likewise-open | 14.04 | other easy way to connect AD?
Solution 1:
Use PowerBroker instead of Likewise.
Follow the steps below:
1- Download PowerBroker from here: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
2- Run it:
sudo chmod a+x pibsfilename.sh
Run it by typing the following and hitting the Enter key:
sudo ./pibsfilename.sh
3- Join with one of the commands below:
sudo domainjoin-cli join domainname.com [email protected]
or
sudo domainjoin-cli join --disable ssh domainname.com [email protected]
4- Also, note that you might need to make one minor change to a config file as noted here. Namely, in the file /etc/pam.d/common-session, change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
5- Run this command to configure, like lwconfig in Likewise (run from the home folder); use a caret ^ for spaces in group names:
/opt/pbis/bin/config Requiremembershipof "domainname\\ASecurityGroupFromYourDomain" "domainname\\plus^other^group"
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config UserDomainPrefix domainname
6- If you want a username to be a sudoer, do as follows:
sudo nano /etc/sudoers
After the root line, add the line below:
username ALL=(ALL:ALL) ALL
For a group, use %:
%DOMAINNAME\\Power^Users ALL=(ALL:ALL) ALL
7- Finally, edit the lightdm configuration file:
sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
(60-lightdm-gtk-greeter.conf in Lubuntu 14.04)
8- Reboot
Resources used:
- http://community.spiceworks.com/how_to/show/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open
- Add AD Domain user to sudoers from the command line
- https://serverfault.com/questions/387950/how-to-map-ad-domain-admins-group-to-ubuntu-admins
- http://codenuggets.com/2014/05/15/likewise-open-change-default-user-shell/
Solution 2:
It has simply been rebranded, and removed from official repositories. It is now known as BeyondTrust PowerBroker Identity Services, Open Edition (not as catchy, I know), and can be found here.
Also, note that you might need to make one minor change to a config file as noted here. Namely, in the file /etc/pam.d/common-session, change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
Found this info after a LOT of Googling and pulling out hair. Hope this helps.
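Solutions 1 and 2 both make the same edit to /etc/pam.d/common-session: with "sufficient", a successful pam_lsass.so ends the session stack, so session modules listed after it are skipped for domain users. The shell functions below are an added example, not part of either answer; they report the state of that line in a PAM file and rewrite only the control field, and the function names and any sample file passed to them are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers): audit and fix the
# pam_lsass.so session line in a PAM file. Function names are this example's own.

LSASS_BAD='^[[:space:]]*session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so'
LSASS_GOOD='^[[:space:]]*session[[:space:]]+\[success=ok default=ignore\][[:space:]]+pam_lsass\.so'

# pam_lsass_state FILE -> prints one of: missing, sufficient, fixed, absent
# Commented-out lines are ignored because the patterns anchor on "session".
pam_lsass_state() {
    pf=$1
    if [ ! -r "$pf" ]; then echo missing
    elif grep -Eq "$LSASS_BAD" "$pf"; then echo sufficient
    elif grep -Eq "$LSASS_GOOD" "$pf"; then echo fixed
    else echo absent
    fi
}

# pam_lsass_fix FILE -> replaces "sufficient" with "[success=ok default=ignore]"
# on the pam_lsass.so session line, keeping spacing and module arguments.
# Leaves FILE.bak behind. Returns 0 only if FILE ends up in the "fixed" state.
pam_lsass_fix() {
    pf=$1
    state=$(pam_lsass_state "$pf")
    case $state in
        fixed) return 0 ;;
        sufficient) ;;
        *) echo "nothing to fix in $pf ($state)" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    cp -p "$pf" "$pf.bak" || { rm -f "$tmp"; return 1; }
    # Write to a temp file first, then overwrite in place so owner and mode stay.
    sed -E 's/^([[:space:]]*session[[:space:]]+)sufficient([[:space:]]+pam_lsass\.so)/\1[success=ok default=ignore]\2/' \
        "$pf" > "$tmp" && cat "$tmp" > "$pf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(pam_lsass_state "$pf")" = fixed ]
}
```

Run pam_lsass_fix /etc/pam.d/common-session as root, and keep an existing root session open until a fresh domain login has been tested.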
Solution 3:
The other (and IMHO the more mature and stable) solution is Centrify Express.
Steps on how to install Centrify Express (and why folks switched to Centrify) can be found at
http://www.question-defense.com/2012/08/31/dpkg-error-processing-likewise-open-configure-join-linux-server-to-windows-domain-controller
http://ninjix.blogspot.com/2011/01/puppet-module-for-centrify-express.html
Solution 4:
Thanks a lot. For me, instead of using PBIS (PowerBroker Identity Services), I will run with "realmd - network authentication", which uses "sssd" (SSSD = System Security Services Daemon). This installs and configures all components (Kerberos and the sssd config) for me. The only things to do are joining the domain (see realm --help), manually setting up PAM (in /etc/pam.d/common-session, add "session required pam_mkhomedir.so umask=077") to auto-create home directories, and possibly modifying the sudoers file for the AD users. Take a look at that; I think it is an easy alternative way to do AD integration, and it comes out of the box and uses standards.