How to add your Ubuntu computer to your Active Directory Domain (.local included) with Likewise
How to add your Ubuntu computer to your Active Directory Domain when your Windows SBS Domain ends in .local using Likewise
There are a number of options in order to get Active Directory integration with your Ubuntu systems. I personally liked Likewise as it provides a GUI and does a lot of the steps for you saving you time. Below are the instructions on how to install it as well as the changes you need to perform on your system for the DNS resolution to work correctly.
Likewise Open
Likewise Open simplifies the necessary configuration needed to authenticate a Linux machine to an Active Directory domain. Based on winbind, the likewise-open package takes the pain out of integrating Ubuntu authentication into an existing Windows network.
Installation
There are two ways to use Likewise Open, likewise-open the command line utility and likewise-open-gui.
To install the likewise-open package, open a terminal prompt and enter:
sudo apt-get install likewise-open
Or if you prefer, in the Ubuntu GUI you can search the online applications for likewise and click the install button.
Joining a Domain
The main executable file of the likewise-open package is /usr/bin/domainjoin-cli, which is used to join your computer to the domain. Before you join a domain you will need to make sure you have:
- Access to an Active Directory user with appropriate rights to join the domain.
- The Fully Qualified Domain Name (FQDN) of the domain you want to join. If your AD domain does not match a valid domain such as example.com, it is likely that it has the form of domainname.local.
- DNS for the domain setup properly. In a production AD environment this should be the case. Proper Microsoft DNS is needed so that client workstations can determine the Active Directory domain is available.If you don’t have a Windows DNS server on your network, see the section called “Microsoft DNS” for details.
To join a domain, from a terminal prompt enter:
sudo domainjoin-cli join example.com Administrator
| Replace example.com with your domain name, and Administrator with the appropriate user name. |
You will then be prompted for the user’s password. If all goes well a SUCCESS message should be printed to the console.
| After joining the domain, it is necessary to reboot before attempting to authenticate against the domain. |
After successfully joining an Ubuntu machine to an Active Directory domain you can authenticate using any valid AD user. To login you will need to enter the user name as ‘domainusername’. For example to ssh to a server joined to the domain enter:
ssh 'examplesteve'@hostname
| If configuring a Desktop the user name will need to be prefixed with domain in the graphical logon as well. |
To make likewise-open use a default domain, you can add the following statement to /etc/samba/lwiauthd.conf:
winbind use default domain = yes
Then restart the likewise-open daemons:
sudo /etc/init.d/likewise-open restart
| Once configured for a default domain the ‘domain’ is no longer required, users can login using only their username. |
The domainjoin-cli utility can also be used to leave the domain. From a terminal:
sudo domainjoin-cli leave
Other Utilities
The likewise-open package comes with a few other utilities that may be useful for gathering information about the Active Directory environment. These utilities are used to join the machine to the domain, and are the same as those available in the samba-common and winbind packages:
- lwinet: Returns information about the network and the domain.
- lwimsg: Allows interaction with the likewise-winbindd daemon.
- lwiinfo: Displays information about various parts of the Domain.
Please refer to each utility’s man page specific for details.
Troubleshooting
- If the client has trouble joining the domain, double check that the Microsoft DNS is listed first in
/etc/resolv.conf. For example:nameserver 192.168.0.1
- For more information when joining a domain, use the –loglevel verbose or –advanced option of the domainjoin-cli utility:
sudo domainjoin-cli --loglevel verbose join example.com Administrator
- If an Active Directory user has trouble logging in, check the
/var/log/auth.logfor details. - When joining an Ubuntu Desktop workstation to a domain, you may need to edit
/etc/nsswitch.confif your AD domain uses the .local syntax. In order to join the domain the “mdns4” entry should be removed from the hosts option. For example:hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Change the above to:
hosts: files dns [NOTFOUND=return]
Then restart networking by entering:
sudo /etc/init.d/networking restart
You should now be able to join the Active Directory domain.
Microsoft DNS
The following are instructions for installing DNS on an Active Directory domain controller running Windows Server 2003, but the instructions should be similar for other versions:
- Click Start → Administrative Tools → Manage Your Server. This will open the Server Role Mangement utility.
- Click Add or remove a role
- Click Next
- Select “DNS Server”
- Click Next
- Click Next again to proceed
- Select “Create a forward lookup zone” if it is not selected.
- Click Next
- Make sure “This server maintains the zone” is selected and click Next.
- Enter your domain name and click Next
- Click Next to “Allow only secure dynamic updates”
- Enter the IP for DNS servers to forward queries to, or Select “No, it should not forward queries” and click Next.
- Click Finish
- Click Finish
DNS is now installed and can be further configured using the Microsoft Management Console DNS snap-in.
- Next, configure the Server to use itself for DNS queries:
- Click Start
- Control Panel
- Network Connections
- Right Click “Local Area Connection”
- Click Properties
- Double click “Internet Protocol (TCP/IP)”
- Enter the Server’s IP Address as the “Preferred DNS server”
- Click Ok
- Click Ok again to save the settings
References
Please refer to the Likewise home page for further information.
For more domainjoin-cli options see the man page: man domainjoin-cli.
Also, see the Ubuntu Wiki LikewiseOpen page.
Love
Can we use Let's Encrypt, the free and open certificate authority?
Hola! gracias por la info, me sirvió el comando sacandole el nombre del server. En mi caso, fue una migración…
Yes 3rd option helped me too. I removed the WC key Values from config file then started working.
I know this is from 2014. But really, thank you!