Attach Ubuntu to Windows Domain via Active Directory (+ sudo)

There may not be many advantages to adding your Ubuntu machines to your Windows domain, but if you can think of some, this will let you work toward them.  It’s actually pretty easy to add a Linux box to Active Directory, because AD started out life as an LDAP server and it still retains its LDAP genes somewhere deep inside its withered exterior.

First thing you will want to do is add this utility to your Ubuntu machine:

sudo apt-get install likewise-open

It will allow you to authenticate against AD using Kerberos.  If you don’t know what that means it’s not important at this stage; it’s enough to understand that it’s a secure method for assuring identity between your client machine and your AD server.

I then added the machine to the domain.  Again this is a simple operation.  Before you do anything on the Ubuntu machine, hop into Active Directory and create a machine account in the name of the Ubuntu machine.  Then back on the Ubuntu machine it’s one line of code:

sudo domainjoin-cli join [domain.name] [username]

Easy enough.

Further I added a domain group to the local sudo group by adding these lines to the /etc/sudoers file.  You can also add a domain user.  Just note the different formats below:

# Active Directory group [groupname] given sudo privs
%[domain.name]\\[group^name] ALL=(ALL) ALL
[domain.name]\\[username] ALL=(ALL) ALL

If you don’t know how to edit a protected file like /etc/sudoers I recommend using Gedit:

gksudo gedit /etc/sudoers

(If you manage to break your sudoers file, you can always use pkexec visudo -f /etc/sudoers to fix it.)

Just add those two lines to the end of the file.  The first line is just a comment line and could say something different.  Replace the items in square brackets with the appropriate information for your network.  Groups, as you can see, are preceded by a percent sign while users are not.  Any spaces should be replaced by carets.
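
The format rules above (percent sign for groups, carets for spaces, double backslash after the domain) as an added example that is not part of the original post: it builds the line from a name and syntax-checks it with visudo before anything is pasted into /etc/sudoers. The function names, the character allow-list and the sample names in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a sudoers entry in the
# format shown above and syntax-check it before it goes into /etc/sudoers.

# sudoers_entry KIND DOMAIN NAME -> prints one sudoers line, or fails.
# KIND is "group" (gets the % prefix) or "user" (no prefix).
sudoers_entry() {
    kind=$1 domain=$2
    # Spaces in AD names are written as carets.
    name=$(printf '%s' "$3" | tr ' ' '^')
    # Assumed allow-list: refuse anything that could alter sudoers syntax
    # (=, :, commas, parentheses, newlines, # and so on).
    case $domain in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $name in ''|*[!A-Za-z0-9._^-]*) return 1 ;; esac
    case $kind in
        group) prefix='%' ;;
        user)  prefix='' ;;
        *)     return 1 ;;
    esac
    # printf turns each \\ into one backslash, so the line carries two.
    printf '%s%s\\\\%s ALL=(ALL) ALL\n' "$prefix" "$domain" "$name"
}

# check_entry LINE -> 0 if visudo parses a file holding only LINE.
# Checks syntax only; it does not prove the AD account exists.
check_entry() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -c -q -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage with constructed sample names:
#   line=$(sudoers_entry group example.local 'Ubuntu Sudoers') &&
#       check_entry "$line" && printf '%s\n' "$line"
```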

For the group I created in Active Directory to grant these sudo privileges (called Ubuntu Sudoers) I included Domain Administrators and a couple of individuals who would likely be using the Ubuntu box and need sudo rights.  The combinations available should make this pretty flexible.

Anyway, that’s about it.  Not too exciting, but I’m sure it’s useful for something.  Have fun with it.

For newer versions of Ubuntu you will need to enable a login space on the login screen.  There are a number of ways, but this is nice and simple.  Again open Gedit to edit a file.

gksudo gedit /etc/lightdm/lightdm.conf

Then add this line to that file.

greeter-show-manual-login=true

You may be able to get the domain assumed (at login) using this method but there is more discussion here.

gksudo gedit /etc/samba/lwiauthd.conf

Then add this line to that file.

winbind use default domain = yes

If that does not work, you can just use the domain@username format at the login screen.

Have fun with that.
