likewise-open | 14.04 | other easy way to connect AD?
Solution 1
Using Powerbroker instead of likewise
do as steps below
1- download powerbroker from here http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
2- run it,
sudo chmod a+x pibsfilename.sh
run by typing it and hitting enter key
sudo ./pibsfilename.sh
3- join by one of the below commands
sudo domainjoin-cli join domainname.com [email protected]
or
sudo domainjoin-cli join --disable ssh domainname.com [email protected]
4- Also, note that you might need to make one minor change to a config file as noted here. Namely, in the file /etc/pam.d/common-session, change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
5- run this command to config, like lwconfig in likewise (run from home folder), use caret ^ for spaces in group names
/opt/pbis/bin/config Requiremembershipof "domainname\\ASecurityGroupFromYourDomain" "domainname\\plus^other^group"
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config UserDomainPrefix domainname
6- if you want a username to be sudoer do as follows
sudo nano /etc/sudoers
after root line add the line below
username ALL=(ALL:ALL) ALL
for group use %:
%DOMAINNAME\\Power^Users ALL=(ALL:ALL) ALL
7- and finally edit lightdm configuration file
sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
(60-lightdm-gtk-greeter.conf in Lubuntu 14.04)
8- Reboot
Resources used:
- http://community.spiceworks.com/how_to/show/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open
- Add AD Domain user to sudoers from the command line
- https://serverfault.com/questions/387950/how-to-map-ad-domain-admins-group-to-ubuntu-admins
- http://codenuggets.com/2014/05/15/likewise-open-change-default-user-shell/
Solution 2
It has simply been rebranded, and removed from official repositories. It is now known as BeyondTrust PowerBroker Identity Services, Open Edition (not as catchy, I know), and can be found here.
Also, note that you might need to make one minor change to a config file as noted here. Namely, in the file /etc/pam.d/common-session, change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
Found this info after a LOT of Googling and pulling out hair. Hope this helps.
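The `common-session` change described in Solutions 1 and 2, as an added example that is not part of the original answers or of PBIS: in PAM, `sufficient` ends the session stack as soon as `pam_lsass.so` succeeds, so session modules listed after it never run for AD users, while `[success=ok default=ignore]` lets the stack continue. The function names, the `.bak` backup and the sample file built in `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not PBIS tooling. $1 is the PAM file to edit; on the system
# described above that is /etc/pam.d/common-session (root needed there).
SUFFICIENT_RE='^[[:space:]]*session[[:space:]]+sufficient[[:space:]]+pam_lsass\.so'
FIXED_RE='^[[:space:]]*session[[:space:]]+\[success=ok[[:space:]]+default=ignore][[:space:]]+pam_lsass\.so'

# Print the state of the active pam_lsass.so session line:
# sufficient | fixed | absent. Commented-out lines are ignored.
pam_lsass_state() {
    if grep -Eq "$SUFFICIENT_RE" "$1"; then echo sufficient
    elif grep -Eq "$FIXED_RE" "$1"; then echo fixed
    else echo absent
    fi
}

# Replace "sufficient" with "[success=ok default=ignore]" on active lines.
# Saves the previous file as FILE.bak and does nothing when there is nothing
# to change, so repeated runs are harmless.
fix_pam_lsass_session() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ "$(pam_lsass_state "$file")" = sufficient ] || return 0
    tmp=$(mktemp) || return 2
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 2; }
    if sed -E 's/^([[:space:]]*session[[:space:]]+)sufficient([[:space:]]+pam_lsass\.so)/\1[success=ok default=ignore]\2/' \
        "$file" > "$tmp"
    then
        # Write through the existing file so its owner and mode stay as they were.
        cat "$tmp" > "$file"; rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: try the edit on a scratch copy, never on /etc/pam.d.
demo() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' '# session sufficient pam_lsass.so' \
        'session required pam_unix.so' \
        'session sufficient pam_lsass.so' \
        'session optional pam_systemd.so' > "$demo_dir/common-session"
    fix_pam_lsass_session "$demo_dir/common-session" && cat "$demo_dir/common-session"
    rm -rf "$demo_dir"
}
```

Source the file and call `demo` to see the rewritten sample, or run `pam_lsass_state /etc/pam.d/common-session` to check a joined machine without changing anything.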
Solution 3
Thanks a lot. For me (instead of using PBIS (PowerBroker Identity Services)) I will run with "realmd - network authentication", which uses "sssd". This installs and configures all components (Kerberos and the sssd config) for me (SSSD = System Security Services Daemon). The only things to do are joining the domain (see realm --help), manually setting up PAM (in /etc/pam.d/common-session; add "session required pam_mkhomedir.so umask=077") to auto-create home directories, and possibly modifying the sudoers file for the AD users. Take a look at that; I think it is an easy alternative way to do AD integration, and it comes out of the box and uses standards.
Solution 4
The other (and IMHO the more mature and stable) solution is Centrify Express.
Steps on how to install Centrify Express (and why folks switched to Centrify) can be found at
http://ninjix.blogspot.com/2011/01/puppet-module-for-centrify-express.html
user272446
Updated on September 18, 2022
Comments
-
user272446 almost 2 years
We use a lot of Linux servers with Active Directory membership for user authentication. These are made with the likewise-open package. We tested the beta version of Ubuntu Server 14.04 LTS. Everything works fine after one minute (install, domain join, import registry, edit sudoers, done). Now, from beta to production release, likewise-open is removed from the repository.
Is there any equivalent easy way for AD domain join and (AD) group-based login management (without manually installing and editing config files for samba, winbind, nsswitch, pam etc.)?
Thanks a lot, Silvio
-
guntbert about 10 years
Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
-
user272446 about 10 years
Thanks a lot. For me I will run with the "realmd" network authentication that uses "sssd" for authentication.
-
matt wilkie about 10 years
"disbale" should probably be "disable", yes?
-
matt wilkie about 10 years
For me, tab completion in terminal shells is broken for AD user; from here, I think
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
might fix that (for new users only?). Also there's a note that 50-unity-greeter.conf needs to be edited instead for Lubuntu 14.04.