Posts Tagged ‘ldap’

How-to setup Ubuntu Server Active Directory integration

July 28, 2010

Quick & Easy Method

Install Likewise-Open 6.x

Find the link to the most current Likewise-Open 6.x DEB package at http://www.likewise.com/community/index.php/download and download the self-extracting installer (32-bit or 64-bit). Example:

wget http://www.likewise.com/bits/6.0/8234/LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh
# the downloaded installer is not executable until you mark it so
chmod +x LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh
sudo ./LikewiseOpen-6.0.0.8234-linux-amd64-deb.sh

Join the computer to the domain

Note: In the command below, replace your-domain-name and your-Administrator-account-name with the appropriate values. You may also use any other privileged account instead of the Administrator account to join the computer to the domain.

sudo domainjoin-cli join your-domain-name your-Administrator-account-name

At the prompt, enter the domain administrator password.

Test authentication with domain account

su your-domain-name\\your-Administrator-account-name

Enter the password for the Domain Administrator account at the prompt.

Configure SSH for Domain Authentication

Edit the SSH config file (replace jed with your favorite editor): 

sudo jed /etc/ssh/sshd_config

Find the Authentication section. It contains the AllowUsers directive, a list of user names permitted to log in over SSH. Add a * (asterisk) to the end of that list.

Example: 

AllowUsers *

Save and close the config file.

Restart the SSH daemon

sudo /etc/init.d/ssh restart

SSH authentication with domain credentials

ssh your-domain-name\\your-Administrator-account-name@localhost
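With AllowUsers * in place, sshd accepts any account the system can authenticate, which after the domain join means every user in the domain. The shell function below is an added example, not part of the original post, that reports how an sshd_config scopes logins; it is run here against three constructed sample configs (temporary files), and the group name sshusers in the narrowed variant is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): classify how an sshd_config
# restricts logins. Prints one of:
#   unrestricted - no AllowUsers/AllowGroups at all (sshd's default: any account)
#   wildcard     - AllowUsers contains a bare '*' (the setting used in the how-to)
#   scoped       - AllowUsers/AllowGroups present and no bare '*'
sshd_allow_scope() {
    awk '
        { sub(/#.*/, "") }                     # strip comments before looking at fields
        tolower($1) == "allowusers" || tolower($1) == "allowgroups" {
            seen = 1                           # sshd keywords are case-insensitive
            for (i = 2; i <= NF; i++) if ($i == "*") wild = 1
        }
        END { print (wild ? "wildcard" : (seen ? "scoped" : "unrestricted")) }
    ' "$1"
}

# Constructed sample configs (temporary files, removed when the script exits).
WEAK_CFG=$(mktemp)
SCOPED_CFG=$(mktemp)
DEFAULT_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$SCOPED_CFG" "$DEFAULT_CFG"' EXIT

# What the how-to ends up with: every domain account may log in.
cat > "$WEAK_CFG" <<'EOF'
# Authentication:
PermitRootLogin no
Allowusers jdoe *
EOF

# Narrowed variant: only members of one group (placeholder group name).
cat > "$SCOPED_CFG" <<'EOF'
PermitRootLogin no
#AllowUsers *
AllowGroups sshusers
EOF

# No directive at all: sshd imposes no user restriction of its own.
cat > "$DEFAULT_CFG" <<'EOF'
PermitRootLogin no
EOF

for f in "$WEAK_CFG" "$SCOPED_CFG" "$DEFAULT_CFG"; do
    printf '%s: %s\n' "$f" "$(sshd_allow_scope "$f")"
done
```

Run it against /etc/ssh/sshd_config after the edit above to confirm the result you intended; "wildcard" is what the how-to produces, and AllowGroups naming one group is the usual way to narrow it back down.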

Add Domain Admins to the Sudoers File

Edit the sudoers file: 

sudo jed /etc/sudoers

Add the following line to the end of the file:  

%your-domain-name\\domain^admins ALL=(ALL) ALL

Save and close the file.  

Usage

To SSH in to the computer with a domain account, use the following example:

login as: your-domain-name\your-AD-account-username

Note: In a Unix shell, the \ (backslash) character is an escape character. When referring to a domain account in a bash shell, use two backslashes. (The SSH login prompt requires only one backslash.)

Example:

su your-domain-name\\Administrator
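The sudoers entry, the su examples and the ssh login prompt above all spell the same AD principal in the form Likewise presents to the system: domain, backslash, then the name lowercased with spaces turned into ^ (so Domain Admins becomes domain^admins), with the backslash doubled wherever a shell or sudoers parses it. The functions below are an added example, not code from the post or from Likewise, that build those strings; the lowercase-and-caret mapping is assumed from the post's own domain^admins spelling, and the domain and account names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Likewise): build the
# Likewise-style names used in sudoers, su and ssh. The mapping is assumed
# from the post's own "domain^admins": lowercase, spaces become '^'.
lw_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ' ' '^'
}

# Form typed at the ssh login prompt: a single backslash.
ad_login_name() {
    printf '%s\\%s\n' "$1" "$(lw_name "$2")"
}

# Form for a bash command line such as su, where \ escapes: doubled backslash.
ad_shell_name() {
    printf '%s\\\\%s\n' "$1" "$(lw_name "$2")"
}

# sudoers entry granting an AD group full sudo, as in the how-to.
sudoers_group_line() {
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$(lw_name "$2")"
}

# Demo with placeholder values; a real run uses your own domain and group.
DOMAIN=your-domain-name
ad_login_name "$DOMAIN" 'Administrator'    # your-domain-name\administrator
ad_shell_name "$DOMAIN" 'Administrator'    # your-domain-name\\administrator
LINE=$(sudoers_group_line "$DOMAIN" 'Domain Admins')
printf '%s\n' "$LINE"                      # %your-domain-name\\domain^admins ALL=(ALL) ALL

# Check the syntax before installing the line: a malformed /etc/sudoers locks
# everyone out of sudo. visudo -c -f parses a candidate file without installing
# it (this step is skipped where visudo is not installed).
if command -v visudo >/dev/null 2>&1; then
    TMP=$(mktemp); printf '%s\n' "$LINE" > "$TMP"
    visudo -c -f "$TMP" || echo "visudo reported a problem with: $LINE"
    rm -f "$TMP"
fi
```

Editing /etc/sudoers through visudo instead of a plain editor gives you the same syntax check on the real file before it is saved.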

Active Directory Groups

You can now use AD accounts with chown and AD groups with chgrp to assign permissions on directories and files, just as you would with local Linux users and groups. For example, to see your AD groups, type the following:

groups

Credits

Special thanks to Jeremy Dye for providing the information used in this post.

Likewise Open issues with local user passwords & authentication fixed

July 9, 2010

Likewise-Open version 6

In the previous versions of Likewise Open that we'd tried on our Ubuntu servers, libpam-cracklib was required to work around the Likewise Open local password bug. Likewise Open version 6 is much cleaner and works like a champ: pam_lwidentity no longer returns PAM_SUCCESS for users it doesn't know about. Now, if it can't find the user in LDAP, it continues down the PAM stack and tries to authenticate against the local user accounts, just as you'd expect it to.
