can be used instead of the Administrator account to join the computer to the domain.
sudo domainjoin-cli join your-domain-name your-Administrator-account-name
At the prompt, enter the domain administrator password.
Test authentication with domain account
su your-domain-name\\your-Administrator-account-name
Enter the password for the Domain Administrator account at the prompt.
Configure SSH for Domain Authentication
Edit the SSH config file (replace jed with your favorite editor):
sudo jed /etc/ssh/sshd_config
Find the Authentication section. If it contains an AllowUsers line, only the accounts listed there may log in over SSH, so domain accounts would be refused. Add a * (asterisk) to the end of that line.
Example:
AllowUsers *
Note that a bare * admits every account sshd can resolve, local and domain alike, which is the same as having no AllowUsers restriction at all. Listing the specific domain accounts (or the domain group, via AllowGroups) instead of * keeps the restriction meaningful.
Close and save the config file.
Restart the SSH daemon
sudo /etc/init.d/ssh restart
SSH authentication with domain credentials
ssh your-domain-name\\your-Administrator-account-name@localhost
Add Domain Admins to the Sudoers File
Edit the sudoers file (visudo checks the syntax before saving, which avoids a malformed file that locks everyone out of sudo):
sudo jed /etc/sudoers
Add the following line to the end of the file (Likewise writes the space in the AD group name "Domain Admins" as a caret, so the group appears as domain^admins):
%your-domain-name\\domain^admins ALL=(ALL) ALL
Save and close the file.
Usage
To use a domain account to SSH in to the computer, use the following example:
login as: your-domain-name\your-AD-account-username
Note: In a Unix shell, the \ (backslash) character is an escape character, so when you refer to a domain account from a bash shell, type two backslashes. The SSH login prompt only requires one backslash.
Example:
su your-domain-name\\Administrator
Active Directory Groups
You can now use AD accounts with chown and AD groups with chgrp to assign permissions to directories and files, just as you would with local Linux users and groups. For example, to see your AD groups, type the following:
groups
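The two files the steps above edit, sshd_config and sudoers, are where this setup can quietly end up over-permissive. The script below is an added example (not code from the original post or from Likewise) that checks both for the broad settings discussed above; the domain name EXAMPLE, the file paths and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits the two files the
# how-to edits (sshd_config and sudoers) for over-broad settings.
# Domain name EXAMPLE, file paths and file contents are constructed samples.

# 0 when AllowUsers/AllowGroups is present and every entry names a specific
# account or group; 1 when the directive is missing or any entry is a bare "*"
# (which admits every account sshd can resolve, local and domain alike).
ssh_allow_is_restricted() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "allowusers" || tolower($1) == "allowgroups" {
            seen = 1                                     # sshd keywords are case-insensitive
            for (i = 2; i <= NF; i++) if ($i == "*") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# 0 when sudoers grants ALL to the domain admins group (Likewise writes the
# space in "Domain Admins" as "^") and to no catch-all such as %users or ALL.
sudoers_grants_only_domain_admins() {
    domain=$1 file=$2
    grep -qF "%${domain}\\domain^admins ALL=(ALL) ALL" "$file" || return 1
    ! grep -qE '^[[:space:]]*(%users|ALL)[[:space:]]+ALL=\(ALL\)' "$file"
}

# Constructed sample inputs written to a scratch directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
PermitRootLogin no
Allowusers alice bob *
EOF
cat > "$SAMPLE_DIR/sshd_config.good" <<'EOF'
PermitRootLogin no
AllowUsers alice EXAMPLE\adm.jdoe
AllowGroups EXAMPLE\domain^admins
EOF
cat > "$SAMPLE_DIR/sudoers.good" <<'EOF'
root ALL=(ALL) ALL
%EXAMPLE\domain^admins ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/sudoers.weak" <<'EOF'
root ALL=(ALL) ALL
%EXAMPLE\domain^admins ALL=(ALL) ALL
%users ALL=(ALL) ALL
EOF

for f in sshd_config.good sshd_config.weak; do
    ssh_allow_is_restricted "$SAMPLE_DIR/$f" && echo "$f: restricted" || echo "$f: OPEN to all accounts"
done
```

Point the two functions at the real /etc/ssh/sshd_config and /etc/sudoers after finishing the steps above to confirm the domain admins line is present and nothing broader slipped in.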
Credits
Special thanks to Jeremy Dye for providing the information used in this post.
Likewise Open issues with local user passwords & authentication fixed
July 9, 2010

Likewise-Open version 6
In the previous versions of Likewise Open that we’d tried on our Ubuntu Servers, libpam-cracklib was required to work around the Likewise-Open local password bug. Likewise Open version 6 is much cleaner and works like a champ: pam_lwidentity no longer returns PAM_SUCCESS for users it doesn’t know about. Now, if it can’t find the user in LDAP, it continues down the PAM stack and tries to authenticate against the local user accounts, just as you’d expect it to.
Additional Resources
- Likewise Open - An open source application that joins Linux, Unix, and Mac machines to Microsoft Active Directory and securely authenticates users with their domain credentials.
- Likewise Open 6.0 Installation & Administration Guide
- How PAM Works